Investor Data Rights under Swiss and EU Law (2025)

Executive Summary

This brief outlines the legal rights of investors to access, verify, and correct account-related personal data under the Swiss Federal Act on Data Protection (FADP) and the European Union’s General Data Protection Regulation (GDPR).
It is designed as an educational resource for investors engaging with fintechs, custodial platforms, and digital asset companies operating in or from Switzerland or the EU.

These frameworks exist to give individuals control over their personal data - including trading histories, risk assessments, and support correspondence - especially when that data may affect their financial recovery or claims.

1. The Legal Framework

🇨🇭 Switzerland — FADP (Revised 2023)

• Grants individuals the right to obtain confirmation whether personal data is being processed and to receive a copy of that data.
• Applies to all entities processing personal data in Switzerland, regardless of domicile.
• Enforcement: Federal Data Protection and Information Commissioner (FDPIC).
• Entities must respond “without undue delay,” generally within 30 days.

🇪🇺 European Union — GDPR

• Broader in scope; applies to any controller processing data of EU residents.
• Articles 12–23 define “data subject rights” - including access, rectification, erasure, and restriction of processing.
• Noncompliance may trigger administrative fines up to €20 million or 4% of global turnover.

2. What Counts as “Personal Data”

Under both FADP and GDPR, personal data means any information relating to an identified or identifiable person, including:

• Account identifiers and wallet addresses
• Transaction logs and order histories
• Customer support records
• Correspondence with financial platforms
• Risk assessments or “know your customer” (KYC) files

For investors, this means that every transactional or support record tied to your account falls within your data-access rights - even if the platform claims it is “internal.”

3. How to Request Your Data

Investors can exercise their access rights through a simple written request.

Your request should include:

1. Full name and address
2. Account identifiers (email, customer ID, etc.)
3. A request for “all data processed about me, including internal correspondence and risk or suitability assessments.”
4. Optional: request metadata, timestamps, and internal data lineage if relevant to loss events.

Sample opening line:

“This request is made under Article 25 of the Swiss FADP (2023) and/or Article 15 of the EU GDPR. Please confirm whether you process any personal data about me and provide a copy of such data in a machine-readable format.”

This template ensures your request is legally precise and triggers formal disclosure obligations.

4. Platform Obligations

Once a valid request is received:

• The company must confirm receipt.
• Provide the data within 30 days (FADP) or 1 month (GDPR).
• If refusing, it must explain why and inform you of your right to complain to the FDPIC (Switzerland) or supervisory authority (EU).
• Repeated delays or evasive responses may be treated as noncompliance.

Failure to respond within the time limit can serve as probative evidence of noncompliance in subsequent proceedings or settlement negotiations.

5. Remedies for Noncompliance

If a platform ignores or refuses your lawful request:

🇨🇭 In Switzerland:

• File a complaint with the Federal Data Protection and Information Commissioner (FDPIC)
  👉 https://www.edoeb.admin.ch

🇪🇺 In the EU:

• Contact your national supervisory authority (e.g., CNIL in France, DPA in Ireland).
• The EU maintains a full list here: https://edpb.europa.eu/about-edpb/board/members_en

Civil Remedies:
Courts can compel disclosure and award damages in case of unlawful processing or obstruction.
In egregious cases, regulators may issue fines or enforcement actions.

6. Practical Tips

✅ Keep a record of all correspondence.
✅ Use registered email or certified mail for requests.
✅ Keep screenshots of platform acknowledgments.
✅ Avoid providing sensitive personal information unless required for verification.
✅ For complex cases, involve counsel or a digital rights NGO.

If multiple regulators are involved (for example, FDPIC and DFPI or SEC), it may strengthen your case to show you’ve exercised your lawful data-access rights.

Disclaimer

This document is for educational and informational purposes only and does not constitute legal advice.
For personalized guidance, consult an attorney familiar with Swiss and EU data protection law.