DATA PROTECTION POLICY OF SOCIETÀ BANCARIA TICINESE
The following information from Società Bancaria Ticinese (the Bank) is intended to provide you with an overview of the processing of personal data by the Bank, in its capacity as data controller, and of the rights granted to you under data protection legislation.
The purpose of this information notice is to explain how the Bank collects and manages your data, why it is collected and used, whether it is shared and how long it is kept.
Details on the type of data processed and the way it is used vary depending on the services requested or agreed upon
Data 'processing' means any operation concerning personal data, regardless of the means and procedures used, namely the collection, recording, storage, use, modification, communication, archiving, erasure or destruction of data.
Contact details of the Bank and the Data Protection Service
Società Bancaria Ticinese SA
Data Protection Service
Piazza Collegiata 3 6500 Bellinzona
1. What data is processed by the Bank?
The Bank collects and uses the data obtained from the business relationship it has with you, including your personal data (including data worthy of special protection), i.e. data that either identifies you directly (e.g. first name and surname, address, e-mail address, telephone number, etc.) or which, in combination with other information, enables such identification (e.g. account number).
In addition to data communicated directly by you to the Bank, it also collects and uses data obtained through public sources (e.g. Internet, (social) media, printed media, land registers, trade registers for companies, foundations or associations) as well as data provided by third parties.
The Bank processes the following personal data in particular:
- generalities (e.g. full name, gender, address and other contact details, date and place of birth, nationality, residence, marital status);
- legitimisation data (e.g. ID data, AHV number);
- authentication data (e.g. deposited signature);
- data arising from the performance of contractual obligations, in particular services or transactions (e.g. account or payment transaction data, including information on the originator and the beneficiary);
- tax information and documents (e.g. tax declaration, tax domicile, tax code or other identification code for tax purposes);
- advertising and sales data;
- documentation data (e.g. advisory minutes);
- information about your personal and professional background and financial situation (e.g. compliance and/or regulatory information, such as credit reports, origin of assets and funds, financial experience and knowledge) and/or company information (such as the company's activities, purpose, ownership structure, organisational structure and number of employees);
- personal data deserving of special protection, such as your biometric data, information on your religious, ideological or political opinions or activities, information concerning your health or any criminal convictions or sanctions;
- personal data of related third parties, such as beneficial owners, employees, family members, signatories, agents and/or representatives;
- data transmitted and automatically recorded as part of the use of the Bank's websites, mobile applications or other electronic services (digital services). This data includes the date and time of access, the name of the file retrieved, the amount of data transmitted, the success of access, your web browser, browser language, the requesting domain and IP address. Further information on this can be found in the provisions for the respective digital service;
- data from any recordings of telephone conversations with the Bank;
- other data comparable to the categories mentioned.
2. For what purposes and on what legal basis are your personal data processed by the Bank?
a) For the fulfilment of contractual obligations and the implementation of pre-contractual measures
The processing of personal data enables the Bank to provide the services contractually agreed with you and to implement measures in the pre-contractual phase. The purpose of the data processing is, in the first instance, related to the banking products you have requested (e.g. accounts, loans, securities, transfers, brokerage). The Bank uses your data, among other things, for the identification of persons, document verification, needs analysis, consulting, wealth management, asset planning, financing and credit services, negotiation and execution of transactions. Details are set out in the contractual documentation or in the General Terms and Conditions.
b) For the protection of legitimate interests
For the protection of its own legitimate interests or those of third parties, the Bank also processes data for the following purposes:
- prevention and investigation of crimes;
- verification and analysis of its needs and optimisation of direct contact with the customer;
- risk management;
- establishment, exercise or defence of a right in court;
- consultation and exchange of data at or with public bodies (e.g. the debt enforcement register) for the determination of solvency and non-payment risks in credit transactions;
- advertising or market research and opinion polls;
- guarantee of IT security and IT functionality of the Bank;
- outsourcing of functions and services of the Bank or to service providers and auxiliaries engaged by the Bank;
- video surveillance to defend the inviolability of the home or for the collection of evidence in cases of aggression and fraud;
- security measures for buildings and installations (e.g. access controls);
- business management measures as well as for the further development of services and products;
- collection of personal data from publicly accessible sources for customer acquisition.
c) Based on your consent
If you have given the Bank your consent to process personal data for specific purposes (e.g. analysis of transaction data for marketing purposes), the Bank may lawfully process the data on that basis. You have the right to withdraw your consent at any time. Please note that the révocation is only valid for the future. Any processing already carried out at the time of the révocation is excluded.
d) Based on legal requirements or in the public interest
The Bank must comply with various legal obligations (e.g. those imposed by the Banking Act, the Financial Services Act, the Collective Investment Schemes Act, the Money Laundering Act, the Mortgage Bond Act, the relevant FINMA ordinances and circulars, or tax laws) and supervisory guidelines of the banks (e.g. the Swiss National Bank and FINMA). The purposes of the processing include, among others, the verification of solvency, identity and age, the prevention of fraud, money laundering the fulfilment of reporting and control obligations under tax law as well as the analysis, examination, assessment and management of risks.
