Data protection

Data privacy notice from BCV Group companies (“BCV Group”), and in particular Banque Cantonale Vaudoise (“BCV”)

BCV Group is firmly committed to protecting its customers’ personal data and to collecting and processing such data transparently and in compliance with the Swiss Federal Act on Data Protection (the “Act”). For the purposes of this notice, the term "Client" also includes prospects whose personal data is processed by the Bank.

This notice describes customers’ data-protection rights and informs data subjects of the types of personal data processed by BCV and how BCV uses them, as well as the legal basis for its policy. This notice supplements both the contractual documentation governing the relationship between BCV and its customers (including Articles 17 to 19 of BCV’s General Conditions on outsourcing, data protection, and banking confidentiality) and the specific terms and conditions applicable to BCV’s various digital products and channels (particularly websites and mobile applications).

1. Types and sources of personal data

The term “personal data” refers to all information relating to an identified person (e.g., through their first and last name) or identifiable person (e.g., through a name or passport number). In the course of its business, BCV must collect and process personal data on the customer and related persons (hereinafter referred to collectively as the “data subject”), such as the representative of a legal entity, a trustee, a beneficial owner, the recipient of a payment order, or the holder of a power of attorney over one of the customer’s accounts. BCV asks the customer to provide any such related persons with the information contained in this document.

Depending on the product or service provided, BCV may be required to process the following types of personal data:

• Personal information, such as name, passport number, date of birth, mailing address, email address, telephone number, conservator’s name (if applicable), information on family members such as spouse’s and children’s names, marital status and know-your-customer (KYC) documents.
• Work-related information, such as profession, job title, employer’s name and work experience.
• Banking information, such as bank account details and bank card number.
• Financial information, such as bank transactions, payment advices and information on income (salary, investment income, etc.), movable assets and real estate, debts (e.g., extract from the debt collection office, taxes (e.g., tax domicile), and other commitments (e.g., a loan from another bank).
• Experience and product knowledge, such as customer segment, investor profile, investment knowledge and experience, details on BCV’s discussions with the customer in this regard, and the products and services the customer uses.
• Relationships, e.g., client relationship manager, power of attorney, principal, beneficial owner.

This information may be collected by BCV directly from each data subject or, in some cases, from public sources (such as a telephone directory or the United Nations sanctions list) or third parties (such as an intermediary or wealth screening services).

2. Personal data processing by BCV: legal basis, purposes

2.1 Legal basis

BCV processes data subjects’ personal data on the following legal grounds:

• Where there is a legitimate interest for BCV, without infringing on the data subject’s interest in personal data protection.
• To perform a contractual obligation with regard to a data subject.
• To fulfill a legal or regulatory obligation.
• In response to a request for judicial assistance or in support of legal proceedings or any other form of cooperation with the competent authorities.
• With the consent of the data subject, or if BCV plans to process the data on other legal grounds than those listed above, or if required by the Act.
   

2.2 Purposes

In keeping with the legal grounds set out in section 2.1 above, BCV processes personal data mainly for the following purposes:

1. To identify data subjects when they open an account and/or enter into a business relationship with BCV, and to assess the customer’s credit application.
2. To effectively manage the business relationship with the customer and to execute transactions in accordance with the customer’s instructions and the contractual terms.
3. To improve BCV’s functioning, products, services and internal processes, including in the area of risk management.
   
4. To further develop the business relationship, such as by proposing other products or services that may interest the customer, and to use the personal data for marketing purposes, unless the data subject objects to their personal data being used for this purpose.
   
5. To enable BCV to determine facts, exercise its rights or defend itself from a current or future claim, or to respond to an investigation carried out by a public authority in Switzerland or abroad.
   
6. To fulfill its legal and regulatory obligations, particularly with regard to combating money laundering when BCV applies international sanctions in accordance with its established procedures (which includes, for example, processing personal data for verification and screening purposes), but also with regard to managing market, credit, operational, and liquidity risks.
   
7. When recording telephone conversations and electronic communications with data subjects, to combat fraud and other crimes, to protect BCV’s interests, to analyze and improve the quality of the products and services it provides, to train its employees, and to manage its risks.
   
8. To comply with requests from authorities in charge of criminal proceedings, supervisory authorities, authorities in charge of combating money laundering and the financing of terrorism, and authorities involved in the automatic exchange of information for tax purposes (including under the Foreign Account Tax Compliance Act (FATCA)).
   
