PRIME PARTNERS S.A. (PPSA) DATA PROTECTION STATEMENT
1 Confidentiality: a pillar of PPSA’s corporate culture
Since its foundation in 1998, PPSA has made a constant and determined effort to protect its clients’ data as much as possible.
It has made this a pillar of its corporate culture, given that it can only survive with the trust of its clients and cannot afford to disappoint.
Personal data protection has become more topical than ever in a world where societal and technological change facilitate access to this data, often excessively so.
PPSA therefore welcomed the European Union’s new General Data Protection Regulation when it entered into force on 25 May 2018. It is key legislation, which should increase privacy for all of us.
By making this statement, PPSA wishes to explain to its clients how this important regulation affects them.
PPSA is also pleased to note that, in Switzerland, the current comprehensive overhaul of the data protection act incorporates most of these new European measures. The new act should enter into force during 2019.
2 Object of the GDPR
Pursuant to its first article, the GDPR establishes rules to protect natural persons with regard to the processing of personal data and the free movement of such data.
It also protects the fundamental rights and freedoms of natural persons and in particular their right to personal data protection.
3 Material scope of the GDPR
This Regulation applies to the processing of personal data, whether fully or partially automated, and to the non-automated processing of personal data contained or likely to appear in a file.
4 Territorial scope of the GDPR
Beyond companies registered in the EU, the GDPR also applies to those - such as PPSA - incorporated outside the EU but which provide goods or services to European residents and process their personal data as a result (extraterritoriality of the regulation: article 3 of the GDPR).
5 Who are the “Data Subjects” concerned by PPSA’s processing of personal data?
“Data Subjects” are:
5.1 existing individual clients with whom PPSA has entered into a business relationship;
5.2 potential individual clients with whom PPSA is looking to enter into a business relationship;
5.3 any individual or entity (“Related Person”) about whom the client or a third party provides PPSA with information and/or otherwise known to PPSA through the business relationship.
A Related Person may in particular be:
5.3.1 the director, manager or employee of a company;
5.3.2 the trustee, settlor or protector of a trust;
5.3.3 the nominee or beneficial owner of the business relationship or account;
5.3.4 the controller;
5.3.5 the beneficiary of a specific payment;
5.3.6 any representative or agent (holder of a power of attorney or a right to information about the business relationship or account);
5.3.7 any other person or entity maintaining a relationship with the client that is relevant to the business relationship with PPSA.
IN THIS CONTEXT, PPSA REQUIRES THE CLIENTS CONCERNED TO CONTACT ALL RELATED PERSONS AND SEND THEM THIS STATEMENT
6 Who is responsible for processing Data Subjects’ personal data, and whom should Data Subjects contact at PPSA if they have any questions about the GDPR?
PPSA has responsibility for processing the personal data of these clients, or Data Subjects, as its management bodies determine the processing methods and purposes (article 4, point 7 GDPR).
It is solely to comply with Swiss and foreign laws and regulations governing its independent investment management activities, and to ensure the proper performance of the contracts that it has concluded with its clients, that PPSA is required to process this personal data. It can do so either as data controller, or as joint data controller, for example together with its clients’ custodians (hereinafter “Data Controller”).
It can also act as “Data Processor”: for example, this would apply if a Luxembourg life insurance company were to ask it to collect personal data on an individual subscribing to, paying the premium on or being the beneficiary of a policy.
Any client who is a Data Subject of PPSA and has questions about this statement may contact his or her client relationship manager or the Data Protection Officer (DPO) at the following address:
Prime Partners S.A.
PPSA Data Protection Officer, DPO
15 rue des Alpes,
7 How does PPSA process personal data?
PPSA is subject to certain confidentiality and/or secrecy requirements, arising for example from current federal laws on data protection, contracts, professional secrecy and banking secrecy. Personal data that is processed is subject to these obligations, which PPSA endeavours to fulfil scrupulously.
This statement describes the way in which PPSA processes - i.e. collects, records, stores, edits, views, extracts or deletes - personal data entrusted to it by Data Subjects (hereinafter “Processing” or “Processing operations” article 4, point 2 GDPR).
