Banque Cantonale de Genève
1. General information
BCGE takes the protection of your personal data and your privacy very seriously. The purpose of this Notice is to explain the procedures used by the Banque Cantonale de Genève (the "Bank") in its capacity as "Data Controller" / "Data Processor" within the framework of its activities to collect and process personal data (this term is defined in Question 1 below). This Notice is in addition to, but does not replace, the terms of the contractual agreements between the Client and the Bank (including the articles of the General Conditions relating to outsourcing, data protection and banking secrecy).
Some applications and services, such as TWINT or online account opening, are governed by specific conditions of use that contain data protection information that the Client must consult and accept before using them.
2. Data processing
2.1. What Personal Data is processed by the Bank?
Within the framework of its activities, the Bank collects and processes Personal Data concerning the "Client", as well as Personal Data concerning Related Persons. For the purposes of this Notice, the term "Client" also includes prospects whose Personal Data is processed by the Bank.
The term "Related Person" refers to any natural person about whom the Client, or a third party, has transmitted Personal Data to the Bank within the framework of business relations with the Bank. A Related Person may, for example, be (i) the beneficial owner of an account, (ii) an authorised representative of a company, (iii) the legal representative of a person, (iv) a person opening an account in the name of a third party, (v) the holder of a power of attorney and (vi) the order giver for a payment. It is the Client's responsibility to communicate to any Related Person the information contained in this Notice. The Client and each Related Person are hereinafter referred to as the "Data Subject".
The term "Personal Data" refers to any information that can be used to identify a Data Subject directly (e.g. first name, surname) or indirectly (e.g. a passport number). The Bank processes the following categories of Personal Data in particular with regard to the Data Subject:
|Types of Personal Data|Examples|
|---|---|
| |Name, address, telephone number, e-mail address, professional contact information, photographs, video and audio recordings|
| |Date of birth, country of birth|
|Means of identification issued by public authorities|Passport, identity card, tax identification number, social security number|
| |Professional experience, power of representation, possible sanctions or proceedings|
| |Account history information, bank details|
|Information relating to transactions or investments|Current and past investments, investment profile, investment preferences, amounts invested, number and value of financial instruments held, role played in a transaction (seller / buyer), details of a transaction|
2.2. Where does the Personal Data processed by the Bank originate from?
The Bank collects the following Personal Data:
- directly from each Data Subject, for example when the Client contacts the Bank or fills in a Bank form; and/or
- indirectly from external sources, including publicly available sources (e.g. UN or EU sanctions lists), information available through subscription services (e.g. Bloomberg) or through other third parties (e.g. a business introducer or external asset manager).
2.3. Why is the Personal Data processed by the Bank?
The Bank processes Personal Data for the following purposes (objectives):
2.3.1. The procedures for processing Personal Data listed below are based on the fulfilment of a contractual obligation towards a Data Subject, it being specified that some of these processing operations may also be based on other justifiable grounds, namely:
- opening an account and/or setting up a business relationship with the Bank, including all procedures related to the identification of a Data Subject;
- any other financial services related to the account, including financial services expressly requested by the Client; and
- managing, administrating and distributing collective investment schemes, including services related to such activities (e.g. processing applications for the subscription, conversion and redemption of units of collective investment schemes).
2.3.2. The procedures for processing Personal Data listed below are based on a legal or regulatory obligation, it being specified that some of these processing operations may also be based on other justifiable grounds, namely:
- providing information on the Bank's products and services to the Data Subject;
- monitoring compliance with legal obligations in the area of financial market regulation;
- any form of cooperation with competent authorities, in particular supervisory authorities, authorities responsible for combating money laundering and terrorist financing and authorities involved in the automatic exchange of information in tax matters (including the Common Reporting Standard and the US Foreign Account Tax Compliance Act (FATCA));
- any measure to implement international sanctions in accordance with the procedures established by the Bank, including the processing of Personal Data for screening purposes;
- any risk management measures, including market, credit, operational, liquidity, legal and reputation risks;
- recording telephone conversations and electronic communications with Data Subjects in order to combat fraud and other criminal offences;
- assessing the risks to which the Bank is exposed and the decision-making process for risk management.
2.3.3. The procedures for processing Personal Data listed below are based on the legitimate interests of the Bank, it being specified that some of these processing operations may also be based on other justifiable grounds, in particular in the following cases:
- evaluating certain characteristics of Data Subjects by automated processing of Personal Data ("profiling") (refer also to Question 5);
- any processing aimed at developing the business relationship;
- any processing aimed at improving the Bank's internal organisation and procedures, including risk management;
- use of Personal Data for marketing purposes, unless the Data Subject has objected to the use of his or her Personal Data for this purpose;
- any processing necessary to enable the Bank to establish, enforce or oppose a current or future claim, or to enable the Bank to handle an investigation by a public authority, in Switzerland or abroad; and
- recording telephone conversations and electronic communications with Data Subjects for the purpose of protecting the Bank's interests, analysing and improving the quality of the services and products offered, training Bank staff and controlling risks.
