- I. Introduction
- II. Differences in Application
- III. Types of Data Concerned
- IV. Data Protection Principles for Processing
- Bibliography
- Materials
I. Introduction
1 The FADP and the AMLA are based on different guiding principles. On the one hand, there is the AMLA, which aims to prevent the misuse of the financial center for criminal activities (Art. 1 AMLA). To achieve this purpose, the processing—i.e., the collection and management—of personal data is required to a considerable extent. In contrast, data protection law pursues a different goal: It aims to protect the privacy and fundamental rights of individuals whose data is processed by private entities or federal authorities, and ensures that they retain control over their personal data. The comprehensive reference to the FADP in Art. 33 AMLA is purely declaratory in nature. Even without it, the FADP would apply without restriction. Accordingly, all information collected by financial institutions within the framework of the legal requirements of the AMLA is fully covered by the scope of the FADP. The reference also clarifies that the relevant provisions of the AMLA are not to be understood as a special regime that would supersede the scope of the FADP.
II. Differences in Application
2 The comprehensive processing of personal data extends across all levels of the institutions involved. First, financial intermediaries are obligated to collect and document certain customer data (e.g., the identity of the contracting party and beneficial owner, or special investigations in cases of suspected money laundering). Furthermore, the competent supervisory authorities (e.g., self-regulatory organizations) even assume a dual role: On the one hand, they have access to the information processed by financial intermediaries; on the other hand, they themselves process personal data regarding the financial intermediaries and their employees. Finally, selected data collected by both financial intermediaries and supervisory authorities is forwarded to the Money Laundering Reporting Office (MROS). The MROS then transmits the relevant information to the competent law enforcement authorities. In implementing this aspect, the Anti-Money Laundering Act distinguishes between financial intermediaries (private entities), to whom Art. 34 AMLA applies, and the MROS (a federal body), to which Art. 35 et seq. AMLA apply.
A. Private Individuals
1. Financial Intermediaries and Traders
3 Financial intermediaries and traders are classified as private individuals within the meaning of Art. 2 para. 1 lit. a FADP. The processing of personal data by them is generally permissible, provided that no applicable legal norms are violated. They are therefore subject to both the general provisions of Art. 1–29 FADP and the special provisions on data processing by private individuals pursuant to Art. 30–32 FADP.
2. Self-Regulatory Organizations
4 In addition to financial intermediaries, the Message on the Anti-Money Laundering Act (AMLA) also designated self-regulatory organizations (SROs) as private individuals within the meaning of the FADP. This classification under data protection law has caused uncertainty in legal scholarship: SROs are subject—despite their organization under private law as an association (Art. 60 et seq. CC)—to the supervision of FINMA (Art. 18 AMLA), which in turn is a federal body.
5 The primary purpose of an SRO is to ensure compliance with the AMLA due diligence obligations (public law) by its member financial intermediaries. In addition to the tasks listed in Art. 24 AMLA, SROs also act as industry representatives, which falls within the scope of private law.
6 If an SRO sanctions an affiliated financial intermediary for a violation, the sanction is, according to legal doctrine, case law, and the legislature, of a private-law nature (i.e., a contractual penalty within the meaning of Art. 160 para. 1 CO or a measure under association law). However, even with this line of reasoning, it must be taken into account that the relationship between SROs and their affiliated financial intermediaries tends to be classified as public law—not least due to the introduction of the supervisory organization pursuant to Art. 43a FINMASA. Despite the explicit classification of the sanction mechanism of the SRO PolyReg as private law in the judgment 2C_887/2017 of March 23, 2021, the Federal Supreme Court simultaneously pointed to the growing trend of self-regulation under purely private law evolving into a public function. In the Federal Supreme Court’s view, this leaves open the possibility of classifying money laundering fines as falling under public law. At the same time, the Federal Supreme Court considered classifying the sanctions as falling under public law to be questionable, insofar as a formal legal basis for this might not be sufficient.
