The aim of this Data Privacy Notice (the “Notice”) is to describe the processes for the collection, retention and processing of personal data (“Personal Data”) carried out by Bank of Nassau 1982 Limited (the “Bank”). This Notice supplements, but does not replace, the terms of the contractual agreements binding the customer or any other person to the Bank (including the articles of the General Terms and Conditions on outsourcing and bank secrecy).
Certain applications and services, such as e-banking and related applications, are governed by specific terms of use which may also contain data protection information that must be read and accepted prior to any use.
The Bank attaches great importance to the protection of the Personal Data of its customers and also of any person subject to the processing of Personal Data, and undertakes to collect and process said data in a transparent manner in accordance with the Federal Data Protection Act (the “DPA”). The purpose of this Notice is to inform the persons concerned by the collection, retention and processing of data (the “Data Subject(s)”) as well as the persons related to them (the “Related Person(s)”) of the types of Personal Data processed by the Bank and of the use made of them by the Bank, as well as the legal grounds on which it relies. Data subjects also include current and former employees of the Bank, all current and former job applicants, as well as the staff of external contractors and suppliers contracted by the Bank. This Notice also describes the rights of Data Subjects in this context.
We may collect your data directly from you or from a Related Person, i.e., a person or an entity that provides information in connection with our business relationship or our contractual relationship. A Related Person may be (i) a director, an officer or an employee of a corporation, (ii) the trustee, settlor or protector of a trust, (iii) the fiduciary (nominee) or beneficial owner of an account, (iv) the holder of substantial interests in an account, (v) the controlling holder, (vi) the recipient of a specific payment, (vii) the representative or agent (i.e., the person benefiting from a power of attorney or right to information on an account, the holder of an e-banking right of access), (viii) an employer or a subcontractor, (ix) a recruitment firm, (x) your former employers, (xi) background check services or (xii) available advertising sources, such as social networks, business or professional social networks or job posting sites.
We process your Personal Data in the context of past or existing business relationships or contractual relationships with potential customers, employees or applicants, including when you use our websites and applications (collectively, the “Business Relationship”). We may do so as either a controller or as a joint controller (the “Controller”).
If you have any questions about this Notice, you may send a detailed message to bofnrisk@bankofnassau.com.
Personal Data include any information relating to an identified or identifiable natural person and are set out below.
Our processing of Personal Data may be based on law, such as banking regulations, financial market supervision and/or anti-money laundering and anti-terrorist financing regulations, the Swiss Code of Obligations (“CO”), on social security laws, on our overriding private interest, including the conclusion or performance of a contract, on an overriding public interest and on your consent, and may also be based, cumulatively, on one or other of the aforementioned reasons. The Personal Data collected by the Bank include in particular:
- Personal information such as your name, national identification number, date of birth, anti-money laundering compliance documents, telephone number, home address and email address, as well as family information, such as the name of your spouse, partner or children;
- Sensitive information such as data on health, or racial or ethnic origin, data on criminal and administrative prosecutions or sanctions;
- Financial information, including payment and transaction records, information relating to your assets (including real estate), your financial statements, liabilities, taxes, income, profits and investments (including your investment objectives) and generally your risk profile;
- Details of our interactions with you and the products and services you use, including electronic interactions across various channels such as emails and mobile apps;
- Identifiers that we assign to you, such as your customer number, business relationship number, partner number, contract or account number, including identifiers for accounting purposes;
- Identification data issued by government departments and other registers: identity cards, passports, certificate of incorporation, articles of association, share registers;
- Information relating to criminal convictions or offences;
- Address for tax purposes and other documents and information related to your taxation;
- The AVS number and other documents and information related to an employment contract with the Bank or for the purpose of entering into an employment contract with the Bank, such as information about your education and various jobs, evaluation of your performance and, where applicable, behavioural data or data relating to personality traits;
- Professional information about you, such as your job title and professional experience, your remuneration with your current or former employer;
- Information relating to your investment knowledge and experience;
- Your financial situation, investment objectives, investment risk tolerance, and ESG preferences (Environmental, Social and Governance criteria);
- Any recording of telephone calls between you and the Bank, in particular telephone log information such as your telephone number, calling number, called number, call forwarding numbers, time and date of calls and messages, length of calls, forwarding information and types of calls, primarily in consideration of market abuse rules (supervision of financial markets and transparency);
- Management and security data, e.g., records of being at our premises;
- Visual and video surveillance media, for example, from video surveillance at our premises for security purposes;
- Use of cookies, traceability technologies and other means (e.g., web beacons, pixels, unique identifiers) to collect and process information about you from different channels and devices you use, including emails and devices you use to interact with us to access our websites, platforms, products, services and mobile device applications. To find out about how we use cookies and other traceability technologies in relation to our website, please refer to our Cookies Policy.
