In its capacity as the Data Controller, PKB Privatbank SA, with registered office at Via S. Balestra 1, 6901, Lugano (Switzerland) (“PKB” or the “Bank”), collects and processes the personal data (“Personal Data”, equivalent to the “Client Data” referred to in the General Terms and Conditions) of data subjects (“Data Subjects” and each individually a “Data Subject”) within the context of its relations with existing or prospective clients.
With this Notice, PKB wishes to provide you in particular with the following information concerning the processing of Personal Data:
- the type of Personal Data processed and the sources of Personal Data;
- the purpose and manner in which PKB collects, uses and stores the Personal Data of Data Subjects;
- the legal basis for processing Personal Data;
- how the Bank protects Personal Data;
- those persons who have access to Personal Data and with whom they are shared;
- the period of time for which Personal Data are stored;
- the rights of Data Subjects and the rules applicable to their exercise.
1. Scope of this Data Privacy Notice
This Notice applies to all situations in which PKB processes your Personal Data.
2. What Personal Data are processed and what sources are Personal Data obtained from?
2.1 Source of Personal Data
The Personal Data held by the Bank is normally collected from Data Subjects within the context of the contractual relationship with them. Where necessary in order to provide services, the Bank may obtain Personal Data from publicly available sources (e.g. lists containing credit information, land registers, commercial registers, daily newspapers, the internet) or from authorised third parties (e.g. credit ratings or commercial information agencies).
If necessary with regard to the contractual relationship, the Bank may also obtain information concerning its business relationships, such as for example information concerning any joint card or account holders, company members (including other shareholders or beneficiaries), dependents or family members, representatives or agents. In such cases, the Bank will provide that notice to any third party holders of Personal Data.
2.2 Within the context of the services provided by the Bank and of the commercial relations
PKB collects the following Personal Data to the extent permitted under the legislation applicable from time to time:
- personal information such as name, tax ID, date of birth, identity documents (i.e. copy of national identity card or passport), telephone number, postal and email addresses, as well as data concerning family members, such as for example spouse’s/partner’s name and work-related information, for example current position and previous professional experience;
- financial information, including records of payments and transactions along with information relating to assets owned (including real estate), balance sheets, liabilities, taxes, revenues, earnings and investments (including investment objectives);
- tax domicile along with other tax documents and information;
- where contractually provided for, knowledge and experience in the field of investment;
- details concerning your involvement with the products and services that you use, including electronic communications through various channels, such as for example email and mobile applications;
- recordings of telephone conversations between the client and PKB, including in particular information relating to the telephone conversation recorded, such as the telephone number, the caller’s number, the recipient’s number, forwarding numbers, the date and time of calls and messages, call duration, and routing information;
- where relevant, details concerning any mandates granted to third parties;
- client identification information, such as the client, contract, relationship or account number, including identification data for accounting purposes.
2.3 In the event of access to the Bank’s website or applications
In the event that the Data Subject accesses the website or any of the Bank’s applications using a mobile device, to the extent permitted under the legislation applicable from time to time, PKB collects information concerning: your activities in relation to the products and services offered by the Bank, the data transmitted by your browser or the device used by you, which is recorded automatically by the Bank’s server, including the date and time of access, the name of the file consulted, the volume of data transmitted, the services obtained, your device, your browser, along with your language, domain and IP address (additional data will only be recorded through the PKB website with your voluntary consent, for example when registering or submitting a request).
Cookies, tracking technologies and other instruments (e.g. web beacons, pixels, gifs, tags, unique identifiers) may be used in order to collect and process information from the various channels and devices used by you, including the devices that you use to interact with the Bank for the purpose of accessing PKB websites, PKB platforms, products, services and mobile device applications.
For further information concerning the processing of Personal Data obtained as a result of access to the website and the usage of cookies and other tracking technologies in relation to PKB websites, please refer also to the Website Usage and Cookie Policy available on the Bank’s website.
