Privacy and Data Protection Policy
1. Introduction
Banca del Sempione SA (hereinafter the “Bank”) issued this “Privacy and Data Protection Notice” (hereinafter the “Privacy Policy”) in the light of the Swiss Federal Data Protection Act (“LPD”) and, as far as necessary for relations with EU customers, of the General Data Protection Regulation of the EU (“GDPR”). In this regard, the Bank has adapted its policies regarding the processing and use of personal data, the confidentiality of which was already previously largely protected by the obligation to maintain banking secrecy (see this point to our General Conditions). The purpose of this information is to inform you about the way in which your information is managed and collected within the contractual framework agreed with the Bank, on the reasons for the collection, the possible sharing and the time for which they will be kept. We therefore ask you to read this Privacy Policy which provides detailed information on the protection of your personal data and to bring it to the attention of any person whose information you provide us with. Detailed information on which data will be processed and which method will be used depends on the services requested or agreed.
2. Interested Parties
In this Notice, the Bank explains how it collects, processes and protects personal data relating to the following subjects:
- Bank customers;
- prospective customers;
- People who are in the process of opening an account with the Bank (“Customers”)
- individuals whose information is provided by a Customer to the Bank or to which the Bank
becomes aware of the services provided by the Bank to a customer (“Linked Persons”).
The information of the aforementioned subjects is protected by the statutes of the banking secrecy which
prohibit disclosure to third parties, unless otherwise authorized by the subjects themselves.
3. Data protection officer and contacts
The responsible department is the Data Protection Officer of the Bank, which can be contacted at the following addresses:
Banca del Sempione SA
Data Protection Officer
Via Pietro Peri, 5
6900 Lugano
Switzerland
E-mail: dpo@bancasempione.ch
For those who wish to contact the representative of the data controller in the European Union, the following contact details are given:
Accademia SGR S.p.A.
Representative of the data controller in the UE
Piazza A. Diaz 6, Milano
Italy
E-mail: privacy@accademiasgr.it
4. Types of personal data that the bank collects
We collect and use your personal data to the extent necessary in the context of our activities, depending on the nature of the service we provide and to comply with applicable laws and regulations.
We may collect various types of personal data about you, including:
- identification information (e.g., full name and surname, ID card and passport and relative number present on the identification document, nationality, place and date of birth, gender, photograph, IP address);
- contact information (e.g., address and email address, phone number);
- family situation (e.g., marital status, number of children);
- tax statute (e.g., tax ID or other identification code for tax purposes);
- education and employment information (e.g., level of education, remuneration);
- banking, financial and transactional data (e.g., bank account details, credit card number transfer of assets, activities, declared investor profile, credit history, debt, source of wealth and expenses);
- data about our products and services, including banks, financial and transactional data;
- data from your interactions with us through our Head Office and branches, our website, emails, phone conversations;
- background checks to evaluate solvency / over-indebtedness and
- any recordings of telephone conversations between you and the Bank and video recordings during your visits to the Bank;
- data that our servers automatically record when you visit the Bank’s website or our social media, your activity in relation to our products and services, the data transmitted by your browser or the device that you used and automatically recorded by our server (i.e. IP address, the type of device used, the type of browser used, the pages of the Bank’s website you visit, the date and duration of access and other technical information).
These data are used for reasons of computer security and to improve the ease of use of the site. We also use cookies, tracking scripts and other means such as, for example, pixel, tag, unique identifiers, to collect and process the above information and to keep track of your preferences and improve the quality of the products and services offered. For the use of cookies and other tracking scripts used by the Bank, please also refer to the “Information on cookies and other tracking scripts” available here. We never ask for, collect or actively store particularly sensitive personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning your sexual orientation or data relating to criminal convictions and offences, unless it is required by law. In the case of corporate clients or institutional investors, we may collect information on directors, representatives, employees, shareholders or beneficiaries. Before providing such information to the Bank, please provide a copy of this Policy to such persons.
