Digital data protection implementation for Avaloq banks
As experts for the compliance division of banks, we are well aware of the General Data Protection Regulation (GDPR). It has been in force since May 25, 2018, and lays down uniform rules for the protection of personal data in the EU member states. Our compliance experts will be pleased to answer your questions about the extent to which the EU regulations apply to Swiss banks and how the requirements can be implemented in as digitised a form as possible.
Your contact:
Birol Izel
Head of Delivery Switzerland and Liechtenstein
Does the GDPR also affect Switzerland?
All companies that store and process personal data of EU customers are affected - including companies based outside the EU. The implementation of the GDPR is mandatory for Swiss banks with personal data of EU citizens.
The implementation of the EU regulation also offers Swiss banks the opportunity to strengthen their data protection standards today and to prepare for future legal developments.
How can the "right to erasure" be reconciled with the legal retention periods?
The right to erasure of personal data (Art. 17 GDPR) raises a number of questions regarding implementation. In particular, there are complex dependencies on contractual and statutory retention periods from other areas of law. This gives rise to many difficult questions of interpretation and ranking, which must be taken into account when considering the type of "erasure".
Legally compliant implementation in the Avaloq PDW Framework
In order to address this area of conflict, Avaloq provides the Personal Data Wiping (PDW) Framework. It allows for one- or two-stage erasure processes.
- One-stage: The personal data (objects) are directly and irrevocably deleted.
- Two-stage: The recognised objects are hidden for a predefined period and are only irreversibly deleted after the period has expired.
Which GDPR solutions does Confinale offer?
We support banks in the digital implementation of the GDPR requirements, "Right of erasure ", the "Right of access" and the "Right of rectification".
Right of erasure
We use the Personal Data Wiping (PDW) Framework provided by Avaloq for the automated erasure of personal data and adapt it to your needs.
Right to information & rectification
We can also parameterise other aspects of the GDPR requirements, such as the right of access and the right of rectification, for your bank in Avaloq.
The implementation of the GDPR requirement requires the analysis of all systems and processes that process personal data:
- Output & archive systems
- Management information systems (MIS)
- Regulatory reporting to authorities
- E-mail & photo files
- CRM tools
- Systems of outsourcing service providers
- E-Banking
With our approach, we ensure the implementation on the Avaloq side and define the specifications for the Avaloq-dependent external systems together with you. In doing so, we are happy to become part of your existing GDPR organisation.
Implemented in 5 steps
- Analysis of data storage: We analyse the storage of customer-specific data in Avaloq and its various dependencies.
- Specification: Based on use cases, we work together with your business and IT departments to develop the implementation specifications for Avaloq and the surrounding systems. This includes defining the relevant meta types and dependencies that are relevant for deletion.
- Processes: Based on your organisation and the involved stakeholders (data user, data owner, data supervisor) we design and establish the necessary processes.
- Implementation: Based on the analysis results and the specification, we implement the PDW framework and put it into operation. This includes: Documentation for business users, testing support & training.
- Complementary functions: For all other GDPR requirements not covered by the PDW framework, we parameterise solutions in Avaloq.