7 From a data protection perspective, the legal nature of the relationship between the data controller and the data subject plays a decisive role: if the relationship is governed by public law, the data controller must be classified as a public body. Compliance with AMLA regulations constitutes a public task of the Confederation, which is why classifying the SRO as a federal body (Art. 5(i) FADP) and applying stricter data protection provisions (Art. 33 et seq. FADP) would certainly be conceivable. Other legal opinions leave this question open. However, other activities of SROs would fall under the rules governing data processing by private entities. Furthermore, the primary task of an SRO is not data processing on behalf of the federal government. In our view, it is therefore correct to subject the legal relationship between the SROs and those individuals whose data is processed by affiliated financial intermediaries to the data protection provisions applicable to private individuals. If a data subject wishes to assert a legal claim against an SRO, they must consequently pursue civil remedies (Art. 32 FADP).
8 The opinion expressed here aligns with that of the Message on the Anti-Money Laundering Act (AMLA). While there are clear overlaps between private and public law, it must nevertheless be noted that private law continues to form the core of the legal classification of SROs. This also applies in light of the developments described above and the associated discussions regarding a possible classification of individual aspects under public law. A deviating classification under public law would be justified if this were enshrined in law. This is reinforced by the Message on the AMLA, which states that SROs and supervisory organizations are not actual authorities of the Confederation, the cantons, or the municipalities within the meaning of Art. 29 para. 2 AMLA. Recognized SROs within the meaning of Art. 24 AMLA are organizations that have been entrusted by the legislature with regulatory and supervisory duties for affiliated financial intermediaries. These organizations are agents performing a sovereign function. An argument to the contrary would unnecessarily undermine the Swiss self-regulation system, which also complies with international standards.
9 To conclusively clarify their legal nature, the legislature designated self-regulatory organizations as associations under private law to which a public-law function has been entrusted. Consequently, SROs exercise supervision over their affiliated persons and may also impose sanctions in the event of a breach of due diligence obligations. On September 26, 2025, the Federal Assembly decided to expressly subject the legal relationship between SROs and their members to the provisions of private law in Art. 24b of the New Money Laundering Act (nGwG), whereby the liability of SROs, their bodies, and their staff is governed accordingly.
B. Federal Bodies
10 Federal bodies within the meaning of Art. 5(i) of the FADP are subject to both the general data protection provisions of Art. 1–29 FADP and the special provisions of Art. 33–42 FADP. The distinction between private individuals and federal bodies is significant in that the principles enshrined in Art. 6 FADP are interpreted and applied differently. While, for example, a private individual complies with the principle of lawfulness under Art. 6 para. 1 FADP simply by ensuring that their data processing does not violate any applicable legal norms, the actions of a federal body must be based on a formal legal basis (Art. 34 para. 1 FADP). The principle of legality illustrates, for example, that the actions of federal bodies must always be based on a legal foundation.
11 According to Art. 5(i) FADP, federal authorities and agencies, as well as individuals to the extent that they are entrusted with public tasks of the Confederation, fall under the definition of federal bodies; these include FINMA, the Office of the Attorney General of Switzerland, the Federal Gaming Board (ESBK), and MROS. The latter is affiliated with the Federal Office of Police (fedpol) pursuant to Art. 23 para. 1 AMLA, which in turn is an administrative central office for combating organized and internationally active crime within the meaning of the Federal Act on Federal Criminal Police Central Offices and Joint Centers for Police and Customs Cooperation with Other States (ZentG).
12 The cantonal law enforcement authorities are not subject to the FADP, as they are cantonal bodies rather than federal ones. From the time criminal proceedings are initiated until their conclusion, the provisions of the Swiss CrimPC (Art. 95 et seq. CrimPC) apply pursuant to Art. 2 para. 3 FADP. This applies both to data processing by the court in the context of the proceedings and to that of the other participants in the proceedings, namely the parties. Upon conclusion of the proceedings, the CrimPC again declares the FADP applicable (Art. 99 CrimPC). From this point on, the processing of personal data is thus once again governed by the provisions of the FADP.
III. Types of Data Concerned
13 The fulfillment of due diligence obligations by financial intermediaries necessarily involves the processing of personal data. This refers to “all information relating to an identified or identifiable natural person” (Art. 5(a) FADP). The term is deliberately very broad and encompasses any information whose content relates to or can be linked to one or more natural persons. A subcategory of personal data consists of sensitive personal data. Also worth mentioning in connection with the due diligence obligations of financial intermediaries is profiling, both high-risk and non-high-risk.