In certain circumstances, we may ask you for your prior or explicit consent to collect and process certain categories of Personal Data. For example:
- for reference information (e.g., your current or former employer);
- to comply with applicable law, in particular, the DPA or the CO.
If you, as an applicant or employee, provide the Bank with information about your family or any other third party (e.g., emergency contacts or references), you must, prior to providing us with such information, inform the persons concerned that you will be disclosing their Personal Data to us and provide them with a copy of the information contained in this Notice.
We process your Personal Data for a specific purpose and only those Personal Data necessary for the following purposes:
Onboarding
- To verify your identity and that of Related Persons;
- To carry out legal checks and other regulatory compliance checks (to comply with anti-money laundering and anti-terrorist financing regulations). As a result, the Bank may use information technologies to identify the level of risk associated with a Data Subject or a Related Person or a specific activity (use of WorldCheck or LexisNexis banking databases). This may mean that we send the personal data of a Data Subject or a Related Person to a company in the group to which the Bank belongs, or to a Swiss external service provider, in order to benefit from specific compliance knowledge.
Compliance (in order to adhere to anti-money laundering and anti-terrorist financing regulations and tax laws)
- To carry out statutory and regulatory compliance checks, in particular, as part of the on-boarding process, and periodic compliance controls, including in order to adhere to anti-money laundering and anti-terrorist financing regulations, fraud prevention regulations and the screening of sanctioned countries to prevent financial crime. As a result, we may use information technologies to identify the level of risk associated with a Data Subject or a Related Person or a specific activity (use of WorldCheck or LexisNexis banking databases). This may mean that we send the personal data of a Data Subject or a Related Person to a company in the group to which the Bank belongs, or to a Swiss external service provider, in order to benefit from specific compliance knowledge;
- To comply with our regulatory and compliance obligations, including with respect to the recording and monitoring of communications, disclosures to tax authorities, relevant supervisory authorities and other regulatory, judicial and governmental bodies or in connection with procedures and investigations or crime prevention;
- To respond to any procedure, request for mutual criminal or administrative assistance, criminal or administrative investigation (including requests prior to a formal investigation) from a public or judicial authority;
- To receive and process complaints;
- To receive and process internal complaints, queries or reports from employees or third parties submitted to Human Resources (“HR”);
- To carry out the background checks necessary for the recruitment of employees, including verification of any existing or potential conflict of interest or any other factor likely to restrict or prevent the recruitment of an applicant within the Bank, and also to prevent and detect offences, including fraud or criminal activity, misuse of our products or services as well as to safeguard the security of our IT systems, architecture and networks.
Managing the business relationship
- To manage our contractual relationship with you, including communicating with you about the products and services we provide to you and dealing with customer service issues and complaints. As a result, your personal data may be sent to a company in the group to which Bank of Nassau 1982 Limited belongs in order to provide financial products and services;
- To assess whether and how we can offer you products and services and suggest events that may be of interest to you.
Risk management
- For active management of risks which must be identified, restricted and controlled. These include, for example, managing compliance and risks relating to credit, payment default, liquidity processes and image and audit, as well as operational and legal risks;
- For risk management on the basis of consolidated supervision at the level of the group to which the Bank belongs;
- To conduct regular audits and/or reviews concerning you or Related Persons.
