
Although many pension funds have implemented initial measures, key obligations remain incomplete in some cases: records of processing activities that separate processing under the mandatory BVG scheme from processing under the non-mandatory scheme, processing regulations, data protection impact assessments and clearly assigned responsibilities. The EDÖB is stepping up its supervision in view of new risks. Read here to find out what needs to be done and how you can ensure legal compliance.

Introduction

With the revised Data Protection Act (DSG) coming into force on 1 September 2023, the regulatory environment for Swiss pension funds has become significantly stricter in terms of data protection. First, it must be clarified which data protection regime a pension fund and its service company are subject to. Compliance measures must then be taken to implement the requirements appropriately.

Applicable provisions

The following legal provisions are particularly relevant to pension funds in terms of data protection law:

  • Federal Law on Occupational Retirement, Survivors’ and Disability Pension Plans (BVG; SR 831.40): Contains specific provisions on data processing by pension funds, in particular Art. 85a BVG (‘Protection of personal rights in data processing’). This provision obliges pension funds to observe the principles of proportionality, purpose limitation and transparency. The provisions of the BVG take precedence over data protection provisions as lex specialis.
  • Ordinance on Occupational Old Age, Survivors’ and Disability Pension Plans (BVV 2; SR 831.441.1): Specifies data processing in connection with actuarial tasks (see Art. 96a BVV 2 on the processing of health data).
  • Federal Act on the General Part of Social Insurance Law (ATSG; SR 830.1): The ATSG does not apply to occupational pension provision across the board but only where the BVG expressly refers to it (Art. 2 ATSG). Several of its provisions, e.g. on electronic data exchange (Art. 76a ATSG) and access to files (Art. 47 ATSG), are nevertheless relevant reference points for pension fund data protection issues.
  • Federal Act on Freedom of Movement in Occupational Old Age, Survivors’ and Disability Pension Provision (FZG; SR 831.42): Regulates entitlements and procedures when leaving a pension fund, in particular the transfer of vested benefits to a new institution. Master data, vested benefits, technical interest rate, insurance period and date of birth may be processed.
  • Federal Law on Accident Insurance (UVG; SR 832.20): Applies when pension funds have to coordinate benefits with accident insurers, in particular in the case of supplementary insurance or parallel pension payments. Art. 97 UVG permits the processing and exchange of health data, information on the circumstances of the accident and benefit decisions between the insurance providers involved.
  • Federal Law on Disability Insurance (IVG; SR 831.20): This is particularly relevant when assessing a degree of disability or coordinating pension entitlements. According to Art. 66a f. IVG, pension funds may inspect IV decisions, medical reports and information on the ability to work in order to properly assess their own benefit obligations.
  • Data Protection Act (DSG; SR 235.1): The DSG applies in principle to all processing of personal data by private persons and federal bodies in Switzerland. Among other things, it regulates the principles of lawful data processing (Art. 6 DSG), the information obligations (Art. 19 DSG), the right of access (Art. 25 DSG), data protection impact assessments (Art. 22 DSG) and the obligation to report data security breaches (Art. 24 DSG).
  • Data Protection Ordinance (DSV; SR 235.11): Supplements the DSG with detailed implementing provisions, for example on the design of processing records, the form of information provision and risk assessment.
  • Code of Obligations (OR; SR 220), Art. 328b OR: Employers – and thus also pension funds in relation to their own employees – may only process data concerning employees to the extent that it relates to their suitability for the job or is necessary for the performance of the employment contract. This provision is the data protection rule of employment law and applies to personnel-related processing within the pension fund.
  • Civil Code (ZGB; SR 210), Art. 28 ff.: These provisions comprehensively protect the privacy of the persons concerned. The processing of personal data may fall under Art. 28 ZGB if it violates the right to privacy or personal integrity. In the event of a dispute, claims for injunctive relief, removal or damages may be asserted.
Law | Relevant articles | Typical situation for pension funds | Permissible data
--- | --- | --- | ---
BVG | Art. 85a–85e BVG | Complete implementation of occupational pension provision: entry, departure, claims, lump-sum payments, coordination | Master data, salary, contribution data, insurance periods, health data, marital status, descendants
UVG | Art. 97 UVG | Coordination of accident benefits, supplementary insurance, parallel pensions | Health data, accident circumstances, benefit decisions
IVG | Art. 66a–66b IVG | Disability assessments, pension entitlements, integration measures | Expert opinions, IV decisions, capacity for work
KVG | Art. 84–84a KVG | Daily allowance coordination, sickness-related disability | Diagnoses, periods of incapacity for work, medical correspondence
AHVG | Art. 50c–50e AHVG | Old-age pension comparison, survivors' benefits | Pension amounts, insurance numbers, family situation
FZG | Art. 8, 22c, 22d, 22f, 24d, 24fbis FZG | Withdrawal, transfer of vested benefits, change of fund | Vested benefits, technical interest rate, date of birth, duration of insurance

Federal body or private controller?

For mandatory pension schemes, Art. 2 para. 1 lit. b DSG is decisive: federal bodies, i.e. authorities and services of the Confederation as well as persons entrusted with federal public tasks (Art. 5 lit. i DSG), are subject to the special provisions of the DSG for federal bodies.

In contrast, non-mandatory pension schemes are considered private controllers within the meaning of Art. 5 lit. j DSG, which is why the general provisions for private individuals in the DSG and the DSV apply to them (Art. 40 DSG).

Where a pension fund foundation has delegated management and operational activities to a service company that handles everything, the contract is concluded with the service company, not with individual employees. The service company, acting through its employees, then usually decides alone on the purpose and means of processing personal data, i.e. which data is processed and in what manner, and acts on its own responsibility. It thereby becomes the controller within the meaning of Art. 5 lit. j DSG and is directly responsible for most obligations under the DSG. It may equally be the case that the service agreement keeps that decision-making power with the pension fund foundation, so that the service company acts only on its instructions and remains a processor within the meaning of Art. 9 DSG. The roles should be fixed clearly in the contract, because they determine who must keep the record of processing activities, who reports data security breaches and who answers requests for access.

Key data protection obligations

Depending on whether they operate in the mandatory or non-mandatory sector, pension funds are subject to public or private data protection law. This has a direct impact on the scope and nature of their data protection obligations.

Obligations for all pension funds (in the mandatory and non-mandatory areas):

  • Compliance with the basic data protection principles (Art. 6 DSG): The principles of Art. 6 DSG, in particular lawfulness, proportionality, purpose limitation, transparency, accuracy and data security, bind both the pension fund and its commissioned service company whenever personal data is processed. Who carries the obligation depends on the role. If the service company acts as controller, it must implement the principles itself: every processing operation needs a clear, legally permissible purpose, no more data may be processed than that purpose requires, and appropriate technical and organisational measures must protect the data. If the service company acts as processor, responsibility stays with the pension fund, which must bind the service company contractually to the principles and monitor compliance. In both cases the principles must be effectively implemented in daily processing practice, not merely documented.
  • Record of processing activities (Art. 12 DSG; exceptions in Art. 24 DSV): Keeping a record of processing activities is mandatory. It must state the identity of the controller, the purposes of processing, the categories of data subjects and of personal data, the categories of recipients, the retention period or the criteria for determining it, where possible the measures taken to ensure data security under Art. 8 DSG and, where personal data is disclosed abroad, the country and the guarantees provided under Art. 16 para. 2 DSG. The exemption for small undertakings does not help pension funds: it falls away where sensitive personal data such as health data is processed on a large scale (Art. 24 lit. a DSV), which is regularly the case, and it never applies to federal bodies. ASIP provides a sample record of processing activities.
  • Privacy by design and by default (Art. 7 DSG): Pension funds must build data protection into the planning and design of IT systems and business processes, and default settings must limit processing to what the purpose requires. This applies in particular to digitised service processes, internal management systems and external platforms. In practice, subjecting each new processing procedure to a data protection impact assessment (next point) is the most reliable way to surface the risks and mitigation measures that privacy by design calls for.
  • Data protection impact assessment (DPIA; Art. 22 DSG in conjunction with Art. 14 DSV): Where a processing operation may entail a high risk to the personality or fundamental rights of data subjects, e.g. large-scale processing of health data, profiling, or the use of new technologies, a structured risk analysis must be carried out before processing starts. The DPIA must be retained for at least two years after the processing ends (Art. 14 DSV).
  • Reporting of data security breaches (Art. 24 DSG): A breach of data security that is likely to result in a high risk to the personality or fundamental rights of data subjects must be reported to the EDÖB as soon as possible; the data subjects themselves must also be informed where this is necessary for their protection or the EDÖB requests it. Document every incident and assess its risk before deciding whether the threshold is reached. The pension fund must define the reporting process in advance and test it, and must bind its processors contractually to notify it of breaches as soon as possible (Art. 24 para. 3 DSG). Reports to the EDÖB can be submitted via its online reporting form.
  • Information obligations (Art. 19 DSG and Art. 86b BVG): Data subjects must be informed, at the latest when their data is collected, about the identity and contact details of the controller, the purpose of the processing, the recipients or categories of recipients and, where applicable, the country to which data is disclosed; the information must be clear, understandable and timely, and the minimum content per processing operation must be observed. In addition, Art. 86b BVG imposes specific duties to inform insured persons, some of which concern their own personal data (benefit entitlements, coordinated salary and retirement assets).
  • Contracts with processors (Art. 9 DSG in conjunction with Art. 7 DSV): Pension funds must conclude data protection-compliant agreements with their processors. These must in particular cover binding instructions, the controller's prior authorisation of sub-processors, security requirements and the return or deletion of data at the end of the engagement. A sample processing agreement is available from us for a fee.
  • Appointment of a data protection advisor (Art. 10 para. 1 DSG): In the purely non-mandatory area, appointing a data protection advisor is optional. A pension fund without one must, however, consult the EDÖB whenever a data protection impact assessment leaves a high residual risk (Art. 23 DSG); a fund with an independent advisor may consult the advisor instead (Art. 23 para. 4 DSG). See below for the mandatory area.

Extended obligations for federal bodies (in the mandatory area):

  • Existence of a legal basis (Art. 34 DSG): Federal bodies may only process personal data if there is a legal basis for doing so. For pension funds, Art. 85a BVG (protection of personal rights in data processing) provides that basis: personal data may be processed only where necessary to fulfil the statutory tasks of occupational pension provision, and sensitive personal data and personality profiles only where indispensable for those tasks. This restates the principles of purpose limitation, proportionality, transparency and necessity. Under Art. 34 para. 2 DSG, a basis in a formal law is always required where sensitive personal data is processed, where profiling is carried out, or where the purpose or nature of the processing may seriously interfere with the fundamental rights of the data subject. By way of exception, a basis in substantive law suffices for profiling or for sensitive personal data where the processing is indispensable for a task defined in a formal law and its purpose entails no particular risks for the data subject's fundamental rights (Art. 34 para. 3 DSG). Irrespective of these requirements, a federal body may process personal data where the data subject has expressly consented in the individual case or has made the data generally accessible without expressly prohibiting processing, where processing is necessary to protect the life or physical integrity of the data subject or a third party and consent cannot be obtained in time, or where the Federal Council has authorised the processing because the rights of the data subject are not jeopardised (Art. 34 para. 4 DSG). A legal basis analysis must therefore be carried out before any new processing begins (see the EDÖB information sheet on planning and justifying online access to personal data); depending on the circumstances, a data protection impact assessment may also be required.
  • Creation of processing regulations (Art. 6 DSV): If a pension fund that is a federal body, or a processor commissioned by it, carries out automated processing of personal data, it must draw up processing regulations if one of the following conditions is met:
  • sensitive personal data is processed,
  • profiling is carried out,
  • the processing falls under Art. 34 para. 2 lit. c DSG (its purpose or nature may seriously interfere with the fundamental rights of the data subject),
  • cantons, foreign authorities, international organisations or private persons are given access to the personal data,
  • data files are linked, or
  • an information system is operated or a data file managed jointly with other federal bodies.

The processing regulations must contain, in particular, information on the internal organisation, the data processing and control procedures, and the technical and organisational measures taken to ensure data security.

The regulations must be updated regularly and made available to the responsible data protection advisor. The EDÖB provides a basic framework for processing regulations of federal bodies.

  • Appointment of a data protection advisor (Art. 10 DSG in conjunction with Art. 25 ff. DSV): The federal body must appoint an independent, professionally qualified data protection advisor as the contact point for internal advice and for coordination with the EDÖB (Art. 28 DSV). The advisor (1) contributes to the application of data protection regulations, in particular by reviewing the processing of personal data, recommending corrective measures where a breach is identified, advising the controller on preparing data protection impact assessments and reviewing their implementation; (2) serves as the point of contact for data subjects; and (3) trains and advises the employees of the federal body on data protection issues. Given the limited human resources of many pension funds, the role is often outsourced to external consultants (we are available as external data protection advisors). Such outsourcing is permissible but must be secured by contractual provisions that satisfy data protection law. The data protection advisor must be reported to the EDÖB via its reporting portal. The pension fund must grant the advisor access to information, processing records and personal data and must notify them of any data security breaches (Art. 27 DSV).
  • Consent for profiling (Art. 6 para. 7 lit. c DSG): Where a federal body relies on consent for profiling, that consent must be express. Since the BVG provides no legal basis for profiling, a pension fund in the mandatory area may profile insured persons only with their express consent.
  • Reporting obligations and consultations:
    • Reporting of processing activities to the EDÖB: Federal bodies must report their records of processing activities to the EDÖB (Art. 12 para. 4 DSG), which provides the DataReg portal for this purpose.
    • Consultation in the event of high-risk processing (Art. 23 DSG): It is mandatory to notify the EDÖB before commencing the processing of personal data if a high risk remains after a data protection impact assessment and appropriate mitigation measures have been taken.
    • Notification of projects for the automated processing of personal data (Art. 31 DSV): Federal bodies must notify the EDÖB of any planned automated processing of personal data when the decision to develop or approve the project is taken. The notification must contain the information specified in Art. 12 para. 2 lit. a–d DSG and the expected start date of the processing. The EDÖB enters the notification in the register of processing activities, and the responsible federal body updates it when the project goes into productive operation or is discontinued.
  • Labelling requirement for automated individual decisions (Art. 21 para. 4 DSG): If an individual decision is made automatically by a federal body, it must be labelled accordingly (Art. 21 para. 4 DSG). This must be observed, for example, in the case of decisions generated by artificial intelligence.
  • Disclosure of personal data abroad (Art. 16 DSG and Art. 8 ff. DSV): Disclosure abroad is permissible in compliance with Art. 16 DSG and Art. 8 ff. DSV. Federal bodies may also provide specific guarantees to ensure appropriate data protection, which they must communicate to the EDÖB in advance.
  • Disclosure to third parties and restrictions (Art. 36 DSG in conjunction with Art. 86a BVG): A federal body may disclose personal data only on a legal basis, in the individual cases listed in Art. 36 para. 2 DSG, or, where a legal basis provides for it, by means of automated information and communication services (Art. 36 para. 5 DSG). The special rule of Art. 86a BVG permits disclosure to the bodies listed there in written and justified individual cases, provided no overriding private interest stands against it. Disclosure under the Freedom of Information Act or on grounds of an overriding public interest is likely to be rare for pension funds. Data subjects may object to the disclosure of their data (Art. 37 DSG).
  • Additional information requirements (Art. 29 and 30 DSV): There is an additional information requirement when disclosing data to third parties (Art. 29 DSV), namely regarding how up to date, reliable and complete the personal data being disclosed is. In the case of systematic collection of personal data, the data subject must be informed unless the data controller is obliged to provide information (Art. 30 DSV).
  • Logging (Art. 4 DSV): A federal body and its processor must log, at a minimum, the storage, modification, reading, disclosure, deletion and destruction of personal data for every automated processing operation (Art. 4 para. 2 DSV). This differs from private controllers, for whom the logging obligation is triggered only by large-scale automated processing of sensitive personal data or high-risk profiling where preventive measures cannot guarantee data protection (Art. 4 para. 1 DSV); a pension fund in the non-mandatory area falls under para. 1 and will regularly meet that threshold through its health data. The log entries must record the identity of the person who carried out the processing, the nature, date and time of the processing and, where applicable, the identity of the recipient of the data. They must be kept for at least one year, separately from the system in which the personal data is processed, and may be accessed only by the bodies and persons responsible for monitoring the application of data protection regulations or for maintaining or restoring the confidentiality, integrity, availability and traceability of the data, and only for those purposes. In practice this means an append-only audit log on separate infrastructure with its own, tighter access control, not a debug log on the application server.
  • Special storage, archiving and deletion obligations (Art. 38 DSG and Art. 15 DSV): Under Art. 41 para. 8 BVG in conjunction with Art. 27j BVV 2, pension documents must be retained: where benefits are paid, for ten years after the obligation to pay benefits ends; where no benefits are paid because the insured person has not asserted any claim, until the insured person reaches, or would have reached, the age of 100; and where a termination benefit is transferred, for ten years after its transfer to the new pension fund or to an institution maintaining vested benefits accounts or policies. In the event of the liquidation of a pension institution, the liquidators are responsible for ensuring that the documents are retained correctly (Art. 27k BVV 2). Once the retention period has expired, the general principle applies that personal data must be deleted or anonymised as soon as it is no longer required for the purpose of the processing. Under the Archiving Act of 26 June 1998, pension funds in the mandatory scheme must offer the Federal Archives all personal data they no longer need on an ongoing basis; data the Federal Archives deems unsuitable for archiving must then be destroyed, unless it is anonymised or must be retained for evidence or security purposes or to protect the legitimate interests of the data subject.
  • Data processing for research, planning and statistics (Art. 39 DSG): Federal bodies may also use personal data for purposes not related to specific persons, such as research, planning and statistics, provided the data is anonymised as soon as the purpose permits, is not passed on by third parties to whom it is disclosed, and results are published only in a form that does not allow the data subjects to be identified.
  • Claims and proceedings of data subjects against federal bodies (Art. 41 DSG): The claims available against federal bodies correspond in substance to those against private controllers under Art. 25 ff. DSG. What differs is the procedure, which follows the Administrative Procedure Act (VwVG), and the special procedure under Art. 42 DSG where personal data is contained in an official document whose disclosure is at issue.
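The logging requirements of Art. 4 DSV described above (six logged operations, actor identity, nature and time of the operation, recipient on disclosure, separate storage for at least one year, restricted access) translate directly into an audit-log design. The following is an added example, not code from the original article or from any pension fund software: a hash-chained, append-only log whose entries carry exactly the fields Art. 4 DSV names. The SHA-256 chain, the "sink on a separate system" abstraction and the 365-day approximation of "one year" are design choices assumed here, not requirements of the ordinance; the sample entries are constructed.

```python
"""Append-only, hash-chained audit log with the minimum content of Art. 4 DSV (constructed example)."""
import hashlib
import io
import json
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Iterable, Optional

GENESIS = "0" * 64           # predecessor hash of the first entry
MIN_RETENTION = timedelta(days=365)   # assumption: "at least one year" approximated as 365 days


class Op(str, Enum):
    """The six operations Art. 4 para. 2 DSV requires to be logged."""
    STORE = "store"
    MODIFY = "modify"
    READ = "read"
    DISCLOSE = "disclose"
    DELETE = "delete"
    DESTROY = "destroy"


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    """Writes one JSON line per operation to a write-only sink owned by a separate system."""

    def __init__(self, sink: io.TextIOBase) -> None:
        self._sink = sink
        self._prev = GENESIS

    def record(self, actor: str, op: Op, record_ref: str, *,
               recipient: Optional[str] = None, when: Optional[datetime] = None) -> str:
        """Append an entry and return its hash. Disclosures must name the recipient."""
        if op is Op.DISCLOSE and not recipient:
            raise ValueError("disclosure entries must name the recipient")
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        entry = {
            "actor": actor,                 # identity of the person who carried out the processing
            "op": op.value,                 # nature of the processing
            "record": record_ref,           # which personal data was touched
            "ts": when.isoformat(timespec="seconds"),   # date and time
            "recipient": recipient,         # identity of the recipient, where applicable
            "prev": self._prev,             # link to the previous entry
        }
        entry["hash"] = _digest(entry)
        self._sink.write(json.dumps(entry, sort_keys=True) + "\n")
        self._prev = entry["hash"]
        return entry["hash"]


def verify_chain(lines: Iterable[str]) -> int:
    """Return -1 if every entry hashes correctly and links to its predecessor, else the index of the first bad entry."""
    prev = GENESIS
    for i, line in enumerate(l for l in lines if l.strip()):
        entry = json.loads(line)
        if entry.get("prev") != prev or _digest(entry) != entry.get("hash"):
            return i
        prev = entry["hash"]
    return -1


def disposable(line: str, now: datetime) -> bool:
    """True once an entry has been kept for the one-year minimum; only then may it be purged."""
    ts = datetime.fromisoformat(json.loads(line)["ts"])
    return now - ts >= MIN_RETENTION


def demo() -> dict:
    """Constructed walk-through: three entries, an intact check, then detection of a forged actor."""
    sink = io.StringIO()          # stands in for a file on the separate log system
    log = AuditLog(sink)
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("u.muster", Op.READ, "insured/4711", when=t0)
    log.record("u.muster", Op.MODIFY, "insured/4711", when=t0 + timedelta(minutes=5))
    log.record("batch-fzg", Op.DISCLOSE, "insured/4711", recipient="new-pension-fund",
               when=t0 + timedelta(days=1))
    lines = sink.getvalue().splitlines()
    tampered = list(lines)
    tampered[1] = tampered[1].replace('"u.muster"', '"someone.else"')   # rewrite who did entry 2
    return {
        "entries": len(lines),
        "intact": verify_chain(lines),            # -1: chain is sound
        "tampered_at": verify_chain(tampered),    # 1: the rewritten entry no longer matches its hash
        "disposable_after_a_year": disposable(lines[0], t0 + timedelta(days=366)),
        "disposable_now": disposable(lines[0], t0 + timedelta(days=30)),
    }


if __name__ == "__main__":
    print(demo())
```

The chain does not prevent a privileged attacker from truncating the log; it makes in-place edits and gaps detectable, which is what the traceability requirement needs. Anchoring the latest hash periodically in a second store (or a signed timestamp) closes the truncation case, and the sink should be a host or bucket the processing system can only append to.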
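The three retention cases of Art. 27j BVV 2 and the different disposal step for mandatory and non-mandatory funds, as set out above, are easy to get wrong when they are left to manual review. The following is an added example, not code from the original article or from any pension fund system: the retention rule as code, with the edge cases a practitioner hits (a benefit obligation that is still running, a 29 February end date, and the archiving step that applies only to federal bodies). The sample files are constructed, the single-case-per-file model is a simplification assumed here, and the case names are mine, not the ordinance's.

```python
"""Retention end dates under Art. 41 para. 8 BVG / Art. 27j BVV 2 as policy-as-code (constructed example)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class RetentionCase(Enum):
    """The three situations Art. 27j BVV 2 distinguishes (names assumed here)."""
    BENEFITS_PAID = "benefits were paid"
    NO_CLAIM_ASSERTED = "no benefits paid because no claim was asserted"
    TERMINATION_BENEFIT_TRANSFERRED = "termination benefit transferred to a new institution"


@dataclass(frozen=True)
class PensionFile:
    case: RetentionCase
    date_of_birth: date
    mandatory_scheme: bool                            # True: fund acts as federal body, Archiving Act applies
    benefit_obligation_ended: Optional[date] = None   # last day of the benefit obligation (BENEFITS_PAID)
    transferred_on: Optional[date] = None             # date of the FZG transfer (TERMINATION_BENEFIT_TRANSFERRED)


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February falls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(f: PensionFile) -> date:
    """First day on which the file may leave retention (inclusive)."""
    if f.case is RetentionCase.BENEFITS_PAID:
        if f.benefit_obligation_ended is None:
            raise ValueError("benefit obligation still running: the ten-year period has not started")
        return add_years(f.benefit_obligation_ended, 10)
    if f.case is RetentionCase.NO_CLAIM_ASSERTED:
        return add_years(f.date_of_birth, 100)    # until the person reaches, or would have reached, 100
    if f.transferred_on is None:
        raise ValueError("transfer date required for a transferred termination benefit")
    return add_years(f.transferred_on, 10)


RETAIN = "retain"
ARCHIVE_THEN_DISPOSE = "offer to the Federal Archives, then destroy or anonymise what is not archived"
DISPOSE = "delete or anonymise"


def next_step(f: PensionFile, today: date) -> str:
    """What the fund should do with the file on `today`."""
    if today < retention_end(f):
        return RETAIN
    # Mandatory scheme: Art. 38 DSG / Archiving Act come first; otherwise Art. 6 para. 4 DSG applies directly.
    return ARCHIVE_THEN_DISPOSE if f.mandatory_scheme else DISPOSE


# Constructed sample files (not real insured persons).
SAMPLE_FILES = {
    "paid": PensionFile(RetentionCase.BENEFITS_PAID, date(1950, 1, 1), True,
                        benefit_obligation_ended=date(2020, 2, 29)),
    "no_claim": PensionFile(RetentionCase.NO_CLAIM_ASSERTED, date(1930, 5, 17), True),
    "transferred": PensionFile(RetentionCase.TERMINATION_BENEFIT_TRANSFERRED, date(1980, 1, 1), False,
                               transferred_on=date(2015, 6, 30)),
    "still_running": PensionFile(RetentionCase.BENEFITS_PAID, date(1955, 3, 3), True),
}


def review(today: date) -> dict:
    """Decide every sample file for `today`; a file whose period has not started is always retained."""
    out = {}
    for name, f in SAMPLE_FILES.items():
        try:
            out[name] = next_step(f, today)
        except ValueError as exc:
            out[name] = f"retain ({exc})"
    return out


if __name__ == "__main__":
    for name, f in SAMPLE_FILES.items():
        try:
            print(name, retention_end(f).isoformat())
        except ValueError as exc:
            print(name, "n/a:", exc)
    print(review(date(2026, 1, 1)))
```

Running this as a scheduled job against the case management system gives the data protection advisor a deletion queue to approve rather than a judgement call per file; the "retain" result on a missing end date is deliberate, so that an incomplete record never triggers deletion.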

Relief and voluntary measures

  • Restrictions on information obligations (Art. 20 DSG): For federal bodies, Art. 20 para. 3 lit. d DSG allows information to be restricted, deferred or withheld, insofar as the special provisions of the BVG do not apply, where providing it would jeopardise an investigation, inquiry or official or judicial proceedings. This may be relevant to pension funds, for example, while suspected benefit abuse is being investigated.
  • Penal provisions: Federal bodies are not subject to the criminal sanctions of Art. 60 ff. DSG, which address private persons; instead they are subject to supervision by the EDÖB, who has powers of investigation and may order binding administrative measures.
  • Codes of conduct (Art. 11 DSG): Federal bodies may submit codes of conduct to the EDÖB themselves (Art. 11 para. 1 DSG); this need not be done by an association of pension institutions on their behalf.

Conclusion and recommended action

In practice, this means that a data protection management system, i.e. data protection governance, is essential. For each processing operation it must be determined whether it falls within the mandatory or the non-mandatory area, because that decides whether the additional obligations for federal bodies apply. Limited internal resources can be covered by external support.