14 With these types of data, different levels of protection must always be assumed: they range from publicly available data through various categories of ordinary personal data to sensitive personal data. These gradations shape the risk assessment and determine both the required level of data security and the scope of the duty to provide information. While the processing of ordinary personal data generally poses no difficulties, stricter requirements apply to personal data requiring special protection, as explained in more detail below. Special rules also apply to profiling, which will be discussed subsequently.
A. Personal Data
15 For data to qualify as personal data, the data subject must be identified or at least identifiable. It does not matter whether the person is clearly identified or merely identifiable.
16 Among the most fundamental due diligence obligations of a financial intermediary are the identification of the contracting party (Art. 3 AMLA), the determination of the beneficial owner (Art. 4 AMLA), and the fulfillment of other special due diligence obligations (Art. 6 AMLA). The information collected in this context (such as name, address, and contractual or financial information) constitutes personal data within the meaning of Art. 5(a) of the FADP. It is subject to the documentation requirement under Art. 7 of the AMLA.
B. Sensitive Personal Data
17 Sensitive personal data constitutes a subcategory of personal data. The exhaustive statutory list includes, among other things, health data, biometric data, and data regarding administrative and criminal proceedings or sanctions (Art. 5(c) FADP). Sensitive personal data is data whose processing is subject to stricter legal requirements in some respects compared to ordinary personal data. This classification is based on the fact that, according to the legislature’s intent, these categories of data “affect the personality of the data subjects so significantly” that their processing is in every case considered an infringement of personality.
18 Personal data collected by financial intermediaries in fulfillment of their reporting obligation or reporting right may be regarded as particularly sensitive. Special data protection provisions have been enacted for personal data requiring special protection within the meaning of Art. 5(c) FADP, both for financial intermediaries (Art. 34 AMLA) and for MROS (Art. 35 AMLA).
19 Depending on the risk, a transaction or business relationship must be subject to more extensive or detailed due diligence (Art. 6 AMLA). Examples of data requiring special protection—which are collected as part of the special due diligence—include possible criminal proceedings against a client, political views, and the role of a politically exposed person (PEP).
20 In this context, the proportionality of data processing under data protection law must be examined, for example, if the special investigations have led to the refutation of an initial suspicion. The personal data collected would thus have fulfilled its purpose and would have to be deleted in accordance with Art. 6 para. 4 FADP, whereby the reason for deletion would have to be recorded in a file note. However, processing and retaining this data appears proportionate and appropriate. This is for the following reason: In everyday practice, anti-money laundering units process systemically generated hits from their monitoring software (e.g., Compliance Suite) for both new applications and existing customers. Although these hits are predominantly so-called false positives (no actual match), a comparison must nevertheless be made between the generated hit and the customer based on the personal data already collected about them (Art. 5(a) FADP). Personal data is also collected through investigations into both the customer and the match—which does not necessarily have to be an existing customer of the financial intermediary in question. This data, in turn, serves as evidence that a verification has taken place and identifies the specific characteristics based on which the match corresponds to or does not correspond with the respective customer. The purpose served by this personal data appears significantly more generic in this case, namely compliance with the financial intermediary’s due diligence obligations, and not (merely) to dispel an initial suspicion or to forward a suspicious activity report to MROS. The financial intermediary’s due diligence obligations under anti-money laundering law also include the documentation of the clarifications carried out (Art. 7 AMLA). The personal data collected in this context therefore also serves to provide a verifiable account that the statutory due diligence obligations have been fulfilled.
In our view, the documentation of the due diligence measures taken can be understood as an independent processing purpose within the meaning of Art. 6 FADP. This applies in particular with regard to the audit activities of internal and external auditors, as well as potential administrative or criminal proceedings in which the financial intermediary must be able to demonstrate in a verifiable manner why no reportable circumstances were assumed and why the due diligence obligations were complied with. It therefore appears proportionate and appropriate not to delete this data immediately for evidentiary purposes, but to continue storing it.
