Duty to inform about personal data collection
The following information is intended to give you an overview of the processing of your personal data by Cornèr Banca SA (hereinafter also referred to as "Cornèr", "we" or "us") and your rights under data protection law. Specifically which information is processed and how it is used depends significantly on the services requested and/or agreed on. Please note, in particular, that Cornèr provides both banking services (e.g., payment transactions, retail and private banking, mortgages and online trading via Cornèrtrader) and payment card services (Cornèrcard), and that your information may be processed differently according to the service obtained.
Additional information and legally binding data protection provisions may also be found in the General Terms and Conditions for the relevant product.
Regarding services provided by third party providers, please also read the relevant statutory provisions and the privacy policies of such third party providers (e.g. providers of financial messaging services, stock exchanges, payment card schemes) that offer services independently from Cornèr.
1. Who is responsible for data processing and whom can I contact?
Cornèr Banca SA, via Canova 16, 6900 Lugano
E-mail: firstname.lastname@example.org and email@example.com
If you prefer a contact in the European Union, you may write to the following e-mail address: EUrepresentative@corner.com
2. What information do we collect and use?
2.1. In general
We process personal data that we obtain from our customers in the course of our business relationship. To the extent necessary to provide our services, we also process personal data lawfully obtained from publicly available sources (e.g., debtors lists, land registers, commercial registers, newspapers, Internet) or information transmitted to us by authorized third parties (e.g., credit reference or business information agencies).
2.2. In the course of our services and business relationships
In connection with providing our services, we collect various personal data, including:
- personal information, such as first and last names, date and place of birth, nationality, domicile, telephone number, postal address and e-mail-address, as well as information about your family e.g., the name of your spouse, partner or children;
- personal information that is shared with Cornèr or collected by Cornèr itself (data on customers, bank accounts and payment cards) during the application process for the requested service or the effective period of a contractual relationship (e.g., in connection with issuing account or assets statements, in case of asset management and transfer, investment advisory, granting of loans, refunds or collection of outstanding claims or when handling insurance claims);
- information provided by customers participating in the loyalty or bonus programs of Cornèr (or associated partners), entered during registration for the bonus program or while participating in that program, on the appropriate website of Cornèr or of its partner, or when using the Cornèr App;
- customer identification documents (including a copy of the identity card or passport), authentication data (e.g., specimen signature) and details on the grant of power-of-attorney, where applicable;
- financial information and financial background, including an overview of payments and transactions and information about your assets (including real estate), financial reports, liabilities, taxes, earnings, capital gains and investments (including your investment objectives), along with information about your financial situation (e.g., credit standing, scoring/rating information, origin of assets) and about your knowledge concerning financial products, your level of investment expertise and experience;
- your tax domicile and other tax-relevant information and documents;
- occupational information about you, if applicable, e.g., job title and professional experience;
- identifiers that we assign to you, such as your customer or account number, your credit card number or other internal identification numbers;
- order data (e.g., payment order) and transaction data. With respect to payment cards, transaction data (details of purchases and cash withdrawals) may include, for example, the point of acceptance; the amount of the transaction; the date and time of the transaction; the mode of use of the card (e.g., online, contactless); the number of failed attempts to enter the PIN; the selected currency. More detailed information will be collected only in certain transactions. In such cases, however, Cornèr will generally be unable to identify what was actually purchased;
- data that Cornèr obtains lawfully from third parties (e.g., intermediate banks, the Central Office for Credit Information (ZEK) or the Consumer Credit Information Office (IKO), government agencies, credit reference agencies, employers, other Cornèr Group companies, publicly available databases or registers such as local.ch or the commercial register), or that is legitimately shared with Cornèr by a third party (e.g., a credit reference agency);
- risk information Cornèr collects or generates for risk management purposes such as client due diligence data (including periodic review results), client risk profiles, data to assess suitability/appropriateness, client qualification data (e.g. status as qualified investor), screening alerts (transaction screening, name screening), tax data or complaint information;
- documentation data (e.g., customer advisor's meeting notes);
- details on our mutual business relationship and on the products and services you use, as well as information arising from the performance of our contractual obligations (e.g., volumes of payment transactions, performance of a portfolio managed as part of an asset management contract or within the scope of an advisory mandate, execution of transactions with securities, foreign exchange and CFD transactions using Cornèrtrader);
- possibly, recordings of telephone conversations between you and Cornèr and video recordings during your visits to our premises;
as well as other data similar to the above-mentioned categories.
