Data Protection Notice

Data protection

I. General information

The protection of your personal data and privacy is of paramount importance to Banque Cantonale de Genève (the “Bank").
The purpose of this data protection notice (the "Notice") is to describe the processes for collecting and processing Personal Data (this term is defined in Question 1 below) carried out by the Bank in its capacity as data controller in the context of its activities.
This Notice supplements, but does not replace, the terms of the contractual agreements between the Client (as defined in Question 1 below) and the Bank (including the articles of the General Terms and Conditions relating to data protection, banking secrecy and outsourcing).

Certain applications and services, such as TWINT, the BCGE Debit Mastercard, and online account openings, are governed by specific conditions of use, which contain additional information relating to data protection, that the Client must read over and, if applicable, accept before using.



II. Data processing

1. What Personal Data is processed by the Bank?

Within the framework of its activities, the Bank collects and processes Personal Data concerning natural persons ("Clients") as well as Personal Data concerning Related Persons (term defined below). For the purposes of this Notice, the term "Client" also includes any natural person who is a prospective Client and whose Personal Data is processed by the Bank.

The term "Related Person" refers to any natural person about whom the Client, or a third party, has transmitted Personal Data to the Bank within the framework of business relations with the Bank. A Related Person may be, for example, (i) the beneficial owner of an account, (ii) a director, employee, officer or authorised representative of a company, (iii) the legal representative of a person, (iv) a person who opens an account on behalf of a third party, (v) the originator and/or beneficiary of a payment, (vi) a trustee, or a beneficiary, settlor or protector of a trust, (vii) a control holder or (viii) any representative or agent, including a proxy holder. It is the Client's responsibility to communicate to any Related Person the information contained in this Notice. The Client and each Related Person are hereinafter referred to as the "Data Subject".

The term Personal Data refers to all information relating to a natural person who is identified (e.g. by a passport) or identifiable (e.g. by reference to an AVS number or a combination of several elements specific to the person concerned, such as date of birth, place of origin and canton of residence). The Bank processes the following categories of Personal Data in particular with regard to Data Subjects:

Types of Personal Data Examples
Identifying data

Name, address, telephone number, e-mail address, professional contact information, photographs, video and audio recordings

Personal characteristics

Date of birth, country of birth

Means of identification issued by public authorities

Passport, identity card, tax identification number, social security number

Information about one’s family situation

Marital status, number of children

Professional information

Professional experience, power of representation, professional contact details, title

Financial information

Account history information, credit history information, bank details, extract from the debt collection and bankruptcy register

Information relating to transactions or investments

Current and past investments, investment profile, investment preferences, amounts invested, number and value of financial instruments held, role played in a transaction (seller / buyer), details of a transaction

Information from exchanges between the Data Subject and the Bank

Calls, meetings, exchanges of emails and/or text messages, telephone conversations

Security and management data

References, records of presence on the Bank's premises

Verification data (e.g. Know Your Client)

Reputation and background checks, possible sanctions or proceedings

2. Where does the Personal Data processed by the Bank come from?

The Bank collects the following Personal Data:

  • directly from each Data Subject, for example when the Data Subject contacts the Bank or fills in a Bank form; and/or
  • indirectly from external sources, including publicly available sources (e.g. UN or EU sanctions lists), information available through subscription services (e.g. Bloomberg) or through other third parties (e.g. a business introducer or external asset manager).

 

3. Why is the Personal Data processed by the Bank?

The Bank may process Personal Data for the purposes listed below:
A. The Personal Data processing procedures listed below are based on the implementation of a contractual obligation towards a Data Subject:

  • the opening of an account and/or the setting up of a business relationship with the Bank, including all procedures related to the identification of a Data Subject;
  • compliance with the applicable contractual clauses;
  • any other financial services related to the account, including financial services expressly requested by the Client;
  • the sending of information of an administrative nature (for example, an update of the Bank's General Terms and Conditions); and
  • the management, administration and distribution of collective investment schemes, including services related to such activities (e.g. processing applications for the subscription, conversion and redemption of units of collective investment schemes).