Human resources management
- For the recruitment and management of applications, and in particular to determine the suitability of an applicant’s qualifications. This may mean that we send the personal data of a Data Subject to a company in the group to which the Bank belongs, or to an external specialised company, in order to benefit from specific human resources knowledge;
- To manage our HR records and update the employee database, employment contracts or rights of access to the premises and systems used by the Bank, including when this includes biometric data;
- For the assessment of the integrity of applicants and employees (e.g., by requesting and checking extracts from prosecution records or criminal records), managing conflicts of interest or obtaining information relating to own investments;
- To set up internal or external training, which may take place face-to-face, virtually, via chat or using any other method;
- For other purposes that are necessary for the conclusion and performance of employment contracts.
Marketing and communication
- To organise internal or external events, whether in person or in virtual form, and for any activity promoting products, services or brands related to the Bank;
- To provide personalised information about services and products, for example, in the form of newsletters, or about the websites managed by the Bank.
Managing external service providers
- To manage our contractual relations with our external service providers, such as logistics, mail and parcel delivery, messaging, printing and archiving service providers, and to coordinate and evaluate the services provided to the Bank;
- To ensure the payment and posting of invoices from external service providers or to monitor the performance of the services rendered to the Bank;
- To organise calls for tenders; to carry out tasks for the preparation or performance of existing contracts;
- To manage our IT resources, including infrastructure management and business continuity, and also to update rights of access to the premises and systems used by the Bank.
Other purposes
- To comply with statutory obligations related to accounting and to ensure compliance with legislation on markets in terms of financial instruments, subcontracting, business abroad and qualifying holdings;
- To record conversations or images (e.g., video surveillance) to ensure the safety of people, assets, property and buildings, as well as critical IT infrastructures and systems and also to ensure training and communication needs.
Change of purpose
We only use your Personal Data for the purposes for which we collected them, unless we reasonably consider that we need to use them for another reason and that this is compatible with the original purpose.
If we need to use your personal data for purposes that are unrelated to the original purpose, we will inform you and provide you with the legal basis for doing so.
Information concerning a change of purpose in this regard may be provided through an amendment to this Notice. We therefore strongly encourage you to consult this Notice on a regular basis.
We may process your personal data without your knowledge or consent, in accordance with the above rules, where we are required or permitted by law to do so.
We may share your Personal Data with third parties, including third party service providers and other companies within the group to which the Bank belongs.
We require third parties to ensure the security of your data and process them in accordance with applicable law.
Third parties
- Companies in the group to which the Bank belongs;
- Recipients of payments, beneficiaries, intermediaries, correspondent banks and custodians, certain listed companies and their service providers (e.g., SRD II), clearing agency and clearing and settlement system;
- Other financial institutions;
- Lawyers, auditors.
Service providers
- Suppliers of computer hardware, software and outsourcing, mail service providers as well as compliance and mortgage analysis service providers that are contractually bound to confidentiality.
Public authorities or regulators
- Public authorities, regulators, stock exchanges or clearing companies, government bodies, courts or tribunals or parties to a lawsuit where we are required to disclose information under applicable law or regulation, at the request of public authorities or regulators or to protect our legitimate interests.
In the context of our Business Relationship, we do not share data with third parties outside Switzerland, subject to payment recipients, beneficiaries, intermediaries, correspondent banks and custodians, clearing agency and clearing and settlement system, other financial institutions or public authorities or regulators.
Various elements of information may therefore be transmitted, sometimes via authorised intermediaries, in third countries, for example, with regard to payment platforms, the Directive for the exchange of shareholders of listed companies (SRD II), exchanges with the US authorities (FATCA, QI arrangement, etc.) or automatic exchange of information (AEOI); a list of countries that have entered into an agreement with Switzerland can be found on the administration website (sif.admin.ch).
In particular, we share data with third parties located in the countries of non-Member States, partners under the Automatic Exchange of Information (AEOI) and the United States on the basis of the Foreign Account Tax Compliance Act (FATCA) and the Qualified Intermediary (QI) arrangement.
