Privacy

Data Protection Notice

Thank you for your interest in the products and services of Banca Popolare di Sondrio (SUISSE) – hereinafter referred to as BPS (SUISSE) or the “Bank”.

Please read this notice carefully before using the products and services of the Bank or supplying your personal data. Any supplementary terms and conditions that apply to the products and services of BPS (SUISSE) will be provided when you purchase these services.

By proceeding with the use of the Bank’s services or products or browsing on its website, you confirm your express consent to the Bank’s privacy policy, set out in this document. If you do not agree with its content, we would ask that you stop browsing the pages of the relevant website or using the product or service concerned.

The Bank reserves the right to amend its privacy policy at any time without notice. 

1.    Object and purpose of this data protection notice
The Bank places great importance on the protection of privacy and the processing of the personal data of users of BPS (SUISSE) services. BPS (SUISSE) is aware that personal data is entrusted to it and takes its obligation to protect and safeguard this data very seriously. Consequently, this document sets out the types of data collected when you use the Bank’s products and services, visit its websites, use its mobile applications (“apps”) or sign up for any services (generally referred to as “BPS (SUISSE) services”). It outlines the purpose for which it is collected, the manner in which it is processed, the entities to which it could be transmitted and the security measures adopted to protect it.

At the same time, we inform you of your rights under data protection legislation. Please be aware that the personal data actually processed and used in each case varies, largely depending on the products and services of our Bank that you sign up to and use.

The policy set out here applies to any data acquired by BPS (SUISSE) by means of your use of BPS (SUISSE) services. It does not apply to any product or service that is controlled by third parties not associated with the Bank and that you might access by following links from the BPS (SUISSE) websites.

2.    Recipients of this data protection notice
The following information on data protection relates to the personal data of:

• Natural persons who are interested in the products and services of the Bank or who are already its clients;
• All other natural persons who are in contact with or have a role in the context of a relationship with the Bank (e.g. authorised agents, custodians, representatives or employees of legal entities, visitors to our website and persons who complete a registration on our website);
• Beneficial owners of our clients or of the assets deposited with our Bank that we are obliged to examine under anti-money laundering regulations).

3.    Data controller and contact details
The controller under the provisions relating to data protection is:
Banca Popolare di Sondrio (Suisse) SA
Via G. Luvini 2a
CH-6900 Lugano
www.bps-suisse.ch

If you have any questions about data protection at BPS (SUISSE), you can contact:
Banca Popolare di Sondrio (Suisse) SA
Data Protection
Via Maggio 1
CH-6900 Lugano
dataprotection@bps-suisse.ch
 
4.    Sources of data
In the context of the business relationship with clients, the use of BPS (SUISSE) services, registration on a website or discussions with Bank employees, the Bank will receive your personal data. 
In order to provide services, BPS (SUISSE) may also potentially obtain personal data from freely accessible public sources (e.g. land, commercial and association registers, the press, the Internet) or be given it by third parties (e.g. credit reporting agencies). 

5.    Types of data processed
The type of personal data processed depends mainly on the purpose of processing. BPS (SUISSE) will only ever collect and process the data that it needs for the purposes that it pursues. 
Such data may include: 