3. For which purposes is Personal Data processed and what is the legal basis?
3.1 Purposes of processing
We process your Personal Data, in accordance with the legislation applicable from time to time, solely to carry out activities strictly related to and necessary to the following purposes:
- Client onboarding. For example in order to:
– check your identity and assess your application (including any need for guarantees if a credit application is submitted), and also take decisions in relation to a credit application or client identity. For legal and legislative compliance checks (for example in order to ensure compliance with legislation on the combatting of money laundering and fraud prevention).
The provision of Personal Data for this purpose is mandatory as it is necessary in order for the Bank to comply with a legal obligation or for the performance of a contract. The failure to provide such data will prevent the Bank from entering into the contract.
- Provision of products and services. For example in order to:
– provide you with the products and services requested by you and guarantee their proper execution, for example by ensuring that it is possible to identify you and to make payments from and to your current accounts as instructed by you and in accordance with the agreement entered into; perform the contract concluded.
The provision of Personal Data for these purposes is mandatory as it is necessary in order for the Bank to comply with a legal obligation or for the performance of a contract. The failure to provide such data will prevent the Bank from performing the contract.
- Compliance & Risk Management. For example in order to:
– carry out legal and regulatory compliance checks, in particular during the course of the onboarding process, and regular compliance checks, inter alia for the purpose of compliance with legislation on the combatting of money laundering and fraud prevention;
– comply with regulatory and compliance obligations applicable from time to time (for example, laws on banking, finance, money laundering and tax), also in relation to the recording and monitoring of communications, disclosures to the tax authorities, banking and financial services regulatory authorities and other legislative, judicial or governmental bodies or within the context of procedures or activities pertaining to the investigation and prevention of crime as well as dispute management;
– receive and manage complaints, requests or reports made by you or by a third party;
– respond to any request received from a public or judicial authority;
– combat and investigate crime, including fraud or misuse of the products or services offered by the Bank, as well as to maintain IT system, architecture and network security.
The provision of Personal Data for these purposes is mandatory as it is necessary in order for the Bank to comply with a legal obligation. The failure to provide such data will prevent the Bank from entering into or performing the contract.
3.2 Legal basis for processing Personal Data
PKB processes your Personal Data in accordance with the legislation applicable from time to time. The legal basis for the processing of your Personal Data will be as set out below:
- processing is necessary for the conclusion and performance of a contract between you and the Bank and/or to fulfil your specific requests prior to entering into a contract;
- processing is necessary in order to comply with the statutory or regulatory obligations to which PKB is subject;
- processing is necessary to protect the legitimate interests of PKB or of a third party (or to uphold overarching reasons of public interest, provided that this does not unduly interfere with your own interests or your fundamental rights and freedoms).
If PKB is unable to collect the data required in order to comply with a statutory or regulatory obligation or to conclude a contract with you, the Bank may be unable to accept you as a client or to provide you with the products or services requested (in which case you will be duly informed).
3.2.1 Processing based on the need to pursue a legitimate interest
The legal basis for processing may be the pursuit of a legitimate interest of PKB, unless your interests in or fundamental rights and freedoms requiring protection of the Personal Data override that interest, in the following situations:
- to prevent fraud or crime, misuse of the products or services offered by the Bank, and to maintain information and IT system, architecture and network security;
- in relation to the offer of products and services, to ensure a consistently high quality of service throughout the PKB Group and to guarantee client satisfaction;
- to exercise the rights of the Bank in either judicial or extra-judicial proceedings before foreign or national authorities. For example, the Bank may investigate its prospects of success of a dispute or file documents with an authority. When doing so, the Bank may be required to process your Personal Data or to forward them to third parties in Switzerland or abroad, within the necessary limitations and legal constraints;
- to facilitate credit recovery activity on the part of the Bank.
3.2.2 Processing based on the need to comply with a legal obligation
Processing may be based on the need to comply with applicable statutory or regulatory obligations (e.g. laws on finance, tax or the combatting of money laundering), also in relation to the recording and monitoring of communications, the disclosure of data to the tax authorities, banking and financial services regulatory authorities and other supervisory and/or national authorities and for the purposes of detecting or preventing crime.