PPSA already adheres to, and will continue to adhere to - if necessary by strengthening its organisation - the personal data processing principles set out in article 5 of the GDPR (in particular, data must be collected lawfully, fairly and transparently with regard to the Data Subject; limited to the purposes for which it is processed; appropriate, relevant, accurate or if not corrected; stored for no longer than is allowed by law; and processed in a way that guarantees a suitable level of security).
PPSA is only responsible for the processing of personal data within the bounds of this Statement. For example, it is not answerable for the processing of personal data that it is lawfully required to send to its clients’ custodians. These custodians alone are responsible for the data as soon as it enters their remit.
8 What personal data does PPSA process, and where could it come from?
8.1. Personal data could, in particular, come from:
8.1.1 the Data Subject him or herself, including a Related Person;
8.1.2 the Data Subject’s custodian or another bank;
8.1.3 an advisor, lawyer, notary, other third party or referral agent;
8.1.4 a supranational organisation (e.g. sanctions list drawn up by the UN, EU, Swiss Confederation (e.g. publication/databases opened to the public such as SECO or Official Journal lists), a canton (e.g. Registry of Commerce) or a Commune (e.g. residency permit);
8.1.5 print or electronic media;
8.1.7 specialist databases opened to the public in accordance with applicable data protection legislation (World-check/Thomson-Reuters/Bloomberg).
8.2 Personal data that PPSA processes may include in particular:
8.2.1 identification data (e.g. surname, first name, ID card or passport, nationality, birth place and date, gender, photograph, IP address);
8.2.2 contact details (e.g. postal address, telephone number, email address);
8.2.3 information on family situation (e.g. marital status, number of children, where applicable death or inheritance certificate, national insurance number, social security number);
8.2.4 information on tax status (e.g. tax identification number, amnesty certificate, indication of ordinary or special tax status);
8.2.5 professional information (e.g. job, career history, position, role, power of representation, education, salary);
8.2.6 anti-money laundering and terrorist financing data (e.g. information on the source of deposited assets, or on the Data Subject’s total wealth, political status or family/professional relations with a PEP);
8.2.7 banking and transaction data (e.g. bank account details, financial history and credit card numbers);
8.2.8 data on transactions/investments (e.g. current and past investments, questionnaire used to determine the client profile, investment profile, preferred investments and amount invested, details of transactions);
8.2.9 data needed for risk management (e.g. client risk profiles, qualified investor status or not, transaction checks, screening app alerts);
8.2.10 data resulting from communications with Data Subjects, including Related Persons and third parties (e.g. emails, letters, official notifications, telephone notes and visit reports, and telephone or electronic recordings);
8.2.11 information sent, e.g. through cookies and similar technologies on websites and in emails.
9 For what purposes and on what legal basis does PPSA process personal data?
9.1 PPSA collects and processes personal data for specific and legitimate purposes (hereinafter “Purposes”) on the legal bases set out in this document.
In general, PPSA’s processing of Data Subjects’ personal data is based on the following Purposes:
9.1.1 the performance of a contract to which the Data Subject, including any Related Person, is a party (including to implement pre-contractual measures at the request of the Data Subject or Related Person);
9.1.2 the PPSA’s duty to meet its legal and regulatory requirements;
9.1.3 the pursuit of a legitimate interest;
9.1.4 the performance of a public interest role (e.g. preventing or detecting offences).
9.2 More specifically, PPSA collects and processes personal data needed:
9.2.1 to PERFORM A CONTRACT (article 6, point 1, letter b GDPR) to which the Data Subject is a party, which includes:
18.104.22.168 the establishment of a business relationship with PPSA through the signature of a discretionary or advisory management mandate and associated legal documents, including formalities concerning the identification of the Data Subject as well as his or her profile and investor status;
22.214.171.124 assisting the Data Subject and answering any questions;
126.96.36.199 providing information on the products and services offered, and evaluating any that may be recommended to the Data Subject;
188.8.131.52 the data needed to analyse the Data Subject’s needs and execute transactions.