C. Profiling / High-Risk Profiling
21 Profiling is a specific type of processing of personal data. It refers to the automated process in which a person’s personal characteristics are analyzed and evaluated. An evaluation occurs as soon as the available data is interpreted, thereby resulting in a subjective assessment. In contrast, a mere statement of facts—that is, an objective recording of actual circumstances—does not constitute profiling. “Automated” describes a processing operation using technical means. The evaluation process is fully automated. So-called high-risk profiling is a specific form of profiling. It is characterized by the linking of data, thereby processing essential aspects of a natural person’s personality. This poses a high risk to the personality or fundamental rights of the data subject.
22 Compliance with the due diligence obligations under Art. 6 AMLA may, under data protection law, require or entail so-called “profiling.” Profiling is defined as the evaluation of certain personal aspects of an individual based on automatically processed personal data. These are consequently evaluated automatically in order to draw conclusions—also automatically—about characteristics of an individual. High-risk profiling occurs when the automated linking of data enables the assessment of essential aspects of a natural person’s personality, ultimately resulting in a personality profile. The mere collection of personal data within the framework of KYC does not in itself constitute profiling.
23 Profiling occurs, for example, when a business relationship is assigned a money laundering risk. In fulfilling the second partial obligation of Art. 6 AMLA, the so-called “filtering,” the financial intermediary establishes criteria that distinguish between transactions that are either typical or atypical for the business relationship in question—in other words, those requiring further clarification. For private individuals, there are generally no specific additional legal consequences as in the public sector, subject to the corresponding transparency and information obligations (Art. 6 para. 3 in conjunction with Art. 19 of the FADP). It should be noted that the identification of criminal structures or patterns in connection with money laundering and terrorist financing constitutes a consistent element of the global defense mechanism against money laundering.
24 A more sensitive form is “high-risk profiling” (Art. 5(g) FADP). The high risk does not refer to the money laundering risk of a business relationship, but to the risk that the collected data will be used to analyze or even predict certain personal aspects of a customer (personality profile). Such profiling exists only if two additional conditions are met: First, different data must be linked together; second, the insights gained from this must relate to essential aspects of personality or at least be directed toward them. If both elements are present, the high risk is conceptually deemed to exist.
25 In the context of due diligence obligations under money laundering law, it is occasionally assumed that transaction monitoring in particular could fulfill this requirement. While it cannot be ruled out that the analysis of transaction data constitutes profiling within the meaning of Art. 5(f) FADP, Art. 5(g) FADP requires, for high-risk profiling, an additional linking of data that allows for an assessment of essential aspects of a person’s character and can be consolidated into a comprehensive customer profile. By contrast, the due diligence obligations under Art. 6 AMLA pursue a functionally limited purpose, namely the identification of the nature and purpose of the business relationship as well as the investigation of unusual or high-risk transactions. Even though various pieces of information regarding the business relationship are taken into account here, the analysis focuses primarily on the plausibility of transactions and the identification of atypical transaction patterns in payment transactions. While the resulting data sets may be extensive, what is decisive is not the volume of data processed, but whether this data can be consolidated into a profile of the data subject’s personality. This is generally not associated with the cross-domain linking of data with the aim of creating a comprehensive profile of the data subject’s personality. By way of comparison, high-risk profiling occurs, for example, when data from different areas of life—such as consumption, location, online, or health data—are linked together to form a comprehensive profile of the data subject’s personality. Whether such a profile exists must ultimately be assessed on a case-by-case basis.
26 Finally, it should be noted that in the case of high-risk profiling, there may be an obligation to conduct a data protection impact assessment (DPIA) (Art. 22 FADP). A DPIA serves as a self-assessment of processing operations that appear sensitive from a data protection perspective. In this process, the planned project is first described from the perspective of data processing. It then describes the potential adverse consequences that this processing could have for the data subjects with a certain degree of probability. Based on these findings, the technical and organizational measures already implemented as well as those still planned are then outlined, which are intended to prevent or at least mitigate such negative effects.
27 For financial intermediaries, a DPIA is particularly relevant when they use automated procedures—including AI-based systems—in connection with compliance with anti-money laundering due diligence obligations that analyze or predict personal aspects based on customer data. In such cases, an increased risk to the privacy of the data subjects may arise, which may necessitate the conduct of a DPIA pursuant to Art. 22 of the FADP. It should be noted, however, that a breach of the obligation to conduct a DPIA does not entail direct sanctions and does not constitute a violation of privacy.