B. The Personal Data processes listed below are based on a legal or regulatory obligation:

  • the provision of information on the Bank's products and services to the Data Subject;
  • the monitoring of compliance with legal obligations in the area of financial market regulation;
  • any form of cooperation with competent authorities, in particular supervisory authorities, authorities responsible for combating money laundering and terrorist financing and authorities involved in the automatic exchange of information in tax matters (including the Common Reporting Standard and the US Foreign Account Tax Compliance Act [FATCA]);
  • any measure to implement international sanctions in accordance with the procedures established by the Bank, including the processing of Personal Data for screening purposes;
  • the assessment and management of risks, in particular market, credit, operational, liquidity, legal and reputational risks; and
  • the recording of telephone conversations and electronic communications with Data Subjects in order to combat fraud and other criminal offences;


C. The Personal Data processing procedures listed below are based on the Bank's legitimate interests:

  • the assessment of certain characteristics of Data Subjects using automated Personal Data processing ("profiling") (see Question 4);
  • any processing aimed at developing the business relationship;
  • any processing aimed at improving the Bank's internal organisation and internal processes;
  • any processing in connection with the management of the Bank's IT environment, in particular with a view to guaranteeing the security of its IT systems;
  • the use of Personal Data for marketing purposes, unless the Data Subject has objected to the use of his or her Personal Data for this purpose;
  • any processing necessary to enable the Bank to establish, enforce or oppose a current or future claim, or to enable the Bank to handle an investigation by a public authority, in Switzerland or abroad;
  • any processing necessary to enable the Bank to prove a transaction; and
  • the recording of telephone conversations and electronic communications with Data Subjects for the purpose of protecting the Bank's interests, analysing and improving the quality of the services and products offered, training Bank staff and controlling risks.

The Bank draws the attention of each Data Subject to the following points:

  • The Bank is subject to confidentiality obligations, which stem in particular from banking secrecy. The Personal Data that the Bank processes could also be subject to these obligations. The Bank draws the Client's attention to the relevant article in the General Conditions, which specifies the cases in which the Client releases the Bank from its legal obligations of confidentiality (including banking secrecy).
  • If Personal Data is processed for purposes other than those listed in the answer to Question 3, the Bank will inform the Data Subject in advance and, if necessary, request his or her consent.

 

4. Does the Bank use "profiling" or "automated individual decision-making"?

The Bank assesses certain characteristics of a Data Subject through automated processing of Personal Data ("profiling"), in particular to provide personalised offers and advice or information on the Bank's products and services. The Bank may also use profiling to identify the level of risk associated with a Data Subject (for example in the context of combating money laundering and terrorist financing).

The Bank does not take decisions that have legal effects or significantly affect a Data Subject exclusively by means of automated processing of Personal Data (“automated individual decisions"). If the Bank were to use "automated individual decision-making" in the future in its business relations with its clients, it would do so in accordance with the applicable legal and regulatory requirements.

 

5. Does the Bank share Personal Data with third parties?

The Bank reserves the right to share Personal Data:

  • with administrative authorities (e. g. prudential supervisors), judicial authorities and financial market participants (e. g. operators of a financial market infrastructure, such as an exchange, a broker, a correspondent bank, a sub-custodian, an issuer, a financial market supervisory authority and their representatives); 
  • with subcontractors in the context of outsourcing, as per the General Terms and Conditions;
  • with the Bank's auditors, its legal advisers and/or certain of the Bank's service providers;
  • with affiliated entities.

 

6. Is Personal Data shared outside Switzerland?

The Bank may disclose, transfer and/or store Personal Data outside Switzerland under the conditions provided for by law, in particular:

  1. in the context of the conclusion or execution of contracts directly or indirectly related to the business relationship (i.e. a contract concluded with a Data Subject or with a third party, but in the interest of a Data Subject), for example in the context of outsourcing, in accordance with the relevant article of the General Terms and Conditions;
  2. if such a transfer is necessary to safeguard the greater public interest;
  3. if such a transfer is necessary to enable the Bank to establish, exercise or oppose a present or future claim, or to enable the Bank to deal with an investigation or a request from a public authority, in Switzerland or abroad; or
  4. in exceptional cases, when such a transfer is required by the applicable regulations (in particular in order to comply with reporting obligations in stock exchange transactions).

