Right of access

Bank reprimanded by the PFPDT

(Translated by DeepL)

In its decision of 29 January 2025, published on 1 July 2025, the Federal Data Protection and Information Commissioner (PFPDT) issued a warning to a Swiss bank for repeated violations of the provisions of the Data Protection Act (DPA) relating to the right of access. This decision sets clear standards: strict compliance with the 30-day deadline for responding to the data subject, and the obligation to provide the personal data "as such".

This decision follows two complaints filed by customers who exercised their right of access. In one case, the bank did not respond within the legal deadline and, in the other, it limited itself to a generic letter listing the categories of data processed and referring to its privacy policy for the rest.

The PFPDT considered that there were sufficient indications to suggest that the bank was in breach of data protection rules in its handling of access requests, which justified the opening of an investigation. The investigation found that, of thirteen access requests sent to the bank between December 2023 and August 2024, nine had been processed after the deadline and all had received standardised replies.

In its decision closing the proceedings, the PFPDT ordered the full disclosure of the data, accompanied by the threat of the penalty provided for in Art. 63 LPD, issued a warning to the bank and imposed a fee on it.

With regard to the content of the response to a request for access, two complementary objectives pursued by Art. 25 LPD must be taken into account: (i) ensuring transparency and (ii) enabling the effective exercise of other rights, in particular the right to rectification. A standardised response to a request for access that renders this right meaningless, such as simply communicating abstract categories of data or referring to a privacy policy, is not sufficient.

In this case, the bank should have provided the specific data relating to the customer, including the data used to refuse the credit card, so that the data subject could verify its accuracy and, if necessary, request its rectification.

Art. 25 para. 2 lit. b LPD requires the data controller to communicate the personal data processed as such. This includes identifying data and all associated information, including that derived from internal analyses or tools. The exceptions provided for in Art. 26 LPD are strictly limited and must be invoked and justified in writing.

This obligation is particularly important in the banking sector, where institutions process large amounts of data and use complex systems. Legal doctrine accepts that, in the event of a very broad request, the data controller may ask the data subject to clarify the request. However, this does not justify the absence of an individualised response. The controller also retains the right to restrict access or refuse certain data on legitimate grounds, for example by redacting sensitive information or information relating to third parties, in accordance with Art. 26 LPD.

With regard to the time limit for processing a request for access, Articles 25(7) LPD and 18(1) OPDo set a time limit of 30 days. Despite the phrase ‘as a general rule’ (in der Regel) appearing in the French and German versions of the law, the PFPDT considers this time limit to be mandatory. It may only be extended if the data subject is informed and the decision is justified, in accordance with Art. 18 para. 2 OPDo.

The argument put forward by the bank to justify its delays, namely a lack of staff, did not convince the PFPDT: the institution could have used the extension mechanism provided for in Art. 18 para. 2 OPDo, but did not do so. If no response is received within 30 days, the person concerned may take legal action to assert their right of access.

The PFPDT found that the bank had repeatedly violated the LPD by breaching Art. 25 para. 2 let. b and para. 7. On the basis of Art. 51 para. 3 let. g LPD, it ordered the bank to respond to access requests in accordance with the law, under threat of the penalty provided for in Art. 63 LPD. Intentional failure to comply with this order exposes the perpetrator to a fine of up to CHF 250,000.

As the bank took the necessary measures during the investigation to restore compliance with the FADP, the PFPDT limited itself to issuing a warning (Art. 51 para. 5 FADP). It also charged the institution a fee of CHF 5,829.40, corresponding to the time spent on the proceedings (Art. 59 para. 1 lit. d LPD cum Art. 44 OPDo).

As neither the decision on the merits nor the decision on its publication were contested, they became final upon expiry of the 30-day appeal period.

The message sent by the PFPDT is clear: the 30-day deadline must be respected and the response cannot be reduced to a standard template. Even though the administrative measure taken against this bank is limited to a warning, it has a strong symbolic significance. The PFPDT is demonstrating its willingness to intervene in cases of systematic practices that contravene the PDPA. Data controllers who delay compliance expose themselves not only to legal risk but also, and above all, to reputational risk, in a context where transparency in data processing is now an essential marker of reliability.