• Basic personal details (e.g. surname, first name, nationality, date of birth, address, telephone number, e-mail address, qualifications, interests, marital status, any signature rights, data from identity document);
• Identification and authentication data (e.g. data obtained from video identification, voice recognition, client or account number, login data, specimen signatures);
• Data relating to the execution of transactions or compliance with contractual obligations (e.g. bank transfers, other payments, payment recipients and motives, withdrawals, compliance information);
• Data on your financial situation (e.g. credit standing, rating/score and creditworthiness with regard to lending, assets and their origin, financial objectives, budgets, portfolios and watchlists, obligations, income, sales figures and investments, knowledge and experience of investment matters, risk and investment profile, investment objectives); 
• Data relating to real estate (e.g. address, purchase price, valuation information – value, property type, dimensions, amenities, year of construction, condition – and other information useful for scrutinising and managing a financing and/or real estate transaction); 
• Audio and video recordings (e.g. telephone conversations or video footage on the Bank’s business premises);
• Pension information (e.g. details of vested-benefit and retirement accounts, retirement age, information on life and old-age insurance); 
• Tax information (all documents and information supplied, including documents that may contain details of religious denomination); 
• Contract and product information (e.g. details on the products and services that you use, details of card limits and card usage, information on additional card and account holders, representatives and authorised agents, credit data, information on your account or custody account or on contracts entered into as well as information relating to additional services that we provide); 
• Information on documentation or information arising from contact with third parties (e.g. consultation or meeting minutes, file notes, references);
• Interaction and behavioural data as well as information relating to your needs, preferences and interests (e.g. information on your use of BPS products and services, BPS websites and BPS (SUISSE) apps, as well as information on your use of its cooperation partners’ offerings; information on your preferred contact and communication channels; based on an analysis of this interaction and behavioural data: information on your preferences for and interests in certain products and services); 
• Data in the public domain that can be obtained on you (e.g. land and commercial register data, information from the media and the press); 
• Data relating to (potential) proceedings or investigations instigated by agencies, authorities, courts, organisations or other bodies; 
• Data required in order to comply with statutory obligations, such as combating money laundering or in connection with export restrictions; 
• Insofar as necessary and only to the extent permitted by law: data subject to special protection, such as biometric data, information on your state of health, information on your political opinions or affiliations, religious or philosophical beliefs, information on criminal proceedings or convictions, or information on welfare measures; 
• Technical data that can be linked to you (data collected when you access the Bank’s websites, apps and social media channels, i.e. data that is transmitted by your browser or device (smartphone) and that is automatically recorded by the BPS (SUISSE) server, e.g. IP address, MAC addresses of electronic devices, data on these devices (e.g. make, model, screen, memory) and their settings (e.g. language, keyboard), cookies, features used, date, time and duration of access, name of file opened and content viewed, web browser, domain requested, orders placed or attempted, referring websites and information on location, client ID and version of app installed).

6.    Purpose of data processing
Personal data will be used:

• to communicate with clients: BPS (SUISSE) uses the data provided to communicate with the client, to give them information or to comply with their requests;
• to comply with contractual obligations: the purposes of data processing are primarily related to the specific product (e.g. bank account, lending services, purchases of real estate and securities, custody accounts, client references) and may include requirements in terms of verification, execution, valuation, advice, asset management and support, as well as the execution of transactions;
• to comply with statutory requirements or serve the public interest: BPS (SUISSE) is subject to various statutory and regulatory requirements (including the Banking Act, the Collective Investment Schemes Act, the Swiss Federal Act on Combating Money Laundering and the Financing of Terrorism, the Mortgage Bond Act, the Financial Services Act, FINMA ordinances and circulars, tax laws) and is supervised by financial authorities (including the Swiss National Bank and FINMA). The purposes of this processing include checks on identity, the prevention of fraud and money laundering, compliance with monitoring and information obligations under tax law, and the assessment and management of risks within the Bank. Data relating to third parties (e.g. beneficial owners or your partner) may also need to be processed in order to comply with the law;
• to broker third-party products and services: BPS (SUISSE) may process your personal data in order to obtain quotations from its cooperation partners (e.g. credit cards, insurance companies), if you are interested;
• for market research and marketing purposes: BPS (SUISSE) is committed to further developing and improving its products. To this end, it processes your personal data by performing analyses of your usage patterns (including in the context of your use of websites and apps) and the Bank may organise blanket or tailored marketing campaigns on this same basis;
•  to protect its own rights: BPS (SUISSE) may process your personal data in order to assert its rights in and out of court before Swiss and foreign authorities or to defend itself against claims asserted against it;
• for client and user management;
• to inform clients about products and services;
• to safeguard the IT security and IT operations of BPS (SUISSE);
• to help prevent and investigate crime;
• for video surveillance purposes, to protect the right of the owner of the premises, to prevent access to unauthorised persons, to collect evidence on robbery or fraud, or to prove the availability and deposit of cash, e.g. at ATMs;
• for building and system security (e.g. access controls);
• for risk management at the Bank;
• for other purposes stated in connection with the use of certain products and services or with express consent granted to the Bank. Please note that consent granted to the Bank can be withdrawn at any time, but does not have retroactive effect. Therefore, withdrawal of consent does not relate to data processing operations carried out prior to notification of withdrawal.

