Attention to new sanctions related to Russia

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions Russian oligarchs, officials and entities.

OFAC has designated seven Russian oligarchs and 12 companies they own or control, 17 senior Russian government officials and a state-owned Russian weapons trading company and its subsidiary, a Russian bank.

What does this regulation mean for U.S. persons?

U.S. persons are generally prohibited from dealings with designated individuals and entities subject to U.S. jurisdiction. This prohibition also applies to employees and board members of designated entities if they are subject to U.S. jurisdiction.

OFAC has issued General License 12, which authorises a time-limited maintenance or wind-down of operations, contracts or other agreements (e.g. authorising the transfer of shares) that were in effect prior to 6 April 2018. Furthermore, General License 13 authorises U.S. persons with shares in a designated entity or blocked entity (50% OFAC rule) to divest or transfer these shares to a non-U.S. person, or to facilitate the transfer by a non-U.S. person to another non-U.S. person of debt, equity or other holdings in the blocked entities listed in this General License.

What does this regulation mean for companies owned or controlled by designated individuals or entities?

Property and interests in property of entities of which 50% or more is directly or indirectly owned by one or more designated individual(s) or entity(ies) are considered blocked, regardless of whether such entities appear on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List).

Such holdings could lead to significant difficulties not only with U.S. persons and entities, but also with non-U.S. persons (where the specific regulation applies to them) and with risk-averse counterparties, and these difficulties may persist over a fairly long term. This scenario could also result in reputational damage.

Will foreign persons (non-U.S. persons) be subject to sanctions for doing business with designated individuals or entities?

Foreign persons (non-U.S. persons) could also be subject to sanctions for doing business with designated individuals, entities and blocked entities (50% OFAC rule), namely for knowingly facilitating significant transactions, including deceptive or structured transactions, for or on behalf of any person subject to U.S. sanctions with respect to the Russian Federation, or of their children, spouses, parents or siblings.

Broad factors for assessing whether a transaction is a “significant transaction” or “significant financial transaction” include the size, number and frequency of the transaction(s), the nature of the transaction(s), the level of awareness of management, and whether the transaction(s) are part of a pattern of conduct.

You can count on us

Would you like to ensure compliance with sanctions regulations, review or expand your existing sanctions compliance system, or do you have any specific questions about sanctions regulations? We will be happy to actively support you as your partner:

  • We can help you carry out health checks and ensure compliance with your obligations in accordance with the specific OFAC regulation on designated individuals, entities or blocked entities.
  • Furthermore, we can help you carry out health checks and ensure compliance with your obligations in accordance with local (e.g. SECO, UNO) and EU sanctions regulations in general, including a comprehensive report with clear guidance on the next steps you need to take.
  • We can provide you with a memorandum on specific questions with regard to your business model or project.
  • We can offer support with the practical implementation of an adequate compliance management system.
  • We can assist you with the development, improvement and implementation of your organisation, policies, guidelines, procedures, training and controls.

Contact us

Susanne Hofmann
Director
Leader Legal Compliance, PwC Switzerland
Direct: +41 58 792 17 12
susanne.hofmann@ch.pwc.com

Simeon Probst
Partner
Leader Customs & Trade, PwC Switzerland
Direct: +41 58 792 53 51
simeon.probst@ch.pwc.com

Gianfranco Mautone
Partner
Leader Forensic Services and Financial Crime, PwC Switzerland
Direct: +41 58 792 17 60
gianfranco.mautone@ch.pwc.com

Désirée Bysäth (Author)
Assistant Manager
Legal Compliance, PwC Switzerland
Direct: +41 58 792 40 03
desiree.bysaeth@ch.pwc.com

Sanction Compliance Health Check

The regulatory environment has been changing for some years now. Although existing sanctions against Iran, for example, have been lifted, there are still considerable difficulties in dealing with sanctions in general. Moreover, technological developments such as new payment transaction technologies have created significant challenges for financial intermediaries.