The Bank draws the attention of each Data Subject to the following points:
- The Bank is subject to confidentiality obligations, which stem in particular from banking secrecy. The Personal Data that the Bank processes is also subject to these obligations. The Bank draws the Client's attention to the relevant article in the General Conditions, which specifies the cases in which the Client releases the Bank from its legal obligations of confidentiality (including banking secrecy).
- If Personal Data is processed for purposes other than those referred to in Question 3, the Bank shall inform the Data Subject in advance.
- In the absence of certain Personal Data concerning the Client (or if the Client exercises his right to object to the processing of Personal Data; refer to Question 8 below), the Bank may not be able to provide the Client with the service or product for which the processing of such Personal Data is required.
2.5. Does the Bank use "profiling" or "automated individual decision-making"?
The Bank assesses certain characteristics of a Data Subject through automated procedures of Personal Data processing ("profiling"), in particular to provide personalised offers and advice or information on the Bank's products and services. The Bank may also use profiling to identify the level of risk associated with a Data Subject (for example in the context of combating money laundering and terrorist financing).
If the Bank were to use "automated individual decision-making" in the future in its business relations with its clients, it would do so in accordance with the applicable legal and regulatory requirements.
2.6. Does the Bank communicate Personal Data to third parties?
The Bank reserves the right to communicate Personal Data:
- to administrative (e.g. prudential supervisors) or judicial authorities or to financial market participants (e.g. operators of a financial market infrastructure, such as an exchange, a broker, a correspondent bank, a sub-custodian, an issuer, a financial market supervisory authority or their representatives);
- to subcontractors in the context of outsourcing, in accordance with its General Conditions;
- to the Bank's auditors and certain service providers of the Bank; and
- to affiliated entities.
2.7. Is Personal Data communicated outside Switzerland?
The Bank may disclose, transfer and/or store Personal Data outside Switzerland:
- in the context of the conclusion or execution of contracts directly or indirectly related to the business relationship (i.e. a contract concluded with a Data Subject or with a third party, but in the interest of a Data Subject), for example in the context of outsourcing, in accordance with the relevant article of the General Conditions;
- if such a transfer is necessary to safeguard the greater public interest;
- if such a transfer is necessary to enable the Bank to establish, enforce or oppose a current or future claim, or to enable the Bank to handle an investigation by a public authority, in Switzerland or abroad; and
- in exceptional cases, when such a transfer is required by the applicable regulations (in particular in order to comply with reporting obligations in stock exchange transactions).
If such a transfer of Personal Data is made to a country that does not offer an adequate level of protection of Personal Data (from a Swiss perspective), the Bank shall ensure, if required by the applicable regulations, that it obtains the consent of the Client or that it puts in place adequate safeguards, in particular contractual agreements, which may take the form of standard contractual clauses laid down by the European Commission. Any Data Subject may contact the Data Protection Officer for further information on this subject.
2.8. How long is Personal Data stored?
The Bank stores Personal Data for as long as necessary to fulfil the intended purpose. The Bank deletes or anonymises Personal Data when it is no longer required for the purpose for which it was collected,
- subject to the legal and regulatory obligations applicable to the Bank with regard to the storage of documents and information; and
- subject to cases in which a longer storage period is necessary to enable the Bank to establish, enforce or oppose a current or future claim, or to enable the Bank to handle an investigation by a public authority, in Switzerland or abroad (e.g. setting up a legal hold).
2.9. What rights does a Data Subject have in relation to his or her Personal Data?
Under the applicable regulations, each Data Subject has the following rights with regard to his or her Personal Data:
- the right to access their Personal Data;
- the right to have their Personal Data rectified if it is inaccurate or incomplete;
- the right to oppose the processing of their Personal Data;
- the right to request a limit on the processing of their Personal Data; and
- the right to request the deletion of their Personal Data when it is no longer necessary for the purposes for which it was collected or processed or when the Data Subject has withdrawn his/her consent (in cases where the processing of the Personal Data in question is based on the consent of the Data Subject).
The Bank expressly draws the attention of all Data Subjects to the fact that they may, at any time and without justification, object to the use of their Personal Data for marketing purposes, including profiling if it serves this purpose, by the Bank or by third parties, or that, if consent is required by law for the processing of Personal Data, they may revoke this consent by writing to the Data Protection Officer (refer to Question 10 below).
As indicated in Question 3, the exercise of some of the rights referred to above may result in the Bank no longer being able to provide certain products or services.
2.10. Additional information
The Bank, in its capacity as "Data Controller" / "Data Processor", can be contacted at the following address:
Banque Cantonale de Genève
17, quai de l'Ile
If you are not satisfied with the answer provided by the Bank, you have the right to contact the Federal Data Protection and Information Commissioner.
If a Data Subject wishes to obtain additional information relating to the matters covered in this Notice, the Data Protection Officer appointed by the Bank may be contacted at the following address: firstname.lastname@example.org
The Bank reserves the right to amend this Notice at any time.