2.3. During the use of our websites and applications
- Website visits: When you visit our websites, the personal data we process depends on the relevant product offer and feature. Such data may include technical data such as information about the date and time of access to our website, the duration of the visit, the pages consulted, information about the hardware used, the quantity of data transmitted and the outcome of the access, information about your web browser, the browser language and the requesting domain and the IP address (no additional data will be recorded by our website unless you make such disclosures voluntarily, e.g., in the course of registration or a query). We use such data for providing the website, for reasons of IT security and to improve the user-friendliness of the website. We also use "Cookies": i.e., files that are stored on your terminal when you visit our website. In many cases, cookies are necessary in order for the website to function and are automatically deleted after the visit. Other cookies are used to personalize our product offer or allow us to display targeted advertising on third-party websites and are stored for a certain time. Moreover, we use services such as Google Analytics & Adobe Analytics (cookies stored 30 days max.), which collect detailed information about the visitors’ behaviour on the relevant website. We may also integrate functions of service providers like Facebook, which may lead to that service provider receiving information about you, but in most cases we do not know the website visitors’ names.
- Online offers and apps: When you make use of our online offers, we also process personal data (even if you do not purchase any goods or services). Such information includes the type of offer, data about the customer account and how it was used, and information about the installation and use of mobile applications ("Apps").
3. Why do we process your data? (purpose of processing)
We always process personal data for a specific purpose and only to the extent necessary to achieve that purpose. The main purposes of such data processing are as follows:
- Negotiations and formation of contracts, including to confirm your identity and evaluate your application (including any need for guarantees or other collateral), if you apply for a loan, and to run checks on compliance with statutory or regulatory requirements (e.g., compliance with anti-money-laundering and anti-fraud laws and regulations);
- Risk management and provision of banking products & services
- Data processing to meet Cornèr’s internal operational requirements for credit and risk management, system or product development and for planning, insurance, audit and administrative purposes;
- Data processing to provide banking products and services (including Cornèrtrader) and to ensure their correct performance, e.g., through proper identity checks and by making account deposits and withdrawals in accordance with your instructions and with the terms and conditions of the relevant product. The purposes of the data processing primarily depend on the specific order. They may include demand analysis, advising, asset management, as well as the performance of transactions. To measure credit risks and risks of default in lending transactions (e.g. mortgage underwriting, trade finance), we may also consult with credit information agencies and share information with them (e.g., debt collection register);
- Regarding payment cards, we process the collected data to perform the card agreement and manage the relationship. Please note the following in this regard:
- Cornèr processes the collected data for risk management purposes, in order to identify the risks associated with issuing cards (e.g., credit and market risks). This is necessary, in particular, because Cornèr assumes the financial risk of the cardholder relationship (credit risk). Cornèr therefore draws up individual risk profiles, which are used to assess credit risk, among other things. The authorization to process data for risk purposes is irrevocable, because Cornèr needs to do so in order to calculate and control its financial risk. The only way to oppose such data processing is by terminating the card agreement.
- Regarding the use of the card, the transaction information is transmitted by the points of acceptance (merchants or ATMs) to Cornèr. Such transmission generally takes place over the global networks of the international card organisations Mastercard, Visa and Diners (see the privacy policies of the relevant card organisations). We subsequently check, authorize and bill the transactions to the cardholder.
