The following information about data protection explains:
- how your personal data are processed;
- the rights given to you by data confidentiality and privacy laws.
Who is responsible for processing your data?
Bordier & Cie bank is responsible for processing your personal data.
How are your data protected?
Which sources and which data do we use?
We process personal data that we obtain from our clients in the context of our business relationships. To the extent that this is necessary to deliver our services, we also process personal data that we obtain from sources accessible to the public (e.g. debt registers, registers of commerce and of associations, press, Internet) or which have been legitimately notified to us by other Bordier group companies or other third parties (such as a credit agency). This includes Bordier group companies in Switzerland and abroad.
The data concerned are personal information (e.g. name, address and other particulars, date and place of birth, nationality), identification data (e.g. particulars shown on an identity card) and authentication data (e.g. specimen signature). These may also be data taken from orders received (e.g. payment order), data obtained in the performance of our contractual obligations (e.g. selling data referring to payment transfers), information about your financial situation (e.g. solvency, scoring/rating data, origin of assets), marketing and sales data (including scores established for advertising campaigns), data included in documents (e.g. consultation record), and other similar data.
Why do we process your data and what is the legal basis for doing so?
We process personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FAPD):
a) For the fulfilment of contractual obligations (GDPR Art. 6, para. 1b)
We process data to provide banking and financial services in the context of the performance of contracts signed with our clients or to take pre-contractual measures in connection with an application. The data are primarily processed in a manner consistent with the product concerned (e.g. bank account, credit, securities, deposits), in particular to assess needs, provide advice, asset management and assistance, and to execute transactions.
You will find further information about the purpose of data processing in the contract documents and in the General Terms and Conditions for the products concerned.
b) For the purposes of legitimate interests (GDPR Art. 6, para. 1f)
If necessary, we process your data beyond performance of the contract for the purposes of our own legitimate interests or those of a third party. Examples:
- verification and optimisation of procedures to assess needs with a view to direct discussions with you;
- exercise of legal claims and defence in litigation;
- safeguarding of IT security and the bank’s IT operations;
- prevention and clarification of offences and risk checks;
- video surveillance to protect the owner of property rights in premises against intruders, to gather evidence of a hold-up or fraud, or proof of availability and payments, e.g. at the Bank’s counters;
- measures to protect buildings and sites (e.g. access controls);
- measures for the management of business and development of products and services.
We also procure personal data from sources accessible to the public in order to approach prospective clients.
c) On the basis of consent given by you (GDPR Art. 6, para. 1a)
As long as you agree to the processing of your personal data by us for certain purposes, that processing is lawful because it is based on your consent. Consent may be withdrawn at any time. This rule likewise applies to declarations of consent that you gave us before the GDPR entered into force, i.e. before 25 May 2018. Withdrawal of consent does not affect the legality of the processing of data which took place before such withdrawal.
d) To comply with a legal obligation (GDPR Art. 6, para. 1c) or in the public interest (GDPR Art. 6, para. 1e)
Are your data transferred to third parties?
Inside the bank, all departments that need your data to comply with our contractual and legal obligations have access to them. Service providers and performance agents designated by us may likewise have access to such data for the reasons cited if they respect banking secrecy. These are companies in banking services, IT services, logistics, printing services, telecommunications, debt recovery, consultancy, sales and marketing.
As to the forwarding of data to recipients outside our bank, please note in the first place that we, as a bank, are required to deal in confidence with all matters and assessments linked to our clients of which we are aware (banking secrecy in compliance with our general terms and conditions). We may have to communicate data concerning you, but only if statutory provisions so require, if you have given your consent (e.g. for the processing of a financial transaction for which you have given an order), or if we have been authorised to undertake a bank investigation. Pursuant to those requirements, the recipients of data of a personal nature may include:
- public law entities and institutions (e.g. Swiss National Bank, FINMA, financial authorities, criminal authorities) on the basis of a legal or official obligation;
- other credit institutions and financial services institutions or comparable institutions to which we forward your personal data to enable us to put in place a business relationship with you (e.g. depending on the particular contract that has been signed: bank correspondents, custodian banks, brokers, stock exchanges, information agencies);
- other Bordier group companies to check risks on the basis of a legal or official obligation.
If you have given your consent or if you have released us from banking secrecy, your data may be disclosed to other recipients.
Are your data transferred to a third country or international organisation?
a) Your data may be forwarded to countries outside Switzerland and the EU (known as ‘third countries’) if:
- that is necessary for the purpose of execution of your orders (e.g. for payment on transferable securities);
- this is required by law (e.g. compulsory declarations under tax law), or
- you have given your consent to us.
b) Please contact us if you wish to consult a copy of the measures taken to export your data (GDPR Article 13, para. 1f).
