Vontobel Volt® Privacy Policy

Privacy policy for natural persons

This privacy policy applies to current and potential clients of the Vontobel 3a Pension Fund Foundation (hereafter “Vontobel”; “we”).

Vontobel undertakes to maintain client confidentiality and to observe data protection laws and rules in order to guarantee the protection and confidentiality of your personal data. The following information provides you with an overview of how your personal data is processed by us and of your rights under data protection laws and rules. Exactly what data is processed and how it is used depends largely on the services requested or agreed in each case. Vontobel processes data relating to natural persons (“personal data”), including data relating to employees, contractors, shareholders, partners and/or other relevant persons that are connected with our business partners (“data subjects”). Please also pass this privacy policy to current and future representatives of your company and to all other data subjects in respect of whom you have already provided or will provide personal data to us in the context of our business relationship.

1. Who is responsible for data processing and whom can I contact in this regard?

The following entity (including its branch offices) is responsible for data processing:

Vontobel 3a Pension Fund Foundation
Data Protection
Gotthardstrasse 43
CH-8022 Zurich
Telephone: +41 58 283 71 11
Email: vontobel.group@vontobel.com

You can also contact our Swiss and/or global Data Protection Officer:
– Group DPO: dpo.vontobelgroup@vontobel.com
– Swiss DPO: dpo.ch@vontobel.com

2. What are the sources of the data processed by us and what kind of data is it?

We process personal data that we receive in a general way or receive from you in your capacity as a data subject. We process personal data that we have received from our current and/or potential clients in the context of our business relationship. If it is necessary for the provision of our services, we process personal data that we have lawfully received (e.g. for the performance of contracts or with your consent) from other entities of the Vontobel Group or from other third parties (such as private commercial databases). In addition, we process personal data from publicly accessible sources (e.g. lists of debtors, land registers, commercial registers and association registers, the press, the Internet) that we may lawfully receive and process. Furthermore, we process personal data of data subjects, such as name, address and other contact details (telephone number, email address), title, date of birth, gender, nationality, marital status, data on the type of partner (employed/self-employed), identification data (such as identification number, tax number), certification data (such as a specimen signature), contract-related data, order data including online banking (e.g. payment orders) and information about your financial situation (such as creditworthiness data, scoring/rating data, origin of assets), resumes, register of convictions or other information that is publicly available or accessible via third-party providers. In addition to the categories of data mentioned, we also process advertising and sales data (including advertising scores), documentation data (such as minutes of advisory meetings) and other data comparable to the categories mentioned.

3. Does Vontobel collect special categories of data?

If we process special categories of data relating to you, we do so because it is necessary for the filing, enforcement or representation of a legal claim, for reasons of material public interest or if you have expressly permitted Vontobel to process this data (insofar as legally permissible). In this sense, we may under certain circumstances process biometric data that is classed as sensitive personal data. In this respect, your express consent is required in a separate procedure.

4. For what purpose and on what legal basis do we process your data?

We process the aforementioned personal data in accordance with the provisions of the applicable data protection laws.

4.1. For the performance of contractual obligations

We process data in order to perform our contractual obligations within the context of providing financial services or to take steps prior to entering into a contract within the context of acquiring mandates. The purpose of the data processing is primarily determined by the respective product. Such purposes include, in particular, needs analyses, advice, asset management and support, and the execution of transactions. Further details on the purposes of data processing are set out in the relevant contractual documents and in the terms and conditions.

4.2. For compliance with a legal obligation or in the public interest

We are subject to various legal obligations (global and national) and to the requirements of the authorities. Other processing purposes are identity verification, fraud prevention and money laundering prevention, compliance with tax checking and reporting requirements, and the assessment and management of risks within the Bank and the Group.

4.3. For the safeguarding of legitimate interests

If necessary, we process your data beyond the actual performance of our contractual obligations in order to safeguard our legitimate interests or those of a third party, except where such interests are overridden by your interests, fundamental rights or fundamental freedoms which require the protection of personal data. In addition to the following examples, we also obtain personal data from publicly available sources for the purpose of client acquisition:

– consultation of and data exchange with information bureaus (e.g. debt register) in order to investigate creditworthiness and credit risks in the lending business and to investigate the requirement to maintain an account with a low basic balance and basic accounts

– enforcement of legal claims and representation in legal disputes

– ensuring IT security and IT operations

– prevention and investigation of criminal offenses

– video surveillance to protect the right of the owner to keep out intruders, to collect evidence in the event of robbery or fraud, or to demonstrate availability and deposits, e.g. at ATMs, office entrances

– measures for building and property security (e.g. access control)

– measures for the enforcement of the right of the property owner

– measures for the purpose of corporate management and further development of services and products

– Group risk management.

