In this Privacy Statement, the term “personal data” means any information that identifies, or could reasonably be used to identify, an identified or identifiable natural person (data subject).
If you have questions about the processing of your personal data or other data protection concerns, you can contact us using these contact details.
B. Purpose of data processing and legal basis
We use the data collected primarily to enter into and perform contracts with our customers and business partners, in particular in connection with the provision of financial services and the purchase of products and services from our suppliers and subcontractors, and to comply with domestic and foreign legal obligations.
In addition, in accordance with applicable law and where appropriate, we may process personal data for the following purposes which are in our (or, where applicable, a third party’s) legitimate interests [EU requirement], such as:
- Providing and developing our products, services and websites, apps and other platforms on which we operate;
- Communicating with third parties and handling their requests (e.g. applications, media inquiries);
- Advertising and marketing (including the organization of events), unless you have objected to the use of your data for this purpose (if you are part of our customer base and receive advertising, you can object at any time and we will put you on a blacklist against further advertising mailings);
- Assertion of legal claims and defense in legal disputes and official proceedings;
- Prevention and investigation of crimes and other misconduct;
- Ensuring our operations, including our IT, websites, apps, and other applications.
If you have given us your consent to process your personal data for certain purposes (e.g. when registering to receive newsletters), we process your personal data within the scope of and on the basis of this consent, unless we have another legal basis if we need one. Consent given can be revoked at any time, but this does not affect the data processed before the revocation.
C. Collection and processing of personal data
We primarily process personal data that we receive from our customers and other business partners as well as from other persons in the course of our business relationships with them or that we collect from users in the operation of our websites, apps and other applications.
Insofar as we are permitted to do so, we obtain certain personal data from publicly accessible sources (e.g. land register, commercial register, press, Internet, debtors’ register,) or we obtain such information from affiliated companies of HanseMerkur Trust Swiss AG, from public authorities or other third parties (such as [distribution partners], [custodian banks], etc.). Apart from the data you have provided to us directly, the categories of data we receive about you from third parties include, but are not limited to, information from public registers, data we receive in connection with administrative or judicial proceedings, information relating to your professional role and activities (e.g., to enter into and perform contracts with your employer), information about you in correspondence and discussions with third parties, information about you provided to us by persons associated with you (family members, consultants, legal representatives, etc.) to enter into or perform contracts with you or with your cooperation (e.g., powers of attorney), information required by law such as. e.g. for anti-money laundering purposes, bank details, details about you that can be found in the media or on the Internet (where specified in individual cases, e.g. in connection with job applications, media reports, marketing/sales, etc.), your address and any interests and other socio-demographic data (for marketing purposes), data relating to your use of our websites (e.g., IP address, MAC address of your smartphone or computer, information about your device and settings, cookies, date and time of your visit, pages and content accessed, applications used, referring website, localization data).
In principle, we store this data for 12 months after the end of the processing purpose. This period may be longer if required for evidentiary reasons or to meet legal or contractual requirements.
D. Cookies / tracking and other relevant information about the use of our website
When you visit our website, your user-specific data (e.g. IP address, web browser, operating system) and technical data (e.g. URLs of accessed pages, execution of a search query) are collected and analyzed anonymously.
The aforementioned data is collected and processed for the purposes of system security and stability, error and performance analysis, and internal statistical purposes, and enables us to optimize our website.
When subscribing to our content or submitting a contact form/customer login, we process the data required to provide the requested service. Depending on the service, the following data may be processed: Email address, first name, last name, title, full address, subject and message.
If you have given us your consent to process your personal data for certain purposes (e.g. if you subscribe to a newsletter or make an inquiry), we process your personal data within the scope of and on the basis of this consent, unless we have another legal basis if we need one. Consent given can be revoked at any time; however, this does not affect the data processed until revocation.
In principle, we store technical data for 12 months.
When you contact us via the contact form, by e-mail, telephone or chat, by letter or by other means of communication, we collect the data exchanged between you and us, including your contact details and the marginal data of the communication. If we record or listen to telephone conversations or video conferences, for example for training and quality assurance purposes, we will notify you. Such recordings may only be made and used in accordance with our internal policies and legal requirements.
In principle, we store this data for 12 months from the last exchange with you. This period may be longer if required for evidentiary reasons, to meet legal or contractual requirements, or for technical reasons. Emails in personal mailboxes and written correspondence are generally retained for at least 10 years. Recordings of (video) conferences are generally retained for 24 months. Chats are also generally retained for 24 months.
Cookies and their use
In some cases, we use “cookies” to tailor our services as closely as possible to your needs. Cookies are small files that cannot perform any actions on their own and are stored on your computer or mobile device when you visit or use one of our websites. Cookies store specific settings about your browser and data related to exchanges with the website through your browser. When a cookie is activated, it can be assigned an identification number that identifies your browser and enables the use of the information contained in the cookie. There are basically two different types of cookies: temporary cookies and permanent cookies. We use temporary cookies that are automatically deleted from your mobile device or computer after the browser session ends. We also use persistent cookies to store user preferences (e.g., language, auto-login), [to understand how you use our services and content,][and][to show you customized offers and advertisements (which may also happen on websites of other companies; should your identity be known to us, these companies do not learn your identity from us; they only know that the same user visiting their website has previously visited a specific website)]. They remain stored on your computer or mobile device for a long time after the browsing session. They are automatically deactivated after a certain time.