4. How do we protect Personal Data?
All staff of PKB having access to Personal Data are required to comply with the internal rules and procedures applicable to the processing of your Personal Data in order to protect them and guarantee their confidentiality.
In addition, the Bank has put in place adequate technical and organisational measures in order to protect Personal Data against the risks of destruction, loss, alteration, abuse, disclosure, unauthorised, accidental or unlawful access, as well as all other unlawful forms of processing.
5. Who has access to Personal Data and with whom are they shared?
5.1 Within the PKB Group
For the purposes set out in section 3.1 above, the Bank shares Personal Data with other companies of the PKB Group for the purpose of ensuring a high quality of service and in order to provide its clients with the requested products and services.
5.2 Outside PKB and the PKB Group
5.2.1 Third parties
In the course of managing the contractual relationship with you, PKB transfers Personal Data to other financial and credit institutions as well as to other similar institutions. In particular, when providing you with products and services, the Bank may share Personal Data with persons acting on your behalf or who are otherwise involved in the transaction (depending upon the type of product or service that you receive from the Bank) including, if relevant, the following types of companies:
- any party acquiring an interest or taking on a risk in relation to a transaction (for example an insurer);
- credit card companies and other providers of payment services and platforms;
- issuers of securities (including third parties appointed by them) in which you hold an equity interest, where those securities are held on your behalf by the Bank as custodian;
- beneficiaries of payments, beneficiaries or joint holders of current accounts, intermediaries, correspondent banks and agents (including custodian banks);
- clearing houses or clearing and liquidation systems as well as companies specialising in payments or institutions such as SWIFT;
- market counterparties, upstream withholding agents, swap or commercial archives, stock exchanges;
- other financial institutions, credit reference agencies or credit offices (for the purpose of obtaining or providing credit references);
- third party fund managers that provide you with asset management services; and
- any broker to which we issue instructions.
5.2.2 Service providers
Under certain circumstances, PKB may share Personal Data with its service providers, which are subject to a contractual duty of confidentiality, such as providers of IT, software and outsourcing services, logistical services, postal services, couriers, printing and archival services, suppliers of marketing and communication services, facility management services, providers of market data services, providers of transport and travel management services and others. In such cases, PKB endeavours to ensure that these operators comply with data protection standards in order to guarantee data security.
Where PKB transfers your Personal Data to third party service providers that process data on behalf of PKB, it ensures that these providers comply with the Bank’s data security standards so that your Personal Data remains secure. Service providers must comply with a list of technical and organisational security measures, irrespective of their location, including measures relating to: (i) information security management; (ii) information security risk assessment and (iii) information security measures (for example, logical access controls, protection against malware and hacking, data encryption, as well as backup and recovery management).
5.2.3 Public or regulatory authorities
Where required, Personal Data may be disclosed to public, regulatory, judicial or governmental authorities, inter alia where provided for under laws or regulations, in accordance with professional standards or codes of conduct, or upon request by such authorities.
5.2.4 Other
Subject to the limits set out in and for the purposes of section 3.1 above, Personal Data may be disclosed to the following persons:
- a potential buyer, transferee, partner or seller, and their advisors, in relation to an actual or potential transfer, merger or sale of the entirety or any part of any business or asset of PKB, or of any related right or interest, or the purchase of or the implementation of a merger with any business;
- any legitimate recipient of communications provided for under applicable laws or regulations.
6. For which period of time are Personal Data stored?
The Bank will retain your Personal Data for as long as is necessary for the purposes referred to in section 3.1 above, and under all circumstances at least for the duration of the contractual relationship.
In addition, the Bank will retain Personal Data whenever there is a legitimate interest in doing so. This may be the case, in particular, where the Bank requires Personal Data for the purpose of the establishment, exercise or defence of its rights, for archiving purposes, in order to guarantee IT security or until the expiry of limitation periods pertaining to contractual or non-contractual aspects of the relationship with the Bank.
In addition, the Bank will retain your Personal Data for the period provided for under applicable legislation (e.g. for the duration of the retention periods provided for under tax or company law or legislation on money laundering).
