The types of personal data that are actually processed and used within each specific individual case are heavily dependent on the services requested or agreed upon.
Scope of data processing and legal basis
Data are processed by the Bank in accordance with applicable data protection law. The main objectives pursued are illustrated below:
a. Compliance with contractual obligations
Personal data are processed for the purpose of providing banking and financial services in relation to the performance of contracts with our clients or in order to take steps, upon request, prior to entering into a contract. The scope of the respective personal data processing is established primarily with reference to the specific contract and/or banking product (e.g. account operation, credit, mortgage, securities transactions / deposit, etc.) and may also involve execution and assistance in relation to banking advice, asset management and assistance, analysis of needs and execution of transactions. Further information and specific details concerning the extent to which your personal data are processed are also available in the relevant contractual documentation and in our General Terms and Conditions.
b. Processing on the grounds of consent
If you have consented to the processing of your personal data for a specific purpose (e.g. analysis of particular data for marketing purposes), that consent constitutes the legal basis for data processing. Any consent provided to us may be withdrawn at any time. Please note that any withdrawal of consent does not have retroactive effect. It does not affect any data processing carried out before consent was withdrawn.
c. Protection of legitimate interests
Any processing of personal data other than for the purpose of compliance with a specific contract is carried out exclusively where such processing is necessary in order to uphold the legitimate interests of the Bank or of third parties. Such a scenario may arise for example under the following circumstances:
- advertising operations or market analysis and opinion surveys, unless usage of the data is objected to;
- measures intended to optimise services and products as well as operational management;
- measures for the establishment or exercise of legal claims and defence in the event of litigation;
- work carried out in order to safeguard our IT security and operability;
- measures relating to the prevention and detection of criminal offences as well as the collection of evidence (e.g. in the event of robberies and cases involving fraud);
- measures to protect real property (e.g. video surveillance).
d. Compliance with legislative requirements or on public interest grounds
The processing of personal data may also be required due to legal requirements or on public interest grounds. The Bank is subject to various legal requirements, including statutory obligations (e.g. the Swiss Federal Act on Banks, the Swiss Anti-Money Laundering Act, the Swiss Cartel Act, the Swiss Criminal Code, the Swiss Federal Act on Collective Capital Investment Schemes, the Swiss Federal Act on Mortgage Bonds, as well as FINMA ordinances and circulars, in addition to tax legislation) as well as the provisions on banking supervision issued by FINMA and the Swiss National Bank.
What types of data are used
We process the personal data that we collect within the ambit of the business relationship with the client. Where necessary for the purpose of providing our services, we also process any personal data that we have obtained in a permitted manner from publicly accessible sources (e.g. registers of debtors, land registers, commercial registers, etc.) or that are lawfully transmitted to us by third parties (e.g. credit information centres, pension funds, authorities, etc.).
The personal data that are actually processed include specifically particulars (name, address and other contact data, date and place of birth and nationality), identification data (e.g. data contained in an identification document) along with any other authentication data (e.g. specimen signature).
The data processed may also relate to instructions (e.g. payment orders), data necessary in order to comply with our contractual obligations (e.g. payment transaction data), information concerning your financial circumstances (e.g. information regarding solvency, the origin of assets, etc.), advertising and distribution data, documentation data (e.g. minutes of consultation meetings) as well as other data similar to the categories mentioned.
Access to personal data
The departments that will have access to personal data within the Bank will be those that require them in order to comply with our contractual and legislative obligations.
Service providers and auxiliary staff deployed by us may also receive personal data for the purposes indicated, provided that banking secrecy is maintained. For the purposes of the above, service providers and auxiliary staff mean companies operating within the categories of banking services, IT services, logistics, printing, telecommunications, collection, advice and consulting as well as distribution and marketing.
