Transfer of employee data to the US authorities

A number of banks have handed over to the US authorities documents including lists of current and former employees’ names, email addresses and telephone numbers, as well as those of third parties. We carried out an examination of the relevant facts among the five banks concerned, and issued a series of recommendations calling upon the banks to adopt a more transparent approach.

During their on-going negotiations with the US authorities, several Swiss banks handed over documents concerning their business relations with US clients. The documents in question also contained the names of current and former bank employees, as well as those of third parties. Many of the persons whose names were on the lists contacted us about this matter. As soon as it became clear that further data transfers were due to take place, we decided in August 2012 to proceed with an examination of the facts in order to clarify the issues relating to data protection. Our purpose was to obtain detailed information about the transfers that had already occured in order to determine whether individual personality rights had been infringed and whether the persons concerned could be better protected.

As part of our examination, we held discussions with the State Secretariat for International Financial Matters, the Swiss Financial Market Supervisory Authority (FINMA) and the Federal Office of Justice. We listened to the reasons that were put forward in defense of the Federal Council's decision regarding the cooperation of the Swiss banks with the US authorities. We also held discussions with the relevant banks. As a first step, we asked the banks to be more transparent vis-à-vis their employees in order to protect the persons concerned. As a reaction to this, the banks agreed that, for the duration of the current enquiries, they would inform any employee who might be affected before any further documents were released to the US authorities. The banks were also asked to fill out a questionnaire and provide us with all the documents detailing the data transfer process and the information provided on bank employees. We also carried out an on-site inspection at some of the banks to see exactly how documents were selected and what procedure had been put in place for employee information and access.

On the basis of the documents and explanations that were given to us, and in view of the various government agencies involved, we have come to the conclusion that the decision to transfer data was reasonable due to the existence of an overriding public interest. It was plausibly demonstrated to us that the banks would have laid themselves open to serious consequences if they had not transferred the data demanded by the US authorities. In our recommendation, therefore, we recognized the existence of an overriding public interest, which is a precondition for the transmission of personal data to a country with an insufficient level of data protection. However, we also made it clear that the banks had not acted entirely in accordance with data protection legislation for the data transfers that had already taken place. Some of the institutions, for example, had not informed all the persons concerned that the transfer of data was imminent, nor had all the persons been given access to the documents concerning them that were due to be transferred. We therefore asked the banks to grant a right of information to all the persons concerned (including current and former employees as well as third parties) with regard to the documents that had already been handed over. As for future data transfers to the US authorities, the banks are required to provide advance warning to all persons who may be concerned about the type and scope of the documents in question, as well as the period covered by those documents. Former employees as well as third parties must be informed to the extent that this is possible without undue effort.

The banks must give all the parties concerned a reasonable period of time within which they can ask to see all documents concerning them. If, after seeing the documents, an individual objects to the transfer of documents containing their name, the bank will have to weigh up all the interests at stake in the particular case. Should the bank decide to proceed nonetheless and to hand over the documents, it shall be obliged to inform the person concerned of its intention and to inform that person of their rights.

All the banks that have been involved have accepted our recommendations (in German).

https://www.edoeb.admin.ch/content/edoeb/en/home/documentation/annual-reports/20th-annual-report-2012-2013/transfer-of-employee-data-to-the-us-authorities.html