Information on compliance with current data protection requirements by Bergos AG.
A. Introduction
Bergos AG (hereinafter referred to as “Bank” or “we”) is generally bound by Swiss data protection legislation, specifically the Swiss Federal Data Protection Act (“FADP”) dated 25 September 2020 and the corresponding implementing provisions, namely the Data Protection Ordinance (“DPO”). The EU General Data Protection Regulation (“GDPR”), which entered into force on 25 May 2018, is only indirectly applicable to our business and only to some of our business relationships.
Nevertheless, with this document we would like to take account of the greater transparency requirements of recent data protection legislation, in particular the GDPR (Articles 13, 14 and 21) and to inform you about how the Bank collects, uses and protects personal data. It contains in particular a description of how you as a data subject can make use of your rights.
B. Important Questions
1. Who is responsible for data processing and whom can I contact?
Bergos AG
Kreuzstrasse 5
P.O. Box
8034 Zurich
Switzerland
Phone +41 44 284 20 20
Email info@bergos.ch
You can contact our company’s Data Protection Office at:
Bergos AG
Data Protection Office
Kreuzstrasse 5
P.O. Box
8034 Zurich
Switzerland
Phone +41 44 284 21 02
Email dataprotection@bergos.ch
Our representative in the EU is:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
Email info@datenschutzpartner.eu
2. Which sources and data do we use?
We process personal data that we acquire from you in the course of our business relationship. To the extent that is necessary for the provision of our services, we also process personal data which we have lawfully acquired from publicly available sources (such as the press or internet) and which we are allowed to process, as well as data that has been lawfully transmitted to us by third parties.
Personal data of relevance includes personal details (name, address and other contact details, date of birth, place of birth, nationality), data regarding proof of identity (such as identity card details) as well as authentication data (such as a signature sample). This can also include order details (such as payment orders, financial instrument orders), information about your financial situation (such as information on your creditworthiness and the origin of your assets), data withheld for record-keeping purposes (such as investment advice protocols), register details, data about how you have used our telecommunication services (such as when you accessed our website) as well as other data comparable with the specified categories.
3. Why do we process your data (purpose of processing) and what is the legal basis for this?
The Bank processes your personal data primarily in order to comply with our obligations arising from our contractual banking relationship with you, in particular to perform your orders and to engage in all other activities typical of a financial services institution. The purpose of data processing is predominantly dictated by the specific product in question (for instance an account or securities) and may include demand analyses, advisory services, portfolio management and the execution of transactions.
As a Bank, we are also bound by legal obligations (for example the Banking Act, Anti-Money Laundering Act, tax laws) as well as requirements imposed by banking regulators (such as the Swiss Financial Market Supervisory Authority “FINMA”). In this regard, we process your data for purposes in relation to anti-fraud and anti-money laundering activities, compliance with tax monitoring and reporting obligations, and risk assessment and management. We also process your data to safeguard our own legitimate interests or those of third parties, for instance
-
- marketing, unless you have objected to the use of your data;
-
- establishing legal claims and defenses in the event of litigation;
-
- ensuring IT security and the continued operation of the Bank’s IT services;
-
- preventing and investigating criminal activity;
-
- activities related to building and facility security (e.g. access control);
-
- activities related to business management and the ongoing development of products and services (where relevant, including the review and optimization of demand analysis methods and directly addressing customers).
Where you provide or have provided consent to process personal data for certain purposes (for example for marketing), processing will be performed on the basis of your consent. Where consent is provided, it can also be withdrawn at any time. Please note that withdrawal of consent only has effect for the future. Processing performed before the withdrawal of consent is not affected by this.
4. Who has access to your data?
Within the Bank, access to your data will be provided to those offices that require it to fulfil our contractual and statutory obligations. External data processors commissioned by us may also receive data for these purposes. Such companies operate in particular in the IT services, printing services and consulting and advisory industries. To process payments, we use the digital services of third-party providers, which involves the use of externally developed software. If you conduct business in currencies and derivatives through us, for example, you should refer to the relevant contract documents and terms of business for further details on the processing and communication platforms and interfaces employed.