5. Source of Personal Data
Personal data listed above are provided directly by the interested party or may be obtained from other sources, such as:
- publications / databases made available by authorities;
- our corporate customers or service providers;
- publicly available sources such as, but not limited to: credit rating agencies, commercial registries, asset screening services and fraud prevention agencies or data intermediaries acting in compliance with data protection laws and regulations;
- the Bank’s website or third-party websites / social media pages containing information made public by the user.
6. Purposes and legal basis for processing personal data
6.1 To comply with our contractual obligations
Personal data are processed for the purpose of entering into or performing a contract to which you are a contractual party, for the products and services requested or to fulfil obligations, in the following ways:
- provide information related to our products and services;
- provide products and services and ensure their correct fulfilment, in accordance with your instructions and the terms of the product subscribed to;
- assist you and answer your questions;
- assess whether we are able to offer you a product or service and under what conditions.
6.2 To respect our legal and regulatory obligations
The Bank may process your personal data to fulfil various legal and regulatory obligations, including:
- banking and financial regulations;
- prevention of money laundering and terrorist financing;
- prevention of money laundering and terrorist financing;
- compliance with legislation on sanctions and embargoes;
- fight against tax fraud and the fulfilment of tax inspection and notification obligations;
- monitor transactions to identify those that deviate from the normal routine;
- define the credit risk score and the repayment capacity;
- record, when necessary, telephone calls, chats, e-mails, etc.;
- collect your information to establish your risk profile in the context of providing financial services;
- respond to an official request from a public authority duly authorized by law.
6.3 For legitimate interest
When required, we process your personal data in order to pursue legitimate interests on our part or on behalf of third parties, including, but not limited to, the improvement of our products and services, quality assurance and administrative purposes, the assessment of legal claims and defence in legal disputes, for your interests and only when your fundamental rights do not prevail over these interests.
6.4 As a result of your consent
We process some particularly sensitive personal data (e.g. data concerning health, the intimate sphere, data concerning administrative and criminal prosecutions and sanctions, data concerning social welfare measures) on the basis of your explicit consent. You may revoke your consent at any time in the manner set out in point 10. The revocation of consent does not affect the lawfulness of data processing in the period prior to it. In any case, it may result in the interruption of the service provision.
7. Entities with which we share data
Ogni ufficio della Banca che necessita dei suoi dati personali per ottemperare ai nostri obblighi contrattuali e legali avrà accesso a tali dati. I fornitori di servizi esterni alla Banca possono ricevere dati per tali scopi se osservano le normative inerenti alla protezione dei dati. Si tratta di società di servizi bancari, servizi IT, logistica. ENTITIES WITH WHICH WE SHARE DATA Every bank office that needs your personal data to comply with our contractual and legal obligations will have access to such data. Service providers outside the Bank may receive data for these purposes if they comply with data protection regulations. These are banking services companies, IT services, logistics. Regarding the transfer of data to recipients outside our Bank, it should first be noted that, as a credit institution, we are required to maintain confidentiality for all matters and assessments relating to the customers we come to know (Banking Secrecy under our general conditions). We may transmit information that concerns you only if the legal provisions require it or if you have given your consent (e.g. to process a financial transaction you ordered) and / or if the Bank is authorized to provide information. Based on these requirements, the recipients of personal data may be, by way of example, but not limited to:
- bodies governed by public law and financial institutions (e.g. Swiss National Bank, FINMA, financial authorities, criminal prosecution authorities) based on an obligation imposed by law or authority;
- credit institutions and other financial or similar institutions to which we transfer your personal data for business purposes (depending on the contract, e.g. correspondent banks, custodian banks, stockbrokers, fund management companies, stock exchanges values, information centers).
