The protection of your personal data is important to Banca Zarattini & Co SA (hereinafter Banca Zarattini) which has adopted strong policies in respect thereof.
As you may know, the entry into force on May 25, 2018, of the General Data Protection Regulation (EU 2016/679 “GDPR”) imposes higher standards of personal data protection which have an extra-territorial effect. The Swiss Data Protection Act is being revised and will contain similar provisions. In this regard, Banca Zarattini (“we” or “us”) is adapting its policies concerning the handling and use of your personal data.
We therefore request that you read this Data Protection Notice, which provides you with detailed information relating to the protection of your personal data, and that you bring this Notice to the attention of any individual whose information you provide to us.
It is important to note that as a client of Banca Zarattini, your information is protected by Banking Secrecy statutes which prohibit the disclosure of your information to third parties, unless otherwise authorized by you. For the avoidance of doubt, the present Notice does not constitute a waiver of Banking Secrecy. Its purpose is to inform you of the way your information is handled and collected within the contractual framework agreed with the Bank. In addition, this Notice is to inform you about the data collected by us, the reasons we collect and (may) share it and how long we keep it.
In connection thereto, we draw your attention to your rights and how they may be exercised.
1. Which personal data do we use about you?
We collect and use your personal data as required in the scope of our commercial relations, the services we provide and to comply with applicable laws and regulations.
We may collect various types of personal data about you, including:
• personally identifiable information (e.g. name, ID card and passport numbers, nationality, place and date of birth, photograph);
• contact information (e.g. postal address and e-mail address, phone number);
• family situation (e.g. marital status, number of children);
• tax status (e.g. tax ID, tax status);
• education and employment information (e.g. level of education, employment, employer’s name, remuneration);
• banking, financial and transactional data (e.g. bank account details, financial statements, credit card number, money transfers, assets, declared investor profile, credit history, debts and expenses);
We never ask for, collect or store personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, data concerning your sexual orientation or data relating to criminal convictions and offences unless required by law.
2. Specific cases of personal data collection, including indirect collection
We may also collect information about you where you do not have a direct relationship with us. This may happen, for instance, when your employer provides us with information about you or your contact details are provided by one of our clients if you are, for example:
• Family members;
• Co-borrowers / guarantors;
• Legal representatives (power of attorney);
• Beneficiaries of payment transactions made by our clients;
• Beneficiaries of insurance policies and trusts;
• Landlords;
• Ultimate beneficial owners;
• A debtor of a Client (e.g. in case of bankruptcy);
• Company shareholders;
• Representatives of a legal entity (which may be a client or a vendor);
• Staff of a service provider or a commercial partner.
3. Why and on what basis do we use your personal data?
To comply with our legal and regulatory obligations
We use your personal data to comply with various legal and regulatory obligations, including:
• banking and financial regulations in compliance with which we:
– implement security measures in order to prevent abuse and fraud;
– detect transactions which deviate from normal patterns;
– define your credit risk score and your reimbursement capacity;
– monitor and report risks that institutions could incur;
– reply to an official request from a duly authorised public or judicial authority;
– record, when necessary, phone calls, chats, email, etc;
(We will only record or monitor communications to the extent permitted, and subject to any conditions applied, by applicable law).
• prevention of money-laundering and financing of terrorism;
• compliance with legislation relating to sanctions and embargoes;
• fight against tax fraud and fulfilment of tax control and notification obligations.
To perform a contract with you or to take steps at your request before entering into a Contract
We use your personal data to enter into and perform our contracts, including to:
• provide you with information regarding our products and services;
• assist you and answer your queries;
• evaluate if we can offer you a product or service and under which conditions;
To serve our legitimate interests
We use your personal data in order to deploy and develop our products or services, to improve our risk management processes and to defend our legal rights, including:
• proof of transactions;
• fraud prevention;
• IT management, including infrastructure management (e.g. shared platforms) & business continuity and IT security;
• establishing individual statistical models, based on the analysis of transactions, for instance in order to help define your credit risk score;
• personalising our offering to you or the entity you represent;
• improving the quality of our banking services;
To respect your choice if we request your consent for specific processing
In some cases we require your consent to process your data, for example:
• where the processing in section 3 above leads to automated decision-making, which produces legal effects or which significantly affects you. At that point, we will inform you separately about the logic involved, as well as the significance and the envisaged consequences of such processing;
• if we need to carry out further processing for purposes other than those above in section 3, we will inform you and, where necessary, obtain your consent.
