Information on data protection according to the EU General Data Protection Regulation (EU-GDPR) for natural persons

This information is valid for current and potential customers of Banca Credinvest SA (hereinafter the "Bank").

The Bank complies with the laws and regulations on banking secrecy and data protection in order to guarantee the protection and secrecy of personal data. This document provides an overview of how we process your personal data and your rights.

1. Responsible for data processing

The responsible unit is the data protection officer (DPO) of the Bank, who can be contacted at the following addresses:

Banca Credinvest SA
Via G. Cattori 14
6900 Lugano
Phone: +41 58 225 70 28
dpo@credinvest.ch

2. Type of data processed

On the basis of the product or service provided, the Bank collects and processes the personal data of customers, in particular:

  • personal information such as name and surname, date of birth, KYC documents (including copy of national identity card or passport), telephone number, postal address and e-mail, as well as data on family members such as the name of the spouse / partner and / or children;
  • financial information, such as records of payments and transactions, information relating to the client's properties (securities and real estate), financial statements, liabilities, taxes, income, earnings and investments;
  • tax domicile and other tax documents and information such as the tax code;
  • professional information about the client, such as position and work experience;
  • knowledge and experience in the field of investments;
  • details on contacts with the customer and the products and services requested as well as details on any mandates conferred;
  • recordings of telephone conversations between the customer and the Bank;
  • identification number assigned to customers, such as customer or account number;
  • when a customer accesses the Bank's website (www.bancacredinvest.ch), the data transmitted by his browser are automatically recorded by our server (including date and time of access, name of the file consulted, as well as the volume of data transmitted and access performance, customer browser, language and domain, IP address). Additional data will be recorded through the Bank's website only in the event of voluntary consent, for example in the course of a registration or request;
  • in some cases (where permitted by law), particular categories of personal data, such as biometric data, political opinions and affiliation, medical and health information, racial or ethnic origin, religious or philosophical beliefs and, to the extent permitted by law, data related to any criminal convictions or offenses.
  • In some cases, the Bank may also collect the aforementioned information by consulting public registers, public administrations or other third-party sources, such as asset screening services, credit reference agencies, fraud prevention agencies. Where relevant to the products and services provided to customers, the Bank also collects information on any co-holders of cards or current accounts, partners (including other shareholders or beneficiaries), dependents or family members, representatives and agents.

3. Purpose of data processing and legal bases

The Bank processes the personal data mentioned above in compliance with the provisions of the EU General Data Protection Regulation (EU-GDPR) for customers acquired under the freedom to provide services and the Swiss Federal Data Protection Act (DPA) for all remaining customers:

3.1. For the fulfillment of contractual obligations (Article 13 (2) (a) DPA; Article 6 (1) (b) of the GDPR)

The data is processed to provide banking and financial services as part of the execution of contracts with customers or to carry out pre-contractual activities in anticipation of the conclusion of the aforementioned contracts. The purposes of data processing depend mainly on the specific product (for example, bank account, credit, securities, deposits) and may include needs analysis, advice, asset management and assistance as well as the execution of transactions.

3.2. For the fulfillment of legal obligations (Article 13 (1) DPA; Article 6 (1) (c) GDPR) or in the public interest (Article 6 (1) (e) GDPR)

The Bank is subject to various legal obligations (e.g. Swiss laws such as the Banking Act, the Collective Investments Act, the Money Laundering Act, the Mortgage Obligations Act, FINMA ordinances and circulars, tax laws) and banking supervision (e.g. Swiss National Bank, FINMA). Other purposes of data processing include creditworthiness assessment, identity and age verification, anti-fraud and anti-money laundering measures, fulfillment of control and notification obligations under tax laws as well as assessment and risk management in the Bank and in the Group headed by the Bank.

3.3. For the pursuit of legitimate interests (art. 13 (1) DPA; art. 6 (1) (f) of the GDPR)

Where necessary, we process data beyond the limit strictly necessary for the effective fulfilment of our contractual obligations in order to pursue our legitimate interests or those of a third party, provided that these do not override the interests or fundamental rights and freedoms of customers. In addition to the following examples, we also obtain personal data from publicly available sources for customer acquisition purposes:

  • consultancy and data exchange with information offices (e.g. debtors register) to ascertain creditworthiness and credit risks in the credit granting activity and the existence of the requirements for holding an account with a balance of irrelevant basis and basic accounts;
  • make legitimate claims and develop a line of defense in the event of a dispute;
  • guaranteeing IT security and the functioning of the Bank's IT systems;
  • prevent and ascertain crimes;
  • video surveillance, in order to prevent unauthorized access, collect evidence in the event of theft or fraud or ascertain availability and deposits;
  • measures for the security of buildings and places (e.g. access control);
  • measures to manage activities and further develop services and products;
  • Group risk management.

Where the Bank processes personal data pursuant to points 3.1, 3.2 and 3.3, it is not necessary to obtain the explicit consent of the data subject in advance.

3.4. Based on consent (art. 13 (1) DPA, art. 6 (1) (a) GDPR)

If the data subject has consented to the processing of personal data for specific purposes (e.g. data transfer within the Group, analysis of trading activity for marketing purposes, etc.), the lawfulness of such processing is based on consent. The consent granted can be revoked at any time. This also applies to the revocation of declarations of consent granted to the Bank before the entry into force of the GDPR, or before 25 May 2018. It should be noted that the revocation does not only have effect for the future. Processing that took place before the revocation is not affected by it.

