The FDPIC (Federal Data Protection and Information Commissioner) has published one of its first decisions on the right of access to data under the Swiss FADP.
The Commissioner issued a reprimand against a bank that failed to respect the legal deadlines for responding to data subject requests and merely provided standardized replies to all requests.
On 29 January 2025, the FDPIC issued a decision against Cembra Money Bank AG (“the Bank”) for failing to comply with the 30-day deadline set out in Article 25 FADP and for failing to provide the personal data processed as such.
Complaints
Between 2023 and 2024, the FDPIC received two complaints against the Bank.
- First complaint: The Bank did not reply within 30 days to an access request; the FDPIC sent a reminder, after which the Bank complied, citing a temporary staff shortage as the reason for the delay.
- Second complaint: The Bank denied a credit card without giving reasons. After repeated requests, the data subject submitted an access request using the FDPIC’s template form, asking for “the personal data processed as such.” Since the Bank did not reply, the individual initiated conciliation proceedings before the Basel-City civil court. Only at that point did the Bank send a generic letter listing categories of data, without providing the actual data.
Investigation and findings
The FDPIC opened a preliminary investigation under Article 49 FADP.
- On late responses: The FDPIC recalled that, under Article 25(7) FADP, requests must be processed within 30 days. If this is not possible, the data subject must be informed, and a new deadline must be indicated (Art. 18(2) DPO). The Bank never did this, thus breaching the law. In 9 out of 13 cases, the Bank exceeded the deadline substantially, by up to 9 months. The decision clarifies that the 30-day deadline is mandatory unless a justified extension is provided; failure to comply may lead to administrative fines and costs.
- On standardized replies: Instead of providing actual data, the Bank sent a list of categories and referred to its privacy notice. The FDPIC stressed that Art. 25(2)(b) FADP requires disclosure of “the personal data processed as such.” This is essential, for instance, to verify a credit card refusal and, if necessary, to rectify inaccurate data (Art. 32(1) FADP).
Examples of information that should be disclosed include:
- individual credit score (ZEK/IKO/Moneyhouse);
- history of requests or interactions (CRM);
- income or creditworthiness data used in the analysis;
- reasons for the decision (“score too low,” “insufficient income,” etc.);
- source of the data (broker, platform, etc.).
The controller may still invoke limitations or redact sensitive parts (Art. 26 FADP), but must at least inform the data subject of the existence of the data; otherwise it faces administrative or, in serious cases, criminal sanctions (Art. 60(1) FADP).
Sanction
With its decision of 29 January 2025, the FDPIC ordered the Bank to provide the actual data processed to all data subjects who had only received standardized responses (Art. 51(3)(g) cum Art. 25(2)(b) FADP). The Bank was issued a reprimand (Art. 51(4) FADP) and ordered to pay procedural costs of CHF 5,829.40.