IV. Data Protection Principles for Processing
28 The principles of data processing under the FADP are mandatory, regardless of whether the processing is carried out by a private controller or a federal body. The principles listed in Art. 6–8 FADP include:
- Lawfulness
- Good faith
- Proportionality
- Purpose limitation (transparency)
- Destruction and anonymization
- Accuracy
- Consent (including explicit consent)
- Data security
29 The right of access is of crucial importance, i.e., the right of a data subject to inspect the personal data concerning them (Art. 25 FADP). The AMLA contains special provisions in this regard as a lex specialis: For data maintained in the separate data collections pursuant to Art. 34 para. 3 AMLA, the right of access may be asserted exclusively against MROS. Finally, it should be emphasized that the right of access under data protection law does not establish a claim to the surrender of the original documents: Under Art. 25 para. 2(b) of the FADP, only the personal data contained therein must be provided as such, but not complete documents such as emails, contracts, or reports.
30 For further details on the aforementioned principles, reference is made here to the literature on data protection law. In addition to the processing principles, there are further governance obligations, the violation of which generally does not constitute an infringement of personal rights. These include the obligation to maintain a record of processing activities (Art. 12 FADP), the engagement of processors (Art. 9 FADP), and, where applicable, a DPIA (Art. 22 FADP). In addition, reference should be made to the investigative powers of the FDPIC (Art. 49 et seq. FADP) as well as the sanctions pursuant to Art. 60 et seq. FADP.
Bibliography
Alberini Adrien, Kommentierung zu Art. 33 GwG, in: Ursula Cassani, Christian Bovet, Katia Villard (Hrsg.), Commentaire romand, Loi sur le blanchiment d'argent, Basel, 2022.
Caroline Kindler, Kommentierung zu Art. 25 GwG in: Damian K. Graf/Doris Hutzler (Hrsg.), Onlinekommentar zum Bundesgesetz über die Bekämpfung der Geldwäscherei und der Terrorismusfinanzierung – Version: 16.01.2025: https://onlinekommentar.ch/de/kommentare/gwg25 (besucht am 8.10.2025), DOI: 10.17176/20250319-201115-0.
Christen Marquard/Kuert Matthias, Kommentierung zu Art. 25 GwG, in: Peter Ch. Hsu/Daniel Flühmann (Hrsg.), Basler Kommentar, Geldwäschereigesetz, Basel 2021.
De Capitani Werner, Kommentierung zu Art. 33 GwG, in: Schmidt Niklaus (Hrsg.), Kommentar Einziehung – Organisiertes Verbrechen – Geldwäscherei, Bd. I, 2. Aufl., Zürich et al. 2007.
Derungs Corsin/Gmünder Eliane, Kommentierung zu Art. 33 GwG, in: Kunz Peter V./Jutzi Thomas/Schären Simon (Hrsg.), Stämpflis Handkommentar, Geldwäschereigesetz (GwG), Bern 2017.
Fiechter Eric/Maiko Günther, Sphère privée et diligence bancaire – des droits bafoués et des limites ignorées ? – Relation entre la loi sur le blanchiment d’argent et la loi sur la protection des données, in: SJZ 2010, S. 338-343.
Gaul Caroline/Isler Michael/Vasella David, Kommentierung zu Art. 33 GwG, in: Hsu Peter Ch./Flühmann Daniel (Hrsg.), Basler Kommentar, Geldwäschereigesetz, Basel 2021.
Glatthaar Matthias/Schröder Annika, Kommentierung zu Art. 5 lit. f und g DSG, in: Thomas Steiner/Anne-Sophie Morand/Daniel Hürlimann (Hrsg.), Onlinekommentar zum Bundesgesetz über den Datenschutz – Version: 21.08.2023: https://onlinekommentar.ch/de/kommentare/dsg5fundg (besucht am 12.3.2026), DOI: 10.17176/20230819-101936-0.
Graber Christoph K./Oberholzer Dominik, Das neue GwG, 3. Aufl., Zürich 2009.