4. Access and protection of personal data

Within the Bank, access to data is guaranteed to the operating units that need it in order to be able to fulfill the Bank's contractual, legal and supervisory obligations. Also service providers and agents representing , logistics, printing, telecommunications, collection, consultancy, sales and marketing) possibly appointed by the Bank may receive data for these purposes, as long as they comply with banking secrecy and the Bank's written instructions pursuant to the DPA and the GDPR.
With regard to the transfer of data to recipients outside the Bank, it must first be specified that the Bank's collaborators are obliged to observe the secrecy of any facts and assessments relating to the customer of which they may be aware (banking secrecy pursuant to of the General Terms and Conditions; Art.47 Federal Banking Act).

Under certain conditions, the Bank is authorized to disclose information to third parties, for example

  • public authorities and institutions (e.g. Swiss National Bank, FINMA, financial authorities, prosecution authorities), provided that legal obligations exist;
  • other companies within the Bank, for risk control by virtue of legal obligations;
  • other credit and financial service providers, similar institutions and processors, to whom we pass personal data in order to conduct our business relationship (in particular for: processing bank references, support / maintenance of data processing applications / IT, archiving, document processing, call-center services, compliance services, controlling, data screening for anti-money laundering, data destruction, purchase, management of physical spaces, real estate appraisals, loan processing service, management of guarantees, collection, payment card processing (debit / credit cards), customer management, marketing, media technology, reporting, research, risk control, expense accounting, telephony, video identification, website management, services investment, shareholder register, fund management, auditing services, payment transactions).

Adequate technical and organizational measures have been adopted in order to prevent any unauthorized or illegal access to personal data provided by customers.

5. Transfer to a third country

Data may only be transferred to countries outside Switzerland if this is necessary for the execution of client orders (e.g. payment and securities orders), if it is required by law (e.g. reporting obligations under the tax law), or if the customer has given his consent. If you use service providers in a third country, they are obliged to comply with the data protection levels in force in Switzerland and Europe, as well as with written instructions by accepting the EU standard contractual clauses.

6. Duration of storage

The Bank retains personal data only for the time necessary to achieve the purpose for which they were collected or to comply with the requirements of the law, regulations or internal regulations. To this end, specific criteria are applied to determine the appropriate periods to retain personal data based on the purpose, such as proper accounting management, facilitating the relationship with the customer, defending oneself in the event of legal actions or responding to requests from the regulator. In general, the Bank retains personal data for the duration of the relationship or contract plus a further ten years, which reflects the period of time allowed for the presentation of legal actions following the termination of such relationship or contract. Pending or threatened legal or regulatory proceedings may lead to retention beyond that period.

7. Data protection rights

7.1. In general

Each interested party has the right to access (Article 8 DPA; Article 15 GDPR), rectify (Article 5 DPA; Article 16 GDPR), delete data (Article 5 DPA; Article 17 GDPR), limit the processing of data (Articles 12, 13, 15 DPA; Article 18 GDPR), oppose the processing of data (Article 4 DPA; Article 21 GDPR) and possibly has the right to data portability, which allows interested parties to receive from the data controller "the personal data concerning him provided to a data controller" so that he can transmit them to another data controller (for example, another company) (Article 20 of the GDPR). Furthermore, where applicable, the data subject has the right to lodge a complaint with the supervisory authority responsible for privacy (Article 77 of the GDPR).

7.2. Right to object to the processing of data for marketing purposes

In some cases, we process personal data for direct marketing purposes. The data subject has the right to object at any time to the processing of personal data carried out for these purposes, including profiling to the extent that it is connected to such direct marketing. In case of opposition to the processing for direct marketing purposes, the personal data are no longer processed for these purposes. There are no formal requirements for filing an opposition.

8. Obligation to provide data

As part of the business relationship, the data subject is required to provide the personal data necessary to start and conduct a business relationship and to fulfill the related contractual obligations or the data required by law. In the absence of such data, in principle, we are unable to enter into or perform a contract with our customers. Specifically, the provisions of the anti-money laundering law require us to verify the identity before starting a business relationship. To enable us to comply with this legal obligation, the persons concerned are required to provide us with the necessary information and documents and to notify us without delay of any changes that may occur during the business relationship. In the absence of the necessary information and documents, we are not allowed to start or continue a business relationship.

9. To what extent are automated decision-making procedures (including profiling) used?

As a rule, the Bank does not take decisions solely on the basis of automated procedures, as defined in art. 22 of the GDPR, to establish and implement the business relationship. If the Bank uses these procedures in individual cases, it will inform separately to the extent that this is required by law. A right to object will be guaranteed in certain circumstances.

10. Profiling by the Bank

In some cases, we automatically process customer data for the purpose of evaluating certain personal aspects (profiling). Examples:

  • the law requires us to take measures against money laundering, fraud, terrorist financing and crimes that pose a threat to assets. In this context, data evaluations are also carried out (for example, in payment transactions);
  • to provide services to its customers, the Bank uses profiling tools.