In terms of how data is transmitted to recipients outside of the Bank, it is important to note that we are bound by confidentiality obligations regarding any and all customer-related information and assets that we acquire (“banking secrecy”). We are only permitted to disclose information about you with a legally valid order from the courts, from the competent criminal investigation authorities or from the competent supervisory authorities, or if you have instructed us to do so. Under these conditions, the following are examples of potential recipients of personal data:
-
- civil and criminal courts, police and other competent cantonal or federal authorities (for instance FINMA, Swiss Federal Tax Administration);
-
- other banks or financial services institutions or comparable institutions to whom we transmit personal data for the purpose of fulfilling the obligations arising from our business relationship with you (depending on the contract, this may for example be correspondent banks, custodian banks, stock exchanges).
Other potential recipients of data include offices to whom data is sent based on consent that you have granted us.
5. How long is your data stored for?
We process and store your personal data as required for the duration of our business relationship. We are also bound by various retention and record- keeping obligations, imposed, for example, by the Swiss Code of Obligations (“CO”) and the Anti-Money Laundering Act (“AMLA”). The retention and record- keeping periods specified therein may be up to ten years.
6. Will data be transmitted to Third Countries or an international organization?
Data will only be transmitted to Third Countries insofar as it is necessary in order to perform your orders (for instance payment or financial instrument orders), in order to comply with statutory requirements, or if you have provided us with your consent to do so.
When transferring data abroad to third parties, they are obligated to ensure the banking secrecy of Switzerland.
7. What are your data protection rights?
Any data subject has a right to information (Art. 25 FADP) as well as a right to correction, to deletion/destruction and to prohibition of processing, and to prohibit disclosure to third parties (Art. 32 FADP) and the right to data portability (Art. 28 FADP). Where applicable, data subjects also have other rights under GDPR, including the right to have processing restricted in accordance with Art. 18 GDPR and the right to lodge a complaint with a competent supervisory authority. The right to information may be limited by Art. 26 FADP and the right to data portability within the framework of Art. 29 FADP.
8. Are you required to provide data?
For the purpose of our business relationship, you only need to provide personal data as required to establish, conduct and terminate a business relationship, or data which we are required to collect by law. Without this data, we will usually have to refuse to establish or perform a contract, we may not be able to fulfil an existing contract, and may need to terminate an existing contract. In particular, we are bound by the money laundering regulations and duties of care of the CDB, which involve conclusively identifying you before a business relationship is established (for example through your identity card), and registering your name, place of birth, date of birth, nationality and private address. To enable us to comply with this statutory obligation, you must provide us with the required information and documents and report any changes immediately in the course of the business relationship. Should you fail to provide us with the necessary information and documents, we will be unable to establish the desired business relationship with you, or may, under certain circumstances, be unable to continue an existing business relationship.
9. How are individual decisions made on an automated basis?
When establishing or conducting business relationships, we generally do not employ automated decision-making processes. Should we employ such methods in the future in specific circumstances, we will notify you of this separately insofar as it is required to do so by law.
10. How are your data protected?
We implement technical and organizational measures to ensure a level of data security appropriate to the risk and the protection of your data (Art. 3 DPO). For example, we take measures to protect your data from unauthorized access, data loss, or unintended disclosure.
C. Information about your right to object
You are entitled to lodge an objection at any time for reasons relating to your personal circumstances against the processing of your personal data insofar as this data is processed in the public interest or on the basis of an interest assessment.
If you lodge an objection, we will cease to process your personal data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or that processing is necessary for the establishment, exercise or defense of legal claims.
In individual cases, we will process your personal data for the purpose of direct marketing. You are entitled to lodge an objection against the processing of your personal data for direct marketing at any time. If you lodge an objection against the processing of your data for direct marketing, we will cease to process your personal data for these purposes.
Such an objection is not required to comply with any formal standards and should ideally be sent to:
Bergos AG
Data Protection Office
Kreuzstrasse 5
P.O. Box
8034 Zurich
Switzerland
Phone +41 44 284 21 20
Email dataprotection@bergos.ch