- Regarding the authorization of transactions, Cornèr checks whether a transaction is performed by the authorized cardholder or whether it might be a fraudulent transaction. Cornèr may take various fraud prevention measures at its discretion. Each transaction is automatically compared with predetermined sets of rules and conditions in order to detect signs of possible misuse. In addition, when possible, transactions are checked for significant deviations from the usual patterns of card use (e.g., in terms of time or place). If Cornèr obtains indications of possible card misuse, Cornèr, when possible, takes action to prevent such abuse (e.g., by contacting the cardholder or by denying authorization for a transaction).
- Moreover, the cardholder's data are processed in the transaction complaint and chargeback process, e.g., in order to clarify unknown transactions or in case of unjustified debits. In that process, transactions are verified in detail. Data is also collected and processed for the settlement of insurance claims, in order to clarify the claims in cooperation with our insurance partner.
- If payment cards are marketed by Cornèr's partner companies as private cards to consumers or as corporate cards to the corresponding companies and their own clients, information about the cardholder's use of the payment card (e.g., transaction data) is forwarded to the corresponding partner companies.
- The management of our relationship with you, e.g., concerning the products and services provided by us and by our business partners, to handle customer service issues and complaints, to facilitate debt collection, in deciding whether or not to grant a loan, to clarify your place of residence (for example, if we can no longer reach you);
- Measures to improve our products and services and the technologies we use, including verification and updates of our systems and processes, and for market research purposes, in order to find out how we can improve our existing products and services or what other products and services we might sell;
- Information and direct marketing: We process personal data in order to send out information and advertisements (including through push notifications) concerning products and services which, in our opinion, may be of interest to you, including the products and services sold by us, by the Cornèr Group companies or by our business partners. For example, when you sign up for a newsletter or SMS notification service, we process your contact data; in the case of e-mails, we also process information about your use of the messages (e.g., whether you opened an e-mail and downloaded the embedded images), so that we can tailor our offers to you and generally improve them. To find out more about you as a customer, we may also create profiles, e.g., by analysing which types of our products and services you use, how you wish to be contacted, etc. You can opt out of being sent information (block on advertising) or generally revoke any prior consent you may have given to data processing for marketing purposes by sending Cornèr a written request to that purpose, including by e-mail (see information below on the right to object);
- In connection with its products, Cornèr may create customer, consumption and preference profiles from personal and transaction data collected for marketing purposes or to comply with specific legal and regulatory requirements (e.g. determination of the customer investment profile in the areas of private banking and on-line trading), which enable Cornèr to develop and offer attractive products and services to customers. Cornèr may send customers such information about its own products and services or those of its partners via the available communication channels (e.g., by post, e-mail, push notifications). Every customer can opt out of being sent information (block on advertising) or generally revoke any prior consent given to data processing for marketing purposes by sending Cornèr a written request to that purpose, including by e-mail (see information below on the right to object);
- Customer events: We also process personal data when we hold customer events (e.g., advertising events, sponsoring events, cultural and sports events). Such data may include the first and last names of the participants and/or prospective customers, their postal and/or e-mail address and possibly other information, such as their date of birth, depending on the circumstances. We process such information in order to carry out the customer events but also in order to make direct contact with you. For further information, see the relevant terms and conditions of participation. Every customer can opt out of being sent information (block on advertising) or generally revoke any prior consent given to data processing in the context of such customer events by sending Cornèr a written request to that purpose, including by e-mail (see information below on the right to object);
- Competitions, contests and similar events: We occasionally organize competitions, contests and similar events. In so doing, we process your contact data and information about your participation in order to carry out the competitions and contests, and if necessary in order to communicate with you about such events and for advertising purposes. For further information, see the relevant terms and conditions of participation. Every customer can opt out of being sent information (block on advertising) or generally revoke any prior consent given to data processing for such competitions, contests and similar events by sending Cornèr a written request to that purpose, including by e-mail (see information below on the right to object);