Häfelin Ulrich/Müller Georg/Uhlmann Felix, Allgemeines Verwaltungsrecht, 8. Aufl., Zürich et al. 2020.
Heierli Christian Marcus, Das Konzept der Selbstregulierung im GwG, in: GesKR 2010, S. 38 ff.
Kilgus Sabine, Datenschutz und Geldwäschereibekämpfung – Wer schützt wen wovon wofür?, in: Persönlichkeitsschutz zwischen Mensch und Maschine, 25 Jahre Datenschutz-Forum Schweiz, 2024, S. 135-153.
Kuster Matthias, Zur Rechtsnatur der Sanktionsentscheide von Selbstregulierungsorganisationen und der Schweizer Börse, in: AJP 2005, S. 1502 ff.
Maurer-Lambrou Urs/Kunz Simon, Kommentierung zu Art. 2 DSG, in: Maurer-Lambrou Urs/Blechta Gabor-Paul (Hrsg.), Datenschutzgesetz / Öffentlichkeitsgesetz, Basler Kommentar, 3. Aufl., Basel 2014.
Rosenthal David, Das neue Datenschutzgesetz, in: Jusletter 16. November 2020.
Rudin Beat, Kommentierung zu Art. 2 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2023.
Derselbe, Kommentierung zu Art. 5 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2023.
Taube Tamara, Entstehung, Bedeutung und Umfang der Sorgfaltspflichten der Schweizer Banken bei der Geldwäschereiprävention im Bankenalltag, in: SGFM – St. Galler Schriften zum Finanzmarktrecht Band/Nr. 9, Zürich et al. 2013.
Thelesklaf Daniel, Kommentierung zu Art. 33 GwG, in: Thelesklaf Daniel/Wyss Ralph/van Thiel Mark/Ordolli Stiliano (Hrsg.), Orell Füssli Navigator Kommentar, GwG Kommentar/AMLA Commentary, 3. Aufl., Zürich 2019.
Vasella David, Überlegungen zum Profiling mit hohem Risiko, datenrecht.ch, 23.11.2020, abrufbar unter https://datenrecht.ch/ueberlegungen-zum-profiling-mit-hohem-risiko/, besucht am 12.3.2026 (zit. Vasella, Profiling).
Wyss David, FINMA-Bussenkompetenz – ein wirksames Mittel zur Abschreckung?, in: GesKR 2024, S. 129 ff.
Zysset Pascal, Kommentierung zu Art. 25 GwG, in: Peter V. Kunz/Thomas Jutzi/Simon Schären (Hrsg.), Stämpflis Handkommentar zum Geldwäschereigesetz (GwG), Bern et al. 2017.
Materials
Beschluss des Parlaments vom 26.9.2025 (Referendumsvorlage), BBl 2025 2899, abrufbar unter https://www.fedlex.admin.ch/eli/fga/2025/2899/de, besucht am 22.1.2026.
Botschaft zum Bundesgesetz über den Datenschutz (DSG) vom 23.3.1988, BBl 1988 II 413 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/1988/2_413_421_353/de, besucht am 9.8.2025.
Botschaft zum Bundesgesetz zur Bekämpfung der Geldwäscherei im Finanzsektor vom 17.6.1996, BBl 1996 III 1154 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/1996/3_1101_1057_993/de, besucht am 21.8.2025.
Botschaft zum Bundesgesetz über den Datenschutz (DSG) vom 15.9.2017, BBl 2017 6941 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2017/2057/de, besucht am 15.12.2025.
Botschaft zur Änderung des Geldwäschereigesetzes (GwG) vom 26.6.2019, BBl 2019 5451 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2019/1932/de, besucht am 9.10.2025.
Botschaft zum Bundesgesetz über die Transparenz juristischer Personen und die Identifikation der wirtschaftlich berechtigten Personen (TJPG) vom 22.5.2024, BBl 2024 1607 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2024/1607/de, besucht am 22.1.2026.
Geschäftsbericht 2021 des Bundesgerichts vom 17.2.2022, abrufbar unter https://www.eidgenoessischegerichte.ch/de/files/geschaeftsberichte/GB_2021_d.pdf, besucht am 23.8.2024.