Notwithstanding this, you can set your browser to reject cookies, to save them for one session only, or to delete them prematurely. Most browsers are preset to accept cookies. If you block cookies, it is possible that certain functions (such as language settings, shopping cart, order processes) will no longer be available to you.
Google Analytics and similar services
In the context of the use of our Internet pages, pseudonymized usage profiles are created and, as explained in section 5 above, small text files stored on your computer are used. The information generated by such cookies about your use of this website is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data mentioned in section 4 above, we receive the following information:
- Navigation path that a visitor follows on the website
- Dwell time on the website or subpage
- Subpage on which the internet page is left
- Country, region or city from where access is made
- End device (type, version, color depth, resolution, width and height of the browser window)
- Returning or new visitor
The tools, programs and instruments we use in the context of analyzing web behavior include Google Analytics, Google Tag Manager, Google Ads, YouTube (embedded videos), Userlike and MailChimp.
The information generated by cookies about your use of this website (including your IP address) is usually transmitted to a Google server in the USA and stored there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You can prevent the installation of cookies by changing your browser settings. In this case, however, you may not be able to use all the functions of the website in full. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
Social Media Plug-ins
In addition, we use plug-ins from social networks such as LinkedIn, Facebook, Twitter, or Instagram on our website. This is visible to you (typically by means of the respective icons). We have configured these elements so that they are disabled by default. If you activate them (by clicking on them), the operators of the respective social networks can record that you are on our website, from which page you are accessing, and can use this information for their own purposes. This processing of your personal data is the responsibility of the respective operator and is carried out in accordance with their data protection provisions. We do not receive any information about you from the respective operators.
E. Disclosure of data to third parties and transfer of data abroad
In the course of our business and in accordance with the aforementioned purposes of data processing, we may transfer data to third parties to the extent that such transfer is permitted and we consider it appropriate for them to process the data for us or, as the case may be, for their own purposes. In particular, the following categories of recipients may be involved:
- Our service providers (e.g. risk management & compliance, IT provider, CRM system)
- Domestic and foreign authorities, official bodies and courts
- Other parties in potential or actual legal proceedings
Some recipients are located in Switzerland, others may be located in any country worldwide. In particular, you should expect that your data will be transferred to any country in which the HanseMerkur Group is represented by subsidiaries, branches or other offices (e.g. Germany, Lichtenstein, etc.), as well as to other countries in Europe and the U.S. where our service providers are located (such as Microsoft, etc.).
If a recipient is located in a country without sufficient legal data protection, we oblige the recipient to comply with data protection (we use the revised standard contractual clauses of the European Commission for this purpose, which you can access here: www.eur-lex.europa.eu), unless the recipient is subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exception. An exception may apply, for example, in the case of legal proceedings abroad, but also in cases where there is an overriding public interest or the performance of a contract requires disclosure, if you have consented or if the data has been provided by you in general and you have not objected to the processing.
F. Duration of data storage
Your data, which includes personal data, will only be processed and stored for as long as is necessary to fulfill our contractual and legal obligations or the purposes otherwise pursued with the processing, i.e. if applicable for the duration of the entire business relationship and beyond that due to statutory retention obligations and documentation requirements. It is possible that personal data will be retained for the period in which claims can be asserted against us and insofar as we are otherwise legally obligated to do so or if legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the aforementioned purposes, it will be deleted or anonymized as far as this is possible. For operational data (e.g. system logs, logs), shorter retention periods of 30 days or less apply.
G. Data security
We have taken appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse. These measures include issuing instructions, training, IT and network security solutions, access controls and restrictions, encryption of passwords, data storage and transmission, pseudonymization and controls.
We cannot guarantee the security of data transmission over the Internet. In particular, when transmitting data by e-mail, there is a certain risk of access by third parties.
H. Your rights
In accordance with applicable law, you have the right to access, correct and delete your personal data, the right to restrict processing or to object to our data processing, in particular for direct marketing purposes, profiling for direct marketing purposes and other legitimate interests in processing, as well as the right to obtain certain personal data for transfer to another controller (data portability). Please note, however, that we reserve the right to assert legal restrictions on our part, e.g. if we are obliged to retain or process certain data, have an overriding interest (insofar as we can rely on such interests) or need the data to assert claims.
We have already informed you of the possibility to object to/revoke your consent at any time. Please also note that the exercise of these rights may conflict with your contractual obligations and this may result in consequences such as premature termination of the contract and may be associated with costs. Should this be the case, we will inform you in advance, unless this has already been contractually agreed.
In general, the exercise of these rights requires that you can prove your identity (e.g. by providing a copy of identification documents if your identity is not otherwise apparent or can be verified by other means). To exercise these rights, please contact us using the details provided above.
In addition, any data subject has the right to assert his or her rights in court or to file a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
I. Profiling [and automated individual decision making]
We may process your personal data partially automatically in order to evaluate certain personal aspects (profiling). Profiling enables us in particular to better inform and advise you about products that may be relevant to you. For this purpose, we may use evaluation tools that enable us to communicate with you and advertise to you as needed, including market and opinion research.
When initiating and conducting a business relationship, we generally do not use fully automated individual decision-making (such as pursuant to Article 22 of the GDPR). Should we use such procedures in certain cases, we will inform you separately about this and inform you of your rights in this regard, insofar as this is required by law.
J. Changes to this privacy statement