1. Preamble: the new Federal Data Protection Act
The Federal Assembly of the Swiss Confederation has completely overhauled the old Federal Data Protection Act of 19 June 1992.
The new Data Protection Act (hereinafter DPA) and its implementing ordinance (DPO) came into force on September 1st, 2023. The DPA led to the repeal of the old law.
Prime Partners (hereinafter PPSA) is subject to the Data Protection Act (article 2, paragraph 1, letter a of the Act).
In accordance with the principle of transparency, PPSA hereby wishes to explain to all its clients and prospective clients, as well as to its business partners and service providers, the broad scope of this law and in particular :
- PPSA’s obligations and rights
- Rights and obligations of relevant parties as defined in Chapter 2 ;
- How PPSA has organized itself to process the data of relevant parties in accordance with the organizational and security provisions described in Articles 7 and 8.
Moreover, this declaration supplements PPSA’s General Terms and Conditions given to its clients and prospective clients.
2. Useful definitions
2.1 Personal data
Any information relating to an identified or identifiable natural person. In other words any client, prospective client, business partner or service provider, as well as any person linked to them.
2.2 Relevant party
The natural person (client, prospective client, business partner or service provider) whose personal data is being processed.
2.3 Related parties
Related parties are natural persons who, directly or indirectly, have a link with the client, prospective client, business partner or service provider.
This category of persons includes, in particular, the joint holder of an account, the holder of a power of attorney, the beneficiary of a right to information or e-banking access, as well as any person about whom the client or prospective client provides PPSA with information, such as, for example, members of his family, his advisers (lawyer, notary, tax expert, real estate agent, banker or others), the beneficial owner, the controlling person, the director, manager or employee of a company, the settlor, the protector or the beneficiaries of a Trust or Foundation, the subscriber, the person actually paying the premiums or the policyholder of a life insurance policy, his employer or a sub-contractor.
2.4 Sensitive personal data (sensitive data)
Those are listed in article 5, para. 1, lettre c DPA.
2.5 Processing and data controller
Processing is defined as any operation relating to personal data, whatever the means and procedures used, in particular the collection, storage, use, communication, archiving, erasing or deletion of data.
The data controller is the private individual who, alone or jointly with others, determines the purposes and means of the processing of personal data. In this case, it is PPSA.
2.6 Communication
This is the act of transmitting personal data or making it accessible.
2.7 Subcontractor
A private individual who processes personal data on behalf of the data controller (e.g. an IT service provider).
3. Principles governing the DPA (article 6 DPA and 1 DPO)
In summary, they are as follows:
- Data processing must be lawful.
- It must comply with the principle of good faith and proportionality.
- Personal data may only be collected for specific purposes that are identifiable by the relevant party.
- The data controller must ensure that personal data is accurate: to this end, it shall take all appropriate steps to rectify, erase or delete data that is inaccurate or incomplete in relation to the purposes for which it was collected or processed.
- Personal data is deleted or rendered anonymous as soon as it is no longer required for the purposes for which it is to be processed.
- The processing of certain personal data, in particular so-called sensitive data, requires the informed consent of the relevant party.
4. Organization and data security (Art. 7 and 8 DPA)
PPSA is responsible for processing the personal data it collects as part of its wealth management business.
To comply with the requirements of Articles 7 and 8 of the DPA and Articles 2 and 3 of the OPDo, PPSA has put in place organizational and technical measures:
- To ensure that personal data, including sensitive data, is processed in strict compliance with the provisions of the DPA and in particular with the principles set out in Article 6 of the Act and Article 1 of the DPO.
- So as to guarantee adequate security of the personal data collected in relation to the risk involved (article 3, para. 2 DPO).
5. Distinction to be made
It should be remembered that there is a tripartite relationship between the Client, the Custodian Bank and PPSA.
To define the responsibility of each of the three parties with regard to the DPA, it is important to clearly differentiate their respective roles:
— The client grants PPSA a discretionary management mandate or an advisory mandate for assets deposited with a bank of the client’s choosing (the Custodian Bank).
In this contractual relationship, PPSA will have to collect a certain amount of personal data on its client, who is the «relevant party» within the meaning of Article 5 of the Data Protection Act. PPSA will act primarily as data controller within the meaning of that same article.
