Deleting personal data in Switzerland: nFADP compliance in 5 steps with Qim info

Key figures: 14 project days, 1 data specialist

Deleting personal data for nFADP compliance

How do you reliably and correctly delete the sensitive data of thousands of customers, employees and prospective customers every year? This is the challenge facing a Swiss bank under the new requirements of the Federal Act on Data Protection (nFADP). To make a success of this regulatory and operational transformation, it called on Qim info. Find out how a Data specialist deployed a solution for managing sensitive data in compliance with the new Swiss legislation in just two weeks.

nFADP compliance: Swiss legal obligations on the deletion of personal data

From September 2023, the new Federal Act on Data Protection (nFADP) requires all Swiss companies to review their personal data management. The right to be forgotten, compliance with retention periods, the obligation to document and secure deletion are all legal requirements. For this Swiss bank, this means identifying all the personal data of customers, employees and prospects stored in hundreds of applications, and organising its deletion according to a precise annual schedule.

nFADP: risks of non-compliance and possible sanctions

Since the entry into force of the new Federal Act on Data Protection (nFADP), Swiss companies have had to demonstrate rigorous management of personal data. Failure to do so can have serious consequences, both in legal and reputational terms:

  • Compliance obligations: each company must be able to identify the data processed, respect a retention schedule, guarantee secure deletion and document each operation (purge log, error reports, etc.).
  • Criminal penalties: in the event of intentional breaches (lack of information, illegal transfers, failure to cooperate with the FDPIC, etc.), directors or managers may be fined up to CHF 250,000.
  • Company liability: if identifying the offender within the company represents a disproportionate effort, the fine may be passed on to the company, up to a maximum of CHF 50,000.
  • Administrative measures: the Federal Data Protection and Information Commissioner (FDPIC) may impose measures such as prohibiting processing, requiring deletion or suspending activities.
  • Civil remedies: those affected can take action to obtain compensation for moral or financial loss.

Deleting personal data: framing the project in accordance with Swiss law

Before moving on to automating processes, the first step is to establish a methodical working framework. Qim info was asked to:

  • map applications processing personal data,
  • prioritise perimeters according to their level of criticality,
  • analyse the impact of definitive deletion versus irreversible anonymisation,
  • design robust workflows validated by the legal department,
  • inform and involve application owners in the new legal framework,
  • carry out an initial manual purge under real-life conditions.

nFADP compliance: 5 steps to structuring data deletion

To meet the requirements of the nFADP, Qim info mobilised a Data specialist to structure its intervention in five successive stages, from impact analysis to execution of the first purge cycle. This methodical approach, deployed in just 14 days, builds a reliable, compliant and reproducible process, in line with Swiss legal obligations.

1. Analysis of the deletion method: Qim info begins with a precise assessment of the potential impact of definitive data deletion, comparing it with irreversible anonymisation. This step highlights the dependencies between applications and guides technical choices without compromising security.

2. Extraction of personal data: Qim info's consultant assists the bank in identifying and extracting the personal data of employees, customers and prospects eligible for deletion. This phase initiates the construction of the first processing flows, based on real, usable data.

3. Mapping the applications concerned: from among the hundreds of applications listed in the activity logs, Qim info prioritises the areas to be dealt with on the basis of their business criticality and the regulatory issues at stake. Each application is rigorously classified.

4. Design of deletion workflows: robust processing workflows are designed in collaboration with application owners. These include validation of records by stakeholders and the legal department, ensuring documented compliance at every stage.

5. Purge governance and first test deletion: the last phase is based on two key actions: putting in place the controls associated with the process (purge log, error reports) and carrying out a first manual deletion on a restricted perimeter. This stage validates the correct operation of the data flows and makes data governance part of the organisation’s practices.

Personal data governance: the foundation for long-term compliance

By structuring this bank’s personal data deletion flows, Qim info is playing a central role in ensuring its compliance with the nFADP. Thanks to its expertise in data governance and a methodical approach, the Swiss IT services company (ESN) is meeting the most stringent regulatory requirements while ensuring the controlled management of sensitive data.

At the end of the assignment, the organisation benefits from:

  • a complete mapping of applications handling personal data,
  • clear prioritisation of critical areas,
  • a documented deletion process, and
  • teams trained in its deployment.

The success of an initial test purge provides a lasting foundation for good governance and compliance practices.

Data deletion: the Qim info Data & Innovation department guides you towards nFADP compliance

Are you a bank, insurance company or a business exposed to data compliance obligations? Qim info’s Data & Innovation department can help you set up reliable processes for the deletion, governance and documentation of personal data. With offices in Geneva, Lausanne, Zurich, Basel and Annecy, our ESN draws on local expertise to bring your organisation into line with the requirements of the nFADP, while ensuring the control and security of your sensitive data flows. As a true IT partner, our team mobilises its know-how to build sustainable compliance.

Contact us to talk to our experts.