The data processing purposes described in sections 4.1 to 4.3 are each based on a legal obligation/power. Therefore, we do not require any prior consent from you in these cases.

4.4. On the basis of your consent

Finally, the lawfulness of the processing may be based on your consent to the processing of personal data for specific purposes (such as transfer of data within the Group, analysis of commercial activities for marketing purposes, etc.). This consent may be withdrawn at any time.

Please note that withdrawal of consent is only effective for the future. Any processing carried out before consent was withdrawn is not affected.

5. Who receives your data?

Within Vontobel, those entities that require your data to comply with their contractual, legal and regulatory obligations are granted access to your data.

Service providers and vicarious agents commissioned by us may also be granted access to data for the purposes stated if they maintain client confidentiality and adhere to our written instructions in accordance with data protection laws and rules. These are companies in the banking services, IT services, logistics, printing services, telecommunications, collection, consulting, and sales and marketing sectors. With regard to the forwarding of data to recipients outside of Vontobel, it should first of all be noted that we as a bank are obliged to maintain confidentiality about client-related facts and assessments of which we are aware. We may disclose information about you only if we are required to do so by law, if you have given your consent, if we are authorized to disclose banking information and/or if processors appointed by us ensure compliance with the legal obligations.

In accordance with these requirements, recipients of personal data may be, for example:

– authorities and institutions (such as the Swiss National Bank, the Swiss Financial Market Supervisory Authority, tax authorities, criminal prosecution authorities), provided a legal or official obligation exists

– other companies within Vontobel for the purpose of risk control on the basis of a legal or regulatory obligation

– other credit institutions and financial service providers, comparable institutions and data processors to whom we forward your personal data in order to implement a business relationship with you (in particular: processing of bank references, support/maintenance of EDP/IT applications, archiving, document processing, call center services, compliance services, controlling, data screening to combat money laundering, data destruction, purchasing/procurement, space management, property valuation, credit processing, collateral management, collection, client management, marketing, media technology, reporting, research, risk control, expense accounting, telephony, video identification, website management, investment services, share register, fund management, auditing, payment processing).

Other data recipients may be all entities to which you have authorized the forwarding of data or in respect of which you have released us from legal obligations by agreement or consent.

6. Is data transferred to a third country or an international organization?

Data is forwarded to countries outside Switzerland, the EU or the EEA (i.e. third countries) only if this is necessary to execute your orders (such as payment and securities orders), if it is required by law (e.g. through reporting obligations under tax laws), if you have given us your consent or in connection with the processing of data by data processors. If service providers in a third country are used, they are obliged to comply with the level of data protection in Switzerland and Europe and, to this end, to observe the standard contractual clauses of the EU in addition to written instructions. We take seriously our obligation to ensure that data is transferred to institutions outside the EU or the EEA only if they can demonstrate the equivalence of their security standards and other relevant data processing requirements.

7. How long is my data stored?

We process and store your personal data for as long as is necessary to comply with our contractual and legal obligations. In this context, it is to be noted that our business relationship is an ongoing commitment over several years. We check at various points the various categories of data that we store to ensure that we do not store it for an inappropriate length of time. Data that is no longer required to comply with our contractual and legal obligations is regularly erased, unless further processing is required – for a limited period of time – e.g. for the following purposes:

– Compliance with data retention periods in accordance with commercial law and tax law: these include the Swiss Code of Obligations in conjunction with the Accounting Records Ordinance, the Federal Act on Direct Federal Taxation, the Federal Act on Value Added Tax, the Federal Act on the Harmonization of Direct Taxes of the Cantons and Municipalities, the Federal Act on Stamp Duties, the Federal Act on International Withholding Tax, the Money Laundering Act and the Banking Act. The retention and documentation periods specified therein may vary.

– Preservation of evidence and/or all forms of relevant information, if a legal dispute can reasonably be expected to force us to retain documents indefinitely.