— The client opens an account with the Custodian Bank. He will enter into a contract with the Custodian Bank covering a range of services, including custody, brokerage and foreign exchange.
In this contractual relationship, the Custodian Bank will collect various personal data about its client (the relevant party). The Custodian Bank will therefore also act as data controller.
The client will inform the Custodian Bank that he has granted PPSA a discretionary management mandate or an advisory mandate and that PPSA is authorized to act freely on his account. By means of this instruction (the powerof attorney for the management of the account), the Client authorizes PPSA to get access to the personal data collected on him by the Custodian Bank.
— The third contract that forms this tripartite relationship is the one that governs the collaboration between PPSA and the Custodian Bank and deals, among other things, with the joint application of the DPA.
In this third contract, it is apparent that PPSA or the custodian bank is, as applicable, either the data controller or the subcontractor. The responsibilities are not the same.
Thus, when PPSA requests an account statement or a transaction advice to justify a high risk transaction, the Custodian Bank acts as a subcontractor responsible for communicating the client’s personal data to PPSA.
With regard to FATCA or the automatic exchange of information (AEOI) in taxmatters , the Custodian Bank has an obligation to report to the US or to the Swiss authorities, which is not the case for PPSA acting as a wealth manager. If PPSA has information that the Custodian Bank does not have, the latter may request it. In this case, PPSA will act as a subcontractor.
6. PPSA data controller / Contact
As part of its activities as a wealth manager, PPSA collects and processes personal data on :
- Its existing clients ;
- Potential clients (prospects);
- Related parties within the meaning of section 2.3 above ;
- Business partners (e.g. business introducers);
- Service providers (e.g. IT).
The data controller, in this case PPSA, provides the relevant party with adequate information about the collection of personal data, whether or not it is collected from them (article 19 DPA and 13 DPO).
Under Article 20 of the DPA, PPSA may :
- Be released, in exceptional cases, from its duty of information;
- Be authorized to restrict or defer the communication of information.
The relevant party undertakes to contact the «related parties» within the meaning of section 2.3 above and to forward this Declaration to them for their information.
For any questions regarding this Declaration or, more broadly the processing of personal data of the relevant parties or of persons linked to them, their relationship manager may be contacted directly or, alternatively, PPSA’s Data Protection Officer, whose address is as follows:
Prime Partners S.A.
PPSA Data Protection Officer, DPO
15, rue des Alpes,
1201 Geneva
Switzerland
7 Categories of personal data processed by PPSA
The categories of personal data processed by PPSA include the following:
7.1 With regard to clients, including prospective clients and related parties
7.1.1. Personal identification information (such as name, nationality, place and country of birth, domicile or country of residence), contact details (such as telephone, e-mail address) and family information (such as marital status, name of spouse and children).
7.1.2 ID copies issued by public bodies (passport, identity card, driver’s license, residence permit, tax identification number, social security number and work permit).
7.1.3 Information relating to the professional situation (field of activity or professional background, position, name of employer and professional experience).
7.1.4 Financial information, wealth overview (assets including real-estate), contingent liabilities, income, banking transactions and, in special circumstances, an extract from the Debt Collection and Bankruptcy Register and an extract from the Criminal Record.
7.1.5 Copies of private law contracts (such as contracts for the sale of assets or real-estate properties) and invoices.
7.1.6 Copies of official documents issued by public bodies, notaries or executors of wills in estate matters (such as death certificates, certificates of inheritance, notarial or holographic wills, executor’s powers, matrimonial regime contracts).
7.1.7 In the event that PPSA enters into a business relationship with :
- A Swiss or foreign company, copies of the documents attesting its existence (such as an extract from the Commercial Register or equivalent, identification by passport or identity card of the company’s governing bodies, in particular the directors, as well as those holding power of attorneys and copies of audited balance sheets for commercial companies).
- A Trust, copies of the documents attesting its existence (such as copies of the Trust Deed, Letter of Wishes, identification by passports or identity cards of the Grantor/Settlor, Trustees, Protectors and list of beneficiaries if designated).
- A Swiss or foreign Foundation, copies of the documents attesting its existence (such as the Articles of Association, the Foundation Regulations, identification by passports or identity cards of the Founder, the members of the Foundation Board, the member of the Supervisory Board and the list of beneficiaries if designated).