9.2.2 to MEET THE LEGAL AND REGULATORY REQUIREMENTS (article 6, point 1, letter e, GDPR) to which PPSA is subject, including:
184.108.40.206 Swiss regulations applicable to independent asset managers, especially those issued by the Swiss Association of Asset Managers;
220.127.116.11 PPSA’s internal rules;
18.104.22.168 legislation on combating money laundering and terrorist financing;
22.214.171.124 legislation to prevent corruption;
126.96.36.199 Swiss and foreign stock market legislation and the provisions of the Swiss penal code relating to insider trading and market manipulation;
188.8.131.52 Swiss laws on combating, preventing and detecting tax fraud;
184.108.40.206 the US Foreign Account Tax Compliance Act (FATCA);
220.127.116.11 the federal law on the automatic exchange of tax information (EAR/CRS);
18.104.22.168 the provisions of Swiss law that may require a Swiss financial intermediary such as PPSA to cooperate with the MROS and Swiss or foreign legal authorities, supervisory bodies, police or cantonal/federal tax authorities, and provide them with a Data Subject’s personal data;
22.214.171.124 Swiss legislation on international mutual assistance in criminal, administrative, tax or civil matters, with PPSA having the same disclosure obligations as those mentioned immediately above;
126.96.36.199 legal and regulatory standards applicable to PPSA regarding risk management, especially operational, financial and legal risks;
188.8.131.52 applicable legislation on international sanctions and embargos.
9.3 the PERFORMANCE OF A PUBLIC INTEREST ROLE (article 6, point 1, letter e GDPR)
The processing operations referred to in 9.2 above may be based on other legal grounds and, ultimately, be very much dependent on the performance of a public interest role (e.g. preventing or detecting fraud, other offences or crimes).
9.4 LEGITIMATE INTERESTS (article 6, point 1, letter 1 GDPR) that PPSA pursues in order to:
9.4.1 assess certain characteristics of the Data Subjects on the basis of automatically processed personal data, so that they can be classified in various client categories, such as higher-risk clients, PEPs, qualified investors and investor profiles (“Profiling”/cf. figure 10 below);
9.4.2 develop business relations with the Data Subject;
9.4.3 monitor transactions to detect any anomalies;
9.4.4 keep evidence of operations or transactions as well as communications with the Data Subject, either in person (through the issue of a visit report), by telephone (in some cases by recording or more generally writing notes on telephone conversations), by any electronic means or by post, with a view to checking instructions, enforcing or defending PPSA’s interests and rights, and managing risks;
9.4.5 improve PPSA’s internal organisation and operational activities, especially internal control;
9.4.6 manage PPSA’s financial, operational, legal and investment risks, and take appropriate decisions in these areas;
9.4.7 keep records of correspondence with custodians, lawyers, notaries, tax advisors and any other external consultants;
9.4.8 observe, exercise and/or defend rights in relation to legal action, investigations or similar procedures;
9.4.9 prevent and investigate criminal offences, including terrorist financing, for example by accessing public sources through specialist search engines;
9.4.10 collect information by analysing data for statistical purposes, for example to assess regional risks, especially in relation to cross-border financial activities;
9.4.11 manage IT security and administration, including the surveillance of access to PPSA premises;
9.4.12 in certain cases, record conversations with Data Subjects (e.g. telephone or electronic communications) to check instructions, enforce or defend PPSA’s interests or rights, or to assess, analyse and manage PPSA’s operational, financial or legal risks.
9.5 on THE BASIS OF THE Data Subject’s CONSENT (article 6, paragraph 1, letter of the GDPR)
If PPSA carries out personal data operations for purposes other than those described above, or others that require the Data Subject’s prior consent (e.g. the widespread recording of telephone conversations), this shall be requested in due course.
Such consent may be withdrawn at any time. This also applies to consent statements provided to PPSA before the GDPR entered into force on 25 May 2018. The withdrawal of consent does not affect the legal nature of personal data processing carried out before such withdrawal.
Irrespective of whether consent is given, disclosure of the Data Subject’s personal data may be mandatory if required under laws or regulations to which PPSA is subject. Refusal by the Data Subject to disclose such information could lead PPSA to terminate the business relationship established with the Data Subject, or stop providing services to him or her.
10 Does PPSA use profiling or automated decision-making?
PPSA only uses Profiling, as defined in article 4, point 4 of the GDPR, in strict compliance with the Purposes set out in point 9 above and, more specifically, point 9.4.1 above.
Other than for these Purposes, it does not use any Profiling that could, for example, be intended to develop marketing operations or analyse the specific behaviour of Data Subjects or groups of specific individuals.