7.    Recipients of personal data 
Within the Bank, any unit that needs your data to comply with contractual and legal obligations or to safeguard its legitimate interests will have access to your data. In the context of compliance with contractual and legal obligations, your personal data will not be processed solely by us, but also by relevant third parties (e.g. service providers, implementing partners). In particular, the management of risks also requires clarifications with third parties and related transfers of data (e.g. to authorities, auditors and other banks). Data may also be communicated on the basis of legal requirements (e.g. when fulfilling relevant clarification, disclosure and information obligations). In processing your personal data, the data recipients are bound by legal and/or contractual provisions. For the purposes described above, we are authorised to send your personal data to the following categories of recipients in Switzerland and abroad:

• third parties involved in the execution of client orders or transactions and the provision of services (e.g. brokers, counterparties, market operators, payment beneficiaries, issuers, stock exchanges, clearing houses, central depositories, operators and other service providers);
• contractual partners, clients and persons involved: if you work for one of our contractual partners (e,g. for a client or supplier), we may send them data relating to you. We may also send personal data to persons who act on your behalf (authorised agents) or who are involved in the execution of a contract in any other way; 
• service providers (e.g. IT providers, providers of marketing, newsletter, distribution, communication, market research, press, debt collection or property services, rating agencies);
• initiators and backers of local projects (e.g. in the context of crowdfunding);
• supervisory bodies, prosecuting authorities and other agencies and authorities, including the cantonal or federal statistical offices and the Information Centre for Consumer Credit (ICC);
• parties in possible or actual legal proceedings or disputes;
• potential or actual purchasers of companies or of shares in companies and/or of assets of companies in the Banca Popolare di Sondrio Group;
• in the context of our regulatory obligations, your personal data will be forwarded to the Central Office for Credit Information (ZEK), which may send the data to its members. For more information, visit www.zek.ch; 
• our Audit Office and other third parties of which we may inform you separately (e.g. in the context of declarations of consent or data protection notices).

Before transmitting your personal data, we perform a thorough examination of the respective recipient of the data and arrange to contractually commit them to ensuring adequate protection of the data and maintaining confidentiality vis-à-vis your data. 

Please note that, when you download our apps from an app store and use them, the manufacturers of the devices concerned and/or of the operating system (e.g. Microsoft, Apple, Google) receive personal data or can analyse your usage patterns. This may enable the detection of a current, past or future client relationship between you and us, an eventuality over which we have no control and are unable to prevent.

Data on the use of the websites may be transferred to third parties where permitted by law, if BPS (SUISSE) is obliged to do so, or if it needs to transfer the data in order to exercise its rights, particularly in the event of any dispute regarding a contractual relationship. The Bank may also disclose data to service providers with the stipulation that it is used solely for the purposes for which it is provided. Any person or entity that receives data is required to comply with the applicable national and international data protection laws and with the BPS (SUISSE) data protection regulations.

The recipients of personal data may be located in Switzerland or abroad. Therefore, your personal data may be processed all over the world. Data may be transmitted abroad because this is necessary for the execution of orders (e.g. payment and/or securities orders), because this is prescribed by law (e.g. in the context of notification obligations under tax law, automatic exchange of information, etc.) or because you have given the Bank your consent to do this.

If a recipient is located in a country that does not guarantee an adequate level of data protection, the Bank shall make every effort to commit the recipient to ensuring adequate protection of the data by drafting recognised standard contractual clauses, or shall proceed only if the exceptions prescribed by law apply (e.g. your consent, the conclusion or management of a contract, the safeguarding of overriding public interests, the assertion of legal claims, or if you have made the data accessible to the general public and are not opposed to the processing thereof). 

8.    Security measures
BPS (SUISSE) has taken appropriate technical and organisational security measures to protect your personal data against unauthorised access, misuse, loss or destruction, taking into account the applicable legal and regulatory requirements.

