Legal basis for the processing of personal data
We take the protection of your personal data very seriously and treat your personal data confidentially. It is possible to use our website without providing any personal data. However, if you wish to make use of a special service offered by our company via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent. Based on Article 13 of the Swiss Federal Constitution and the data protection provisions of the Swiss Confederation (Data Protection Act, DSG), every person is entitled to protection of their privacy and protection against misuse of their personal data.
Data erasure and storage duration
We adhere to the principles of data minimisation in accordance with Art. 5 para. 1 lit. c GDPR and storage limitation in accordance with Art. 5 para. 1 lit. e GDPR. We only store your personal data for as long as is necessary to achieve the purposes stated here or as provided for by the retention periods stipulated by law. After the respective purpose no longer applies or after these retention periods have expired, the corresponding data will be deleted as quickly as possible.
Note on the transfer of data to third countries
Tools from companies based in third countries are also integrated on our website. If these tools are active, your personal data may be transmitted to the servers of the respective companies. The level of data protection in third countries generally does not correspond to EU data protection law. There is therefore a risk that your data may be passed on to authorities in these countries. We have no influence on these processing activities.
External links
This website or our app may contain links to third-party websites or to other websites under our responsibility. If you follow a link to a website outside of our responsibility, please note that these websites have their own data protection information. We accept no responsibility or liability for these third-party websites and their data protection notices. Therefore, before using these websites, please check whether you agree with their privacy policies.
You can recognise external links either by the fact that they are displayed in a different colour from the rest of the text or underlined. The cursor indicates external links when you move it over such a link. Only when you click on an external link will your personal data be transferred to the destination of the link. In particular, the operator of the other website will receive your IP address, the time at which you clicked on the link, the page on which the link was clicked and other information that you can find in the data protection information of the respective provider.
Please also note that individual links may lead to data being transferred outside the European Economic Area. This could give foreign authorities access to your data. You may not be entitled to any legal remedies against this data access. If you do not want your personal data to be transferred to the link destination or even exposed to unwanted access by foreign authorities, please do not click on any links.
Rights of the data subject
As a data subject within the meaning of the statutory data protection regulations, you have the opportunity to assert various rights. These are the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object, the right to lodge a complaint with a supervisory authority and the right to data portability.
Right of cancellation:
Some data processing can only take place with your express consent. You have the option to withdraw your consent at any time. However, this does not affect the lawfulness of data processing up to the point of revocation.
Right to object:
If the processing is based on Art. 6 para. 1 lit. e or f GDPR, you as the data subject can object to the processing of personal data concerning you at any time for reasons arising from your particular situation. You also have this right in the case of profiling based on these provisions within the meaning of Art. 4(4) GDPR. If we cannot demonstrate a legitimate interest in the processing that outweighs your interests, rights and freedoms or if the processing serves the assertion, exercise or defence of legal claims, we will refrain from processing your data after the objection has been made.
If the processing of personal data serves the purpose of direct marketing, you also have the right to object at any time. The same applies to profiling in connection with direct advertising. Here too, we will no longer process personal data as soon as you object.
Right to lodge a complaint with a supervisory authority:
If you believe that the processing of personal data concerning you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, without prejudice to any other administrative or judicial remedy.
Right to data portability:
If your data is processed automatically on the basis of consent or fulfilment of a contract, you have the right to receive this data in a structured, commonly used and machine-readable format. You also have the right to request the transfer and provision of the data to another controller, insofar as this is technically feasible.
Right of access, rectification and erasure:
You have the right to obtain information about your processed personal data regarding the purpose of the data processing, the categories, the recipients and the duration of storage. If you have any questions on this topic or other topics relating to personal data, you can of course contact us using the contact details provided in the legal notice.
Right to restriction of processing:
You may request the restriction of the processing of your personal data at any time. To do so, you must fulfil one of the following conditions:
- You contest the accuracy of the personal data. You have the right to request the restriction of processing for the duration of the verification of accuracy.
- If the processing is unlawful, you can request the restriction of the use of the data as an alternative to erasure.
- If we no longer need your personal data for the purposes of processing, but you need the data for the establishment, exercise or defence of legal claims, you may request the restriction of processing as an alternative to erasure.
- If you object to the processing in accordance with Art. 21 para. 1 GDPR, a balance will be struck between your interests and ours. Until this balancing has taken place, you have the right to request the restriction of processing.
Restriction of processing means that, apart from being stored, the personal data may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other data protection regulations is:
Clanq AG
Zahnradstrasse 22
8005 Zurich
Switzerland
Mail: [email protected]
Phone: +41 43 588 10 22
Name and address of the data protection officer
The data protection officer of the controller is:
dsgvoschutzteam.com – Lukmann Consulting GmbH
Dipl. Ing. Walter Lukmann
Packerstrasse 183
A-8561 Söding
Telephone: +43 660 60 888 01
E-mail: [email protected]
Data processing on the website by Clanq AG
Provision of the website (web host)
Our website is hosted by:
Cloudflare Germany GmbH
Rosental 7, 80331 Munich
Germany
The server location is USA.
When you visit our website, we automatically collect and store information in so-called server log files. Your browser automatically transmits this information to our server or to the server of our hosting company.
These are:
- IP address of the website visitor’s end device
- Device used
- Host name of the accessing computer
- Operating system of the visitor
- Browser type and version
- Name of the retrieved file
- Time of the server request
- Amount of data
- Information on whether the retrieval of the data was successful
This data is not merged with other data sources.
Instead of operating this website on our own server, we can also have it operated on the server of an external service provider (hosting company), which we have named above in this case. The personal data collected by this website is then stored on the hosting company’s servers. In addition to the data mentioned above, the web host also stores contact requests, contact data, names, website access data, meta and communication data, contract data and other data generated via a website for us, for example.
The legal basis for the processing of this data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the technically error-free presentation and optimisation of this website. If the website is accessed in order to enter into contractual negotiations with us or to conclude a contract, Art. 6 para. 1 lit. b GDPR serves as a further legal basis. In the event that we have commissioned a hosting company, there is an order processing contract with this service provider.
Use of local storage items, session storage items and cookies
Our website uses local storage items, session storage items and/or cookies. Local storage is a mechanism that enables the storage of data within the browser on your end device. This data usually contains user preferences, such as the ‘day’ or ‘night’ mode of a website, and is retained until you delete the data manually. Session storage is very similar to local storage, whereas the storage period only lasts during the current session, i.e. until the current tab is closed. After that, the session storage items are deleted from your end device. Cookies are information that a web server (server that provides web content) stores on your end device in order to be able to identify this end device. They are either stored temporarily for the duration of a session (session cookies) and deleted at the end of your visit to a website or permanently (permanent cookies) on your end device until you delete them yourself or they are automatically deleted by your web browser.
These objects may also be stored on your device by third-party companies when you visit our website (third-party requests). This enables us as the operator and you as a visitor to this website to utilise certain third-party services that are installed on this website. Examples of this include the processing of payment services or the display of videos.
These mechanisms can be used in a variety of ways. They can improve the functionality of a website, control shopping basket functions, increase the security and convenience of website use and carry out analyses of visitor flows and behaviour. Depending on the individual functions, these must be categorised under data protection law. If they are necessary for the operation of the website and intended to provide certain functions (shopping basket function) or serve to optimise the website (e.g. cookies to measure visitor behaviour), they are used on the basis of Art. 6 para. 1 lit. f GDPR. As the website operator, we have a legitimate interest in the storage of local storage items, session storage items and cookies for the technically error-free and optimised provision of our services. In all other cases, local storage items, session storage items and cookies are only stored with your express consent (Art. 6 para. 1 lit. a GDPR).
If local storage items, session storage or cookies are used by third-party companies or for analysis purposes, we will inform you about this separately in this data protection notice. Your required consent will be requested and can be revoked at any time.
Use of external services
External services are used on our website. External services are services from third-party providers that are used on our website. This can be done for various reasons, for example for embedding videos or for the security of the website. When using these services, personal data is also passed on to the respective providers of these external services. If we do not have a legitimate interest in the use of these services, we will obtain your consent as a visitor to our website, which can be revoked at any time, before using them (Art. 6 para. 1 lit. a GDPR).
Content management system
A content management system enables the creation, editing, organisation and presentation of digital content. We use a content management system to create content for our website. This enables us to design a more appealing website.
We base this processing on a legitimate interest (Art. 6 para. 1 lit. f GDPR).
Our legitimate interest lies in the technically error-free presentation and optimisation of the website.
WordPress
We use the WordPress service on our website. The provider of the service is Automattic Inc, 60 29th Street #343, 94110 San Francisco (CA), USA.
As this service is hosted locally on the web server, no data is transferred to third parties.
Display optimisation
We use tools to optimise the presentation of our website. Among other things, these tools help us to display the website in other languages or to make it more accessible.
Processing only takes place if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6 para. 1 lit. a GDPR). Without your consent, data will not be processed in the manner described above. If you withdraw your consent (e.g. via the consent banner or other options provided on this website), we will terminate this data processing. This does not affect the lawfulness of the processing that took place before you withdrew your consent.
WPML
We use the WPML service on our website. The provider of this service is OnTheGoSystems Ltd, 22/F 3 Lockhart Road, Wanchai, Hong Kong, China.
As this service is hosted locally on the web server, no data is transferred to third parties.
We base this processing on a legitimate interest (Art. 6 para. 1 lit. f GDPR).
This application is required to ensure the unrestricted functionality of the website. This is a language tool that is considered essential.
Consent management
In order to comply with data protection requirements, we use a consent management tool on our website. We use this tool to obtain the necessary consent for the setting of cookies or the use of external services. The consents are stored.
The processing is necessary for the fulfilment of a legal obligation to which the controller (website operator) is subject. Art. 6 para. 1 lit. c GDPR is therefore used as the legal basis for processing.
Usercentrics
We use the Usercentrics service on our website. The provider of the service is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.
Further information can be found in the provider’s data protection information at the following URL: https://usercentrics.com/de/datenschutzerklaerung .
Newsletter tools
As part of our marketing activities, we offer you the opportunity to subscribe to our newsletter via our website. To subscribe to the newsletter, you go through a registration process during which we check whether you are the owner of the e-mail address provided and whether you agree to receive our newsletter. The data will remain with us or with the newsletter service commissioned by us for the duration of your voluntary registration until you unsubscribe from the newsletter. If you unsubscribe from the newsletter, you will be deleted from the distribution list. This list will not be merged with other data. However, cancellation of the newsletter subscription does not mean that data stored for other purposes (e.g. customer accounts) will also be deleted.
Data will only be processed if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent. Without your consent, data will not be processed in the manner described above. If you withdraw your consent (e.g. via the consent banner or other options provided on this website), we will terminate this data processing. This does not affect the lawfulness of the processing that took place before you withdrew your consent.
Mailerlite
We use the Mailerlite service on our website. The provider of the service is MailerLite Limited, Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland.
Use of the service may result in data being transferred to a third country (USA).
Further information can be found in the provider’s data protection information at the following URL: https://www.mailerlite.com/legal/privacy-policy .
Interface software
Business processes are cheaper, faster and more error-free if they are automated with the help of software via interfaces. This allows them to be efficiently integrated into company processes via your own website or social networks. We use interface software on our website to link different applications with each other and to transfer personal data securely from one application to another.
Processing only takes place if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6 para. 1 lit. a GDPR). Without your consent, data will not be processed in the manner described above. If you withdraw your consent (e.g. via the consent banner or other options provided on this website), we will terminate this data processing. This does not affect the lawfulness of the processing that took place before you withdrew your consent.
Google APIs
We use the Google APIs service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Use of the service may result in data being transferred to a third country (USA). The provider is certified in accordance with the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL: https://policies.google.com/privacy .
Web fonts
This site uses so-called web fonts for the standardised display of fonts, which are provided by an external provider and are loaded by the browser when the website is accessed. The provider of the web font becomes aware that our website has been accessed from your IP address, as your browser establishes a direct connection to the provider of the web font.
Processing only takes place if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6 para. 1 lit. a GDPR). Without your consent, data will not be processed in the manner described above. If you revoke your consent (e.g. via the consent banner or other options provided on this website), we will terminate this data processing. This does not affect the lawfulness of the processing that took place before you withdrew your consent.
Google Fonts
We use the Google Fonts service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data being transferred to a third country (USA). The provider is certified in accordance with the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL: https://policies.google.com/privacy .
Websecurity
We use tools on our website that protect against unauthorised access, spam or other attacks. This increases the security of our website.
We base this processing on a legitimate interest (Art. 6 para. 1 lit. f GDPR).
Our legitimate interest is to be able to guarantee the security of our website and to protect us from unauthorised access, spam and other attacks.
Google Recaptcha
We use the Google Recaptcha service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Use of the service may result in data being transferred to a third country (USA). The provider is certified in accordance with the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL: https://policies.google.com/privacy .
Data processing in the app by Clanq AG
Google Play Store |
|
| Purpose: | Our app is offered in the Google Play Store. When it is downloaded by a Google Play Store customer, the data required for the download is transferred to the store. This includes the user name, e-mail address, Google Play Store customer number and individual device ID. It is not possible to download the app from the Google Play Store without transmitting this data. Data processing is carried out exclusively by the Google Play Store and is beyond our control. |
| Data categories: | No personal data |
| Deletion period: | No further data processing, therefore no deletion required |
| Groups of persons: | APP users |
| Legal basis: | 2. fulfilment of contract (Art. 6 para. 1 lit. b) GDPR) |
| Categories of recipients: | APP Store und Cloud Provider |
App Store |
|
| Purpose: | Our app is offered in the App Store. When it is downloaded by an App Store customer, the data required for the download is transmitted to the store. The user name, e-mail address, App Store customer number and individual device ID are recorded. It is not possible to download the app from the App Store without transmitting this data. Data processing is carried out exclusively by the App Store and is beyond our control. |
| Data categories: | No personal data |
| Deletion period: | No further data processing, therefore no deletion required |
| Groups of persons: | APP users |
| Legal basis: | 2. fulfilment of contract (Art. 6 para. 1 lit. b) GDPR) |
| Categories of recipients: | APP Store und Cloud Provider |
Registration of users |
|
| Purpose: | In order to use our app, it is necessary to register by providing personal data. It is necessary to provide your surname, first name and an e-mail address. A password must also be set. |
| Data categories: | User accounts, personal identification data |
| Deletion period: | 6 months after the end of the business relationship, excluding other statutory retention periods |
| Groups of persons: | APP users |
| Legal basis: | 2. fulfilment of contract (Art. 6 para. 1 lit. b) GDPR) |
| Categories of recipients: | Internal department |
Opening an account |
|
| Purpose: | In order to use the app, an account must be opened. In addition to other personal data, a telephone number is required. The following data is also required to set up the account: Salutation, first and last name, address (street, house number, city, postcode) marital status, date of birth, place of birth, nationality, email, employment status, tax liability in the USA and copy of ID card |
| Data categories: | Professional activities Image records, Electronic identification data, Financial identification data, Personal details, Personal identification data |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal bases: | 2. fulfilment of contract (Art. 6 para. 1 lit. b) GDPR and 3. consent (Art. 6 para. 1 lit. a) GDPR) |
| Categories of recipients: | Internal department |
| Confirmation e-mail | |
| Purpose: | By registering by e-mail, an e-mail will be sent to the address provided. This is done to confirm the e-mail address via a confirmation code (double opt-in procedure). To verify the e-mail address, we also process: the time the confirmation e-mail is sent, the time the confirmation link is opened and the IP address. |
| Data categories: | Electronic identification data, personal identification data |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal basis: | 2. fulfilment of the contract (Art. 6 para. 1 lit. b) GDPR) |
| Categories of recipients: | Internal department |
Transfer of data to Cornèr Bank |
|
| Purpose: | After entering all the data required to open the account, you will receive Cornèr Bank’s terms and conditions. If these are accepted, the data specified in 30.04 will subsequently be transferred to Cornèr Bank. |
| Data categories: | Professional activities, Financial identification data, Personal details, Personal identification data |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal basis: | 2. fulfilment of contract (Art. 6 para. 1 lit. b) GDPR) |
| Categories of recipients: | Banks |
Verification via ID-Now |
|
| Purpose: | ID-Now is used for verification. You must identify yourself with an ID card. |
| Data categories: | Image recordings, public identification data, personal details, personal identification data |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal basis: | Fulfilment of legal obligation (Art. 6 para. 1 lit. c) GDPR Fulfilment of contract (Art. 6 para. 1 lit. b) GDPR |
| Categories of recipients: | External participants |
Maintenance and updates |
|
| Purpose: | MindNow AG continuously develops the app. Necessary maintenance work is carried out and updates are installed. |
| Data categories: | Electronic identification data |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal basis: | 2. fulfilment of contract (Art. 6 para. 1 lit. b) GDPR) |
| Categories of recipients: | Software developer |
Communication |
|
| Purpose: | We use customer.io to send news, information, messages and specific notifications. The data remains on servers in the EU. |
| Data categories: | Personal details, personal identification data, agreements and contracts |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal bases: | 2nd fulfilment of contract (Art. 6 para. 1 lit. b) GDPR) |
| Categories of recipients: | Software manufacturer |
Optimisation |
|
| Purpose: | In order to constantly improve and optimise our products and services, Mixpanel carries out an analysis. Mixpanel only analyses figures of purchased products for us. |
| Data categories: | Number of products purchased |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal basis: | 4. balancing of legitimate interest Art. 6 para. 1 sentence 1 lit. f) |
| Categories of recipients: | Internal department Software manufacturer |
Chat and customer support |
|
| Purpose: | It is possible to communicate via a chat function and email. We use Gleap for this. |
| Data categories: | Electronic identification data, customer message, personal identification data |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal basis: | 2. fulfilment of contract (Art. 6 para. 1 lit. b) GDPR) |
| Categories of recipients: | Software manufacturer |
Analysis |
|
| Purpose: | In order to continuously improve our app, we analyse the app and its users. We use Firebase for this. |
| Data categories: | Electronic identification data |
| Deletion period: | In accordance with the statutory retention obligations |
| Groups of persons: | APP users |
| Legal basis: | 3rd consent (Art. 6 para. 1 lit. a) GDPR) |
| Categories of recipients: | Software manufacturer |
Cornèr’s privacy policy
As part of our business activities, Cornèr Banca SA (hereinafter also referred to as ‘Cornèr’, ‘we’ or ‘us’) processes data about natural and legal persons (‘personal data’). Personal data includes data about customers (existing and former customers), potential new customers, business partners and their employees, and other persons who are in contact with us (hereinafter also referred to as ‘you’).
1. Purpose of this privacy policy
The following information is intended to provide you with an overview of the processing of your personal data by Cornèr and of your rights under data protection laws. Which information is processed in detail and how it is used depends largely on the services requested or agreed and on the way in which you communicate with us.
Please note in particular that Cornèr offers both banking services (e.g. for payment transactions, private customer business and private banking, mortgages and online trading via Cornèrtrader) and services relating to payment card services (Cornèrcard) and that your data may be processed differently depending on the services used. Further information and legally binding data protection provisions can also be found in the General Terms and Conditions of the respective product.
Several third-party providers are involved in the provision of financial services who offer their services without our influence (e.g. providers of financial messaging services, stock exchanges, payment card systems). With regard to the services provided by such third-party providers, we recommend that you observe their relevant regulations and data protection guidelines.
2. What personal data do we process?
2.1 General information
We process personal data that we receive from you, for example in the course of our business relationships. Insofar as this is necessary for the provision of our services, we also process personal data that we have lawfully obtained from publicly accessible sources (e.g. debtor lists, land registers, commercial registers, newspapers, Internet) or that have been transmitted to us by authorised third-party providers (e.g. credit agencies or credit reference agencies).
This Privacy Policy also applies to individuals who have no contractual relationship with Cornèr but whose data is processed by Cornèr for other reasons (e.g. individuals who write to us or otherwise contact us, visitors to our websites, recipients of information and marketing communications, contacts of our suppliers, buyers and other business partners, participants in competitions, prize draws and customer events, visitors to our premises).
2.2 In connection with the services and products we offer
As part of our business activities, we process the following personal data, depending on the specific relationship with you:
- Personal identification data, e.g. first and last names, date and place of birth, nationality, place of residence, contact details, e.g. telephone number, postal address and e-mail address, information about your family, e.g. marital status, name of your partner or children. This information may also be collected from potential new customers.
- Professional information about you, if applicable, e.g. job title and professional experience. This information may also be collected from potential new customers.
- Customers’ identity documents (e.g. a copy of their ID card or passport), authentication data (e.g. specimen signature) and detailed information on the granting of power of attorney, if applicable
- Your tax residence and other tax-relevant information and documents the identifiers assigned to you by us, e.g. your customer or account number, your credit card number or other internal identification numbers
- Financial data (data about customers, bank accounts and payment cards) that you provide to Cornèr when applying for the requested service or during the term of a contractual relationship or that Cornèr has collected (e.g. when preparing statements of account or statements of assets, when managing and transferring assets, when providing investment advice, granting loans, making refunds, collecting outstanding receivables or processing insurance claims)
- Financial information and information about financial circumstances, including an overview of payments and transactions as well as information about your assets (including real estate), financial statements, liabilities, taxes, income, capital gains and investments (including your investment objectives) as well as information about your financial situation (e.g. creditworthiness, scoring/rating information, origin of assets), your knowledge of financial products and your level of knowledge and experience in the investment sector
- Order data (e.g. payment orders) and transaction data With regard to payment cards, transaction data (detailed information on purchases and cash withdrawals) may also include, for example, the point of acceptance, the amount of the transaction, the date and time of the transaction, the type of use of the card (e.g. online, contactless), the number of failed attempts to enter the PIN and the selected currency. Detailed information is only collected for certain transactions. In these cases, however, Cornèr is not able to determine what was purchased.
- Information relating to customer risk assessments, e.g. customer due diligence data (regular review of results), customer risk profiles, suitability/appropriateness assessment data, customer qualification data (e.g. qualified investor status), screening alerts (screening of transactions or names), tax data or complaints information,
- Information about the products and services you use and information from the fulfilment of our contractual obligations (e.g. volume of payment transactions, performance of a portfolio managed under an asset management agreement or under an advisory mandate, execution of securities transactions, foreign exchange transactions and contracts for difference with Cornèrtrader),
- Any recordings of telephone conversations you have with Cornèr employees (including telephone log data such as your telephone number, the telephone number of the caller, the telephone number of the call recipient, forwarding numbers, date and time of calls and messages, call duration, forwarding information and type of calls) and any video recordings from surveillance systems during visits to our premises or use of our ATMs.
- When you access our websites, our online offers or our apps, we also collect and store information about your use of the website, platform or apps (usually data relating to your activities during your visit, date and time of access, files accessed, volume of data transmitted, execution of access, information about your device and web browser, language of the web browser and requesting domain, IP address, information that you may have provided voluntarily). Which information is processed depends on the respective product and the respective function, on the respective website you access and on your selection in the corresponding cookie management display on the website. For more information, please refer to the cookie policy published on the relevant website.
- More generally, we collect detailed information about our interactions with you and about the products and services you use. This also includes information about electronic interaction via various channels such as email and smartphone apps.
If necessary in connection with the products and services we prepare or provide to you, we may collect information about additional cardholders or account holders, business partners, dependants or family members, representatives and authorised signatories. If you are a legal entity, we are authorised to collect information about your officers, employees, shareholders or beneficial owners. You should provide these individuals with a copy of this Privacy Policy before you provide us with information about them.
2.3 Special categories of personal data (including biometric data)
In some cases, to the extent permitted by applicable law, we collect special categories of personal data, e.g. biometric data, health data, information about political opinions or affiliations, skin colour or ethnic origin, religious or philosophical beliefs and information about criminal convictions or offences.
With regard to biometric data, please note that the identification and authentication process for the use of payment solutions in connection with our payment cards (e.g. the services of wallet service providers such as Apple Pay or Samsung Pay) and for access to Cornèr’s apps on your devices (e.g. smartphone apps) may be carried out using biometric identification systems such as fingerprints, facial recognition, voice recognition, etc. Please note that such biometric identification procedures are carried out by the respective service provider or operator of the operating system without any influence from Cornèr. All biometric data used for such identification and authentication procedures are stored exclusively on your device. Cornèr does not have access to your biometric data. We therefore recommend that you read the privacy policies of the relevant service providers or operators.
2.4 Source of the personal data
The personal data mentioned above is primarily provided to us by the people who interact with us. Customers may provide us with their personal data in the context of requests to use our services or products, by participating in Cornèr’s (or our partner companies’) customer loyalty or bonus programmes, by participating in events and competitions organised by us, by using our websites, online tools or our mobile apps, by contacting us by post, email, telephone or other electronic channels, etc.
To the extent permitted by law, we are also authorised to obtain the above-mentioned personal data from third-party providers, e.g. from intermediary banks, from the Central Office for Credit Information (ZEK) or the Information Office for Consumer Credit (IKO), from authorities, credit agencies or credit reference agencies, employers or other companies of the Cornèr Bank Group, from publicly accessible databases such as local.ch or the commercial register, etc.
3. Why do we process your data? (Purpose of the processing)
We always process personal data for a specific purpose and only to the extent necessary to fulfil this purpose. The main purposes of processing such data are as follows:
3.1 Purposes of processing
a. Contract negotiations and customer onboarding:
Verifying your identity and assessing your application (including assessing your creditworthiness and the need for collateral if you are applying for a loan)
Carrying out checks to ensure compliance with legal or regulatory requirements (e.g. compliance with anti-money laundering and anti-fraud regulations)
b. Fulfilment of the contract, including the provisions for banking products and services
- Data processing for the purpose of managing our business relationship with you, e.g. in relation to the products and services provided by us and our business partners, to deal with customer service queries and complaints, to facilitate debt recovery, when deciding whether to grant loans, to clarify your place of residence (e.g. if we can no longer contact you)
- Data processing for the purpose of providing banking products and services (including Cornèrtrader) and to ensure their correct implementation, e.g. through appropriate identity checks and account withdrawals or deposits in accordance with your instructions and the general terms and conditions of the product concerned. The data processing purposes are primarily dependent on the respective order. These may include, for example, demand analyses, advisory services, asset management and the execution of transactions. To measure credit risks and default risks in loan transactions (e.g. mortgage lending, trade finance), we are also authorised to consult credit agencies and exchange information with them (e.g. debt collection registers).
- In connection with payment cards, we process the data collected to fulfil the card contract and to manage the business relationship. Please note the following in this context:
- As far as the use of the card is concerned, the transaction information is transmitted to Cornèr by the acceptance points (merchants or ATMs). Such transmissions are generally made via the global networks of the international card companies Mastercard, Visa and Diners (please refer to the data protection guidelines of the card companies concerned). We then check and authorise the transactions and charge them to the cardholder.
- With regard to the authorisation of transactions, Cornèr checks whether a transaction is made by the authorised cardholder or whether it could be a fraudulent transaction. Cornèr is authorised to take various fraud prevention measures at its own discretion. Each transaction is automatically analysed according to predefined rules and conditions to identify signs of possible misuse. In addition, where possible, transactions are checked for significant deviations from normal card usage patterns (e.g. in terms of time or location). If Cornèr identifies indications of possible card misuse, Cornèr will, if possible, take measures to prevent misuse (e.g. by contacting the card issuer or the card issuer’s authorised representative).
- In addition, the cardholder’s data is processed in the procedure for complaints and chargebacks of transactions, for example to clarify unknown transactions or unjustified debits. In this procedure, transactions are checked in detail. Data is also collected and processed for the settlement of insurance claims in order to clarify the insurance claims in cooperation with our insurance partner.
- If payment cards from Cornèr’s partner companies are sold as private cards to consumers or as corporate cards to the relevant companies and their own customers, information about the use of the payment card by the cardholder (e.g. transaction data) is forwarded to the relevant partner companies.
- We process personal data in order to send information about the services and products that customers have ordered (e.g. information about changes to services or products, about new product features, about maintenance work, about temporary outages, etc.).
c. Fulfilment of compliance, risk management and crime prevention requirements
- We process data to meet our ongoing regulatory and compliance obligations (e.g. in relation to financial, money laundering and tax laws), including in relation to recording and monitoring communications, sharing data with tax authorities, financial regulators and other regulators or national authorities, detecting or preventing criminal offences and complying with disclosure requirements to authorities.
- We process data to fulfil operational requirements for credit and risk management, e.g. to determine credit and market risks in connection with the issuing of payment cards or the granting of loans. Such data processing is necessary in particular because Cornèr assumes the credit risk as part of the contractual relationship for the use of payment cards or the credit agreement relationship. In this context, Cornèr creates individual risk profiles that are used, among other things, to assess the credit risk. You are not entitled to object to our data processing for risk analysis purposes, as Cornèr needs this data to calculate and control its financial risks. You can only object to such data processing by terminating the contractual relationship with us.
- Measures to prevent and investigate criminal offences and to ensure the security of our customers, employees and third parties: In connection with payment cards, we process data, including the monitoring of transaction data, for fraud prevention.
d. Managing relationships with our business partners, including the fulfilment of contracts concluded with them
- We work with various companies and business partners, e.g. suppliers, professional purchasers of goods and services, joint venture partners and service providers (e.g. IT service providers). We process personal data about the contact persons in the companies concerned (e.g. name, position, title and communication with us) for contract preparation and execution, for planning and booking purposes and for other contract-related purposes.
- Depending on the industry, we may also be obliged to carry out more detailed checks on the companies concerned and their employees, e.g. as part of a security check. In this case, we collect and process additional information.
e. Measures to improve our products and services and the technologies we use
- This includes verifying and updating our systems and processes in general and for market research purposes to determine how we can improve our products and services or what new products and services we could sell.
- Carrying out transaction analyses, statistical analyses and similar analyses.
- We are also authorised to process personal data in order to improve customer advice, customer satisfaction and customer loyalty (customer/supplier relationship management).
f. Information and direct marketing / events and competitions for customers
- We process personal data in order to send information and advertising (including by means of push notifications) relating to our products and services that we believe may be of interest to you. This also includes products and services offered by us, by other Cornèr Bank Group companies or by our business partners. For example, if you sign up for a newsletter or SMS notification service, we will process your contact details. In the case of e-mails, we also process information about your use of the messages (e.g. whether you have opened an e-mail and downloaded the embedded graphics) in order to tailor our offers to your requirements.
- In connection with its products, Cornèr is authorised to create profiles about customers and their consumption and preferences for marketing purposes from the personal data and transaction data collected. This enables Cornèr to develop and offer attractive products and services for its customers. Cornèr is authorised to send customers such information about its own products and services or about the products and services of partner companies using the available communication channels (e.g. by post, e-mail, push notification).
- Events for customers: We also process personal data when we organise events for customers (e.g. promotional events, sponsorship events and cultural and sporting events). Such data includes, for example, the first and last name of the participants or potential new customers, their postal or e-mail address and possibly, depending on the circumstances, other information such as their date of birth. We process such information in order to organise the customer events, but also to contact you directly. For further information, please refer to the applicable conditions of participation.
- Competitions, prize draws and similar events: From time to time, we organise competitions, prize draws and similar events. We process your contact details and information about your participation in order to organise the competitions and contests, to communicate with you about such events if necessary and to use this data and information for advertising purposes. For further information, please refer to the applicable conditions of participation.
- You can object to the sending of information (advertising block) or revoke your consent to data processing for marketing purposes by sending Cornèr a written request, optionally also by e-mail (see information below on the right to object).
g. Examples of other purposes
- Legal purposes: We process personal data in various situations in order to assert our rights, e.g. to assert our claims in court or out of court and to enforce or defend ourselves against claims before foreign or domestic authorities. For example, we may investigate the prospects of success in legal disputes or submit documents to an authority. In doing so, we are authorised to process your personal data or forward it to third parties in Switzerland and abroad, insofar as this is necessary and permitted. This also includes debt collection proceedings in Switzerland or abroad. (For this purpose, we are authorised to commission third parties, such as debt collection companies).
- Measures to secure property ownership rights, including security measures for facilities and buildings (e.g. access control). This also includes video surveillance in appropriately labelled areas to protect the owner’s rights, to collect evidence in the event of robbery or fraud or to obtain proof of deposits and withdrawals (e.g. at ATMs).
- Ensuring Cornèr’s IT security and operations (including the processing of personal data in test environments where the information is generally pseudonymised in advance).
