Consent to disclosure of data in General Terms and Conditions
The Ombudsman regularly receives inquiries about so-called “banking secrecy and data protection waivers”, in other words declarations, usually contained in the bank’s GTC, under which the customer declares his or her consent to the disclosure of data to third parties, e.g. other companies within the same group, stock exchanges, issuers, supervisory authorities, financial service providers, etc. in connection with transactions and services, and waives banking secrecy and data protection to that extent. Such declarations vary and are generally worded very broadly to enable them to cover a multitude of potential situations.
Although, in principle, the Ombudsman shares the concern surrounding protecting the financial privacy of banking customers, he unfortunately had to inform the customer that he would not be able to satisfy his request.
It is the Ombudsman’s task to act as an independent and neutral information point and mediator without jurisdictional power, which means that any individual or legal entity directly affected can contact him in connection with a specific transaction conducted with a bank if he, she or it feels they have suffered damage, loss or some other detriment as a result of misconduct by said bank. The Ombudsman has no jurisdiction in relation to general business and pricing policy however or for abstract legal and economic issues.
If specific damage is caused to the customer by the disclosure of information concerning him that is subject to secrecy protection, he is of course free to refer his case to the Ombudsman.
The general and abstract review of the GTC of all banks requested here by the customer is beyond the scope of the Ombudsman’s role and granted powers however. It is his understanding such roles are reserved for the courts and the Federal Council, based on the Unfair Competition Act (“UCA”), whereby in addition to individually affected clients action can be taken here also by consumer protection organisations and the Swiss Confederation (see Art. 8 et seqq. UCA). If the bank, as owner of data collections, fails to comply with the principles enshrined in the Federal Act on Data Protection, it is then within the remit of the Federal Data Protection and Information Commissioner to intervene (see Art. 26 et seqq. of the Federal Act on Data Protection).
With regard to the customer’s concerns, the Ombudsman did note however that he did not share the fear that the GTC provisions criticised by him would entitle the bank to freely handle data protected by law. On the one hand, the Ombudsman maintained that, due to the fundamental principles of the law of agency, the bank was still under obligation to safeguard the recognised interests of its customers. On the other, he noted that – as in the example of such a GTC clause specified by the customer – the customer does not grant a general waiver but simply releases the bank from its obligation to maintain bank client confidentiality to the express extent, and for the express purpose, that a disclosure of the data is necessary in connection with transactions to be processed for the customer, or services to be provided for the latter,. If such a limited authorisation is exceeded by the bank, there would still be a secrecy violation which would be punished by the relevant authority and may constitute grounds for the customer’s claims for compensation.
Even if the customer is asked to expressly agree to such waivers with the GTC, the Ombudsman also believes that the provisions in question, at least in part, are only of a declaratory nature and are first and foremost aimed at transparency. Where execution of a customer’s instruction involves a need to disclose protected data to third parties, a sufficient consent to said disclosure should in good faith also be presumed to have been granted as implied. Examples of this are the transfer of a sum of money to the recipient’s account held with a bank overseas or the purchase of a registered share in a company incorporated abroad.
In addition, in the Ombudsman’s view, the following should also be considered: where banks execute financial market or foreign currency transactions on a customer’s behalf, they can actually be faced with requests from authorities, issuers, stock exchanges and financial intermediaries, etc. in many respects to disclose who they are acting on behalf of. If the bank fails to meet such a request, it can expose itself and the customer to significant detriment and legal risks. Obtaining timely consent from the customer on a case-by-case basis is both cumbersome and uncertain if the bank does not manage to reach the customer within the critical period or if the latter refuses to grant consent in the specific situation. The Ombudsman therefore felt that the fact that banks obtain declarations of consent from their customers who may carry out financial market and foreign currency transactions in advance and irrespective of the individual case in each instance, related to an understandable and essentially legitimate interest.
In addition to these remarks about the background to the phenomenon observed by the customer, the Ombudsman also referred to a detailed and, in his opinion, very clear illustration of the problem in the following two brochures from the Swiss Bankers Association aimed at the general public which can be found on the website www.swissbanking.org:
– Information from the Swiss Bankers Association regarding the disclosure of client details in payment transactions, securities transactions and other transaction types in connection with SWIFT (June 2009)
– Information from the Swiss Bankers Association regarding the disclosure of client data and other information in international payment transactions and investments in foreign securities (February 2016)