The client data of Zürcher Kantonalbank (hereinafter referred to as “the Bank”) is subject to Swiss bank-client confidentiality and data protection law in Switzerland and is treated confidentially by the Bank.
Within the Bank, access to client data is granted only to those parties that require it in order to enter into, conclude or execute a contract or business relationship or on the basis of legal and regulatory obligations.
The Bank may engage service providers in order to be able to offer Group-owned or third-party products and services. These service providers process client data on behalf of and for the purposes of the Bank, e.g. for payment transactions, subscription and redemption of fund units, printing and dispatch of bank documents, development and operation of information and communication technologies (e.g. IT infrastructures, platforms or applications), marketing, sales or communication services, debt collection, combatting fraud, credit reporting or advisory services.
If client data is disclosed to service providers of this kind, they are only permitted to process the data contained therein to the extent that the Bank itself does. The Bank carefully selects its service providers and contractually obliges them to warrant confidentiality by means of technical and organisational measures.
Due to the Bank’s operating model and the technologies used, the service providers engaged by the Bank may have a foreign connection. For example, this may be the case if a service provider belongs to a foreign parent company, if its registered office is abroad or if it processes data abroad.
Service providers with a foreign connection may in particular be called upon to develop and operate IT infrastructures, platforms and applications, e.g. in order to use cloud-based services such as Microsoft Office applications, to use filters against viruses or to ward off attacks against the IT infrastructure (so-called DDoS attacks).
In such cases, the Bank also agrees on technical and organisational measures to ensure the confidentiality of client data with the service providers and, for example, to protect it against cyber criminals. However, the possibility remains that foreign authorities may order the surrender of client data on the basis of the foreign connection and the foreign law applicable as a result. Swiss bank-client confidentiality cannot prevent such a disclosure, and the data may be processed by the foreign authorities in accordance with their applicable foreign law, e.g. for their own investigations or proceedings. Depending on the applicable foreign law, there may not be an adequate level of data protection in place compared to Switzerland, and comparable rights (e.g. access or disclosure restrictions) may be lacking.