   

BCV may process personal data when evaluating certain aspects of data subjects through automated data processing (“profiling”), in particular to provide tailored offers and advice or to provide information on BCV’s products and services, or aspects of affiliated entities or business partners. If BCV makes individual decisions based on automated data processing in its business relationships with customers, it will comply with applicable legal and regulatory requirements.

3. Disclosure of personal data

3.1 Disclosure to third parties

In order to provide its products and services, BCV may disclose personal data to:

• Third parties involved in the transaction or acting on the customer’s behalf, such as the operator of a financial market infrastructure (e.g., an exchange), a broker, a correspondent bank, a sub-custodian, or an issuer;
  
• External service providers, such as for IT services and hosting;
  
• Providers of audit, analysis, and advisory services, such as economic information companies, marketing agencies, audit firms, and other external advisory services.

In accordance with Article 17 of its General Conditions, BCV contractually requires its service providers to protect and maintain the confidentiality of the personal data that they process.

3.2 Disclosure to authorities

Personal data may be disclosed to public, judicial, or administrative authorities or to regulatory or governmental bodies (such as supervisory authorities), upon their request. personal data may also be disclosed to these entities so that BCV can determine facts, exercise its rights or defend itself from a current or future claim, or respond to an investigation carried out by a public authority in Switzerland or abroad.

3.3 Cross-border disclosure

Although BCV mainly processes personal data in Switzerland, it may also have reason to disclose personal data outside of Switzerland to the providers mentioned in section 3.1 above, and it complies with Swiss law in this regard. This principally concerns countries whose data protection regulations have been recognized as “adequate” with regard to Swiss law. If BCV must exceptionally disclose personal data in a State that cannot guarantee adequate protection as set out in the Act, BCV will put in place appropriate technical, organizational, and legal measures to protect the personal data, including binding contractual commitments with the personal data recipient. A current list of the countries concerned may be obtained by writing to the address mentioned in section 5.

With regard to the disclosure of personal data to authorities outside Switzerland within the meaning of section 3.2 above, BCV complies with the applicable legal provisions on international judicial assistance and with FINMA’s provisions on the direct transmission of non-public information to foreign authorities and entities.

Personal data may also be disclosed in other countries based on instructions given to BCV by the account holder (or their representative) or based on specific services that the account holder (or their representative) may request from BCV. For example, if BCV receives payment instructions in a currency other than CHF, it will disclose personal data concerning the payment originator to the correspondent bank outside Switzerland. Similarly, certain personal data concerning investors may have to be disclosed outside Switzerland in connection with investments in certain vehicles or to comply with other regulatory or legal obligations applicable to BCV depending on the situation.

With regard to the use of Visa Debit cards issued by BCV, personal data relating to transactions made with the card (such as the card number, transaction amount and date, acceptance point, or, in the case of transactions such as car rentals or hotel or flight reservations, the account holder’s name) may be disclosed to SIX (partner for card issuance and transaction processing) and VISA (more than 200 countries are part of the VISA network).

4. Storage period

The length of time personal data are stored depends on the applicable legal and regulatory storage period as well as the purpose for which they are processed. BCV generally stores personal data for 10 years after the business relationship ends. A longer storage period may be justified to enable BCV to determine facts, exercise its rights or defend itself from a current or future claim, or to respond to an investigation carried out by a public authority in Switzerland or abroad.
 

5. Data subjects’ rights in relation to their personal data

Data subjects have the following rights with regard to their personal data, subject to the applicable regulations, particularly in the event of a legal restriction, the overriding interest of a third party, or an unjustifiable request:

• The right to access their personal data.
• The right to have them corrected if they are inaccurate or incomplete. In this regard, BCV seeks to ensure that the personal data are accurate and up to date. If the data change, the data subject should inform BCV as soon as possible.
• The right to oppose and/or request to limit the processing of their personal data. The data subject can object to the use of their personal data for marketing purposes (including profiling) or withdraw their consent. However, the customer should be aware that if BCV does not have certain data about the customer, it may not be able to provide the customer with certain products or services that require such data to be processed.
• The right to request the deletion of their personal data. However, this right is not absolute and may be limited by overriding interests that require the ongoing collection of personal data. 

To exercise the rights set out in this section, data subjects must inform BCV in writing by sending a letter to the address below together with a copy of their valid ID card or passport.

Banque Cantonale Vaudoise
Legal Department
Place Saint-François 14
1001 Lausanne
Switzerland
 

6. Amendments

BCV reserves the right to amend this notice at any time, including in the case of a change in data protection legislation or in BCV’s personal data processing practices. Any updates will be published on BCV’s website at www.bcv.ch/en/Legal-information.

January 2024 version