4. Who do we share your personal data with?
In order to fulfil the aforementioned purposes, but subject to applicable law relating to information sharing, we only disclose your personal data to:
• Service providers which perform services on our behalf;
• Independent agents, intermediaries or brokers, banking and specialised partners, with which we have a regular relationship;
• Financial, taxation, regulatory or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;
• Certain regulated professionals such as lawyers, notaries or auditors;
• In particular, in relation to our Corporate & Institutional Banking business, we may disclose, if necessary, your personal data:
– to any counterparty, custodian, depositary, broker or nominee appointed or instructed by us on your behalf, or on behalf of the entity you represent, or through whom we may deal or transact in relation to your account or for purposes otherwise ancillary to the provision of services provided by Banca Zarattini to you or the administration of your account;
– to any licensed credit agency in order to perform a credit assessment for any credit or mortgage-based products requested by or applied for by you and to tracing agents to recover debt;
– to any rating agency, insurer or other provider of credit protection to Banca Zarattini;
– to fraud prevention agencies (‘FPAs’) in order to check the identity of the client or individuals or to investigate or prevent money laundering, fraud or other illegal activity;
– if the disclosure relates to the actual or potential transfer or novation of one or more transactions pursuant to any applicable Terms of Business (or risks relating to such transactions) by us.
5. Transfers of personal data outside Switzerland or the EEA
In certain circumstances, we may transfer your data to another country. In case of international transfers to a country for which the competent Authority has recognised that it provides an adequate level of data protection, your personal data may be transferred on this basis.
For transfers to a country where the level of personal data protection has not been recognised as “adequate” by the competent Authority, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement standard contractual clauses approved by the competent Authority to ensure the protection of your personal data.
To obtain a copy of these safeguards or details on where they are available, you can send a written request to us as set out in section 10.
There may be other notices or policies detailing how we process your personal data applicable in certain territories outside of the EEA. In the event that the provisions of such notices or policies conflict with those within this Data Protection Notice, the former notices or policies shall take precedence.
6. How long do we keep your personal data for?
We will retain your personal data for the longer of: (i) the period required by applicable law; or (ii) such other period necessary for us to meet our operational obligations, such as: proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests.
In general, Banca Zarattini will retain personal data for the period of your relationship or contract with Banca Zarattini plus 10 years, reflecting the length of time for which legal claims may be made following termination of such relationship or contract. An ongoing or anticipated legal or regulatory proceeding may lead to retention beyond this period.
Due to requirements laid down by the Swiss Financial Market Supervisory Authority (“FINMA”), Banca Zarattini is also obliged to record external and internal telephone calls of all employees engaged in securities trading. Banca Zarattini must furthermore store all electronic correspondence (e-mails, communication via Bloomberg or Reuters, etc.) and evidence of the calls made on business telephones by these employees for a period of two years. The bank must also make this information available to FINMA on demand. This applies also to employees identified by a risk-based assessment as being highly exposed to information that has relevance to market supervision.
Banca Zarattini also stores all incoming and outgoing business and private communication data (in particular e-mails) in a separate, protected electronic archive located in Switzerland for a period of 10 years.
7. What are your rights and how can you exercise them?
Depending on the data protection laws which apply to your situation, you have the following rights:
• To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
• To rectify: where you consider that your personal data is inaccurate or incomplete, you can require that such personal data be modified accordingly.
• To erase: you can require the deletion of your personal data, to the extent permitted by law.
• To restrict: you can request the restriction of the processing of your personal data.
• To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
• To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
• To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.
If you require further information, or if you wish to exercise the rights listed above, please send a letter or e-mail to the address set out in section 10 below.
In accordance with applicable regulation, in addition to your rights above you are also entitled to lodge a complaint with the competent supervisory authority.
8. Security Note
We have in place appropriate technical and organisational measures to prevent unauthorised or unlawful access to the personal data you have provided to us. As complete data security cannot be guaranteed for communications via e-mails and similar means of communication, we would recommend sending any particularly confidential information by an alternative secure means.
9. How can you keep up with changes to this data protection notice?
This privacy notice was updated in May 2018. It is a notice explaining what Banca Zarattini does, rather than a document that binds Banca Zarattini or any other party contractually. We reserve the right to amend it from time to time. If the notice has been updated, we will take steps to inform you of the update by appropriate means, depending on how we normally communicate with you, such as through your account statement.
10. How to contact us?
If you have any questions relating to our use of your personal data under this Data Protection Notice, please contact our Data Protection Officer at the following address:
dataprotection@zarattinibank.ch
Please include a scan/copy of your identity card for identification purposes.