7.1.8 The client’s or prospective client’s financial knowledge and experience, risk appetite, investment objectives and investment preferences.
7.1.9 The bank identification (IBAN), such as bank details and credit card numbers.
7.1.10 The tax domicile and other documents and information relating to the client’s tax status.
7.1.11 The instructions given by the client to PPSA by any means of communication, as well as the supporting documents required by law and regulations to justify the movements of funds carried out by the client.
7.1.12 Documents and information provided by the client or prospective client when they have PEP or PEP-linked status.
7.1.13 For the purpose of checking a client’s or prospective client’s reputation and background, data relating to them or «related parties» found on the Internet or in specialized search engines (such as World-Check, Polixis or others).
7.1.14 Data relating to the client or prospective client, provided by Swiss or foreign government bodies (such as SECO, OFAC and others) and relating in particular to sanctions.
7.2 With regard to business partners and service providers
All personal data listed under numbers 7.1.1 / 7.1.2 / 7.1.3 / 7.1.7, para. 1 / 7.1.9 / 7.1.10 / 7.1.13 / 7.1.14.
OASI, VAT, TIN and IBAN numbers, extracts from the Commercial Register or equivalent documents, extracts from the Debt Collection and Bankruptcy Register and extracts from the Criminal Record.
8 Methods and sources of personal data collection
Personal data is collected:
— DIRECTLY from the relevant parties as defined in Chapter 2: they alone are responsible for the accuracy and veracity of the personal data they provide to PPSA.
— INDIRECTLY from external sources providing information to the public such as :
- Publications and databases made available by private bodies (such as World-Check, Polixis or others) or public bodies (such as the OFAC, SECO, UN or EU
sanctions lists, Commercial Registers, Debt Collection and Bankruptcy Registers, the Criminal Records Register or others). - Internet.
- Social networks.
- Third parties (such as money laundering prevention authorities, civil, criminal and administrative authorities, custodian banks, correspondent banks or business introducers).
9 Legal basis and purpose of personal data processing
9.1 Legal basis
Under Article 6 of the DPA, data must be processed lawfully, in other words on a clear legal or contractual basis.
Thus, PPSA processes personal data relating to its clients, prospective clients, business partners or service providers exclusively in order to satisfy :
— Its CONTRACTUAL OBLIGATIONS arising from the various contracts it has entered into with its counterparties (e.g. discretionary management mandate or investment advisory mandate, business introducer contract, collaboration contract with custodian banks, service or outsourcing contract).
— Its LEGAL AND REGULATORY OBLIGATIONS resulting from all the laws and regulations to which PPSA is subject and, in particular, the Federal Act on Combating Money Laundering and the Financing of Terrorism (AMLA), the Financial Services Act (FinSA) and the Financial Institutions Act (FinIA), the DPA and their implementing ordinances.
9.2 Purposes of personal data processing
PPSA processes personal data for the following purposes in particular:
- Identifying the «relevant parties» and the «related parties».
- Ensuring the proper management and monitoring of the business relationship with the client and the execution of transactions in accordance with the client’s instructions and the requirements of the AMLA and its implementing ordinances (e.g. the processing of high-risk transactions or transactions initiated by clients classified as high-risk, in particular PEPs and PEP-linked individuals).
- Carrying out legal and other regulatory compliance checks (e.g. on AMLA, implementation of international sanctions, FATCA and AEI in tax matters).
- Being able to respond to any procedure or request from an administrative authority and to cooperate with them (e.g. FINMA, Supervisory Organization, MROS or a Swiss or foreign judicial authority).
- Preventing fraud, active or passive corruption and the provision of financial or other services to persons subject to permanent economic and trade sanctions.
- Complying with the terms of applicable contracts.
- Implementing risk management and internal control measures.
- Establishing, exercising and/or defending current or future rights in legal actions, investigations or similar proceedings.
- Providing documentation on a product or service offering to the client.
- Ensuring compliance with Swiss and foreign financial market legislation.
- Carrying out regular audits or reviews in relation with a relevant party as defined in Chapter 2.
9.3 Personal data that PPSA does not process
PPSA does not process personal data for commercial prospecting purposes (MARKETING).
