How do you reliably and correctly delete the sensitive data of thousands of customers, employees and prospective customers every year? This is the challenge a Swiss bank faced under the requirements of the new Federal Act on Data Protection (nFADP). To make a success of this regulatory and operational transformation, it called on Qim info. Find out how a Data specialist deployed a solution for managing sensitive data in compliance with the new Swiss legislation in just two weeks.
nFADP compliance: Swiss legal obligations on the deletion of personal data
From September 2023, the new Federal Act on Data Protection (nFADP) requires all Swiss companies to review their personal data management. The right to be forgotten, compliance with retention periods, and the obligation to carry out deletion securely and to document it are all legal requirements. For this Swiss bank, this means identifying all the personal data of customers, employees and prospects stored in hundreds of applications, and organising its deletion according to a precise annual schedule.
nFADP: risks of non-compliance and possible sanctions
Since the entry into force of the new Federal Act on Data Protection (nFADP), Swiss companies have had to demonstrate rigorous management of personal data. Failure to do so can have serious consequences, both in legal and reputational terms:
- Compliance obligations: each company must be able to identify the data processed, respect a retention schedule, guarantee secure deletion and document each operation (purge log, error reports, etc.).
- Criminal penalties: in the event of intentional breaches (lack of information, illegal transfers, failure to cooperate with the FDPIC, etc.), directors or managers may be fined up to CHF 250,000.
- Company liability: if identifying the offender within the company represents a disproportionate effort, the fine may be passed on to the company, up to a maximum of CHF 50,000.
- Administrative measures: the Federal Data Protection and Information Commissioner (FDPIC) may impose measures such as prohibiting processing, requiring deletion or suspending activities.
- Civil remedies: those affected can take action to obtain compensation for moral or financial loss.
Deleting personal data: framing the project in accordance with Swiss law
Before moving on to automating processes, the first step is to establish a methodical working framework. Qim info was asked to:
- map applications processing personal data,
- prioritise perimeters according to their level of criticality,
- analyse the impact of definitive deletion versus irreversible anonymisation,
- design robust workflows validated by the legal department,
- inform and involve application owners in the new legal framework,
- carry out an initial manual purge under real-life conditions.
nFADP compliance: 5 steps to structuring data deletion
To meet the requirements of the nFADP, Qim info mobilised a Data specialist to structure its intervention in five successive stages, from impact analysis to execution of the first purge cycle. This methodical approach, deployed in just 14 days, builds a reliable, compliant and reproducible process, in line with Swiss legal obligations.
1. Analysis of the deletion method: Qim info begins with a precise assessment of the potential impact of permanently deleting data, compared with irreversible anonymisation. This step highlights the dependencies between applications and guides technical choices in complete security.
2. Extraction of personal data: the Qim info consultant assists the bank in identifying and extracting the personal data of employees, customers and prospects eligible for deletion. This phase initiates the construction of the first processing flows, based on data that can actually be used.
3. Mapping the applications concerned: from among the hundreds of applications listed in the activity logs, Qim info prioritises the areas to be dealt with on the basis of their business criticality and the regulatory issues at stake. Each application is rigorously classified.
4. Design of deletion workflows: robust processing workflows are designed in collaboration with application owners. These include validation of records by stakeholders and the legal department, ensuring documented compliance at every stage.
5. Purge governance and first test purge: the last phase is based on two key actions: putting in place the controls associated with the process (purge log, error reports) and carrying out a first manual purge on a restricted perimeter. This stage validates the correct operation of the data flows and makes data governance part of the organisation’s practices.
Personal data governance: the foundation for long-term compliance
By structuring this bank’s personal data deletion flows, Qim info is playing a central role in ensuring its compliance with the nFADP. Thanks to its expertise in data governance and a methodical approach, the Swiss IT services company is meeting the most stringent regulatory requirements while ensuring the controlled management of sensitive data.
At the end of the assignment, the organisation benefits from:
- a complete mapping of applications handling personal data,
- clear prioritisation of critical areas,
- a documented deletion process, and
- teams trained in its deployment.
The success of an initial test purge provides a lasting foundation for good governance and compliance practices.
Data deletion: the Qim info Data & Innovation department guides you towards nFADP compliance
Are you a bank, insurance company, or business subject to data compliance obligations? Qim info’s Data & Innovation department supports you in implementing reliable processes for the deletion, governance, and documentation of personal data. With offices in Geneva, Lausanne, Zurich, Basel, and Annecy, our IT services company leverages local expertise to align your organisation with the requirements of the revised Swiss Federal Act on Data Protection (nFADP), while ensuring control and security over your sensitive data flows. As a true IT partner, our team applies its know-how to build lasting compliance.
Contact us to speak with our experts.