3. Who can access your personal data?
Within the Bank, access to personal data is only granted to those departments that need them for the fulfilment of contractual and legal obligations (need-to-know principle). For the same purpose, personal data may be processed by service providers and auxiliaries engaged by the Bank. These are companies operating, among others, in the fields of IT (e.g. hosting and data processing, IT development, support and management), administration of financial instruments and other financial activities (e.g. payments, execution of transactions and services, reporting and expense management), asset management services and ancillary activities, and trading-related services, execution and processing of financial instruments and other financial activities, compliance and risk management functions, accounting (financial accounting and controlling), lending and credit services as well as other back office and middle office activities, as well as lawyers, auditors and insurers who provide us with legal, auditing, accounting or insurance services. If, on the Bank's behalf, it is necessary for such service providers to process your data, they shall be contractually obliged to comply with the applicable data protection and/or banking secrecy requirements. The Bank will therefore only pass on information about you if this is stipulated in the agreements you have concluded with it, if required by legal provisions, if you have given your consent (e.g. to carry out a financial transaction on your behalf) or if the Bank is authorised to pass on banking information. Given these prerequisites, the recipients of personal data may be, among others:
- public authorities, bodies and institutions (e.g. the Swiss National Bank, FINMA, financial or judicial authorities) in the presence of a legal or administrative obligation;
- other credit or financial services institutions or equivalent bodies to which the Bank transmits personal data in the context of its business relationship with you (e.g. correspondent banks, custodian banks, brokers, stock exchanges, fund management companies or information institutions);
- service providers and auxiliaries engaged by the Bank;
- other recipients of the data for which you have given your consent.
4. Does the Bank transmit your personal data abroad?
The Bank transmits your personal data to countries outside Switzerland if:
- is necessary for the execution of its orders (e.g. payment and securities orders);
- is required by law (e.g. reporting obligations under tax and criminal law);
- this is provided for in your agreements with the Bank or in the General Terms and Conditions or if you have given your consent otherwise.
5. How long are your data stored?
The Bank processes and retains your personal data only for the period necessary to fulfil its contractual and legal obligations. Once this necessity ceases to exist, the data are periodically deleted, unless they are required for further processing that may be necessary for the following reasons:
- for the fulfilment of obligations under tax and commercial law (e.g. in accordance with the Swiss Code of Obligations, the VAT Act, the Federal Act on Direct Federal Taxation, the Federal Act on Harmonisation
direct taxes of the cantons and municipalities, the Federal Stamp Tax Act or the Withholding Tax Act);
- for the fulfilment of special rules that oblige the bank to retain data (e.g. requirements laid down by FINMA);
- for the assertion, exercise or defence of legal claims.
6. What are your data protection rights?
Under the applicable data protection legislation, you have the following rights:
- request information on the personal data concerning you that are stored at the Bank;
- request the rectification of such data if inaccurate;
- request the deletion of data if the Bank cannot or should not retain them;
- request restriction of processing
- whether you have disputed the correctness of the data stored at the Bank and whether the respective audit has not yet been completed,
- if the bank is obliged to cancel but you oppose it;
- oppose processing by the Bank
- if the Bank processes the data only on the basis of its own legitimate interests, in which case it will suspend the processing unless its own interests prevail or if it must process the data to protect its rights, or
- if the processing takes place in connection with direct advertising;
- request the transmission of the personal data you have provided to the Bank in a generally available, machine-readable and commonly used format;
- require, in the case of an automated individual decision, that it be verified by a natural person. You also have the right to state your opinion on the matter.
The right to appeal to the competent data protection supervisory authority is also provided for, where relevant.
The rights indicated may be restricted, deferred or even refused in accordance with the provisions of the Data Protection Act.
7. What data do you have to provide?
The Bank requires data that are necessary for the initiation and maintenance of the business relationship and for the fulfilment of the contractual and/or legal obligations associated with it, without which the conclusion or performance of the contract is generally not possible.
In particular, according to the regulations for combating money laundering and the financing of terrorism, the Bank is obliged, before entering into a business relationship with you, to identify you by means of an identity document and to collect and record data such as your address, nationality, first name and surname, place and date of birth and details of your identity document. To enable the Bank to fulfil these obligations, you are required to provide the necessary information. Should these details change in the course of the business relationship, you are also obliged to inform the Bank immediately. If you do not provide the Bank with the requested information, the business relationship cannot be established or maintained.
8. Is an automated decision-making process implemented?
Generally, for the initiation and management of the business relationship, the Bank does not use any automated decision-making processes. If, exceptionally, such a process is implemented, you will be informed separately if required by law.
9. Where can the Bank's Data Protection Notice be viewed?
The Bank reserves the right to unilaterally amend this Policy, informing you in an appropriate manner of any changes
10. How can you contact the Bank?
If you have any questions about the use of your personal data, you can contact your advisor or the data protection officer (see the Bank's contact details).