PPSA DOES NOT DO PROFILING within the meaning of the DPA, i.e. the automated processing of personal data consisting in using such data to evaluate certain personal aspects relating to a «relevant party», in particular analyzing or predicting elements concerning his/her economic situation, health, personal preferences, interests, reliability, behavior, location or travels.
In principle, PPSA DOES NOT PROCESS SENSITIVE PERSONAL DATA within the meaning of Article 5(c) of the DPA, which requires the client to be informed and to give their prior consent (Article 6(7)(a) of the DPA). If, however, it were to do so on an exceptional basis, PPSA would inform the «relevant party» and obtain their prior consent.
9.4 Refusal by the «relevant party» to provide personal data
The provision of personal data may be mandatory for the client by virtue of certain legal and regulatory provisions, e.g. the AMLA with regard to the identification of the co-contracting client and the beneficial owner. If the client refuses to provide such personal data, PPSA may terminate the business relationship or even report the matter to the MROS.
10 Disclosure of personal data to third parties
10.1 In Switzerland
In the course of its business, PPSA may be required to communicate personal data to :
- Civil or criminal judicial authorities.
- Administrative authorities (e.g. MROS or tax authorities).
- Financial market participants (such as custodian banks, correspondent banks, brokers, suppliers of financial services or products, credit card issuers, financial market supervisory authorities).
- Subcontractors for outsourced services in the areas of legal and compliance, risk management, accounting and IT, all of whom are subject to the DPA and contractually bound to confidentiality.
- Often on the instructions of the client himself, to lawyers, notaries, accountants, tax experts or other consultants who are also subject to the DPA and bound by confidentiality.
- PPSA’s external auditors, the Supervisory Organization and FINMA.
10.2 Outside of Switzerland
Personal data may be communicated to judicial and administrative authorities or financial market participants (e.g. custodian and correspondent banks, financial market supervisory authorities) outside of Switzerland, in compliance with international agreements on mutual assistance in civil, criminal, administrative and tax matters and the provisions of the DPA, in particular Articles 16 and 17 of the said Act and Articles 8 to 12 of the DPO (see also Appendix 1 DPO).
If a communication is made to a country that does not offer an adequate level of protection within the meaning of the DPA, PPSA will ensure that appropriate technical, operational and legal safeguards are in place to protect the personal data concerned.
11 Privacy
In the course of its business as a wealth manager, PPSA is subject to confidentiality obligations arising in particular from professional secrecy under article 69 FinIA (breach of professional secrecy), in certain cases from banking secrecy under article 47 of the Federal Act on Banks and Savings Banks (Banking Act), and from breach of the duties of diligence and discretion under articles 61 and 62 of the DPA itself.
All personal data collected by PPSA is therefore covered by these legal provisions.
However, PPSA draws the attention of each relevant party to the fact that in certain situations expressly provided for by law, professional secrecy or banking secrecy or the duties of diligence and discretion may be waived. In this respect, reference is made to PPSA’s General Terms and Conditions.
12 Length of time personal data is kept or archived
The period for which personal data is archived or retained depends on the retention period laid down by Swiss legislation and regulations, and the purpose for which the personal data is processed.
In accordance with Swiss legislation, PPSA is obliged to keep personal data for a period of 10 YEARS after the end of the business relationship or after the end of the transaction.
However, a longer retention period may be justified in order to enable PPSA to establish facts, to exercise its rights, to defend itself against a current or future claim or to enable it to deal with an investigation by a public authority, in Switzerland or abroad.
13 Rights of the relevant party in relation to his/her personal data (Articles 25 to 29 of the DPA and 16 to 22 DPO)
13.1 Subject to the limitations set out in this Declaration and the provisions of the DPA and the DPO, the «relevant party» may exercise the rights set out below free of charge, with the exceptions described in Article 19 DPO:
13.1.1 Request access to personal data held by PPSA and receive a copy.
The information to which the «relevant party» is entitled is described in Article 25 DPA. When the «controller», in this case PPSA, has personal data processed by a subcontractor, it remains obliged to provide the information requested.
The «relevant party» cannot waive the right of access in advance.
The «controller» must provide the information within 30 DAYS (article 18 DPO).
Under article 26 of the DPA, the data controller may REFUSE, RESTRICT OR DEFER communication of the information requested, for example if the law obliges it to do so, if the interests of a third party so require or if the request for access is manifestly unfounded or litigious.