Whenever personal data are transmitted to persons outside our Bank, the need to guarantee banking secrecy is always a key priority. In the light of the above, personal data are thus only transmitted where required by law, if consent to transmission has been granted by the data subject, or where the Bank is authorised to release any specific information. If disclosure occurs in accordance with a legal requirement or the directions of an authority (e.g. Swiss National Bank, FINMA, tax authorities, criminal prosecution authorities), the recipients of personal data may therefore also include public offices or bodies. Personal data may also be transmitted to other credit institutions, financial service providers or similar organisations, where the personal data concerned are transmitted for the purpose of giving effect to a business relationship (e.g. correspondent banks, custodian banks, brokers, stock exchanges, etc.). Personal data may also be shared with bodies to which the relevant client has consented to the transmission of data and/or where the client released the Bank from banking secrecy in respect of such transmission.
Transmission of data abroad or to an international organisation
Personal data may be transmitted to entities or countries outside Switzerland in the following manner:
- where necessary in order to execute orders (e.g. payment and/or securities orders);
- where required by law (e.g. in accordance with tax reporting obligations, the automatic exchange of information, etc.);
- where consent to such transmission has been granted.
Archival of personal data
The Bank processes and archives personal data for as long as and insofar as is necessary in order to comply with contractual obligations or statutory requirements.
Any personal data that are no longer required for compliance with contractual obligations or statutory requirements are erased at regular intervals, unless further processing of personal data – for a designated period – is necessary for a contractual or statutory purpose.
Such purposes include compliance with retention requirements under commercial and tax law, including in particular those laid down by the Swiss Code of Obligations (CO), the Swiss Federal Act on Value Added Tax and the Swiss Federal Act on Direct Federal Taxation. They may also include any need to archive data for the purpose of securing evidence with reference to statutory limitation periods (e.g. under Articles 127 et seq. CO).
With regard to any such archival of personal data, please note that our business relationships are normally configured as ongoing, long-term in personam relationships.
The Bank has adopted appropriate technical and organisational measures to protect your personal data against loss, abuse, unauthorised access, transmission and alteration. Our security measures include, for example, firewalls, data encryption, physical and technical access restrictions as well as periodic backups.
Rights of data subjects
Every data subject has a right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object and – where applicable – the right to data portability. You also have the right to lodge a complaint with a competent data protection supervisory authority.
You can withdraw at any time the consent granted to us to process your personal data. Please note that any withdrawal of consent does not have retroactive effect.
Obligation to provide data
Within the ambit of our business relationship, you are under an obligation to furnish all personal data required for the purpose of the acceptance and implementation of a business relationship and compliance with the related contractual obligations, as well as any data that the Bank is obliged by law to collect. If such data are not provided, BancaStato will not as a general rule be able to conclude or implement a contract with you.
In particular, the legislation on the prevention of money laundering obliges the Bank to identify you on the basis of your identification documents before establishing a business relationship and to collect and register your name, place and date of birth, nationality, address and identification details for that purpose. In order to enable us to comply with these obligations laid down by law, you are also required to report immediately any change that may occur during the course of the business relationship. If you decide not to provide the necessary information and documents, we will not be able to establish or continue the business relationship requested by you.
Automated decision making processes and profiling
The Bank does not as a rule use any fully automated decision making process with any legal effect for the purpose of establishing or implementing business relationships.
The Bank processes personal data in part using automated procedures in order to analyse certain personal aspects (profiling). Such processing is for example used in the manner described below:
- processing of data in accordance with legal and legislative requirements on the combatting of money laundering, the financing of terrorism or offences against property. Data analysis (including in relation to payment transactions) is also carried out within this context. These measures are also intended to protect our clients;
- analytical instruments are used to provide targeted information and advice in relation to our products, enabling communications that are tailored to needs, advertising as well as market research and opinion surveys;
- solvency and sustainability levels are assessed during credit checks.
Data Processing Officer
The contact details for the Data Processing Officer at our Bank are as follows:
Banca dello Stato del Cantone Ticino
Data Processing Officer
Viale H. Guisan 5
+41 (0)91 803 71 11