Data protection information pursuant to the Data Protection Act (DPA) and the EU General Data Protection Regulation (EU GDPR)

In the context of its activities, Banca Credinvest SA (hereinafter the "Bank") processes data relating to natural persons and legal entities ("personal data"). This personal data includes information on clients (current and former), potential clients, business partners and their employees, and any other person interacting with the Bank ("clients/counterparties" or " concerned persons").

For the use of cookies and other tracking technologies, please also refer to the Information on cookie management, available here.

The Bank complies with banking secrecy and data protection laws and regulations in order to ensure the protection and confidentiality of personal data. This document provides an overview of how the Bank handles the rights and personal data of clients/counterparties.

1. Type of data processed

On the basis of the products or services provided, the Bank collects in particular the following personal data:

  • personal information such as first name and surname, date and place of birth, nationality, domicile, gender, telephone number, postal address and e-mail address, as well as data on family members or close persons such as spouse/partner and/or children;
  • financial information, such as records of payments and transactions, information on the client's property (movable and immovable), balance sheets, liabilities, taxes, income, gains and investments;
  • tax domicile and other tax documents and information such as the tax code;
  • professional information about the client, such as position and work experience;
  • knowledge and experience in the investment field;
  • details of contacts with the client and the products and services requested as well as details of any mandates given;
  • recordings of telephone conversations with the Bank;
  • identification number assigned to clients/counterparties, such as relationship number or account number;
  • in some cases (and to the extent permitted by law), special categories of personal data, such as biometric data, political opinions and affiliations, medical information, racial or ethnic origin, religious or philosophical beliefs, and data relating to any criminal convictions or offences.

The Bank may also collect such information by consulting public registers, government agencies or other third-party sources, such as asset screening services, credit reference agencies or fraud prevention agencies. Where relevant to the products and services provided to clients/counterparties, the Bank also collects information on joint credit card holders or joint account holders, business partners (including other shareholders or beneficiaries), dependents or family members, representatives and agents.

When clients/parties access the Bank's website (, the data transmitted by the browser are recorded (such as date and time of access, name of the file consulted, volume of data transmitted, information accessed, browser type, language, domain and IP address). Additional data will only be recorded via the Bank's website in the event of voluntary consent, e.g. in the course of a registration or enquiry.

The Bank may use cookies, tracking technologies and other means (e.g. web beacons, pixels, gifs, tags, unique identifiers) to collect and process the above information from various channels, including email and the devices that clients/parties use to interact with the Bank, to access the Bank's websites or platforms, products, services and mobile applications. For the use of cookies and other tracking technologies, please also refer to the Cookie Management Policy, available here.

2. Purpose of data processing and legal bases

The Bank processes the aforementioned personal data in accordance with the provisions of the Data Protection Act (DPA) and, in the case of personal data on clients acquired under the freedom to provide services, in accordance with the EU General Data Protection Regulation (EU GDPR).

Personal data of clients/counterparties are always processed for a specific purpose and only to the extent necessary to achieve that purpose. The main purposes of such data processing are as follows:

2.1. Fulfilment of contractual obligations

Data are processed to provide banking and financial services within the framework of the execution of contracts concluded with clients/counterparties or to carry out pre-contractual activities in anticipation of the conclusion of the aforementioned contracts. The purposes of data processing depend primarily on the specific product (e.g. bank account, credit, securities or deposits) and may include analysis on needs, advice, asset management and assistance, as well as the execution of transactions.

2.2. Fulfilment of legal obligations

The Bank is subject to various legal obligations (e.g. Swiss laws such as the Banking Act, the Collective Investment Schemes Act, the Anti-Money Laundering Act, the Financial Services Act, the Mortgage Bond Act, FINMA ordinances and circulars, and tax regulations) and banking supervisory regulations (e.g. of the Swiss National Bank or FINMA), which may require the processing of personal data. Other purposes of data processing include, for example, the assessment of creditworthiness, identity and age verification, anti-fraud and anti-money laundering measures, the fulfilment of control and reporting obligations under tax laws as well as the assessment and management of risks of the Bank.

