Regulation | 2026-03-15

nFADP Art. 31 and periodic verification: the legal basis explained

Switzerland's revised Federal Act on Data Protection (nFADP), in force since 1 September 2023, set up a framework that directly governs how financial institutions may periodically verify existing staff. The relevant provision is Art. 31 — not the more commonly cited Art. 19.

Art. 19 vs. Art. 31 — the distinction that matters

nFADP Art. 19 governs the transparency duty: before processing personal data, the controller must inform the data subject of the purpose, the legal basis, data categories, recipients and retention. That applies to both initial screening and periodic verification.

nFADP Art. 31 governs the legal basis for processing when no explicit statutory mandate exists. For the periodic verification of staff already in post, the applicable basis is usually overriding interest — the institution's regulatory obligation under FINMASA Art. 3 to maintain documented fit-and-proper status for key-function holders.

What overriding interest requires

Processing on an overriding-interest basis is not a free pass. Under nFADP Art. 31 the institution must:

  • Identify the legitimate interest — here, the FINMA-imposed obligation to maintain ongoing fit-and-proper status for covered roles.
  • Show the processing is necessary to achieve that interest — periodic verification from public sources is the minimum-necessary means.
  • Ensure the processing does not override the individual's interests or fundamental rights — addressed by the notice-and-consent layer.

The Art. 19 notice is what turns a bare overriding-interest claim into a defensible legal basis. Without it, the processing may be technically lawful but not auditable.

The consent-ledger requirement

A notice delivered verbally or buried in an employment contract does not meet the documentation standard expected at FINMA examination. The institution needs a timestamped, exportable log showing:

  • Which covered employee received which version of the notice
  • When it was delivered
  • Whether the person acknowledged receipt
  • Whether consent was given, refused or later withdrawn

That is what Premtrace's auditable consent ledger provides — a tamper-evident record of every consent event in the programme.

Practical implications for compliance teams

  • Legal-basis documentation — your records of processing should explicitly cite nFADP Art. 31 (overriding interest) as the basis for periodic verification, with the FINMASA Art. 3 obligation as the identified interest.
  • Transparency notices — maintain a version-controlled library of Art. 19 notices. Update them whenever scope or methodology changes.
  • Data minimisation — public sources only. Queries built from full name, professional role and employer. No sensitive categories sought.
  • Retention — configure retention in your DPA. Five years is the default ceiling; most firms settle on three.

Why this matters at examination

A FINMA examination of a fit-and-proper programme will ask to see the consent records, the methodology, the findings and the sign-off. Institutions that cannot produce these in a structured, auditable form are exposed — regardless of whether the underlying verification was actually performed.

Talk to us about how the Premtrace consent ledger and attestation binder meet those documentation requirements.
