PRIVACY NOTICE FOR CLIENTS – SWITZERLAND
DATA PROTECTION UNDER THE SWISS DATA PROTECTION LAW
To run our business, Carlyon Services GmbH, processes information about natural and legal persons (“Personal Data”), including information about our prospective, current and former clients (“you”).
Carlyon Services GmbH takes your privacy seriously. This Privacy Notice (“Notice”) contains information on what Personal Data Carlyon Services GmbH collect(s), what we do with that information, and what rights you have.
As part of our commitment to protect your Personal Data we want to inform you in a transparent manner:
- why and how Carlyon Services GmbH collects, uses and stores your Personal Data;
- the lawful basis for the use of your Personal Data; and
- what your rights are in relation to such processing and how you can exercise them.
1 What does this Notice cover?
This Notice applies to any and all forms of use (“processing”) of Personal Data by us if you are a former, current or prospective client of Carlyon Services GmbH.
2 What types of Personal Data do we collect?
For prospective clients with whom we have not yet made contact, we may collect (to the extent permitted by applicable law):
- Personal identification details (such as name, address, gender, nationality), contact information (such as telephone, e-mail address)
- information related to the professional profile (such as directorship / positions and professional networks) and information related to company ownership and financial background.
- For former and current clients or prospective clients with whom we are taking steps to enter into a business relationship, we collect (to the extent permitted by applicable law):
- personal details such as your name, identification number, date of birth, compliance related documents (including a copy of your national identity card or passport), phone number, address and domicile, electronic address, and family details such as the name of your spouse or partner;
- financial information, including payment and transaction records and information relating to your assets (including fixed properties), financial statements, liabilities, taxes, revenues, earnings and investments (including your investment objectives);
- tax domicile and other tax-related documents and information;
- where relevant, professional information about you, such as your job title and work experience;
- your knowledge of and experience in investment matters;
- details of our interactions with you and the products and services you use, including electronic interactions across various channels such as e-mails and mobile applications;
- any records of phone calls between you and Carlyon Services GmbH, specifically phone log information such as your phone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information, and types of calls;
- where relevant, details of your nomination of a mandate;
- identifiers we assign to you, such as your client, business relation, contract, partner or account number, including identifiers for accounting purposes;
3 For which purposes do we process your Personal Data and what legal basis do we rely on?
3.1 Purposes of processing
We always process your Personal Data for a specific purpose and only process the Personal Data which is relevant to achieve that purpose. In particular, we process Personal Data, within applicable legal limitations, for the following purposes:
a) Client Onboarding. For example:
- to verify your identity and assess your application (including the need for guarantees or other securitisation tools if you apply for credit). For legal and regulatory compliance checks (for example, to comply with anti-money laundering regulations, and prevent fraud), please see Section e) below.
b) Client Relationship Management. For example, to:
- manage our relationship with you, including communicating with you in relation to the products and services you obtain from us and from our business partners, handling customer service-related queries and complaints, facilitating debt recovery activities, making decisions regarding credit or your identity
- help us to learn more about you as a client, the products and services you receive, and other products and services, including those offered by us, Carlyon Services GmbH, and our business partners, you may be interested in receiving, including profiling based on the processing of your Personal Data, for instance by looking at the types of applications, platforms, products and services that you use from us, how you like to be contacted;
- collect and analyse your individualised and personal or anonymous and group-based activity and potential interests in the use of our products and services
c) Product implementation and execution. For example, to:
- provide products and services to you and ensuring their proper execution, for instance by ensuring that we can identify you and make payments to and from your accounts in accordance with your instructions and the product terms;
- perform underwriting.
d) Engaging in prospecting and business development and / or protecting and enhancing our brand. For example, to:
- evaluate whether and how Carlyon Services GmbH may offer products, services and events, including those offered by us, and our other business partners, that may be of interest to you;
- contact you for direct marketing purposes about products and services we think will be of interest to you, including those offered by us, Carlyon Services GmbH and our other business partners.