Due to the international activities of Swiss-based companies and the extraterritorial character of US (OFAC) and EU sanctions, it may be necessary for Swiss-based companies to consider not only the Swiss sanctions administered by SECO but also US and EU sanctions.

Our Service:

Carrying out a sanction compliance health check is recommended in the following situations or with the following aims:

    • Not (or only partially) implemented sanction risk management,
    • Minimisation of existing risks,
    • Enhancement or optimisation of existing procedures,
    • Expansion into new countries/markets,
    • Changes in business activities,
    • Acquisition of new companies, or
    • Knowledge of gaps or inaccuracies.

You can count on us!

If you, as a financial intermediary, would like to be compliant in the area of sanctions regulation, or if you would like to review or expand your existing sanctions system, we will be happy to actively support you as your partner:

  • We support you in carrying out a health check and checking compliance with your obligations in accordance with local (e.g. SECO, UNO) and international (e.g. EU, OFAC) sanctions regulations.
  • We provide you with a clear report on the results of our health check.
  • We support you in the practical implementation of a suitable compliance management system.
  • We support you in the development, improvement, and implementation of your organisation, policies, guidelines, procedures, training, and controls.


Your contacts

Michèle Hess 
Partner
Regulatory & Compliance Services
Direct: +41 58 792 46 67
Mobile: +41 79 878 00 85
michele.hess@ch.pwc.com

Susanne Hofmann
Director
Legal Compliance Leader Switzerland
Direct: +41 58 792 17 12
Mobile: +41 79 286 83 67
susanne.hofmann@ch.pwc.com


Federal Act on Data Protection (FADP): Swiss Federal Council publishes Draft Bill

On September 15, 2017 the Swiss Federal Council published the draft bill to the revision of the Federal Act on Data Protection (FADP). The revised bill intends to strengthen the protection of personal data and to adapt the existing provisions to the digital age. Moreover, it aims at adapting Swiss data protection legislation to legislation at European level, i.e. the EU General Data Protection Regulation (GDPR). In this context, remaining recognized by the EU as a third country providing an adequate level of data protection is crucial for the Swiss economy.

Key Features of the Draft Bill and Differences to the EU-GDPR

The Federal Council responded to the criticism of the Swiss business community by making extensive changes to the preliminary draft of the FADP, which it had published in December 2016. In that regard, the Federal Council rejected a so-called “Swiss finish”. With regard to key elements, the current draft bill no longer exceeds the standards stipulated in the EU data protection legislation.

Like its counterpart in the EU, the draft bill generally aims at increasing transparency in data processing and at enhancing sanctions for data breaches. Moreover, in different areas the draft adopts the relevant EU legal terminology. It also establishes a risk-based approach: for example, the data protection duties of the data controller are expanded in proportion to the privacy risks for the data subjects concerned. The revised FADP requires all data controllers and processors to keep records of their data processing activities, similar to the GDPR. Reflecting the same development as in the EU, the revised FADP strengthens the role and position of the Federal Data Protection and Information Commissioner (FDPIC).

However, in some areas the draft bill differs substantially from EU legislation. For example, it does not require data controllers to document FADP compliance. Thus, unlike the GDPR, it does not introduce a reversal of the burden of proof with regard to data protection. Specific provisions on the protection of children and the right to data portability have not been introduced in the draft bill either. With regard to the latter, the Federal Council wants to wait for the EU’s experience before taking similar steps. Comparable considerations apply to the “right to be forgotten”, which has been limited to personal data matters concerning deceased persons.

Further differences to the GDPR concern sanctions. The upper limit stated in the preliminary draft has been substantially reduced from CHF 500’000 to CHF 250’000 and is thus significantly lower than in the EU. In addition, data controllers in Switzerland are subject to fewer reporting and consultation obligations towards the FDPIC than their counterparts in the EU have towards their data protection authorities.