8. Transfers of personal data outside of switzerland or european economic area
In determinate circostanze, ad esempio se è necessario un trasferimento di dati per eseguire il nostro contratto con lei come quando si effettua un pagamento internazionale, la Banca può trasferire i suoi dati in un altro Paese laddove l’Autorità competente lo ha riconosciuto in grado di fornire un livello adeguato di protezione dei dati. Under certain circumstances, for example if a transfer of data is required to carry out our contract with you, such as when making an international payment, the Bank may transfer your data to another country where the competent authority has recognized that it is able to provide an adequate level of data protection. For transfers to a country where the level of protection of personal data has not been recognized as “adequate” by the competent authority, we will rely on an exemption applicable to the specific situation or we will be implemented standard contractual clauses that respect the legal limits in order to ensure protection of personal data of the interested party.
9. Period of time in which we keep data of interested parties
We will retain your information for the time necessary to fulfil the purpose for which they were collected or to fulfil legal and regulatory record keeping requirements under federal legal requirements and specific Swiss banking regulations. To this end, specific criteria are applied to determine the appropriate periods for retaining your personal data according to purpose. If necessary, we will keep your data for the duration of your banking relationship in accordance with applicable legal and regulatory requirements. In addition, we may retain your data after the termination of your banking relationship for compliance and risk management purposes in accordance with applicable laws and various retention and documentation requirements, or in the Bank’s legitimate interest. If you request the deletion of your data (see point 10 for the manner of application), we will evaluate the request and, if the data are no longer necessary to fulfil any contractual, regulatory or legal obligations, or are no longer in the Bank’s interest and does not involve an unreasonable effort for the Bank, such data will be deleted.
10. Rights of the parties concerned
Depending on the data protection laws applicable to the specific situation, the interested parties have the following rights:
- access: it is possible to obtain information regarding the processing of personal data and a copy of such data;
- correction: it is possible to request that your data be amended if you believe that your personal data is inaccurate or incomplete;
- limitation of the processing of personal data;
- cancellation: it is possible to request the cancellation of personal data, to the extent permitted by law (see point 9);
- propose a complaint (enforcement).
You may exercise your rights at any time by sending a request in writing to the addresses specified in point 3.
11. Data Security
The Bank adopts technical and organizational measures to protect the personal data of interested parties, including cryptography, anonymization, access restrictions, multi-level logical defence and physical security measures. The Bank requires its employees and any third parties engaged in any activity on behalf of the Bank to comply with the appropriate standards of compliance including obligations to protect information and apply appropriate measures for the use and transfer of personal data.
12. Is there an obligation to provide your data?
In the context of a business relationship with the Bank, a Client or a Connected Individual, must provide all personal data which is necessary for the establishment and maintenance of such business relationship and the performance of the associated contractual obligations or which the Bank is legally obliged to collect. As a rule, the Bank would not be able to enter into or perform any contract or – consequently – accept and execute any order without collecting and processing personal data. In particular, provisions of anti-money laundering law require that the Bank verifies a data subject’s identity before entering into the business relationship by means of a document of evidentiary value (e.g. identity card) and that the Bank collects and records a data subject’s name, place of birth, date of birth, nationality, residential address and other data for that purpose. Other types of data collected serve, for example, to ensure that the customer receives an adequate financial service (such as investment advice or portfolio asset management) in accordance with the Federal Financial Services Act. In order for the Bank to be able to comply with these legal obligations, the data subject must notify the Bank, without undue delay, of any changes that may arise during the course of the business relationship. We reiterate that the Bank will never transmit such data to third parties except with the customer’s consent, or for the best fulfilment of its mandate, or for legal obligation, or to defend its legitimate interests: in other words, the Bank will never “sell” the collected data.
13. Is “profiling” or “automated decision-making” used?
The Bank does not perform any automated profiling activity nor any automated decision-making process.
14. Change to privacy and data protection policy
We invite you to review the latest version of this notice online and we will inform you of any substantial changes through our website or through our usual communication channels.
Date of update: 20.10.2023