Apart from the cases referred to above, if Personal Data is transferred to a country that does not offer an adequate level (from a Swiss perspective) of personal data protection, the Bank will ensure, if required by the applicable regulations, that it obtains the consent of the Data Subject or puts in place appropriate safeguards, in particular contractual undertakings, which may in particular take the form of the standard contractual clauses drawn up by the European Commission.
The list of countries to which Personal Data may be transferred is available by clicking on the following link: List of countries
The Client affirms having informed the Related Persons in this respect.
Each Data Subject may contact the Bank (see Section III below) if he or she wishes to obtain additional information on this subject.

7. How long is Personal Data stored?

The Bank retains Personal Data for as long as necessary to achieve the intended purpose (see Question 3). The Bank deletes or anonymises Personal Data when it is no longer required for the purpose for which it was collected,

  1. subject to the period necessary to enable the Bank to fulfil its operational obligations, such as, for example, the management of its client relations and/or the proper management of its accounts;
  2. subject to the legal and regulatory obligations applicable to the Bank with regard to the storage of documents and information; and
  3. subject to cases in which a longer storage period is necessary to enable the Bank to establish, exercise or oppose a current or future claim, or to enable the Bank to handle an investigation by a public authority, in Switzerland or abroad (e.g. setting up a legal hold).


8. What rights does a Data Subject have in relation to his or her Personal Data?

Under the applicable regulations, each Data Subject has the following rights with regard to his or her Personal Data processed by the Bank:

  • the right to access their Personal Data;
  • the right to request that the Bank provide him or her, in a commonly used electronic format, with the Personal Data concerning him or her that he or she has communicated to the Bank (excluding Personal Data that the Bank has received from other sources) and that the Bank processes in an automated manner (i) with his or her consent or (ii) in direct relation to the banking relationship;
  • the right to obtain information about how the Bank processes his/her Personal Data;
  • the right to have Personal Data corrected if it is inaccurate or incomplete;
  • the right to object to the processing of his/her Personal Data in the cases provided for by applicable law.
  • the right to request a limit on the processing of his or her Personal Data; and
  • the right to request the deletion of his or her Personal Data when it is no longer necessary for the purposes for which it was collected or processed or when the Data Subject has withdrawn his/her consent (in cases where the processing of the Personal Data in question is based on the consent of the Data Subject), subject to the applicable retention periods (see Question 7); and
  • the right to obtain additional information from the Bank at the address given in Section III below and, if the Data Subject considers that the answer given is not satisfactory, to contact the Swiss Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home.html).

The Bank specifically draws the attention of each Data Subject to the fact that he or she may, at any time, contact the Bank (see Section III below) in order to,

  • oppose the use of his/her Personal Data for commercial canvassing (marketing) purposes by the Bank or by third parties;
  • where the legal basis for the processing of Personal Data is consent, to withdraw consent at any time (it should be noted that, in such a case, the Bank is still authorised to continue processing if it has another justification).

In the absence of certain Personal Data concerning the Data Subject (or if the Data Subject exercises his or her right to object to the processing of Personal Data or to withdraw consent), the Bank may not be able to provide the Client with the service or product for which the processing of such Personal Data is required.


III. Additional information about the processing of Personal Data by the Bank

For any questions or requests relating to data protection, the Bank can be contacted at the following postal and e-mail addresses:
 

Banque Cantonale de Genève
Protection des données
17, Quai de l’Ile
1204 Geneva
Switzerland
 

protectiondesdonnees@bcge.ch

*  *  *
(Ed. August 2024)

This Notice may be updated from time to time and will be posted on the Bank's website (www.bcge.ch, under "Data Protection").