Keeping the EU Adequacy Status

Keeping unrestricted access to the EU single market is an additional factor shaping the revision of the FADP. In that context, adapting to parts of the EU data protection legislation seems to be a precondition for Switzerland to remain recognized by the EU as a third country providing an adequate level of data protection and, thus, to continue benefiting from cross-border data transfers without additional legal safeguards. This is particularly important to the Swiss economy.

Need for Action for Companies

The revision of the FADP will have a significant influence on how companies process personal data in the future. Despite the differences to the GDPR and to the preliminary draft, the intention of the recently published draft bill remains the same: increased transparency and stronger sanctions for data breaches.

It is envisaged that the revision will be completed in the summer of 2018. We nonetheless strongly recommend that companies consider the upcoming data protection legislation already today. Companies operating in Switzerland should gain a complete view of their data processing. Following this analysis, and applying a risk-based approach, they must take the necessary measures to ensure that their data processing complies with the future law.

Contact us

Susanne Hofmann
Director
Legal Compliance Leader Switzerland
+41 58 792 17 12
susanne.hofmann@ch.pwc.com

Dr. Idir Laurent Khiar
Assistant Manager
Legal Compliance
+41 58 792 17 51
idir.laurent.khiar@ch.pwc.com

Swiss banks and wealth managers subject to new EU regulation on data protection

It is a truism that information management is the basis for a successful banking business. As you may know, the EU General Data Protection Regulation (GDPR) is a fundamental regulatory revision of information management and opens a new chapter in data protection. Governing the entire processing of personal data, the GDPR can fairly be called a milestone in data protection.

As the regulation will apply from May 2018 and imposes far-reaching obligations on all processors of data of EU residents, it is high time to decide on concrete next steps. The GDPR will apply to all Swiss banks and wealth managers actively offering cross-border services to customers domiciled in the EU. Swiss banks should also note that compliance with the GDPR will likely mean being essentially compliant with the future revised Swiss Data Protection Act.

PwC Switzerland is pleased to present a white paper on the impact of the GDPR on banks and wealth managers in Switzerland. The paper outlines the regulatory requirements for banks and wealth managers and analyzes the impact on institutions. Taking a detailed approach, the study also shows the importance of combining the regulatory requirements with operational excellence initiatives linked to digitalization and data security, in order to prepare your institution as well as possible for the future.

We are delighted to support your bank with any questions around GDPR and data privacy to ensure regulatory compliance by May 2018. Please do not hesitate to contact us for any further questions.


Contact Us

Susanne Hofmann-Hafner
Director, Tax and Legal
+41 58 792 17 12
susanne.hofmann@ch.pwc.com

Patrick Akiki
Partner, Advisory
+41 58 792 25 19
akiki.patrick@ch.pwc.com

Reto Häni
Partner, Cybersecurity
+41 58 792 75 12
reto.haeni@ch.pwc.com

The countdown is on: one year to get ready for the EU General Data Protection Regulation GDPR

On 25 May 2016 the EU General Data Protection Regulation (GDPR) entered into force. After the elapse of the 2-year transposition period, it will become directly applicable on 25 May 2018.

The new EU data protection legislation introduces substantial changes for companies dealing with personal data: among others, the new requirements on transparency, on proportionality and on documentation when processing personal data are key changes. These are significant challenges for companies. In addition, the new legislation substantially improves the rights of the individuals concerned, the data subjects. Thanks to the GDPR, they now have clear-cut rights with regard to companies processing their data. The key rights include, inter alia, the right to information, to rectification and deletion of personal data, to restriction of processing, to portability, and the right to object to processing. As data controllers, companies have to be able to comply with all these rights.

Besides new duties and compliance obligations for companies, data protection authorities are given new competences and enforcement instruments. Standing out are the new sanctions of up to the amount of EUR 20m or 4% of the international annual turnover of the concerned company, whichever is higher.

