Basler Kantonalbank (BKB) hereby issues the Privacy Statement below pursuant to the Swiss Data Protection Act (FADP) and with reference to its upcoming revision, and to the new data protection and privacy regulation of the European Union (EU), entering into force on 25 May 2018. Although the General Data Protection Regulation (GDPR) is an EU regulation, various considerations make it of relevance for BKB. Among other things, Swiss data protection legislation is historically closely tied to EU regulations, the anticipated changes to the Swiss Data Protection Act (FADP) are strongly influenced by the GDPR, and the GDPR imposes high standards of personal data protection with extraterritorial reach. Under certain circumstances, companies outside the EU are required to comply with the provisions of the GDPR.
Data protection information
The following data protection information provides an overview of how your data is collected and processed.
We are providing the following information to give you an overview of how we will process your data and of your rights under data protection law. The details of what data will be processed and what methods will be used largely depend on the services applied for or agreed upon.
1. Who is responsible for data processing and how can you contact them?
Responsibility held by:
The Bank’s data protection office:
Data Protection Office
Name and contact details of the EU representative:
Lachner Westphalen Spamer
Partnerschaft von Rechtsanwälten mbB
D-60325 Frankfurt am Main
2. What sources and data do we use?
We process personal data obtained from our clients in the course of doing business. Where needed to provide our services, we also process personal data obtained from publicly accessible sources (e.g. land registers, commercial registers, the press, the Internet) or legitimately shared with us by other companies within the BKB Group or by other third parties (such as credit bureaus or collaborating partners).
Relevant data comprises personal information (name, address and other contact details, date and place of birth, and nationality), identification data (e.g. details of identity documents), and authentication data (e.g. signature specimens). In addition, it may also include order data (such as payment orders), data from the performance of our contractual obligations (e.g. sales data in payment transactions), information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e.g. consultation records) and other data similar to the categories mentioned.
For data processed in the use of digital services (“digital channels”), please see the additional privacy information for each service or application (such as personal finance management applications incorporating data from third-party sources such as credit card providers).
3. For what purpose do we process your data (purpose of processing) and on what legal basis?
We process personal data in conformity with applicable legal provisions governing data privacy:
a. For fulfilment of contractual obligations
Data is processed to execute banking transactions and provide financial services in the performance of our contracts with our clients or to carry out pre-contractual measures pursuant to a request. The purposes of data processing primarily depend on the specific product (e.g. bank account, loan, securities, deposits, client referral) and may among other things include needs assessments, advice, asset management and support, as well as execution of transactions. Further details on the purposes of data processing can be found in the relevant contract documents and terms and conditions of business.
b. In the context of balancing interests
Where required, we process your data beyond the actual performance of the contract in pursuit of our own or third parties’ legitimate interests. Examples:
- Consulting and exchanging data with information offices (e.g. debt collection register) to investigate creditworthiness and credit risks in the lending business
- Reviewing and optimizing needs assessment procedures for the purpose of direct client contact and/or client acquisition
- Advertising or market and opinion research, provided that you have not opted out of use of your data
- Asserting legal claims and defence in legal disputes
- Ensuring the bank’s IT security and IT operations
- Preventing and investigating crimes
- Measures to ensure building security, including video surveillance to protect building security, to collect evidence in the event of robberies or other crimes, or for evidence of instructions and deposits, e.g. at ATMs
- Voice recordings as permitted by law, regulations and contractual provisions
- Building and installations security measures (e.g. access controls)
- Business management and risk control measures within BKB and the BKB Group and further development of services and products
c. On the basis of your consent
If you have granted us consent to process your personal data for specific purposes, this processing is legal on the basis of your consent. Consent may be withdrawn at any time. Withdrawal of consent does not affect the legality of data processed prior to withdrawal.
d. Pursuant to statutory provisions or in the public interest
Furthermore, as a bank, we are subject to various legal obligations, i.e. statutory, regulatory or professional requirements (such as the Swiss Banking Act, Collective Investment Schemes Act, Anti-Money Laundering Act, Mortgage Bond Act, tax laws, Swiss Bankers Association guidelines) as well as other bank regulatory directives and requirements (for instance, from Swiss National Bank and FINMA).
Purposes of processing include assessment of creditworthiness, identity and age checks, fraud and money laundering prevention, fulfilment of control and reporting obligations under tax laws, and measuring and managing risks within BKB and the BKB Group.
4. Who receives your data?
Within BKB, those units that require your data to meet our contractual and legal obligations will have access to it. Service providers and vicarious agents appointed by us can also receive access to data for these purposes. Service providers (particularly so-called order processors) are engaged in compliance with the provisions of banking and privacy law. External service providers for their part are subject to banking confidentiality and to legal requirements governing data privacy. In particular, these include companies in the categories of banking services, IT services, logistics, printing services, telecommunications, collections, advising and consulting, and marketing and distribution.