Articles 16 to 19 of the DPO govern access to personal data.
In principle, the «relevant party» must send their request for access IN WRITING OR BY ELECTRONIC MEANS to PPSA’s Data Protection Officer at the address given in point 6 above. However, the request may also be made ORALLY with the prior agreement of the Data Protection Officer.
In agreement with PPSA’s Data Protection Officer, the «relevant party» may consult their personal data at PPSA’s head office.
PPSA’s Data Protection Officer will provide the information requested in writing, electronically or orally, in the latter case with the prior consent of the «relevant party».
The information is provided in a form that the relevant party can understand.
PPSA takes appropriate measures to identify with certainty the «relevant party», . who are obliged to cooperate.
13.1.2 Require PPSA to RETURN or TRANSMIT to them, in a commonly used electronic format, their personal data that they have communicated to PPSA, in accordance with the conditions set out in article 28, paragraph 1 of the DPA and article 21 of the DPO.
The «relevant party» may also ask PPSA to transfer their personal data to another data controller, provided that the conditions set out in Article 28(1) DPA are met and that this does not require disproportionate effort.
PPSA must deliver or transmit said personal data within 30 DAYS. Delivery or transmission is free of charge, except in the cases described in Article 19 DPO. Articles 16, paragraphs 1 and 5 and 17 to 19 of the Data Protection Act apply mutatis mutandis to the methods of delivery and transmission.
Under Article 29 DPA, PPSA may REFUSE, RESTRICT or DEFER the delivery or transmission of personal data on the same grounds as those set out in Article 26, paragraphs 1 and 2 DPA.
13.1.3 Request a RECTIFICATION or DELETION of personal data if it is found to be inaccurate or incomplete. However, the right of deletion is not absolute and may be restricted on the basis of overriding interests that require the continued processing of personal data and in particular the legal obligation to retain such data.
13.1.4 Request a RESTRICTION ON THE PROCESSING of personal data whose accuracy is disputed, if the processing is unlawful or if the «relevant party» has objected to the processing. In the latter case, if the «relevant party» objects without right to the processing of all or part of their personal data, PPSA may stop offering them certain services or products, terminate the business relationship, or even report the matter to MROS.
13.1.5 Obtain a copy of the appropriate or adequate safeguards that PPSA may have implemented to transfer or access the data abroad.
13.1.6 FILE A COMPLAINT with PPSA’s Data Protection Officer regarding the processing of personal data and, if the problem is not resolved satisfactorily, file a complaint regarding the processing of personal data to the competent data protection authority.
13.2 With regard to the rights listed under points 13.1.2 to 13.1.6 above, the «relevant party» must assert them to the PPSA Data Protection Officer EXCLUSIVELY IN WRITTEN FORM.
13.3 If a «relevant party» objects to the processing of personal data, PPSA shall be entitled to continue such processing if:
- The law requires it to do so;
- The processing is necessary for the performance of the contract to which the «relevant party» is a party;
- It is necessary for the purposes of legitimate interests pursued by PPSA, including the establishment, exercise or defense of legal claims.
13.4 PPSA ensures that personal data is kept accurate and up to date.
Consequently, the «relevant party» must inform PPSA without delay of any changes to their personal data.
14 Outsourcing personal data (Articles 9 DPA and 7 DPO)
Under Article 9 of the DPA, data processing may be entrusted to a subcontractor provided that a contract or the Law so provides and that the following conditions are met:
- Only those processing operations are carried out which PPSA, as data controller, would be entitled to carry out itself.
- It is not forbidden by any legal or contractual obligation to maintain secrecy.
PPSA only subcontracts to companies based in Switzerland. These companies are themselves subject to the DPA and the DPO.
PPSA has taken all measures to ensure that the subcontractors it works with guarantee the security of the personal data subcontracted.
The subcontractor itself may only subcontract processing to a third party with the prior authorization of PPSA. PPSA is entitled to refuse such authorization.
15 Amendments to this declaration
PPSA reserves the right to modify this Declaration
16 Attached documents
— DPA
— DPO
https://www.fedlex.admin.ch/eli/cc/2022/491/fr
https://www.fedlex.admin.ch/eli/oc/2022/568/fr
17 Purpose of this declaration
The intended recipients of this declaration are mainly PPSA’s clients, prospective clients, service providers and business partners.