Recommendation

Swiss companies that are subject to the GDPR (e.g. because they do business in the EU) now have one year to make the necessary adaptations to comply with it. The new requirements have to be analyzed, gaps identified, and mitigation actions planned and implemented. It is important to be prepared.

Contacts:

Susanne Hofmann
Legal Compliance Leader
+41 58 792 17 12

Michael Adrian Meyer
Legal Services – Senior Manager
+41 58 792 51 31

Reto Häni
Partner and Leader Cybersecurity
+41 58 792 75 12

Idir Laurent Khiar
Legal Services – Assistant Manager
+41 58 792 17 51

Swiss-US Privacy Shield: New Framework for the Transfer of Data to the USA

The so-called Swiss-US Privacy Shield replaces the Safe Harbor Agreement between Switzerland and the USA. The agreement establishes a new regulatory framework for the transmission of personal data from Switzerland to certified companies domiciled in the US. The same standards will apply for Swiss transfers of personal data to the USA as for data transfers from the EU.

Swiss data protection legislation stipulates specific requirements for the transfer of personal data abroad. They protect the personality and the rights of the data subjects concerned. However, the US is not deemed to provide an adequate level of data protection in terms of Swiss law. Swiss companies therefore have to take specific measures to safeguard personal data when it is transferred to the US.

Until recently, Swiss companies could rely on the Swiss-US Safe Harbor Agreement. After the Court of Justice of the European Union declared the EU-US Safe Harbor Agreement invalid, the Swiss Federal Data Protection and Information Commissioner (FDPIC) called the Swiss-US Safe Harbor Agreement into question.

In August 2016, the EU and USA put into place a successor agreement, the EU-US Privacy Shield. Switzerland also entered into negotiations with the USA, which resulted in the Swiss-US Privacy Shield.

Enhancing the Application of Data Protection Principles, New Tasks for the FDPIC

The agreement is expected to substantially improve the position of those concerned by personal data transfers. The application of data protection principles by participating companies should be enhanced, as should the management and supervision of the framework by the US authorities. Cooperation between the US Department of Commerce (DOC) and the Federal Data Protection and Information Commissioner (FDPIC) should be intensified. The persons concerned are being given specific instruments to enable them to find out about data processing directly from certified US companies or the competent authorities, and to ensure that any required corrections or deletions are made. For example, the FDPIC will act as a point of contact for persons in Switzerland in the event of any problems in connection with the transfer of data.

Same Conditions as in the EU for the Transmission of Personal Data to the US

The new regulatory framework corresponds to the solution adopted by the USA and the EU and implemented within the European Economic Area (EEA) – the EU-US Privacy Shield. The similarity is highly significant, as it guarantees the same framework conditions for persons and businesses in Switzerland and the EU/EEA area in relation to transatlantic data flows. The same standards therefore apply for Swiss personal data transfers to the USA as for data transfers from the EU. This increases legal certainty in commercial transactions and reduces additional costs for the economy.

Need for Action for Companies

US companies can start the certification process with the DOC three months after the finalization of the agreement. Interested US companies are advised to obtain a Privacy Shield Certificate from the DOC. Swiss companies should make sure that their US partners possess such a certificate. These conditions are essential for Swiss companies to submit personal data to the US without requiring additional contractual guarantees. Furthermore, companies should review their current contractual basis for data transfers to the US and adapt it to the Swiss-US Privacy Shield where required.

New Swiss Federal Data Protection Act

Just before Christmas, the Federal Council published the preliminary draft for the revision of the Swiss Federal Data Protection Act (FDPA). The revision’s focus is to strengthen data protection and the individual rights of citizens. At the same time, developments at European level are taken into account, in particular the recently adopted General Data Protection Regulation (GDPR) of the European Union and the Data Protection Convention of the Council of Europe (ETS 108).


