Recent developments in Swiss and EU data protection rules
Four rulings published in recent months have provided important clarifications and confirmations for Swiss data controllers subject to Swiss and EU data protection rules.
Published: 1 October 2025
Authors: Philipp Fischer (Partner), Claire Tistounet (Associate), Marine Largant (Associate), Arthur Idiart (Trainee Lawyer)
Expertise: Banking and Finance; Data Protection and Privacy
In short:
- The Swiss Data Protection Authority held that a bank did not comply with Swiss data protection rules because it failed to respond in a timely manner to data subject access requests and did not provide the actual personal data (Cembra decision, Switzerland).
- The Swiss Data Protection Authority held that the use of voiceprints for client authentication constitutes a processing of sensitive data that requires explicit consent, which had not been obtained in the case at hand (PostFinance decision, Switzerland / decision being appealed).
- The General Court of the European Union upheld the EU-US Data Privacy Framework and therefore provided, for now, some legal certainty for transatlantic transfers of personal data (Latombe decision, EU / decision could be appealed).
- The Court of Justice of the European Union held that pseudonymised data which cannot be re-identified by the recipient does not constitute "personal data" for that recipient, which de facto amounts to a recognition of the "relative approach" (Banco Popular decision, EU).
1. Cembra decision on data subject access requests (January 29, 2025)
Within three months, two complaints were lodged against Cembra Money Bank ("Cembra") with the Swiss Federal Data Protection and Information Commissioner (the "Swiss DPA") regarding failures to respond appropriately to data subject access requests ("DSAR").
The first case concerned Cembra's late response beyond the statutory 30-day deadline prescribed by Article 25(7) of the Swiss Federal Act on Data Protection ("FADP"). Cembra attributed the delay to staffing shortages, but failed to notify the data subject and extend the deadline as permitted by Article 18(2) of the Federal Ordinance on Data Protection ("FODP").
The Swiss DPA issued a formal reminder, clarifying that the 30-day deadline is binding.
The second complaint related to a credit card application. Despite repeated DSARs, Cembra provided only general references to legal grounds and categories of data, without disclosing the actual personal data processed.
Practical takeaways:
- Deadlines: DSARs must be answered within 30 days. If not possible, the controller must inform the requesting data subject and set a new deadline. Failing to do so constitutes a breach of the FADP and may trigger an intervention of the Swiss DPA.
- Specificity of the response: In response to a DSAR, controllers must disclose the specific personal data processed, not only generic categories or extracts of the privacy policy. This is especially important where the DSAR relates to a denied service, such as the refusal of a credit card application, in order to allow the data subject to assess the accuracy, request corrections and understand how the decision was reached.
- Extent of disclosure: The Cembra decision supports the position that controllers must provide the personal data itself but not necessarily the underlying documents.
- Risk of prosecution: If a controller intentionally fails to comply with its obligations to handle and respond to DSARs in accordance with the FADP, this may constitute a criminal offence. In such cases, the responsible decision-makers can be held personally liable and fined up to CHF 250,000. The Cembra decision emphasizes that controllers should implement clear internal processes to ensure DSARs are received, reviewed, and processed in line with legal requirements in order to mitigate this risk.
2. PostFinance decision on voice recognition (May 16, 2025)
The Swiss DPA investigated PostFinance's use of voice recognition as a means of authentication. During a certain period of time, PostFinance had created and stored voiceprints of clients to verify identity. PostFinance had done so without obtaining explicit consent. The Swiss DPA concluded the practice was disproportionate and ordered PostFinance to delete all existing voiceprints and to seek explicit consent before using biometric authentication in the future.
The Swiss DPA highlighted that voiceprints are biometric data under the FADP, thus constituting sensitive personal data since they uniquely identify individuals. Unlike passwords, voices cannot be changed if compromised. According to the Swiss DPA, reliance on an opt-out mechanism does not satisfy the legal standards required for an explicit consent to serve as justification for a prima facie disproportionate processing of sensitive personal data under the FADP.
Important: PostFinance has appealed to the Federal Administrative Court, which will now further examine the lawfulness of biometric voice authentication without explicit consent.
Practical takeaways:
Even though this decision is being appealed, it nevertheless provides important insight into the positions currently taken by the Swiss DPA:
- Express consent required for voiceprint: Biometric data, such as voiceprints, constitute sensitive personal data under the FADP. Their processing, when considered prima facie disproportionate (as was the case here), requires the explicit consent of the data subject if consent is the applicable justification ground for the processing.
- Opt-out mechanism does not suffice: If consent is the applicable justification ground for the processing of sensitive personal data (such as biometric data), controllers cannot rely on an opt-out mechanism. A proactive consent (opt-in) is mandatory to meet the legal conditions of explicit consent under Article 6(7)(a) FADP. Note that an opt-out approach continues to suffice if the processing of sensitive personal data is, other than in the case at hand, proportionate in the given circumstances.