2.3. Pursuit of legitimate interests

Where necessary, the Bank processes data beyond what is strictly necessary for the effective fulfilment of its contractual obligations in order to pursue the legitimate interests of the Bank or those of a third party, provided that these do not override the interests or fundamental rights and freedoms of clients/parties. In addition to the following examples, the Bank also obtains personal data from publicly available sources for the purpose of acquiring new clients:

  • exchange of data with information bureaus (e.g. debtors' register) to ascertain creditworthiness and credit risks in credit-granting activities and the existence of the requirements for holding an account with a negligible basic balance and basic accounts;
  • make legitimate claims and develop a line of defense in the event of litigation;
  • ensure the IT security and operation of the Bank's IT systems;
  • prevent and detect offences;
  • video surveillance, in order to prevent unauthorized access, collect evidence in the event of theft or fraud, or ascertain availability and deposits;
  • measures for the security of buildings and places (e.g. access control);
  • measures to manage activities and further develop services and products.

Where the Bank processes personal data pursuant to Sections 2.1, 2.2 and 2.3, it is not necessary to obtain the concerned person's prior express consent to the processing of the data.

2.4. Specific Purposes

If the concerned person has consented to the processing of personal data for specific purposes (e.g. analysis of trading activity for marketing purposes), the lawfulness of such processing is based on consent. The consent given may be revoked at any time.

3. Access to and protection of personal data

Within the Bank, access to data is granted to the business units that need it to fulfil contractual, legal and supervisory obligations. Service providers and representative agents (typically providers of banking, IT, logistics, printing, telecommunications, debt collection, consultancy, sales and marketing services) that may be commissioned by the Bank may also receive data for these purposes, provided that they comply with banking secrecy and the Bank's written instructions in accordance with the applicable regulations. As far as the transfer of data to recipients outside the Bank is concerned, it should first of all be pointed out that the Bank's employees are obliged to observe secrecy with regard to any facts and evaluations concerning clients/counterparties of which they may become aware.

Under certain conditions, the Bank is authorized to disclose information to third parties, e.g. to

  • public authorities and institutions (e.g. Swiss National Bank, FINMA, financial authorities or criminal prosecution authorities), provided there are legal obligations;
  • other companies within the Bank, to control risk by virtue of legal obligations;
  • other credit and financial services providers, similar institutions and processors to which the Bank transmits personal data for the purpose of conducting business (e.g. for the processing of bank references, support / maintenance of data processing / IT applications, archiving, document processing, call-center services, compliance services, controlling, data screening for anti-money laundering, data destruction purchasing, physical space management, property appraisals, loan processing service, collateral management, collection, payment card processing (debit/credit cards), client management, marketing, media technology, reporting, research, risk control, expense accounting, telephony, video identification, website management, investment services, shareholder register, fund management, auditing services or payment transactions);

Appropriate technical and organizational measures have been taken to prevent any unauthorized or unlawful access to personal data of clients/counterparties.

4. Transfer to a third country

Data may only be transferred to countries outside Switzerland if this is necessary for the execution of client/counterparty orders (e.g. payment and securities orders), if it is required by law (e.g. reporting obligations under tax law) or with the consent of clients/counterparties. If the Bank uses service providers in a third country, these are obliged to comply with the data protection levels applicable in Switzerland.

5. Duration of storage

The Bank only retains personal data for as long as is necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal regulatory requirements. To this end, specific criteria are applied to determine the appropriate periods for retaining personal data based on the purpose, such as proper accounting management, facilitating client/counterparty relations, defending against legal action or responding to requests from the regulator. In general, the Bank retains personal data for the duration of the relationship or contract plus an additional ten years, which reflects the period of time allowed for filing legal actions following the termination of that relationship or contract. Pending or threatened legal or regulatory proceedings may result in retention beyond that period.