Contacts:

Susanne Hofmann-Hafner
Leader Legal Compliance
susanne.hofmann@ch.pwc.com
+41 58 792 17 12

Michael Adrian Meyer
Data Protection specialist
michael.adrian.meyer@ch.pwc.com
+41 58 792 51 31

Marco Schurtenberger
Risk Assurance & Cyber security specialist
marco.schurtenberger@ch.pwc.com
+41 58 792 22 33

Data privacy in the EU: What is the latest news?

The EU/US Privacy Shield is formally adopted

More than nine months after the Court of Justice of the European Union invalidated Safe Harbor, the EU/US Privacy Shield has been approved. From 1 August 2016 onward, European companies seeking to transfer data to the United States will be able to rely on US organisations self-certifying to the Privacy Shield programme.

What are the main differences?

The Privacy Shield contains detailed requirements for US organisations to safeguard EU residents’ personal data. To join the programme, a US organisation must meet four requirements: (i) it must fall under the enforcement authority of the Federal Trade Commission (FTC) or another US agency that can assure compliance; (ii) it must publish its commitment to comply with the Privacy Shield Principles; (iii) it must publicly disclose its data protection policy; and (iv) it must implement the Principles. Most of the Privacy Shield Principles were already included in the Safe Harbor framework. However, some of the Principles have been enhanced, making the Privacy Shield stronger than Safe Harbor. Relevant differences between the Privacy Shield and the former Safe Harbor include, for example:

  • stronger obligations for US companies to protect the transferred personal data (e.g. the data integrity and purpose limitation principle, and the accountability for onward transfer principle), including stronger monitoring by the US Department of Commerce and the FTC of whether companies are fulfilling these obligations,
  • written commitments by the United States to prevent generalised access to personal data, and
  • the creation of an ombudsman office in the United States to handle and resolve complaints raised by affected EU individuals.

The Privacy Shield has attracted many critics, who mainly argue that the programme is not able to protect the transferred personal data from mass surveillance by the United States government, which was one of the reasons the European Court of Justice invalidated Safe Harbor. One of the new additions is in fact an authority (the ombudsman) to handle claims by EU citizens over surveillance or data privacy abuse. But critics of the Privacy Shield consider that these new provisions do not address surveillance in any significant way. Thus, there is a chance that the Privacy Shield programme will suffer the same fate as the Safe Harbor framework.

Further developments

Schrems vs Facebook – take 2

Ireland’s data protection commissioner announced in May 2016 that it will continue to investigate Max Schrems’ complaint as to whether the EU Standard Contractual Clauses remain a valid data transfer mechanism to the United States. The commissioner therefore intends to seek declaratory relief in the Irish High Court and a referral to the European Court of Justice to determine the legal status of data transfers under Standard Contractual Clauses.

“Microsoft Ireland case”

Recently, Microsoft won a legal case in which the United States Court of Appeals ruled that Microsoft cannot be forced by the United States government to hand over emails stored on Microsoft servers outside the United States. Thus, the data stored in Microsoft’s EU data centre in Ireland are safe from a search warrant issued under the Stored Communications Act (SCA).

Conclusion

The EU/US Privacy Shield can be used in the EU as a legal basis for transferring personal data to the United States from August 2016. However, affected companies are advised to monitor developments in the data protection area, since the Privacy Shield might be ruled invalid as well, and even the future of the Standard Contractual Clauses remains unclear.

What does it mean for Switzerland?

Many Swiss organisations rely on transferring personal data to the United States. As the EU/US Privacy Shield improves the level of data protection for transatlantic data transfers, it is desirable that Switzerland and the United States come to an agreement on a successor to the Safe Harbor framework comparable to the Privacy Shield. It is expected that the Swiss authorities will negotiate a similar programme covering data transfers between Switzerland and the United States in the near future.