3. Latombe decision on the EU-US Data Privacy Framework (Case T-553/23, Latombe v Commission, decision still subject to appeal)
On September 3, 2025, the General Court of the European Union (the "General Court") upheld the European Commission's adequacy decision for the EU-US Data Privacy Framework ("DPF"). The General Court confirmed that, as far as data recipients certified under the DPF are concerned, the US now provides an adequate level of protection from the perspective of the EU General Data Protection Regulation ("GDPR").
The DPF was adopted after its predecessors, the Safe Harbor and the Privacy Shield, were struck down in Schrems I (2015) and Schrems II (2020) due to insufficient safeguards against surveillance from US intelligence agencies. In the meantime, the US established the Data Protection Review Court (DPRC), tasked with reviewing intelligence activities involving individuals protected under the DPF. The DPRC is one of the key elements on which the DPF is based.
In this case, the plaintiff challenged the DPRC's independence and argued that bulk data collection by US intelligence agencies remained incompatible with the GDPR.
The General Court dismissed these arguments, finding that the DPRC is appropriately structured regarding appointment, dismissal and protection from executive interference. It also clarified that EU law does not require prior authorization for every instance of bulk collection, provided ex post judicial review is in place, which the DPRC ensures.
Important: The Latombe decision is subject to appeal before the European Court of Justice.
Practical takeaways:
- DPF confirmed (for now): The General Court upheld the DPF, confirming that EU personal data can be transferred to US-based data recipients certified under the DPF.
- Swiss angle: Switzerland and the US have adopted the Swiss-US Data Privacy Framework, which is almost identical to the DPF. Accordingly, this decision is a welcome development also for Swiss data controllers as the fate of the DPF and its Swiss equivalent are closely related.
- DPF remains at risk: At present, over 2,800 US companies are certified under the DPF. However, its long-term stability remains uncertain, as regulatory, judicial or political developments could undermine it. For instance, certain European privacy advocate groups (like NOYB) have already expressed their intention to continue challenging the DPF and several European data protection authorities have advised companies to prepare "exit strategies" from the DPF. Organizations relying on the DPF or its Swiss equivalent are therefore encouraged to adopt flexible approaches, establish fall-back mechanisms such as Standard Contractual Clauses (SCCs), and regularly reassess their data flows.
4. Banco Popular decision on pseudonymised data (C-413/23, European Data Protection Supervisor v. Single Resolution Board)
On September 4, 2025, the Court of Justice of the EU (the "CJEU") ruled on a case concerning the transfer of pseudonymised data. The case reached the CJEU after the General Court had overturned a decision of the European Data Protection Supervisor. The CJEU set aside that judgment and referred the matter back to the General Court.
The CJEU clarified that pseudonymised data cannot automatically be characterized as personal data in all circumstances. Instead, their status depends on the recipient’s realistic ability to re-identify the individual. This means that the same dataset may be personal data for a data controller (who retains the re-identification key or correlation table), but not for the recipient who does not have access to the key, correlation table or to other means reasonably likely to be used to enable such recipient to re-identify individuals.
The ruling thus endorses the so-called "relative approach" to the notion of personal data, as opposed to the "absolute approach". Under the "relative approach", information qualifies as personal data only from the perspective of the recipients who are actually able to identify the underlying data subjects. As a result, the same piece of information may or may not be considered personal data, depending on who is processing it and the identification tools available to them. By contrast, the "absolute approach" treats information as personal data within the meaning of the law regardless of the identification means available to a particular recipient; if the data subjects can be identified by anyone, the information is deemed personal data for everyone.
The CJEU also held that the data controller is subject to the duty to inform from the moment data is collected, including where data will be shared in pseudonymised form. Individuals must notably be informed of the recipients, so as to put them in a position to exercise their rights in a meaningful manner.
Practical takeaways:
- Relative approach confirmed: Pseudonymised data does not constitute personal data for a recipient who cannot realistically re-identify individuals.
- Transparency duties remain: Controllers must still comply with their duty to inform data subjects, even when data are shared in pseudonymised form since, from their standpoint, pseudonymised data remains personal data whose processing does trigger the transparency obligations.
Please do not hesitate to contact us in case of any questions.
Legal Note: The information contained in this Smart Insight newsletter is of general nature and does not constitute legal advice.
Let's talk
Contacts:
- Guy Vermeil, Partner, Head of Technology and Outsourcing, Geneva, guy.vermeil@lenzstaehelin.com, Tel: +41 58 450 70 00
- Philipp Fischer, Partner, Geneva, philipp.fischer@lenzstaehelin.com, Tel: +41 58 450 70 00
- Lukas Morscher, Partner, Head of Technology and Outsourcing, Zurich, lukas.morscher@lenzstaehelin.com, Tel: +41 58 450 80 00
- Lukas Stephan Staub, Associate, Zurich, lukas.staub@lenzstaehelin.com, Tel: +41 58 450 80 00