- Regarding fulfilment of our ongoing regulatory and compliance obligations (e.g., financial, anti-money-laundering and tax laws), including in connection with the recording and monitoring of communications, the disclosure of data to tax authorities, financial regulatory authorities and other supervisory and/or national authorities and for crime detection or prevention;
- Law enforcement: We process personal data in various situations in order to enforce our rights, e.g., in order to enforce our claims in or out of court and to enforce or defend ourselves against claims before foreign or domestic authorities. For instance, we may inquire into the chances of success in litigation or file documents with an authority. In so doing, we may process your personal data or forward it to third parties in Switzerland and abroad, to the extent necessary and permissible;
- Measures to prevent and investigate crimes and to ensure the safety of our customers, employees and other third parties;
- Measures to secure the property owner's rights, including facility and building security measures (e.g., access control). This includes video surveillance in appropriately labelled areas in order to protect the property owner's rights, to collect evidence in case of robbery or fraud, or to have proof of deposits and withdrawals (e.g., at ATMs);
- Ensuring IT security and IT operations of Cornèr (including processing of personal data in test environments, where the information is generally pseudonymized in advance);
- To perform transaction analyses and statistical analyses and similar analyses;
- For the operational business management of Cornèr and its affiliated companies (“Cornèr Group”) (including credit and risk management, insurance, auditing, system and product training and similar administrative purposes);
- Business partners: We work together with various companies and business partners, e.g., with suppliers, with commercial purchasers of goods and services, with joint venture partners and with service providers (e.g., IT-service providers). In so doing, we process personal data concerning the contact persons in those companies (e.g., names, position, title and communications with us), for contract preparation and performance, for planning and bookkeeping purposes and other contract-related purposes. Depending on the field of business, we may also be required to run more detailed checks on the relevant companies and their employees, e.g., through a security check. In that case, we collect and process further information. We may also process personal data to improve customer guidance, customer satisfaction and customer loyalty (Customer/Supplier Relationship Management);
as well as for other purposes of which you will be informed on a case-by-case basis.
Much of the aforementioned processing is performed to fulfil contractual obligations or for pre-contractual measures at your request (items a), b), c)ii., c)iii., c)iv., c)v., d), q)).
Other processing is performed when required by law or in the public interest (items a), j), p)). For instance, such legal obligations may arise from the Swiss Banking Act, the Collective Investment Schemes Act, the Anti-Money Laundering Act, the Consumer Credit Act, the Mortgage Bond Act, as well as various tax laws and FINMA regulatory ordinances.
Finally, some forms of data processing are intended to protect our legitimate interests or those of third parties in the context of a weighing of interests (items c)i., e), f), g), h), i), k), l), m), n), o)). If you would like further details about the weighing of interests, please contact us (contact details in section 1).
In specific cases, we will ask for your consent for personal data processing for certain purposes (e.g., transfer to third parties for their own marketing purposes). Such consent must be given separately and can be revoked at any time.
4. Who will receive my data?
Regarding the transfer of data to recipients outside Cornèr, you should first remember that we, as a bank, are bound to secrecy concerning all customer-related facts and evaluations that come to our attention. We are permitted to disclose information about you only when so required by law, or you have granted your consent (e.g., in order to carry out a financial transaction that you ordered from us or when using your credit card) or when we are authorized to disclose certain information.
4.1 Within the Cornèr Group
Within Cornèr, your data is made available strictly on a need-to-know basis for the performance of our contractual and statutory obligations.
We may transfer personal data to other Cornèr Group companies for intra-Group management purposes (including for risk management pursuant to statutory or administrative obligations) and for various processing purposes. In so doing, your personal data may be processed and linked with personal data from other Cornèr Group companies for the relevant purposes.
4.2 Third parties
When we provide you with products and services, we give personal data to individuals who are acting on your behalf or otherwise participating in the transaction (depending on the type of products or services you make use of), including the following types of companies described below, where applicable.
