This information is valid for current and potential customers of Banca Credinvest SA (hereinafter the Bank").
The Bank complies with the laws and regulations on banking secrecy and data protection in order to guarantee the protection and secrecy of personal data. This document provides an overview of how we process your personal data and your rights.
The responsible unit is the data protection officer (DPO) of the Bank, who can be contacted at the following addresses:
Banca Credinvest SA
Via G. Cattori 14
Phone: +41 58 225 70 28
On the basis of the product or service provided, the Bank collects and processes the personal data of customers, in particular:
The Bank processes the personal data mentioned above in compliance with the provisions of the EU General Data Protection Regulation (EU-GDPR) for customers acquired under the freedom to provide services and the Swiss Federal Data Protection Act (DPA) for all remaining customers:
The data is processed to provide banking and financial services as part of the execution of contracts with customers or to carry out pre-contractual activities in anticipation of the conclusion of the aforementioned contracts. The purposes of data processing depend mainly on the specific product (for example, bank account, credit, securities, deposits) and may include needs analysis, advice, asset management and assistance as well as the execution of transactions.
The Bank is subject to various legal obligations (e.g. Swiss laws such as the Banking Act, the Collective Investments Act, the Money Laundering Act, the Mortgage Obligations Act, FINMA ordinances and circulars, tax laws) and banking supervision (e.g. Swiss National Bank, FINMA). Other purposes of data processing include creditworthiness assessment, identity and age verification, anti-fraud and anti-money laundering measures, fulfillment of control and notification obligations under tax laws as well as assessment and risk management in the Bank and in the Group headed by the Bank.
Where necessary, we process data beyond the limit strictly necessary for the effective fulfilment of our contractual obligations in order to pursue our legitimate interests or those of a third party, provided that these do not override the interests or fundamental rights and freedoms of customers. In addition to the following examples, we also obtain personal data from publicly available sources for customer acquisition purposes:
Where the Bank processes personal data pursuant to points 3.1, 3.2 and 3.3, it is not necessary to obtain the explicit consent of the data subject in advance.
If the data subject has consented to the processing of personal data for specific purposes (e.g. data transfer within the Group, analysis of trading activity for marketing purposes, etc.), the lawfulness of such processing is based on consent. . The consent granted can be revoked at any time. This also applies to the revocation of declarations of consent granted to the Bank before the entry into force of the GDPR, or before 25 May 2018. It should be noted that the revocation does not only have effect for the future. Not affected by the revocation, all treatments took place before the revocation.
Within the Bank, access to data is guaranteed to the operating units that need it in order to be able to fulfill the Bank's contractual, legal and supervisory obligations. Also service providers and agents representing , logistics, printing, telecommunications, collection, consultancy, sales and marketing) possibly appointed by the Bank may receive data for these purposes, as long as they comply with banking secrecy and the Bank's written instructions pursuant to the DPA and the GDPR.
With regard to the transfer of data to recipients outside the Bank, it must first be specified that the Bank's collaborators are obliged to observe the secrecy of any facts and assessments relating to the customer of which they may be aware (banking secrecy pursuant to of the General Terms and Conditions; Art.47 Federal Banking Act).
Under certain conditions, the Bank is authorized to disclose information to third parties, for example
Adequate technical and organizational measures have been adopted in order to prevent any unauthorized or illegal access to personal data provided by customers.
Data may only be transferred to countries outside Switzerland if this is necessary for the execution of client orders (e.g. payment and securities orders), if it is required by law (e.g. reporting obligations to under the tax law), if the customer has given his consent. If you use service providers in a third country, they are obliged to comply with the data protection levels in force in Switzerland and Europe, as well as with written instructions by accepting the EU standard contractual clauses.
The Bank retains personal data only for the time necessary to achieve the purpose for which they were collected or to comply with the requirements of the law, regulations or internal regulations. To this end, specific criteria are applied to determine the appropriate periods to retain personal data based on the purpose, such as proper accounting management, facilitating the relationship with the customer, defending oneself in the event of legal actions or responding to requests from the regulator. In general, the Bank retains personal data for the duration of the relationship or contract plus a further ten years, which reflects the period of time allowed for the presentation of legal actions following the termination of such relationship or contract. Pending or threatened legal or regulatory proceedings may lead to retention beyond that period.
Each interested party has the right to access (Article 8 DPA; Article 15 GDPR), rectify (Article 5 DPA, Article 16 GDPR), delete data (Article 5 DPA; Article 17 GDPR), limit the processing of data (articles 12, 13, 15 DPA; article 18 GDPR), oppose the processing of data (article 4 DPA; article 21 GDPR) and possibly have the right to data portability, allows interested parties to receive, from data controller, " the personal data concerning him provided to a data controller " so that he can transmit them to another data controller (for example, another company (Article 20 of the GDPR). Furthermore, where applicable , the data subject has the right to lodge a complaint with the supervisory authority responsible for privacy (Article 77 of the GDPR).
In some cases, we process personal data for direct marketing purposes. The data subject has the right to object at any time to the processing of personal data carried out for these purposes, including profiling to the extent that it is connected to such direct marketing. In case of opposition to the processing for direct marketing purposes, the personal data are no longer processed for these purposes. There are no formal requirements for filing an opposition.
As part of the business relationship, the data subject is required to provide the personal data necessary to start and conduct a business relationship and to fulfill the related contractual obligations or the data required by law. In the absence of such data, In principle, we are unable to enter into or perform a contract with our customers. Specifically, the provisions of the anti-money laundering law require us to verify the identity before starting a business relationship. To enable us to comply with this legal obligation, the persons concerned are required to provide us with the necessary information and documents and to notify us without delay of any changes that may occur during the business relationship. In the absence of the necessary information and documents, we are not allowed to start or continue a business relationship.
As a rule, the Bank does not take decisions solely on the basis of automated procedures, as defined in art. 22 of the GDPR, to establish and implement the business relationship. If the Bank uses these procedures in individual cases, it will inform separately to the extent that this is required by law. A right to object will be guaranteed in certain circumstances.
In some cases, we automatically process customer data for the purpose of evaluating certain personal aspects (profiling). Examples: