1. Our commitment to privacy
Bank Vontobel Europe AG (“Vontobel”, “us” or “we”) highly appreciates your interest in Vontobel and our products and services. Your privacy is important to us and we want you to feel comfortable using our products and services and visiting our websites. It is a major concern for Vontobel that your personal data is treated in a responsible manner and in compliance with legal requirements. To this end, we take precautions, such as implementing robust technical and organizational security measures including password encryptions, firewalls, authentication technologies, access management, employee awareness-raising and training, and appointment of a Data Protection Officer.
Vontobel is committed to complying with applicable data protection laws and regulations including the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”; “GDPR”) and the Swiss Federal Act on Data Protection of 25 September 2020 and its implementing ordinances (“FADP”) and thus to ensuring the protection and confidentiality of your personal data.
2. Responsible entity and contact details
The following entity (including its branches) is responsible for data processing:
Bank Vontobel Europe AG
Alter Hof 5
Vontobel has appointed a Swiss Representative for the affiliated group entities outside Switzerland in accordance with Art. 14 and 15 FADP:
Bank Vontobel AG
3. Source and categories of personal data
For the purposes outlined in section 5, we may collect personal data, to the extent legally permitted, from the following sources:
- We may collect personal data from you in your capacity as a Data Subject in the context of our current or potential business relationship or when using Vontobel Services (for example, for account opening, during an advisory discussion, for making an enquiry, as part of your registration on our websites, when signing up for newsletters or events, when participating in discussion boards or other social media functions on our websites, or when providing information relating to a job application registration); we may also collect personal data from our shareholders and investors;
- Personal data may be provided to us by an organization or legal entity that is a Business Partner of Vontobel if you are a representative of such Business Partner or otherwise linked to our Business Partner as a Data Subject;
- Personal data that is necessary for the facilitation of Vontobel Services may be transmitted to us via technical infrastructure (for example, via our websites, login information, Apps, or via collaborations with financial or information technology providers, market places, exchanges, trading infrastructures or securities houses);
- We may collect personal data from third parties, such as authorities (for example, sanction lists), providers of risk management, search information or intelligence solutions (for example, Worldcheck), (credit) rating agencies, information offices, consumer reporting entities, analytics providers, as well as from Vontobel affiliated entities;
- We may collect personal data that is publicly available (for example, public register information, public social media platforms, debtor directories, land registers, commercial registers and registers of associations, the press and the Internet).
The categories of personal data processed may include the following:
- Master data, such as name, address, e-mail address, phone number and other contact details, date of birth, gender, nationality, marital status, partner type data (employed / self-employed), identification data (for example, passport or ID, driver’s license number, social security number), authentication and certification data (such as specimen signature), contract related data (for example, business/account and contract number, and other account and contract information);
- Risk management, transaction and/or order data, such as risk and investment profiles, fraud regulatory history, transaction data (for example, payment data), order data including online banking (such as payment orders), and information regarding your financial situation (for example, creditworthiness data, scoring/rating data), data with respect to beneficiaries, data on investment products, origin of assets, information and records on your professional knowledge of and/or experience with financial instruments, CVs, criminal records or any other relevant information;
- Technical data, such as IP addresses, browser plug-in types and versions, cookies, internal and external identifiers, logging data, record of access and changes, content accessed by the website user including relevant meta data (for example, time and date of access);
- Marketing and sales data, such as preferences, wishes, requested reference material, advertising scores, documentation data (for example, consultation protocols);
- Other data comparable with the above categories, whereby personal data may also be related to third parties (for example, family members, beneficiaries, beneficial owners, authorized representatives, or advisors who might also be affected by the data processing), and other data transmitted to us if you or a third party voluntarily provides personal data (for example, by completing a registration form or comment field, registering for a newsletter or using certain services). We also collect and process data from our shareholders and investors; in addition to master data, this includes information for the relevant registers, shareholdings, movements in holdings, payouts (in the context of dividends), information relating to the exercise of their rights and the management of events (for example, general meetings).
4. Special categories of personal data
To the extent that we process any special categories of personal data or sensitive personal data relating to Data Subjects, we will do so only if the processing is necessary for the establishment, exercise or defense of a legal claim, for reasons of substantial public interest, if you have given your explicit consent to Vontobel to process such data (where legally permissible), or where we are otherwise legally permitted to process such data.
In that sense, we may for example process biometric data that is classified as sensitive personal data. In this respect, your explicit consent will be required in a separate procedure to obtain a biometric identification (for example, Touch ID or other biometric identification) in order to be used for access to certain applications.
5. Purposes and legal basis of processing
We process personal data in compliance with data protection laws and regulations, for the following purposes:
5.1. For fulfillment of contractual obligations
We may process your personal data for the purpose of providing Vontobel Services to our Business Partners or performing pre-contractual measures. The processing is primarily determined by the specific product or service (for example, financing and financial planning, investments, pensions, e-Banking, succession planning, credits, securities, deposits, or client referral, etc.) and may include, for example, needs assessments, advice, asset management and support, as well as carrying out transactions. You can find additional details about the purposes of personal data processing in the relevant contract documents and terms and conditions.
5.2. For compliance with a legal obligation or in the public interest
As a financial institution we are subject to various legal and/or regulatory obligations locally and globally, such as bank regulatory requirements (where applicable), obligations under company law, statutory or other legal/regulatory requirements.
This may include, for example, legal and/or regulatory disclosure, notification and reporting obligations to authorities, courts, including anti-money laundering and anti-terrorist financing regulation (for example, automatic exchange of information with foreign tax authorities, prosecution departments, etc.) and other suitability and due diligence assessments. Other purposes of processing may include assessment of creditworthiness, identity and age verification, anti-fraud measures, fulfillment of tax legal and regulatory (for example, reporting) obligations, fulfillment of obligations under company law (for example, keeping the share register, handling and conducting general meetings and dividend distributions, delivery of semi-annual and annual reports), as well as the assessment and management of risks within Vontobel.
5.3. For the purposes of safeguarding legitimate interests
Where necessary, we may process your personal data in order to safeguard the legitimate interests pursued by us or a third party, which does not unduly affect your interests or fundamental rights and freedoms; in particular:
- Consulting and exchanging data with information offices or other third parties (for example, the debt register) to investigate solvency, creditworthiness and/or credit risks;
- Measures for business management and further development of Vontobel Services (for example, reviewing and optimizing procedures for needs assessment);
- For statistical purposes (for example, presentation of shareholder developments, preparation of overviews and evaluations);
- Marketing, marketing communications or market and opinion research, unless you have objected to the use of your personal data (section 9.3);
- Ensuring information technology security;
- Asserting legal claims and defense in legal disputes;
- Prevention and investigation of crimes;
- Video surveillance or similar measures to protect the right of owners of premises to keep out trespassers, for collecting evidence in hold-ups or fraud, or to prove availability and deposits (for example, at ATMs and office entrances);
- Other measures for building and site security (for example, access admittance controls);
- Group risk management.
5.4. On basis of your consent
Insofar as you have consented to the processing of personal data for specific purposes (such as analysis of trading activities for marketing purposes, etc.), the lawfulness of such processing is based on your consent. Any consent granted may be withdrawn at any time. Please be advised that the revocation shall only have effect for the future. Any processing that was carried out prior to the withdrawal shall not be affected thereby.
6. Recipients of personal data
As a financial institution we are under a duty to maintain professional confidentiality. We may only disclose your personal data to other Vontobel affiliated entities or third parties for the purposes listed in section 5, and only if a legal basis listed in section 5 exists.
In particular, for the purposes stated in section 5, we may commission service providers who are contractually bound to confidentiality, including banking secrecy or other professional confidentiality (as applicable), and to complying with our instructions under data protection laws and regulations.
Under these requirements, recipients of personal data may include, for example:
- Credit and financial service institutions (such as banks, stock exchanges, clearing houses, etc.) and comparable institutions and service providers, including brokerage or financial services, investment services, share register, fund management, auditing services, payment transactions, call-center services, compliance services, controlling services, data screening services for anti-money laundering and antiterrorist financing purposes, data destruction services, purchasing/procurement services, space management services, real estate appraisals, loan processing services, collateral management, collection, payment card processing (debit/credit cards) services, customer management, media technology services, reporting, research, risk controlling, expense accounting, telephony services, video identification, website management, and other support functions;
- Vontobel affiliated entities (including branches), for example for fulfillment of contractual obligations, risk management, or for the performance of services that we have outsourced to Vontobel affiliated entities;
- (Other) service providers commissioned with the processing of personal data, including information technology services (such as cloud platforms), logistics, printing services, telecommunications, archiving, advice and consulting, sales and marketing and other support functions;
- Professional advisers such as consultants, auditors, tax advisors, proxy voting agents, legal counsels, law firms and other service providers;
- Supervisory authorities, regulators, tribunals or courts if so directed, permitted or required under applicable law (for the avoidance of doubt, such obligations may also exist vis-à-vis authorities of third countries without a direct relationship to you, which, for example, may wish to verify the equal treatment of clients from their country with regard to trading conditions, best execution or fair allocation of securities and profits);
- (Other) public authorities and institutions (such as Swiss National Bank, financial authorities, criminal prosecution authorities, etc.) insofar as a statutory or official obligation exists, if we pursue our legitimate interests or claims, or as otherwise may be required or permitted under applicable law.
Other recipients of data may include those for which you have given consent to the disclosure of personal data or with respect to which you have exempted us from confidentiality requirements by agreement or consent.
7. Transfer of personal data abroad
Your personal data may only be transferred to countries or international organizations outside Switzerland and the EU/EEA (so-called “Third Countries”, which includes any country outside the EU/EEA) if one of the following applies:
- The transfer is required for the fulfillment of our (pre-)contractual obligations (for example, for the execution of your orders) or is required by law (such as reporting obligations under tax law);
- In the context of commissioned data processing as stated in section 6;
- If you have given us your explicit consent;
- If the transfer is necessary for the establishment, exercise or defense of legal claims, or
- As otherwise legally permitted under data protection laws and regulations.
For data transfers within Vontobel (including affiliated entities and branches), a list of the countries globally in which Vontobel operates can be found here: vontobel.com/locations
In the context of commissioned data processing (section 6), your personal data will only be transferred to Third Countries if the relevant country (or data protection framework applicable to such country) is considered to provide an adequate level of data protection by the relevant authorities or institutions, or in the absence of such adequacy decision, if the recipient guarantees adequate protection based on appropriate safeguards provided by data protection laws and regulations (for example, Standard Contractual Clauses issued by the European Commission, and adapted to local law as required), or statutory exemptions provided by data protection laws and regulations (for example, your explicit consent).
A copy of the appropriate safeguards is available (please note that these may under certain circumstances be adapted to the specific case) and may also be requested from our Group Data Protection Officer (firstname.lastname@example.org) at: vontobel.com/privacy-policy
8. Storage period
We process and store your personal data as long as it is necessary for the performance of our contractual and statutory obligations. In this regard, it should be noted that our business relationship is usually a continuing obligation, which may last for several years. We have processes in place to review, at various points, the different categories of data that we hold to ensure that we do not hold these for an excessive period of time. If the data is no longer required for the processing purposes (section 5), or if we are otherwise legally obliged to delete the data, it is regularly deleted, unless its further processing – for a limited time – is necessary for other legal purposes or as may be legitimate and legally permitted, such as:
- Compliance with record retention periods under applicable laws and regulations (for example civil, tax, securities and other laws and regulations);
- Preservation of evidence and/or all forms of relevant information when a lawsuit, litigation or government investigation is filed, threatened or reasonably anticipated, which requires us to keep records for an undefined period of time.
9. Your rights
9.1. In general
By data protection laws and regulations, Data Subjects have under certain conditions the right of information, the right of access, the right of rectification, the right to erasure, the right to restrict processing, the right to object, and if applicable, the right to data portability. Furthermore, if applicable, you have the right to lodge a complaint with a relevant supervisory authority. You may withdraw any provided consent to the processing of personal data at any time. Please note that the withdrawal will only take effect in the future. Any processing that was carried out prior to the withdrawal shall not be affected thereby.
9.2. Right to object (in general)
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on processing in the public interest and for the purposes of safeguarding legitimate interests; this includes any profiling based on those provisions within the meaning of the specific regulation. If you submit an objection, we will no longer process your personal data unless we can give evidence of mandatory, legitimate reasons for the processing, which outweigh your interests, rights, and freedoms, or where the processing serves the enforcement, exercise, or defense of interests. Please note that in such cases we may not be able to provide services or maintain a business relationship.
9.3. Right to object to the processing of data for marketing purposes
In certain cases, we may process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning yourself for such marketing purposes, which includes profiling to the extent that it is related to direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.
10. Obligation to provide personal data
Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and execution of the business relationship and the performance of the associated contractual obligations, or which we are legally obligated to collect. Without these data, we would not be able to enter into any contract or execute an order or we may no longer be able to perform an existing contract and would have to terminate it.
In particular, anti-money laundering and anti-terrorist financing regulations require that we verify your identity before entering into the business relationship, for example, by means of your identity card, and that we record your name, date and place of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents and notify us without undue delay of any changes that may arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be allowed to enter into or continue your requested business relationship.
11. Automated individual decision-making including profiling
In general, we do not make decisions based solely on automated processing to establish and implement the business relationship. If we use these procedures in individual cases, we will inform you of this separately, if such information is required under data protection law and regulations. In such a case, you may under certain conditions have the right to object, to state your position, and/or to request that the decision be reviewed by a natural person.
In some cases, we process your personal data automatically with the aim of evaluating certain personal aspects relating to you (“profiling”); in particular, we may carry out profiling:
- In order to meet our on-going regulatory and compliance obligations (for example, anti-money laundering, anti-fraud, anti-terrorism and tax laws), for instance by looking at how and from which geographic location you use our applications or other Vontobel Services;
- By using evaluation tools in order to provide you with targeted information and advice on Vontobel Services, whereby such tools enable demand-oriented communication and advertising, including market and opinion research.
12. Data security
All Vontobel personnel who process personal data must comply with our internal policies and rules in relation to the processing of personal data to protect them and ensure their confidentiality.
We have also implemented adequate technical and organizational measures to protect personal data against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access, as well as against all other unlawful forms of processing. These security measures have been implemented, taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing and the nature of the personal data, with particular care for sensitive personal data. Please find further details here: vontobel.com/cyber-security.
13. Publications and subscriptions
Vontobel may communicate with you via e-mail or physical mailings containing and offering news, promotional offerings, event information or services (“Publication & Subscription Services”), subject to any restrictions under applicable laws and regulations. If you would rather not receive Publication & Subscription Services from us, you may “opt out” by following the “opt out” instructions in each e-mail footer or by contacting us.
14. Cookies and web analytics services
15. Other legislation aspects, including telephone recording
In order to comply with applicable laws and regulations, for example, Directive 2014/65/EU of the European Parliament (MIFID II), we may be obliged to record telephone conversations with reference to operations concluded in the performance of our services. For further information about the treatment of your personal data in this regard, please see our complete information at: vontobel.com/mifid
Please let us know if we do not meet your expectations with respect to the processing of personal data or if you wish to complain about our data protection practices; this gives us the opportunity to examine your issue and make improvements, where necessary.
You may contact us by using our online form (vontobel.com/data-privacy-request-form) or by sending your request to either one of the DPO email addresses or via regular mail to the contact points referred to in section 2.