In the context of its activities, Banca Credinvest SA (hereinafter the "Bank") processes data relating to natural persons and legal entities ("personal data"). This personal data includes information on clients (current and former), potential clients, business partners and their employees, and any other person interacting with the Bank ("clients/counterparties" or "concerned persons").
The Bank complies with banking secrecy and data protection laws and regulations in order to ensure the protection and confidentiality of personal data. This document provides an overview of how the Bank handles the rights and personal data of clients/counterparties.
On the basis of the products or services provided, the Bank collects in particular the following personal data:
The Bank may also collect such information by consulting public registers, government agencies or other third-party sources, such as asset screening services, credit reference agencies or fraud prevention agencies. Where relevant to the products and services provided to clients/counterparties, the Bank also collects information on joint credit card holders or joint account holders, business partners (including other shareholders or beneficiaries), dependents or family members, representatives and agents.
When clients/counterparties access the Bank's website (www.credinvest.ch), the data transmitted by the browser are recorded (such as date and time of access, name of the file consulted, volume of data transmitted, information accessed, browser type, language, domain and IP address). Additional data will only be recorded via the Bank's website in the event of voluntary consent, e.g. in the course of a registration or enquiry.
The Bank processes the aforementioned personal data in accordance with the provisions of the Data Protection Act (DPA) and, in the case of personal data on clients acquired under the freedom to provide services, in accordance with the EU General Data Protection Regulation (EU GDPR).
Personal data of clients/counterparties are always processed for a specific purpose and only to the extent necessary to achieve that purpose. The main purposes of such data processing are as follows:
Data are processed to provide banking and financial services within the framework of the execution of contracts concluded with clients/counterparties or to carry out pre-contractual activities in anticipation of the conclusion of the aforementioned contracts. The purposes of data processing depend primarily on the specific product (e.g. bank account, credit, securities or deposits) and may include analysis of needs, advice, asset management and assistance, as well as the execution of transactions.
The Bank is subject to various legal obligations (e.g. Swiss laws such as the Banking Act, the Collective Investment Schemes Act, the Anti-Money Laundering Act, the Financial Services Act, the Mortgage Bond Act, FINMA ordinances and circulars, and tax regulations) and banking supervisory regulations (e.g. of the Swiss National Bank or FINMA), which may require the processing of personal data. Other purposes of data processing include, for example, the assessment of creditworthiness, identity and age verification, anti-fraud and anti-money laundering measures, the fulfilment of control and reporting obligations under tax laws as well as the assessment and management of risks of the Bank.
Where necessary, the Bank processes data beyond what is strictly necessary for the effective fulfilment of its contractual obligations in order to pursue the legitimate interests of the Bank or those of a third party, provided that these do not override the interests or fundamental rights and freedoms of clients/counterparties. In addition to the following examples, the Bank also obtains personal data from publicly available sources for the purpose of acquiring new clients:
Where the Bank processes personal data pursuant to Sections 2.1, 2.2 and 2.3, it is not necessary to obtain the concerned person's prior express consent to the processing of the data.
If the concerned person has consented to the processing of personal data for specific purposes (e.g. analysis of trading activity for marketing purposes), the lawfulness of such processing is based on consent. The consent given may be revoked at any time.
Within the Bank, access to data is granted to the business units that need it to fulfil contractual, legal and supervisory obligations. Service providers and representative agents (typically providers of banking, IT, logistics, printing, telecommunications, debt collection, consultancy, sales and marketing services) that may be commissioned by the Bank may also receive data for these purposes, provided that they comply with banking secrecy and the Bank's written instructions in accordance with the applicable regulations. As far as the transfer of data to recipients outside the Bank is concerned, it should first of all be pointed out that the Bank's employees are obliged to observe secrecy with regard to any facts and evaluations concerning clients/counterparties of which they may become aware.
Under certain conditions, the Bank is authorized to disclose information to third parties, e.g. to
Appropriate technical and organizational measures have been taken to prevent any unauthorized or unlawful access to personal data of clients/counterparties.