- Other lending and financial services institutions or similar establishments, with which we share your personal data (for instance, depending on the contract, correspondent banks, custodian banks, external asset managers, fund managers, brokers, securities exchanges, Central Counterparty Clearing Houses (CCPs), upstream paying agents, registers of swaps or transactions as well as clearing houses and clearing or settlement systems as well as specialized payment providers or payment institutions, such as SWIFT);
- Parties who participate in a transaction (e.g., payees, beneficiaries, authorized signatories on an account, intermediaries) or assume a risk in the course of or in connection with the transaction (e.g., an insurer);
- If you have a payment card with us, the relevant card organisation (Visa, MasterCard, Diners Club) and the acquiring companies that have agreements with individual merchants for purposes of acceptance of those cards;
- Other financial institutions, credit or business rating agencies (for the purpose of procuring or distributing credit reference information and credit checks).
4.3 Service providers
Your data may also be received for the above-mentioned purposes by the service providers or subcontractors we hire if they enter into appropriate confidentiality agreements. Such businesses include providers of banking services (incl. investment services), IT services (including hosting service providers), logistics, printing, telecommunications, debt collection, payment transactions, credit rating agencies, advice and consulting, as well as sales and marketing. In such situations, we protect your personal data in such a way as to ensure that the subcontractor complies with our data security standards.
4.4 Government authorities or regulatory authorities
If necessary, we also disclose personal data to government authorities, regulatory authorities or government agencies (e.g., Swiss National Bank, FINMA, criminal prosecution authorities), including when so required by laws or regulations or other rules of conduct, or when disclosure is demanded by such authorities or agencies.
4.5 Other cases
In the case of a sale of all or part of our business to another company or in case of the restructuring of our business, personal data will be shared to make it possible for you to continue using the relevant products and services. We usually give personal data to potential purchasers, too, if we are considering a full or partial sale or full or partial spin-off of a business unit. We take precautions to ensure that such potential purchasers will see to the security of the data.
We shall disclose personal data to the extent necessary for the exercise or enforcement of legal rights, including the rights of ourselves and of our employees and other rights-holders, or to the extent necessary in responding to inquiries by individuals or their representatives who wish to enforce their own rights or those of others.
5. Will my data be transmitted to third countries or to an international organisation?
The recipients mentioned in the previous section may reside outside Switzerland and outside the European Economic Area. In that case, Cornèr will require such recipients to enter into a legally binding agreement to take appropriate measures to protect personal data, unless the receiving country is recognized as ensuring an appropriate level of data protection. Your data may also be transmitted to or within third countries to the extent necessary to carry out your orders (e.g., in the case of payment orders and securities trading orders), if such data transmission is required by law (e.g., tax reporting obligations) or if you have expressed your consent to that purpose.
Please contact us if you would like to examine the data transmission guarantees that have been agreed upon.
6. How long will my data be stored?
We store your personal data as necessary for the purpose for which we collected them.
In the case of contracts, we store your personal data for at least the duration of our contractual relationship. Please note that our business relationship is set up to last for years as a long-term contractual obligation.
Moreover, we store personal data whenever we have a legitimate interest in such storage. Such may be the case, in particular, when we need personal data in order to enforce or defend against claims, for archiving purposes, to ensure IT security or as long as the limitation period on contractual or extracontractual claims is still running. For example, 10-year limitation periods are commonly applicable, but there are also many cases of 5-year or even 1-year limitation periods.
Furthermore, we store your personal data for the applicable statutory retention period (e.g., compliance with retention periods under tax or commercial law or compliance with the 10-year retention period required by anti-money laundering legislation).
In certain cases, we will ask you for your consent if we wish to store your personal data longer.
Upon expiry of such periods, we delete or anonymize your personal data.
7. What are my rights under data protection law?
Every data subject has the right to be informed about his or her personal data, the right to obtain its correction or deletion and to limit and/or object to its processing, and – to the extent applicable – the right to obtain a transfer of such data. Moreover, to the extent it applies to you, there is a right to complain to an appropriate data protection supervisory authority.
You may revoke your consent to personal data processing at any time. Please note that any such revocation will only be applicable to the future. Any processing performed before the revocation will not be affected. Such revocation may result in the termination of the business relationship with you.
To exercise your rights, use the contact data provided in section 1.