For how long are your data stored?
We process and store your personal data for as long as necessary to comply with our legal and contractual obligations. Please note that our business relationship is an ongoing obligation, established on the basis of periods lasting for several years.
If your data are no longer required to fulfil our contractual or statutory obligations, they shall be deleted, unless their use is necessary for a limited period for the following purposes:
- compliance with the duty of archiving as stipulated in tax and commercial legislation: this includes in particular the Swiss Code of Obligations, the Federal Value Added Tax Act, the Federal Act on Direct Federal Tax, the Federal Act on Harmonisation of Direct Cantonal and Communal Taxes, the Federal Stamp Duties Act and the Federal Withholding Tax Act;
- We, as a bank, may be subject to a prohibition of destruction, by virtue of which we are required to retain supporting documents for an indefinite period.
What are your rights as regards data protection?
Every interested party has a right of access pursuant to FAPD Article 8 (GDPR Article 15), a right of rectification pursuant to FAPD Article 5 (GDPR Article 16), a right of erasure pursuant to FAPD Article 5 (GDPR Article 17), a right to restriction of processing pursuant to FAPD Articles 12, 13 & 15 (GDPR Article 18), a right to object pursuant to FAPD Article 4 (GDPR Article 21) and, as the case may be, a right to data portability pursuant to GDPR Article 20. In certain cases, you also have the right to lodge a complaint with the appropriate authority responsible for the protection of personal data (GDPR Article 77).
You may at any time withdraw consent given to us for processing of your personal data. You may also do so for declarations of consent that you gave us before the GDPR entered into force, i.e. before 25 May 2018.
Please note that withdrawal of consent applies only to the future. It does not concern data that have already been processed.
Are you obliged to give us your data?
In the context of our business relationship, you must provide all the personal data required to enable us to accept and establish a business relationship and fulfil the accompanying contractual obligations, together with the data that the law requires us to collect. Without such data, we are not in principle able to sign or perform a contract with you.
Pursuant to the regulatory provisions concerning the prevention of money laundering in particular, we must identify you on the basis of your identity documents before opening a business relationship with you. For this purpose, you must let us have your name, date and place of birth, nationality, address and particulars enabling you to be identified. To enable us to fulfil these legal requirements, you must provide us with all information and documents required on the basis of the Anti-Money Laundering Act and immediately let us know any change that may occur in the course of our business relationship. If you fail to send us the necessary information and documents, we cannot establish or continue the business relationship desired by you.
To what extent is automated processing used for decision-making?
When we establish and implement a business relationship, we do not generally use automated processing for decision-making, pursuant to GDPR Article 22. If we do have to apply this procedure in individual cases, we will inform you separately to the extent that we are required to do so by law.
Are your data used for profiling?
We process some of your data automatically in order to assess personal aspects (profiling). We use profiling for instance in the following cases:
- By virtue of the provisions of laws and regulations, we are required to prevent money laundering, the financing of terrorism and offences which present a risk to assets. Data evaluations (including for payment transactions) are likewise made with that end in view. In parallel, these measures are also designed to protect you.
- We use evaluation tools to be able to give you information and advise you specifically on financial products. They enable communication and marketing to be adapted in the light of your needs.
What is the right to object to data processing for direct marketing purposes?
In some cases, we use your personal data for direct marketing purposes. You are entitled to object to processing of this type at any time. The same applies to profiling insofar as this is directly linked to direct marketing.
If you object to your personal data being used for direct marketing, we will no longer process them for that purpose.
What is the individual right to object?
You are entitled at any time to object to processing of your personal data within the meaning of GDPR Article 6, para. 1e (data processing in the public interest) and GDPR Article 6, para. 1f (data processing for the purposes of legitimate interests) for reasons linked to your particular situation. This likewise applies to profiling within the meaning of the provision of GDPR Article 4, para. 4.
If you file an objection, we will no longer process your personal data unless we are able to show that there are legitimate and overriding reasons in favour of processing which take precedence over your own interests, rights and freedoms, or to establish, exercise or defend your rights in the courts of law. Please note that, in that case, we shall no longer be able to provide services for you nor continue a business relationship.
Who may you contact if you have further questions?
For all questions concerning the protection of your data, you may contact our data protection officer by letter at the following postal address:
Bordier & Cie
Data Protection Officer
Rue de Genève 16
1204 Geneva 2
Or by email at the following address: firstname.lastname@example.org