Data may only be transferred to countries outside Switzerland if this is necessary for the execution of client/counterparty orders (e.g. payment and securities orders), if it is required by law (e.g. reporting obligations under tax law) or with the consent of clients/counterparties. If the Bank uses service providers in a third country, these are obliged to comply with the data protection levels applicable in Switzerland.
The Bank only retains personal data for as long as is necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal regulatory requirements. To this end, specific criteria are applied to determine the appropriate periods for retaining personal data based on the purpose, such as proper accounting management, facilitating client/counterparty relations, defending against legal action or responding to requests from the regulator. In general, the Bank retains personal data for the duration of the relationship or contract plus an additional ten years, which reflects the period of time allowed for filing legal actions following the termination of that relationship or contract. Pending or threatened legal or regulatory proceedings may result in retention beyond that period.
Every concerned person has the right to be informed about his or her data, the right to have them rectified or erased and to restrict and/or object to their processing, as well as to obtain a transfer of such data to the extent applicable. There is also, to the extent applicable, the right to lodge a complaint with a competent data protection supervisory authority.
The consent to the processing of personal data may be revoked at any time. This revocation will only be applicable for the future; any processing carried out before the revocation will not be affected.
The concerned person's rights of access, revocation or objection are not absolute as they are not applicable in certain circumstances or may be subject to exceptions (e.g. for the fulfilment of legal obligations). The Bank will comply with requests received in accordance with the applicable data protection rules. In addition, when a concerned person exercises his or her rights, the Bank may first ask him or her to provide proof of identity. The Bank may also ask for additional information in the event that a request is unclear. If the Bank is unable to comply with the request, it will provide an explanation.
To exercise his or her rights, the concerned person is requested to use the contact details provided in Section 11.
In certain cases, the Bank processes personal data for direct marketing purposes. The concerned person has the right to object at any time to the processing of personal data for such purposes, including profiling insofar as it is related to such direct marketing. In the event of an objection to processing for direct marketing purposes, the personal data shall no longer be processed for these purposes.
To lodge an objection, the concerned person is requested to use the contact details provided in Section 11.
Within the scope of the business relationship, the concerned person is required to provide the personal data necessary to initiate and conduct a business relationship and to fulfil the related contractual obligations, or the data required by law. Without such data, the Bank is in principle unable to enter into or perform a contract with its clients. Specifically, the provisions of the Anti-Money Laundering Act require the Bank to verify identity before entering into a business relationship. To enable the Bank to comply with this legal obligation, the concerned person is required to provide the necessary information and documents and to notify the Bank without delay of any changes that may occur in the course of the business relationship. In the absence of the necessary information and documents, the Bank is not permitted to enter into or continue a business relationship.
As a rule, the Bank does not make decisions solely on the basis of automated procedures to establish and implement the business relationship. If the Bank uses such procedures in individual cases, it will inform the client separately to the extent required by law. A right of objection will be granted in certain circumstances.
In some cases, the Bank automatically processes client/counterparty data for the purpose of assessing certain personal aspects (profiling). Here are some examples:
The Bank takes appropriate technical measures (e.g. encryption, pseudonymisation, logging, access control or data backup) and organizational measures (e.g. instructions for our employees, confidentiality agreements or reviews) to ensure the security of the information collected and processed and to protect it against unauthorized access, misuse, loss, falsification or destruction. Access to personal data is only granted to clients/counterparties in cases of actual need.
However, it is generally impossible to completely rule out security risks: some residual risks are most often unavoidable. In particular, since perfect data security cannot be guaranteed for communication by e-mail, instant messaging or similar means of communication, the Bank recommends sending confidential information by particularly secure means.
The unit responsible for data processing is the Bank's data protection officer (DPO), who can be contacted at the following addresses:
Banca Credinvest SA
Via G. Cattori 14
Phone: +41 58 225 70 28