Classification¹
¹ This is a highly simplified presentation, which should enable a quick initial classification of the topic. Each institution should determine the relevance and the concrete need for action individually.
Obtain an overview
It is absolutely essential that the financial service provider obtains an overview of the data processing in its institution at the beginning and considers roles and responsibilities accordingly. Without such a general overview, a rule-compliant implementation of the regulations will inevitably fail. Whether a formal record of processing activities is mandatory or useful must be decided on a case-by-case basis. In the projects we carried out, it has proven useful to draw up a record even in the case of only slightly more complex relationships (e.g. if several types of services are offered). The record can then be used as a basis for further implementation work.
Qualifying relationships with cooperation partners
The qualification of the relationships between the financial service provider and its respective cooperation partners (e.g. banks, IT, research service providers, corporate services, consultants) has proven to be particularly challenging. The new role model introduced with the revised Data Protection Act, with the “controller” and, if applicable, a “processor” processing data on behalf of the controller, is only easy to implement at first glance. Contrary to general usage, not every contractual relationship that involves the transfer of personal data to a third party qualifies as processing on behalf of the controller within the meaning of the Data Protection Act.
In practical implementation, all processing of personal data that is not carried out exclusively by the financial service provider must be checked to determine who is the “controller” and whether there is also a “processor”.
In our projects, we have had good experiences with directly discussing such matters with the cooperation partners in order to understand in detail what personal data is processed, how and to what extent.
At least in cases where there is a processing on behalf of a controller, the contract between the financial service provider and its cooperation partner must be reviewed and, if necessary, adapted. The latter can be challenging in individual cases, especially if there are different views on the necessity of adjustments or their design.
Data security
Financial service providers must take suitable technical and organisational measures to adequately protect personal data. The Ordinance to the Data Protection Act contains an extensive catalogue of such technical and organisational measures. Breaches of data security can have serious consequences (consider, for example, the loss of client or employee data). Apart from that, anyone who violates the minimum data security requirements may be liable to prosecution.
In the practical implementation, we clarified in a first step which data security measures were already in place and documented them. Where IT services were outsourced to third parties, which was at least partially the case at the majority of the institutions we accompanied, we took this step together with these service providers whenever possible. When assessing the appropriateness of the measures, the complexity of the circumstances must again be taken into account. Here, too, IT service providers were usually able to provide valuable input. However, the involvement of specialists is sometimes indispensable.
Implementation of the duty to provide information
For financial service providers who have a good overview of the data processing that takes place, the involvement of third parties and the existing measures for data security, the implementation of the duty to provide information is then possible with reasonable effort. However, since a breach of this duty can lead to a fine, a careful approach is highly recommended.
As a rule, the duty to provide information is formalized in one or more (e.g. separate for customers, employees, visitors to the website, etc.) privacy policies. If a website is available, it makes sense to publish the policy there. In addition, it should be pointed out in contracts and/or in the institution’s general terms and conditions that the privacy policy can be found on the website of the financial service provider. If there is no website, the privacy policy must be brought to the attention of the data subjects in another way. The information that the policy is generally available at the company is not sufficient.
Conclusion
Financial service providers who have not yet come to terms with the provisions of the new data protection law should do so promptly. Waiting is not an option. Although the work required for this is associated with effort, it can be efficiently implemented through good planning, a clear allocation of roles and responsibilities and, if necessary, with the involvement of the necessary specialist expertise.
Do you have any questions about the new Data Protection Act and/or its concrete implementation? Our specialists from the Regulatory & Compliance FS Team will be happy to support you. We look forward to hearing from you.