8. Am I under an obligation to supply information?
In the course of our business relationship, you must supply such of your personal information as we need to initiate and conduct our business relationship and to perform the related contractual obligations and such information as we are required to collect by law. Without such data, we will not generally be able to enter into or perform the contract (in which case, we will inform you of that fact).
In particular, before we can start a business relationship with you, the anti-money laundering laws require us to check your identity by means of your identification documents and to collect and record your first and last names, place and date of birth, nationality, address and the identification document data. To enable us to meet that legal obligation, you need to provide us with the information and documents required by the Anti-Money Laundering Act, and to promptly report any relevant changes over the course of our business relationship. If you fail to provide us with the necessary information and documents we will be unable to initiate or continue our business relationship.
9. To what extent is the decision-making process automated?
We do not generally use any fully automated decision-making system to initiate and to continue the business relationship. If we use such methods in specific cases, we shall inform you of it separately, to the extent required by law.
10. Is profiling done?
In some cases we process your data automatically in order to evaluate certain personal aspects (profiling). We use profiling in the following cases, for example:
- We are required by laws and regulations to combat money-laundering, terrorist financing and economic crimes. We analyse data (e.g., in payment transactions) to that purpose, too. Such measures also help protect you.
- We use scoring in the assessment of your creditworthiness. This involves calculating the probability that a customer will not be able to meet his payment obligations according to the contract. For example, the calculation may include the earnings situation, expenditures, existing liabilities, occupation, employer, duration of employment, experiences from our past business relationship, repayment of loans according to the contract, as well as information from credit reference agencies. Scoring is based on a mathematical and statistically recognized and validated method. The scores calculated help us to decide whether or not to enter into agreements for certain products and are included in ongoing risk management (i.e., they are also used over the course of our business relationship with you).
- In order to inform and advise you about products in a manner tailored to your needs, we use analytics tools, which enable needs-based communication and advertising, including market and opinion research.
11. Data security
Cornèr takes suitable technical measures (e.g., encryption, pseudonymization, logging, access control, data backups, etc.) and organizational measures (e.g., instructions to our employees, confidentiality agreements, reviews, etc.) to ensure the security of the information collected and processed against unauthorized access, misuse, loss, falsification and destruction. Access to your personal data is allowed on a strictly need-to-know basis.
Nevertheless, it is generally impossible to rule out security risks completely: certain residual risks are mostly unavoidable. In particular, since perfect data security cannot be guaranteed for communications by e-mail, Instant Messaging or similar means of communication, we advise you to send confidential information by especially secure means (e.g., send it by post).
12. Biometric data
To the extent required by the applicable laws, we will request your separate express consent for the processing of biometric data (e.g., using your fingerprints or other biometric identification systems for personal identity checks).
You can opt out of the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link (https://www.hotjar.com/legal/compliance/opt-out).
Information about your right to object
- Right to object to the processing of your data for direct advertising purposes
In certain cases, we process your personal data in order to perform direct advertising. You have the right to submit an objection, at any time, to the processing of your personal data for purposes of such advertising; and the same is true of such profiling as is used in direct connection with such direct advertising.
If you object to such processing for direct advertising purposes, then we shall no longer process your personal data for such purposes.
- Case-specific right to object
You have the right to object, at any time, to such processing of your personal data as is performed in the public interest or on the basis of a weighing of interests.
If you submit such an objection, we shall no longer process your personal data unless we have compelling legally protected reasons for such processing that outweigh your own interests, rights and freedoms, or unless the processing is used for the enforcement, exercise or defense of legal claims. Please note that if you make such objections, we will no longer be able to provide you with services or to maintain a business relationship with you.
Your objection, which is not subject to any conditions as to form, should be addressed whenever possible to:
Cornèr Banca SA, via Canova 16, 6900 Lugano
E-mail: firstname.lastname@example.org and email@example.com
If you make use of more than one Cornèr product or service (e.g., a bank account, payment card, Cornèrtrader account, etc.), please specify, in exercising your right to object, which types of processing you object to. If there are uncertainties concerning the scope of your objection, we shall take the liberty of contacting you to clarify the matter.