Contacts:

Susanne Hofmann, Legal Compliance Leader Switzerland, susanne.hofmann@ch.pwc.com, +41 58 792 17 12

Marco Schurtenberger, Specialist Cyber security & IT compliance, marco.schurtenberger@ch.pwc.com, +41 58 792 22 33

Data Protection: EU Data Protection Law Has Changed

In May 2016 the official texts of the General Data Protection Regulation (“GDPR”) were published in the EU Official Journal in all the official languages. The GDPR entered into force on 24 May 2016 and shall apply from 25 May 2018.

The GDPR will replace the currently still applicable EU data protection directive 95/46/EC and imposes a much tougher data protection regulatory framework across the EU on the processing of personal data.

Please see our short flyer on the GDPR essentials, which outlines the most crucial changes and innovations of the new regulation.

Who is affected?

The GDPR affects many different entities because of its defined scope, including entities outside EU territory. In fact, the GDPR applies to

  • all establishments (companies, organisations, etc.) of controllers or processors in the EU, if they are processing personal data, and
  • all controllers or processors based outside the EU who are targeting, offering or selling goods or services to persons in the EU. It also applies to controllers/processors who are monitoring the behaviour of persons within the EU.

Thus, based on the second point above, organisations based in Switzerland will also have to comply with the GDPR provisions.

Conclusion:

We recommend assessing early whether and how you are affected by the upcoming GDPR. If the territorial scope applies to your company, initiate an analysis of your data flows and data types, processing purposes and processing operations, and take a risk-based approach to appropriately close gaps and become compliant with the GDPR.

PwC can support you in the different stages of your “GDPR Compliance Journey”. For example, PwC has developed a Readiness Assessment Tool (“R.A.T.” for short) consisting of approximately 60 key questions with pre-populated answers linked to a maturity matrix. In a R.A.T. session we guide you and the relevant key stakeholders (e.g. Legal, Compliance, IT, Data Protection Officer, etc.) through the questionnaire. Through the interview we obtain an understanding of your current level of readiness to comply with the new GDPR requirements. The result is a risk-weighted report on your GDPR maturity. See also our flyer on R.A.T.

Contacts:

Susanne Hofmann, Legal Compliance Leader Switzerland, susanne.hofmann@ch.pwc.com, +41 58 792 17 12

Marco Schurtenberger, Specialist Cyber security & IT compliance, marco.schurtenberger@ch.pwc.com, +41 58 792 22 33

New European General Data Protection Regulation (GDPR) published

The European General Data Protection Regulation (GDPR) has been published in EU’s Official Journal today.

What does this mean

This means that the GDPR will be fully applicable in all EU member states with effect from May 25, 2018, and compliance with the GDPR is mandatory for

  • all establishments of controllers or processors (companies, organisations, etc.) in the EU, if they are processing personal data, and
  • all controllers or processors based outside the EU who are targeting, offering or selling goods or services to persons in the EU. It also applies to controllers/processors who are monitoring the behaviour of persons within the EU.

Organisations based in Switzerland will also have to comply with the provisions of the GDPR if they are processing the personal data of individuals in the EU. Becoming compliant is important for affected organisations, as the GDPR strengthens data subjects’ rights and those of the data protection authorities, who will have more powers to oversee compliance with the GDPR. Significant fines and sanctions could be imposed in cases of non-compliance. Many organisations will need to start planning their compliance activities now to ensure that they have enough time to become compliant.

How can we help?

Schedule one hour with one of our privacy experts below to undertake our GDPR Readiness Assessment using our interactive survey.

Webinar in June 2016

We would like to invite you to join a webinar on data protection that we are planning for June 2016. In this webinar we will inform you about the latest developments around the GDPR and related matters such as the EU/US Privacy Shield. We will also give an overview of where we see the potentially biggest gaps compared to the current data protection laws.

Contacts

If you have any questions, please do not hesitate to get in contact with us:

Susanne Hofmann 
Head of Legal Compliance

Marco Schurtenberger
Specialist Cyber Security & IT Compliance