- For the operational management of Cornèr and Cornèr’s subsidiaries (‘Cornèr Bank Group’) (including credit and risk management, insurance, auditing, system and product training and similar administrative purposes), and for such other purposes as may be notified to you on a case-by-case basis.
3.2 Basis of the processing
A large part of the above-mentioned processing takes place in order to fulfil contractual obligations or, at your request, to carry out pre-contractual measures (paragraphs a), b), d)).
Processing also takes place in cases where this is required by law or is in the public interest (paragraphs a), c)). Statutory obligations of this kind may arise, for example, from the Swiss Banking Act, the Collective Investment Schemes Act, the Anti-Money Laundering Act, the Consumer Credit Act, the Mortgage Bond Act and various tax laws and ordinances of the Swiss Financial Market Supervisory Authority FINMA.
Part of the data processing serves to protect our legitimate interests or the legitimate interests of third parties as part of a balancing of interests (paragraphs e), f), g), h)). If you would like further details on the balancing of interests, you are welcome to contact us (contact details in section 12).
In certain cases, we rely on your express or implied consent for the processing of personal data for certain purposes. Such consent can be withdrawn at any time.
3.3 Obligation to provide information
In the course of our business relationship, you must provide personal data that we require for the initiation and execution of our business relationship and for the fulfilment of the associated contractual obligations. You must also provide data that we are required to collect by law. Without such data, we will not be able to enter into or fulfil the contract (in which case we will inform you of this fact).
Before we can enter into a business relationship with you, we are required by anti-money laundering legislation to verify your identity using your identification documents and to record and store your first and last name, place and date of birth, nationality, address and identification document details. In order for us to comply with this legal requirement, you must provide us with the information and documents required by the Anti-Money Laundering Act and notify us immediately of any relevant changes during the course of our business relationship. If you do not provide us with the required information and documents, we will not be able to initiate or maintain our business relationship.
4. Who receives my data?
4.1 Within the Cornèr Bank Group
At Cornèr, your data will only be made available on the basis of necessity (need-to-know principle) for the fulfilment of our contractual and legal obligations.
We are authorised to transfer personal data to other companies of the Cornèr Bank Group for internal group management purposes (including for risk management in application of legal or administrative regulations) and for the processing purposes listed above. Your personal data may be processed for the relevant purposes and linked to personal data of other Cornèr Bank Group companies.
4.2 Third parties
When we provide you with products and services, we will share your personal data with persons acting on your behalf or otherwise involved in the transaction (depending on the nature of the products or services you use). This may include the types of organisations described below.
Other credit and financial services institutions or similar institutions to whom we disclose your personal data (e.g. depending on the contract, partner banks, custodian banks, external asset managers, fund managers, brokers, stock exchanges, central counterparty clearing houses (CCPs), upstream paying agents, swap or trade repositories and clearing houses and clearing or settlement systems and specialised payment service providers or payment institutions such as SWIFT).
Parties involved in a transaction (e.g. payee, beneficiary, authorised signatory of an account, intermediary) or who assume a risk in the course of or in connection with the transaction (e.g. an insurer).
If you have a payment card with us, the relevant card company (Visa, Mastercard, Diners Club) and the acquiring companies that have entered into agreements with individual merchants to accept these cards.
Other financial institutions, credit or business rating agencies (for obtaining or providing credit reference information and credit checks).
4.3 Service providers
Your data may also be passed on to the service providers or subcontractors commissioned by us for the above-mentioned purposes if they enter into appropriate confidentiality agreements. These include providers of banking services (including investment services), IT services (including hosting service providers and providers of cloud services), logistics, printing, telecommunications, debt collection services (including the commissioning of debt collection companies based in Switzerland or abroad), payment transactions, rating agencies, advice and consulting as well as sales and marketing. In these cases, we protect your personal data in a way that ensures that the subcontractor complies with our data security standards.
4.4 Government authorities or supervisory authorities
If necessary, we also disclose personal data to government authorities, supervisory authorities or state bodies (e.g. the Swiss National Bank, FINMA, law enforcement authorities) if this is required by law, ordinances or other rules of conduct or if disclosure is requested by these authorities or bodies.
4.5 Other cases
In the event of the sale of all or part of our company to another company or in the event of a reorganisation of our company, personal data will be passed on in order to enable you to continue using the products and services concerned. As a rule, we also pass on personal data to potential buyers if we are considering the complete or partial sale or the complete or partial spin-off of a division of the company. We take appropriate precautions to ensure that such potential buyers ensure the security of the data.
We disclose personal data to the extent necessary to exercise or enforce legal rights – including our rights, the rights of our employees and the rights of other rights holders – or to respond to requests from individuals or their representatives who wish to enforce their own rights or the rights of others.
5. Will my data be transferred to third countries or to an international organisation?
The recipients mentioned in the previous section may process the personal data abroad. We transfer your personal data to other countries whose legislation guarantees an adequate level of data protection (in particular the EEA countries) or, in the absence of such legislation guaranteeing adequate protection, on the basis of appropriate safeguards (e.g. standard contractual clauses adopted by the European Commission or other legal derogations) or with your consent. If and to the extent required by applicable law, these safeguards – in particular the standard contractual clauses adopted by the European Commission – may be supplemented by appropriate legal, operational and technical measures. Please contact us if you would like to review the agreed data transfer guarantees.
Your data may also be transferred to third countries or within third countries if this is necessary for the execution of your orders (e.g. payment orders or securities trading orders), if such data transfer is required by law (e.g. tax reporting obligations) or if you have expressly consented to this purpose.