Under certain circumstances, should the Bank wish to store your Personal Data for a longer period of time, it will seek your consent.
Your Personal Data will be erased or anonymised upon expiry of those periods.
7. What are your rights and how can you exercise them?
7.1 Your rights
In relation to your Personal Data processed in accordance with this Notice, you may exercise at any time the following rights in accordance with the applicable legislation:
- the right to obtain confirmation from the Bank whether or not any Personal Data concerning you is being processed and, should it be the case, obtain access to such Personal Data and to other information referred to in this document;
- the right to obtain from the Bank without undue delay the rectification of any inaccurate Personal Data concerning you. Taking account of the purposes of processing, the Data Subject has the right to have incomplete Personal Data completed, also by submitting additional data;
- the right to obtain from the Bank without undue delay the cancellation of Personal Data, under the circumstances provided for by the applicable law, including but not limited to where the Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or where the consent on which the processing of your Personal Data is based has been withdrawn by you and there is no other legal ground for the processing. Please note that the Bank will be unable to cancel your Personal Data where the processing thereof is necessary, for example for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
- the right to obtain the limitation of processing of your Personal Data under the circumstances provided for under applicable legislation, including for example: if you object that your Personal Data being processed is inaccurate or if your Personal Data is required by you for the establishment, exercise or defence of a right in court, even though the Data is no longer necessary for the Bank for the purposes of the processing;
- the right to object at any time to the processing of Personal Data where processing occurs for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Bank or for the pursuit of a legitimate interest by the Bank or a third party. Should you decide to exercise the right to object as described herein, the Bank will refrain from any further processing of your Personal Data, unless there are legitimate grounds to process them (grounds overriding the interests, rights and freedoms of the Data Subject), or unless processing is necessary for the establishment, exercise or defence of a right. If Personal Data is processed for direct marketing purposes, you have the right to object at any time to the processing of your Personal Data that has been processed for that purpose, including profiling insofar as related to any such direct marketing.
Where the processing of Personal Data is based on your consent, you have the right at any time to withdraw that consent. That withdrawal of consent will not affect the lawfulness of processing before its withdrawal.
In the event that Personal Data is processed on the basis of your consent or where that processing is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract, where the processing is carried out by automated means, you have the right to:
- receive your Personal Data which you have provided to the Bank in a structured, commonly used and machine-readable format (e.g. on a computer and/or tablet);
- transmit those data to another data controller without hindrance from the Bank.
The above rights may be exercised as provided for under applicable legislation.
PKB will comply with any such requests, withdrawals of consent or objections in accordance with applicable data protection law. For this purpose, the Bank will ask you to prove your identity and/or to provide information enabling your request to be fully understood.
In order to exercise the above rights, you can:
- write to PKB Privatbank SA, attn. Legal & Compliance, Via S. Balestra 1, 6900 Lugano (Switzerland);
- send an email to the following email address: legal.compliance@pkb.ch
In order to avoid any delays in dealing with your request, please enclose a copy of your passport or identity card along with the signed letter, or attach it to the email.
8. Alteration of your Personal Data
The Bank undertakes to keep your Personal Data correct and up to date. Accordingly, in the event of any change to your Personal Data, you must inform the Bank as soon as possible concerning the change.
9. Controller and Data Protection Officer
The Data Controller is PKB Privatbank SA, with registered office at Via S. Balestra 1, 6901, Lugano (Switzerland).
PKB has appointed a Data Protection Officer (DPO).
The Data Protection Officer can be contacted at the following email address: legal.compliance@pkb.ch
10. Updates to this Notice
This Notice was most recently updated on 31 October 2021. The Bank reserves the right to amend this document whenever it considers appropriate. Any change or update to this Notice will be published in the legal section of the PKB website. Please consult the PKB website at regular intervals in order to obtain the up-to-date Notice, as the terms of this Notice are specifically relevant for you.
Please do not hesitate to contact the Data Protection Officer using the addresses mentioned in section 9 above with any queries or requests for clarification in relation to this Notice.