Over the course of the employment relationship between you and us, and in line with the Processing Purposes of Personal Data set out under Article 2, we may transfer your Personal Data to recipients in North Macedonia. Such transfers are always made in accordance with Swiss data protection law, either because (i) an appropriate level of data protection is guaranteed by Standard Contractual Clauses that the Federal Data Protection and Information Commissioner has approved beforehand and that have been adapted to Swiss law, or (ii) a statutory exception applies.
Suitable technical and organisational measures are implemented to protect your Personal Data against destruction, loss, alteration, misuse, unauthorised, accidental or unlawful disclosure or access, and against any other unlawful form of processing.
Employees who access Personal Data must comply with our rules and processes relating to the processing of your Personal Data in order to protect them and ensure their confidentiality.
Similarly, we ask our agents to process your Personal Data in accordance with the statutory requirements and, if necessary, according to our instructions, and generally, provided that they have previously agreed to process these data confidentially and to ensure their security.
We have put in place procedures to deal with any suspected Personal Data breach. We will notify you of any breaches and will also notify the relevant supervisory authorities in accordance with applicable statutory requirements.
We may process some of your Personal Data automatically for the purpose of evaluating the personal aspects of Data Subjects as described below (profiling).
As a result, we process data automatically (as required by law) when screening money transfers via our systems in the fight against money laundering and terrorist financing, as well as to monitor any transaction with a view to identifying whether it is evading rules on market abuse, international, and national sanctions and/or embargoes.
This may also be the case as part of our assessment of your product and service needs.
We retain Personal Data for the period necessary to fulfil the purposes for which they were collected, including to meet statutory and accounting requirements; in principle, this period is ten years.
Similarly, we delete or anonymise your Personal Data (or take equivalent measures) if they are no longer necessary to achieve the Purposes, (i) subject to any statutory or regulatory requirements applicable to data retention for a longer period of time, or (ii) in order to determine, exercise and/or defend actual or potential rights in legal proceedings, investigations or similar proceedings, including legal notices that we may require to protect the relevant information.
You may exercise the rights below, free of charge, by contacting us directly at bofnrisk@bankofnassau.com.
As a result, under certain legal conditions, you have the right to:
- Request access to your Personal Data;
- Request your Personal Data in electronic format when they have been processed automatically and when they have been processed with the consent of the Data Subject or in direct connection with the conclusion or performance of a contract;
- Request the Personal Data transmitted to another controller if these data have been processed automatically, with your consent or in direct connection with the conclusion or performance of a contract, and when this does not require disproportionate effort;
- Request the rectification of your Personal Data, unless the modification is prohibited by a statutory provision or if the data are processed for archiving purposes in the public interest. If the accuracy or inaccuracy of Personal Data cannot be established, you may request that reference to its disputed nature be added to the data;
- Request the erasure of your Personal Data, when their processing is no longer necessary to achieve the purposes, subject however, to the applicable retention periods;
- Request that the rectification, erasure or destruction of data, the prohibition on processing or communication to third parties, the reference to the disputed nature or the ruling be communicated to third parties or published;
- Object to the processing of your Personal Data where we rely on our legitimate interests (or the legitimate interests of a third party) and, for a reason relating to your particular circumstances, you wish to object to such processing. In some cases, we may prove that we have legitimate or legal imperative grounds to continue processing your data;
- Revoke your consent when it has been required for the processing of your Personal Data. If you revoke your consent, we may not be able to provide you with certain products or services. We will notify you, if applicable, when you revoke your consent;
- File a complaint with the Federal Data Protection and Transparency Officer.
It is important that the Personal Data we hold about you are accurate and up-to-date. Therefore, please let us know if your Personal Data change during the course of the Business Relationship or subsequently, insofar as we may need to contact you after the end of our relationship.
We may refuse, restrict or defer the disclosure of information when (i) a law within the formal meaning provides for this, in particular to protect professional secrecy, (ii) the overriding interests of a third party require this, (iii) the access request is manifestly unfounded, in particular because it pursues a purpose in breach of data protection or is manifestly procedural, and (iv) our overriding interests require this and your Personal Data are not disclosed to a third party.
We reserve the right to make changes to this Notice at any time.
Any change made by us will be subject to the posting of a new Privacy Notice on the Bank’s website.