We are permitted to pass on or give access to information about you to third parties only if a basis for such sharing exists (particularly a legal basis), with your consent (e.g. to execute a financial transaction you have instructed us to undertake), or if we have been authorised to issue a bank reference. Subject to these conditions, the recipients of personal data may include:
- Official instances (e.g. law enforcement authorities, supervisory authorities such as, particularly, the Swiss Federal Financial Market Supervisory Authority FINMA, debt collection and bankruptcy offices, inheritance authorities, child and adult protection authorities), where a statutory or other legal basis or obligation exists.
- Other credit and financial service institutions or comparable institutions to which we transmit your personal data in order to conduct business with you (such as correspondent banks, custodian banks, brokers, stock exchanges, depending on the contract).
- Other companies within the BKB Group for risk control pursuant to statutory or official obligation or with your consent.
5. Will data be transmitted to a third country?
Data transmission to units in countries outside Switzerland (“third countries”) will occur if
- it is necessary to execute your orders (e.g. payment and securities orders),
- it is required by law (e.g. reporting obligations under tax law) or
- you have granted us your consent.
6. How long will your data be stored?
We will process and store your personal data as long as necessary to fulfil our contractual and statutory obligations. It should be noted that our business relationship is a long-term obligation intended to last for years.
If the data is no longer required to fulfil contractual or statutory obligations, it is regularly deleted unless further processing is required – for a limited time – for the following purposes:
- Fulfilment of record retention obligations under commercial and tax law. In particular, this concerns the Swiss Code of Obligations, the Federal Act on Value Added Tax, the Federal Act on Direct Taxation, the Federal Act on Harmonisation of Direct Taxes of Cantons and Municipalities, the Federal Act on Stamp Duties and the Federal Act on Withholding Tax.
- The enforcement, exercise or defence of legal claims or special record retention regulations may require the bank to retain information for a specified or unspecified period of time.
7. What data privacy rights do you have?
In respect of the data in question, each data subject has the right of access, the right to rectification, the right to erasure, the right to restricted processing and the right of objection. Furthermore, where applicable, you also have a right to lodge a complaint with a competent data privacy supervisory authority. You may withdraw consent for us to process personal data at any time. Please note that withdrawal applies only to the future; it does not apply to processing carried out before the withdrawal.
8. Do you have an obligation to provide data?
When conducting business with us, you must provide all personal data that is required for accepting and conducting business and fulfilling the associated contractual obligations or that we are legally required to collect. Without this data we are, as a rule, unable to enter into a contract with you or to provide the services or products you have requested.
In particular, anti-money laundering regulations require us to identify you on the basis of your identification documents before establishing a business relationship and to collect and record information such as your name, place of birth, date of birth, citizenship, address and details of your identification documents. For us to be able to comply with these statutory obligations, you are required under the Anti-Money Laundering Act to provide us with the necessary information and documents and to notify us without delay of any changes over the course of the business relationship. If you do not provide us with the necessary information and documents, we will be unable to enter into or continue the business relationship you desire.
9. To what extent is there automated decision-making?
In establishing and conducting a business relationship, we generally do not use any fully automated decision-making processes. Should we use such a procedure in individual cases, we will inform you of this separately if required by law.
10. Will profiling take place?
We process some of your data automatically with the aim of assessing certain personal aspects (profiling). For example, we use profiling in the following cases:
- Legal and regulatory stipulations require us to combat money laundering, financing of terrorism, and offences that place assets at risk. Measures taken to this end include data assessments (including on payment transactions). These measures also serve to protect you.
- We use assessment tools to be able to inform and advise you about products in a focused manner. These tools allow communications and advertising, including market and opinion research, to be designed as needed.
- We use scoring as part of the assessment of your creditworthiness. This includes calculating the probability that clients will meet their contractual payment obligations. The calculation may take account of the client’s earning capacity, expenses, existing liabilities, occupation, employer, term of employment, the history of our business relationship, timely repayment of previous loans, and information from credit bureaus. Scoring is based on a mathematically and statistically recognised and established process. The calculated scores help us make decisions in the context of product sales and are included in ongoing risk management processes.
11. We may collect biometric data from you
Biometric data is generally classified as sensitive personal data. Accordingly, where required by applicable law, your explicit, separately granted consent will be required to use your fingerprint or other biometric identification systems for access to specific applications.
Information on right of objection under the EU General Data Protection Regulation (GDPR)
1. Right of objection in individual cases
On grounds relating to your specific situation, you have the right of objection at any time concerning processing of your personal data in the public interest or on the basis of a valid interest of the bank; the same applies to profiling based on these grounds. If you lodge a complaint, we will cease processing your personal data unless we can show proof of mandatory, legitimate grounds for processing which outweigh your interests, rights and freedoms or if the processing serves the enforcement, exercise or defence of legal claims.
2. Right of objection to data processing for direct marketing
In individual cases we process your personal data to conduct direct marketing. You have the right to object to the processing of your personal data for this type of marketing at any time; the same applies to profiling when associated with such direct marketing. If you object to processing for direct marketing, we will cease processing your personal data for these purposes.
The objection need not be made in any specific form and should be addressed to the bank’s data protection office:
Data Protection Office
Thank you for your acknowledgement.