e) Compliance and Risk Management and / or Crime Prevention, Detection and Investigation. For example, to:
- carry out legal and regulatory compliance checks in particular as part of the onboarding process and periodic compliance checks, including to comply with anti-money laundering regulations and fraud prevention;
- meet our on-going regulatory and compliance obligations (e.g., laws of the financial sector, antimoney laundering and tax laws), including in relation to recording and monitoring communications, disclosures to tax authorities, financial service regulators and other regulatory, judicial and governmental bodies or in proceedings and investigating or preventing crime;
- reply to any actual or potential proceedings, requests or the inquiries of a public or judicial authority;
- prevent and detect crime, including fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks.
f) Other purposes. For example:
- for Carlyon’s Services GmbH prudent operational management (including credit, compliance and risk management, technological support services, reporting, insurance, audit, systems and products training and administrative purposes);
- to undertake transactional and statistical analysis, and related research; or
- to exercise our duties and/or rights vis-à-vis you or third parties.
3.2 Basis for processing of Personal Data
Carlyon Services GmbH processes your Personal Data within the applicable legal framework. Where required and depending on the purpose of the processing activity (see Section 3.1), the processing of your Personal Data will be one of the following grounds:
a) we have obtained your implied or explicit consent (see Section 3.2.1);
b) the processing is necessary to safeguard the legitimate interests of Carlyon Services GmbH or of third parties (including but not limited to the data protection and privacy interest of our clients or other involved individuals) or to safeguard overriding public interests, without unduly affecting your interests or fundamental rights and freedoms (see Section 3.2.2);
c) the processing is required to comply with legal or regulatory obligations. For example, in the context of the state supervision in Switzerland and abroad that the business operations of Carlyon Services GmbH are subject to, Carlyon Services GmbH may be obliged to carry out investigations and gather, report and/or disclose information relevant to the business activities, including your Personal Data.
Where the Personal Data we collect from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if we cannot collect this Personal Data there is a possibility, we may be unable to onboard you as a client or provide products or services to you (in which case we will inform you accordingly).
3.2.1 Data processing based on consent
3.2.2 Data processing based on legitimate interest
A legitimate interest of Carlyon Services GmbH is in particular considered in the following instances, provided such interests are not overridden by your data protection and privacy interests.
The processing is necessary:
- to pursue certain of the purposes in Sections 3.1 above such as manage our relationship with you and to help us to learn more about you as a client, the products and services you receive, and other products and services you may be interested in receiving (see Section 3.1 b) above);
- to prevent fraud or criminal activity, misuses of our products or services as well as the security of our information, IT systems, architecture and networks (see Section 3.1 e) and g) above);
- to take steps to improve our products and services and our use of technology and to conduct market research (see Section 3.1 f) above);
- to exercise our rights under Articles 26 and 27 of the Federal Constitution of the Swiss Confederation, including our freedom to conduct a business and right to property;
- when we make the disclosures referred to in Section 5 below, providing products and services and assuring a consistently high service standard across Carlyon Services GmbH and keeping our customers, employees and other stakeholders satisfied; and
- to reply to any actual or potential proceedings, requests or the inquiries of a public or judicial authority (see Section 3.1 e) above).
4 How do we protect Personal Data?
All Carlyon Services GmbH employees accessing Personal Data must comply with our internal rules and processes in relation to the processing of your Personal Data to protect them and ensure their confidentiality.
Carlyon Services GmbH has also implemented adequate technical and organisational measures to protect your Personal Data against unauthorised, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other unlawful forms of processing.
5 Who has access to Personal Data and with whom are they shared?
5.1 Within Carlyon Services GmbH
We usually share Personal Data with our employees for the purposes indicated in Section 3.1, to ensure a consistently high service standard across our group, and to provide services and products to you.
5.2 Outside Carlyon Services GmbH
5.2.1 Third Parties
We transfer Personal Data to other credit and financial services institutions and comparable institutions to perform the business relationship with you. In particular, when providing products and services to you, we will share Personal Data with persons acting on your behalf or otherwise involved (depending on the type of product or service you receive from us), including, where relevant the following types of companies:
- a party acquiring interest in, or assuming risk in or in connection with, the transaction (such as an insurer);
- issuers of securities (including third parties appointed by them) in which you have an interest, where such securities are held by third party banks for you;
- payment recipients, beneficiaries, account nominees, intermediaries, correspondent and agent banks (including custodian banks);
- clearing houses, and clearing or settlement systems and specialised payment companies or institutions such as SWIFT;
- market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges;
- other financial institutions, credit reference agencies or credit bureaus (for the purposes of obtaining or providing credit references);
- any third-party fund manager who provides asset management services to you; and
- any introducing broker to whom we provide introductions or referrals.