9.    Data retention
BPS (SUISSE) processes and stores your personal data for as long as necessary to comply with its contractual and legal obligations or for the purpose of the processing concerned. In this context, we take into account the purpose of processing and, in particular, the need to safeguard our personal interests (e.g. to assert and defend against claims and to ensure information security). In this regard, it must be borne in mind that the business relationship with the Bank constitutes a long-term obligation of a number of years’ duration.
Data that is no longer required in order to comply with contractual and legal obligations will be erased unless it needs to be processed further – for a limited time – for the following purposes:

• To comply with record-keeping obligations under commercial and tax law, including in particular the Swiss Code of Obligations, the Swiss Federal Act on Value Added Tax, the Swiss Federal Act on Direct Taxation, the Swiss Federal Act on the Harmonisation of Direct Taxation at Cantonal and Communal Levels, the Swiss Federal Stamp Duties Act and the Swiss Federal Withholding Tax Act; 
• Specific legal retention restrictions that require banks to retain documents for an indefinite period of time.

10.    Transfer of data via the Internet
In general, the Internet (including social media, see notice) is not considered a secure environment, and data transferred via this channel may be viewed by unauthorised third parties, which risks disclosures, changes to content and technical issues. Even if the sender and recipient are resident in the same country, any data transferred via the Internet could be transmitted outside national borders to countries with a lower level of data protection than that required in the country of residence.
Please be aware that BPS (SUISSE) accepts no responsibility for the security of your data whilst it is being transferred to the Bank via the Internet.

11.    Cookies and other tracking and analytics technologies
For the purposes outlined above, on its websites and apps, BPS (SUISSE) uses so-called cookies, small text files that are stored in your browser, and/or other tracking and analytics technologies. These files are created automatically when you use the Bank’s websites and stored on your device if you do not prevent this by disabling them. Cookies serve various purposes, including to make your browsing session secure, to store temporary settings, to save your language settings during multiple browser sessions and to show you content on the website that matches your interests (you can find more details on this in the "Cookie settings" section). You can disable the use of cookies at any time in your browser settings and delete existing cookies or manage your settings by clicking here. Disabling cookies may mean that certain features can no longer be used or can only be used to a certain extent.

In its apps, the Bank may use other tracking and analytics technologies from third-party providers, e.g. software development kits (SDK), to record and analyse your usage patterns. This enables us to continuously optimise our apps and identify errors. In the settings of the relevant app, you can disable the recording of your usage data and its transmission to the supplier concerned at any time.

12.    Web analytics
To analyse and optimise its offerings, BPS (SUISSE) collects anonymised information on the use of its websites and their features. 

In the publicly accessible sections of its websites, in order to gain a better understanding of the use of its websites and thus make continuous improvements to their content and features, the Bank currently uses tools from Google Ireland Limited (hereinafter "Google"): 

• Google Tag Manager: a Google tool that does not use cookies and does not record any data. Instead, it allows the tracking codes of third parties on the site to be managed and monitored, in particular also to consider the cookie settings; 
• Google Analytics: a website analysis service provided by Google;
• Google Search Console: an analysis service provided by Google to measure the traffic and performance of the site in search results. The data comes directly from Google.

For more information, please refer to Google's privacy policy. The legal basis for using the aforementioned tools is BPS (SUISSE)’s legitimate interest. Since the Bank’s websites are an important tool for communicating with existing clients and acquiring new ones, having functioning, attractive and tailored websites at all times is essential.

13. Online marketing activities
a. Social media and other information platforms
BPS (SUISSE) is present on various platforms such as LinkedIn, Facebook, Instagram and YouTube (see information) and publishes news about the Bank and the financial sector. Please refer to the different terms of service of the individual social networks for more details.
The Bank uses these social channels as well as other information platforms to promote its products and services. By participating in the Bank's social media profiles and interacting with BPS (SUISSE) campaigns on other online platforms, you consent to your contribution being used for statistical and marketing purposes (as described in point 6).

b. Google Ads
Google Ads is an advertising service provided by Google. BPS (SUISSE) uses it to promote its products and services, offers or promotions in Google search results, as well as on third-party websites. In providing these services, Google may collect and evaluate information from visitors to web pages under its own responsibility. The Bank has no influence on the scope and further processing and use of the data by Google. For further information, please refer to the privacy policies of Google.