8. Data protection rights

8.1. In general

Every data subject has a right of access, a right to rectification, a right to erasure, a right to restriction of processing, a right to object and, where appropriate, a right to data portability. In addition, a right to lodge a complaint with the supervisory authority may be granted. Which right may be asserted depends on the legal basis chosen for the storage of the respective data.

Please note once again at this point that you can withdraw your consent to the processing of personal data at any time. Please note that withdrawal of consent is only effective for the future. Any processing carried out before consent was withdrawn is not affected.

8.2. Ad hoc right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out for reasons of public interest or to safeguard legitimate interests; this also applies to any profiling carried out on the basis of these provisions. If you object, we will no longer process your personal data, unless there are compelling reasons for processing that are worthy of protection that outweigh your interests, rights and freedoms, or the processing serves to establish, exercise or defend interests. Please note that in such cases we will then no longer be able to provide you with services and to maintain the business relationship.

8.3. Right to object to the processing of data for promotional purposes

In certain cases we process your personal data for the purpose of direct marketing. You have the right to object at any time to the processing of personal data concerning you for such promotional purposes; this also applies to profiling insofar as it is linked to such direct marketing. If you object to processing for the purpose of direct marketing, we will no longer process your personal data for such purposes. There are no formal requirements for filing an objection.

9. Am I obliged to provide data?

Within the framework of our business relationship you must provide personal data that is necessary for the initiation and implementation of a business relationship and for the performance of the associated contractual obligations or which we are legally obliged to collect. In general, without this data we would not be able to conclude a contract or execute the order, or we might not be able to perform an existing contract and would have to terminate it.

In particular, the provisions of the Money Laundering Act stipulate that we verify your identity before entering into a business relationship, for example by means of your identity card, and that we document your name, place of birth, date of birth, nationality and residential address. To enable us to comply with this legal obligation, you are obliged to provide us with the necessary information and documents and to notify us immediately of any changes occurring in the course of the business relationship. If you do not provide us with the necessary information and documents, we are not permitted to enter into or continue the business relationship you wish to have.

10. To what extent are decisions made in an automated manner (including profiling)?

As a rule, we do not make decisions on the establishment and implementation of the business relationship on the basis solely of automated processing. If we use these procedures in individual cases, we will inform you separately if this is required by law. You then have the right to object to these procedures under certain circumstances.

11. Is profiling used at Vontobel?

In some cases we process your data in an automated manner in order to evaluate certain personal aspects (profiling). Examples:

– We are legally obliged to take measures against money laundering, fraud, terrorist financing and criminal offenses that pose a threat to assets. In this context, data is also evaluated (among other things in payment transactions). These measures also serve to protect you.

– In order to be able to inform and advise you in a focused manner about products, we use evaluation tools. These enable demand-based communication and advertising, including market and opinion research.

12. How do we protect personal data?

All employees who access personal data must comply with the internal rules, policies and processes governing the processing of personal data in order to protect it and ensure its confidentiality. They are also obliged to comply with all technical and organizational security measures taken to protect personal data.

Furthermore, we have taken appropriate technical and organizational measures to protect personal data against unauthorized, accidental or unlawful destruction, alteration or disclosure, against unauthorized, accidental or unlawful loss, misuse or access and against all other unlawful forms of processing. The implementation of these security measures took into account the achieved state of technological knowledge, the implementation costs, and the risks associated with the processing and the nature of the personal data; particular attention was paid to sensitive data.

13. Contact

Please also let us know if we do not meet your expectations regarding the processing of personal data or if you wish to complain about our data protection practices. This gives us the opportunity to investigate your concerns and make improvements if necessary. In such cases, please always send a clear written request together with a legible copy of a valid official identification document (e.g. passport, identity card) to one of the offices listed in section 1 or to the DPO. We will immediately acknowledge receipt of your request, investigate it and respond promptly. If a comprehensive response takes more than a month, taking into account the complexity and number of requests, we will inform you.

14. Other legal aspects

In order to comply with other legal regulations, e.g. Directive 2014/65/EU of the European Parliament (MiFID II), we are obliged in some of our legal entities to record telephone calls regarding the provision of services relating to the receipt, transmission and execution of client orders. For further details about the handling of your personal data in this regard, please refer to the full information given at: www.vontobel.com/mifid.

15. Changes to the privacy policy

This privacy policy was last updated on September 1, 2020 and is subject to change. Any future change or addition to the above description of the processing of personal data that affects you will be communicated to you through an appropriate information channel (e.g. our website).