Furthermore, PPSA does not use automated decision-making in connection with business relations and/or Data Subjects. If it were to do so in the future, it would comply with all applicable laws and regulations.
11 Does PPSA share the personal data that it has collected with third parties?
If necessary or relevant for the achievement of the Purposes described above (article 9 above), PPSA reserves the right to disclose or make available Data Subjects’ personal data to the following recipients in particular, provided that such disclosure is legal, otherwise permitted (e.g. by contract) or required by an authority:
11.1 public or government administrations, courts, tax authorities and prosecutors;
11.2 the competent authorities (OAR, FINMA, MROS) or financial market participants (custodians, other banks - especially correspondent banks - ,brokers, stock exchanges, market authorities, service providers, credit/debit card processing service providers);
11.3 auditors, lawyers, notaries, trustees, guardians or executors of wills;
11.4 Data Processors, to whom such work has been expressly delegated by PPSA (e.g. Risk and Compliance functions), that may have to process Data Subjects’ personal data in the course of their work.
12 Does PPSA transfer personal data abroad?
PPSA may have to directly or indirectly transfer personal data outside Switzerland when:
12.1 this is needed for the performance of the contract with the Data Subject (e.g. payment instructions or trading orders);
12.2 it is required to do so by law (e.g. reporting requirements under tax legislation, or documents to be produced in response to requests for international mutual assistance);
12.3 the Data Subject has given consent.
13 What are the Data Subject’s rights in terms of personal data protection?
Subject to local data protection legislation, Data Subjects have the following rights:
13.1 RIGHT OF ACCESS, i.e. to ask to access their personal data held by PPSA, and receive a copy;
13.2 RIGHT OF RECTIFICATION, i.e. to ask to correct or complete any inaccurate or incomplete data;
13.3 RIGHT OF ERASURE, i.e. to delete all personal data when processing is no longer necessary for the Purposes referred to in point 9 above, or is no longer lawful for other reasons, albeit subject to the legally required data retention periods;
13.4 RIGHT TO RESTRICT PROCESSING of personal data where its accuracy is disputed, if such processing is unlawful, or if the Data Subject objects to such;
13.5 RIGHT TO OBJECT to the processing of personal data for reasons linked to the Data Subject’s individual circumstances;
13.6 RIGHT TO WITHDRAW CONSENT for any Data Subject who decides to do so;
13.7 RIGHT TO DATA PORTABILITY, receiving personal data in a structured, commonly used, machine-readable format;
13.8 RIGHT TO FILE A COMPLAINT with the PPSA’s Data Protection Officer and, in the absence of an amicable resolution to the problem, to refer the dispute to the competent data protection authority.
Subject to the limitations set out in this document and/or local data protection laws and regulations, Data Subjects may exercise the aforementioned rights at no charge, by contacting PPSA’s DPO.
14 For how long does PPSA keep or archive Data Subjects’ personal data?
In principle, PPSA deletes personal data or makes it anonymous when it is no longer needed for the Purposes referred to in point 9 above, albeit subject to:
14.1 Swiss laws or regulations applicable to the retention of personal data for a longer period;
14.2 to observe, exercise and/or defend real or potential rights, for example in relation to legal action, investigations or similar procedures, including retention for legal purposes, which the PPSA may require to preserve relevant information.
15 How does PPSA guarantee the security of personal data?
To guarantee personal data security for Data Subjects, including Related Persons and potential clients PPSA has been implementing for a considerable period of time internal technical and organisational measures, which moreover it continuously seeks to improve: these measures may include encryption, anonymization, access restrictions and physical security measures.
PPSA also requires its employees and all third parties carrying out operations on its behalf to comply with applicable legal standards, including protecting all information, and taking appropriate measures when transferring personal data.
16 Where can PPSA’s data protection statement be viewed?
A copy of this Statement may be requested from PPSA’s DPO by writing to the address provided in point 6 below.
This Statement may be amended at any time in accordance with applicable laws and regulations. The revised version will be sent to Data Subjects.
17 Approval and entry into force of this Statement
This Statement by Prime Partners SA, having its registered office at 15 rue des Alpes, Geneva, was drawn up and approved by PPSA’s Board of Directors at its meeting on 26 June 2018.
17.2 Entry into force
This Statement enters into force on 26 June 2018.