6. Data protection rights

6.1. In general

Every concerned person has the right to be informed about his or her data, the right to have them rectified or erased and to restrict and/or object to their processing, as well as to obtain a transfer of such data to the extent applicable. There is also, to the extent applicable, the right to lodge a complaint with a competent data protection supervisory authority.

The consent to the processing of personal data may be revoked at any time. This revocation will only be applicable for the future, any processing carried out before the revocation will not be affected.

The concerned person's rights of access, revocation or objection are not absolute as they are not applicable in certain circumstances or may be subject to exceptions (e.g. for the fulfilment of legal obligations). The Bank will comply with requests received in accordance with the applicable data protection rules. In addition, when a concerned person exercises his rights, the Bank may first ask to provide proof of identity. The Bank may also ask to provide additional information in the event that a request is unclear. If the Bank is unable to comply with the request, it will provide an explanation.

To exercise his or her rights, the concerned person is requested to use the contact details provided in Section 11.

6.2. Right to object to data processing for marketing purposes

In certain cases, the Bank processes personal data for direct marketing purposes. The concerned person has the right to object at any time to the processing of personal data for such purposes, including profiling insofar as it is related to such direct marketing. In the event of an objection to processing for direct marketing purposes, the personal data shall no longer be processed for these purposes.

To lodge an objection, the concerned person is requested to use the contact details provided in Section 11.

7. Obligation to provide data

Within the scope of the business relationship, the concerned person is required to provide the personal data necessary to initiate and conduct a business relationship and to fulfil the related contractual obligations, or the data required by law. Without such data, the Bank is in principle unable to enter into or perform a contract with its clients. Specifically, the provisions of the Anti-Money Laundering Act require the Bank to verify identity before entering into a business relationship. To enable the Bank to comply with this legal obligation, the concerned person is required to provide the necessary information and documents and to notify the Bank without delay of any changes that may occur in the course of the business relationship. In the absence of the necessary information and documents, the Bank is not permitted to enter into or continue a business relationship.

8. Use of automated decision-making procedures

As a rule, the Bank does not make decisions solely on the basis of automated procedures to establish and implement the business relationship. If the Bank uses such procedures in individual cases, it will inform the client separately to the extent required by law. A right of objection will be granted in certain circumstances.

9. Profiling by the Bank

In some cases, the Bank automatically processes client/counterparty data for the purpose of assessing certain personal aspects (profiling). Here are some examples:

  • the law requires measures to be taken against money laundering, anti-fraud and the financing of terrorism and crimes that pose a threat to assets. In this context, the Bank also carries out data assessments (e.g. in payment transactions);
  • the Bank may carry out profiling of clients/counterparties to comply with regulatory and contractual requirements (e.g. for determining the risk or investment profile of clients/counterparties);
  • to provide services to its clients, the Bank may use profiling tools.

10. Data Security

The Bank takes appropriate technical measures (e.g. encryption, pseudonymisation, logging, access control or data backup) and organizational measures (e.g. instructions for our employees, confidentiality agreements or reviews) to ensure the security of the information collected and processed and to protect it against unauthorized access, misuse, loss, falsification or destruction. Access to personal data is only granted to clients/counterparties in cases of actual need.

However, it is generally impossible to completely rule out security risks: some residual risks are most often unavoidable. In particular, since perfect data security cannot be guaranteed for communication by e-mail, instant messaging or similar means of communication, the Bank recommends sending confidential information by particularly secure means.

11. Data controller and contacts

The unit responsible for data processing is the Bank's data protection officer (DPO), who can be contacted at the following addresses:

Banca Credinvest SA
Via G. Cattori 14
6900 Lugano
Phone: +41 58 225 70 28

Cookie bar

We use cookies and other tracking technologies to improve your experience and analyse our website traffic.

Please consult our Privacy Policy for more information.

By clicking on “Accept”, you consent to your data being collected

You can change your cookie settings and disable cookies, except for essential functional ones, at any time.