5.2.2 Service Providers
In some instances, we also share Personal Data with our suppliers, who are contractually bound to confidentiality, such as IT hardware, software and outsourcing providers, logistics, mail, courier, printing services and storage providers, marketing and communication providers, facility management companies, market data service providers, transportation and travel management providers and others. When we do so we take steps to ensure they meet our data security standards, so that your Personal Data remains secure.
Where Carlyon Services GmbH transfers your data to service providers processing data on our behalf, we take steps to ensure they meet our data security standards, so that your Personal Data remains secure. Service providers are thereby mandated to comply with a list of technical and organisational security measures, irrespective of their location, including measures relating to: (i) information security management; (ii) information security risk assessment and (iii) information security measures (e.g., physical controls; logical access controls; malware and hacking protection; data encryption measures; backup and recovery management measures).
5.2.3 Public or regulatory authorities
If required from time to time, we disclose Personal Data to public authorities, regulators or governmental bodies, where we are required to disclose information by applicable law or regulation, under a code of practice or conduct, at their request, or to safeguard our legitimate interests.
- A potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part of Carlyon Services GmbH business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it;
- Any legitimate recipient required by applicable laws or regulations.
5.3 Data transfers to other countries
The Personal Data transferred within or outside Carlyon Services GmbH as set out in Sections 5.1 and 5.2, is in some cases also processed in other countries. We only transfer your Personal Data abroad to countries which are considered to provide an adequate level of data protection, or in the absence of such legislation that guarantees adequate protection, based on appropriate safeguards (e.g., standard contractual clauses adopted by the European Commission or another statutory exemption) provided by local applicable law.
A copy of these measures can be obtained by contacting our Group Data Protection Office. If and to the extent required by applicable law, we implement the necessary legal, operational and technical measure and/or enter into an agreement with you before such transfers.
6 How long do we store your data?
We will only retain Personal Data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements. To help us do this, we apply criteria to determine the appropriate periods for retaining your Personal Data depending on its purpose. As far as necessary, we will keep your data for the duration of our working relationship subject to applicable legal and regulatory requirements. In addition, we might process your data after the termination of our working relationship for compliance or risk management in accordance with the applicable laws as well as pursuant to various retention and documentation obligations or if it is in Carlyon’s Services GmbH legitimate interest.
7 What are your rights and how can you exercise them?
7.1 Your rights
You have a right to access and to obtain information regarding your Personal Data that we process. If you believe that any information we hold about you is incorrect or incomplete, you may also request the correction of your Personal Data.
You also have the right to:
- object to the processing of your Personal Data;
- request the erasure of your Personal Data;
- request restriction on the processing of your Personal Data; and/or
- withdraw your consent where Carlyon Services GmbH obtained your consent to process Personal Data (without this withdrawal affecting the lawfulness of any processing that took place prior to the withdrawal).
When Personal Data is processed for direct marketing purposes, your right to object extends to direct marketing, including profiling to the extent it is related to such marketing.
Where we process your Personal Data on the basis of your consent, or where such processing is necessary for entering into or performing our obligations under a contract with you, you may have the right to request your Personal Data be transferred to you (known as the ‘data portability’ right). You also have the right to ask us for information regarding some or all of the Personal Data we collect and process about you.
7.2 Exercising your rights
To exercise the above rights, please:
- To avoid delay in dealing with your request, please enclose with your signed letter a copy of your passport or identity card and mail it to us
8 Changes to your Personal Data
We are committed to keeping your Personal Data accurate and up to date. Therefore, if your Personal Data changes, please inform us of the change as soon as possible.
9 Updates to this Notice
This Notice was updated in January 2022. We reserve the right to amend it from time to time. Any amendment or update to this Notice we will make available to you here. Please visit our website frequently to understand the current Notice, as the terms of this Notice are closely related to you.
If you have any questions or comments about this Notice, please contact the Group Data Protection Office at firstname.lastname@example.org