14.    Profiling and automated individual decisions
In principle, for the purposes of establishing or fostering the business relationship, the Bank does not apply any fully automated decision-making process with legal effect.
To a certain extent, the Bank processes personal data by automated means in order to analyse specific personal aspects (profiling). This processing is used in the manner described below, for instance:

• Data processing in the context of legal and regulatory provisions to combat money laundering, the financing of terrorism or crimes that put assets at risk. Data analyses are also carried out in connection with this (in payment transactions, for instance). These measures also serve to protect our clients.
• For information and guidance regarding our products, we use analytics tools that enable communication geared towards requirements, promotion, market research and surveys.
• In the context of credit checks and loan management, we assess solvency and measure economic viability.

15.    Rights of the data subject
Every data subject has the right of access under Article 8 of the Swiss Federal Act on Data Protection (FADP), the right to rectification under Article 5 FADP, the right to erasure under Article 5 FADP, the right to restriction of processing under Articles 12, 13 and 15 FADP, the right to object, and, where applicable, the right to data portability. If, by way of an exception, the processing of your personal data is based on consent that you have given separately, you have the right to revoke this at any time with effect for the future. Where applicable, you will be entitled to lodge a complaint with a supervisory authority with responsibility for data protection.

Having given us your consent to process your personal data, you may withdraw it at any time. Once you withdraw your consent, your personal data will no longer be processed for the purpose concerned, unless overriding public or private interests or the law allow for further processing. The same applies if you refuse consent to data processing. Please bear in mind that, in this case, the Bank may be unable to provide its services. It may take up to five working days for withdrawal or objection to come into effect. Data for advertising campaigns or information of a generic nature is usually processed several weeks in advance. It is therefore possible that you will still receive advertising for a certain period of time after exercising your right of withdrawal and/or objection. You may exercise your rights by sending a signed letter to the address stated in section 3, together with a copy of your identity card or passport. 

Please note that these rights are subject to legal requirements and restrictions (e.g. we cannot delete data if we are obliged to comply with related retention obligations). We will ensure that you are informed of any restrictions. You are also entitled to these rights in relation to other parties tasked with data processing who collaborate with us under their own responsibility. To exercise your rights regarding processing, we suggest that you contact the relevant parties directly.

16.    Links to other websites
BPS (SUISSE) websites may host third-party content or links to third-party websites that it does not operate or monitor directly. Please note that these third-party sites are not covered by the privacy policy set out in this notice, and that the Bank is not responsible for their content or personal data processing principles. You are advised to consult and check the individual privacy policies or terms of use of third-party electronic services.

17.    Amendments
The Bank may amend and supplement this information at any time. The latest version is always available electronically on the website: www.bps-suisse.ch/en/privacy.php.

18.   Collection and processing of personal data in the BPS (SUISSE) application process
BPS (SUISSE) collects and processes applicants’ personal data in a number of ways. This takes place in particular when applicants complete a contact form on the BPS (SUISSE) website or when applicants send their CVs to BPS (SUISSE) speculatively by e-mail/post or in response to an advertisement published by BPS (SUISSE) on its website or a third-party site dedicated to job vacancies.

Usually, the data is provided directly by the applicant during the selection process, although in some cases it may be obtained from third parties or freely accessible public sources, following the applicant's agreement, in order to check the content of the application.

Only Human Resources has access to applicants’ personal data at the Bank. It is processed by BPS (SUISSE) to manage the application and staff selection process and to perform activities such as checking the suitability of the applicants’ experience and qualifications.

BPS (SUISSE) stores applicants’ personal data for the time required to achieve the processing purpose, unless the applicant withdraws their consent. Unless consent is withdrawn or the deadline set by the Bank expires, the data collected under the application procedure remains in the Bank's system in order to cover vacancies at a later date. In addition, it could serve to answer any question in respect of the application and possibly enable the Bank to fulfil its burden of proof under the terms of the Equality Act.

BPS (SUISSE) may use third-party IT services and/or specialist HR service providers (e.g. recruitment companies or specialist platforms). In principle, the data is processed in Switzerland. In the context of the administration, development and operation of the computer systems, it may be the case that this data is transferred outside Switzerland, to Europe or Third Countries. If this were to happen, BPS (SUISSE) would adopt safeguard measures to guarantee an adequate level of protection of the data.

Applicants have the right to access, rectify, erase, restrict the processing of, object to the processing of and request the transfer of their personal data. To exercise these rights, applicants may contact Human Resources, which will coordinate requests with the relevant departments.