Below is a list of the countries to which we may transfer your data:
- EEA countries
- USA
- Israel
- Brazil
6. How long will my data be stored?
We store your personal data for as long as is necessary for the purpose for which we collected it or to fulfil legal or regulatory requirements, which may be specified in more detail in our internal guidelines.
In the case of contracts, we store your personal data for at least the duration of the contractual relationship. In this context, please note that our business relationship is designed to be a long-term contractual relationship over many years.
In addition, we store personal data if we have a legitimate interest in storing it. This may be the case in particular if we need personal data to enforce or defend against claims, for archiving purposes, to maintain IT security or as long as the limitation period for contractual or non-contractual claims is still running. As a rule, ten-year limitation periods are common, for example. However, there are also many cases in which five-year or even one-year limitation periods apply.
We also store your personal data for the duration of the applicable statutory retention period (e.g. to comply with retention periods under tax or commercial law or to comply with the 10-year retention period under the Anti-Money Laundering Act). Please note that we are obliged by the provisions of the financial supervisory authorities to record external and internal telephone conversations and the electronic correspondence of certain bank employees.
If necessary, we will contact you and ask for your consent if we wish to store your personal data for a longer period of time.
After these periods have expired, we will delete or anonymise your personal data.
7. What rights do I have under the Data Protection Act?
Every data subject has the right of access to their personal data, the right to rectification or erasure, the right to restriction of processing, the right to object to data processing and – where applicable – the right to data portability. You also have the right to lodge a complaint with a competent data protection supervisory authority, where applicable.
You can withdraw your consent to the processing of your personal data at any time. Please note that such a cancellation will only be effective for the future. Processing that took place before the revocation is not affected. Such a cancellation may lead to the termination of the business relationship we have with you.
To exercise your rights, please use the contact details provided in section 12.
Please help us to ensure that your personal data is accurate and up to date: If your personal data changes, please let us know as soon as possible.
Please also note that your rights of access, cancellation or objection are not absolute, as they may not apply in certain circumstances or may be subject to exceptions. We will comply with your requests in accordance with the applicable data protection regulations. If necessary, we will also ask you to provide proof of your identity when exercising your rights. We may also ask you for additional information if your request is unclear. If we are unable to fulfil your request, we will provide you with an explanation.
8. To what extent is the decision-making process automated?
As a rule, we do not use a fully automated decision-making system for the initiation and continuation of a business relationship. Should we use such methods in certain cases, we will inform you of this separately, insofar as this is required by law.
9. Is profiling used?
In certain cases, we process your data automatically for the purpose of evaluating individual aspects of your person (profiling). For example, we use profiling in the following cases:
- We are obliged by laws and regulations to combat money laundering, terrorist financing and white-collar crime. We also analyse data for this purpose (e.g. payment transactions). In addition, we may create a customer profile in order to fulfil regulatory and contractual requirements (e.g. determining the customer investment profile in the areas of private banking and online trading). Such measures also contribute to your own protection.
- We use a scoring procedure to assess your creditworthiness. This involves calculating how likely it is that a customer will not be able to fulfil their payment obligations in accordance with the contract. This calculation may include, for example, income, expenditure, existing liabilities, occupation, employer, length of employment, experience from our previous business relationships, contractual repayment of loans and information from credit agencies. The scoring is based on a scientifically recognised mathematical-statistical procedure. The score values determined help us to decide whether we should enter into contracts for certain products and are incorporated into ongoing risk management (which means that they are also used in the course of our business relationship with you).
- So that we can provide you with information and advice on products tailored to your needs, we use analytical tools that enable needs-based communication and advertising, including market and opinion research. In this context, we may create profiles, for example by analysing which types of our products and services you use, how you would like to be contacted, etc.
10. Data security
Cornèr takes appropriate technical measures (e.g. encryption, pseudonymisation, logging, access control, data backups, etc.) and organisational measures (e.g. instructions to our employees, confidentiality agreements, checks, etc.) to ensure that the information collected and processed is protected against unauthorised access, misuse, loss, falsification and destruction. Access to your personal data is only permitted on a need-to-know basis.
Nevertheless, it is generally impossible to completely rule out security risks: Certain residual risks are usually unavoidable. As complete data security cannot be guaranteed, especially when communicating by e-mail, instant messaging or similar means of communication, we recommend that you send confidential information by particularly secure means (e.g. by post).
11. Information about your right of cancellation
11.1 Right to object to the processing of your personal data for direct marketing purposes
In certain cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
11.2 Right to object on a case-by-case basis
You have the right to object at any time to the processing of personal data concerning you that is carried out in the public interest or on the basis of a balancing of interests.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. Please note that in the event of such an objection on your part, we will no longer be able to provide services for you or maintain a business relationship with you.
Your objection can be made informally and should be sent to the following address if possible:
Cornèr Banca SA, Via Canova 16, 6900 Lugano, Switzerland
E-mail: [email protected] and [email protected]
If you use several Cornèr products or services (e.g. a bank account, a payment card, a Cornèrtrader account, etc.), please indicate which types of processing you are objecting to when exercising your right to object. If you are unclear about the scope of your objection, please contact us to clarify the matter.
12. Who is responsible for data processing and who can I contact?
Cornèr Banca SA, Via Canova 16, 6900 Lugano, Switzerland
E-mail: [email protected] and [email protected]
If you prefer a contact person in the European Union, you can send a letter to the following e-mail address [email protected]
This policy was updated in October 2022. We reserve the right to amend it if necessary. Any changes or updates we make to this policy will be made available to you here. Please visit the Cornèr website regularly to ensure that you are always fully aware of the latest version and the data protection provisions that apply to your personal data.
All of the above information has been translated by machine translator from the German language.
