Speaking to the country's German-language newspaper, Tages Anzeiger, data commissioner Hanspeter Thür said that he had written to several banks to find out what data had already been transferred to the US Department of Justice (DoJ).
"We have informed them that we are opening an analysis to verify the legality of the data transmitted to the US," Thür told the paper, according to an automated translation. "Until we have the results we have demanded that no further bank employee data be sent to the US, unless against an employee in a criminal case."
The Swiss Government authorised some banks to transfer records in April after the US threatened to open criminal proceedings against them, according to news website SwissInfo. That data was supposed to have been encoded to protect the identity of individuals working for the banks, who have said that they are now at risk of criminal prosecution in the US for aiding and abetting tax evasion.
Thür told Tages Anzeiger that the data commissioner's office was not made aware of the arrangement between the Swiss Government and the US authorities, and only became aware of the situation when it received "numerous complaints" from bank employees asking about their legal options. Last month, the commissioner's office wrote to the Swiss Bankers' Association and Private Bankers' Association setting out information-sharing restrictions under the country's data protection laws.
"We anticipated that our concerns had been taken into account," Thür told the newspaper. "But when HSBC announced last week that it had delivered a second batch of employee data to the US, we were prompted to take action."
In Switzerland, the data commissioner acts mainly in an advisory and dispute settlement role. However, it can bring actions against those who break the law in the country's Federal Court.
In 2009, Thür challenged global search giant Google over its Street View mapping service. The country's Supreme Court held in June this year that Google would have to extend its privacy procedures where sensitive personal details and images revealing undisclosed private property were concerned, and that it should establish an efficient procedure to allow concerned individuals to have identifiable personal details manually removed in cases where its automatic blurring technology - used in some cases to obscure faces and car number plates - had failed.
Swiss law prohibits the transfer of personal data to countries that do not meet its "adequacy" standard for privacy protection. A 'Safe Harbor Framework' between the two countries allows organisations in the US to self-certify that they meet this standard.
The US is currently in the process of establishing arrangements with various countries aimed at cracking down on tax evasion by US taxpayers who store assets in offshore accounts. A model agreement between the US and five European states, including the UK, on its Foreign Account Tax Compliance Act (FATCA) was published earlier this month.
FATCA introduces reporting requirements for foreign financial institutions (FFI) holding accounts for US residents, irrespective of national privacy laws. Institutions which do not collect and report this information can be subject to a 30% 'withholding tax' on their own US source income and sales proceeds. The US has said that it intends to base agreements with other international governments under FATCA on this agreement.