Depending on which products and services the Bank provides for you, it can process the following categories of personal data. The Bank’s policy is to process as little personal data as necessary.

2.1.1 Former, current and potential customers (or prospective customers)

These include, in particular, the following:

• Master and inventory data such as name, address, telephone number, e-mail address, date of birth, nationality, profession, economic and family circumstances, financial goals, investment knowledge and experience, contract number and duration, identification and authentication data, e.g. login for eBanking, documents to establish the customer's identity, such as an identity document or passport, information about the account, securities account, cards and payments, about current or completed transactions, contracts, products, services; information about third parties, such as life companions, family members, authorised representatives and advisors who are also affected by a data processing.
• Fiscal domicile and any other documents and information which may be relevant in terms of tax.
• Transaction or order and risk management data, for example, information on the beneficiary, counterparty or third-party banks in the case of transfers or card payments and, where applicable, details of issued mandates, information concerning your assets, real estate, lines of credit, credit rating, investment products, risk and investment profile, cases of fraud, enquiries, consultations, conversations and physical or electronic correspondence.
• Personal data requiring special protection (sensitive personal data), such as biometric data for voice recognition during telephone calls for the identification of the caller.
• Recordings of telephone calls between you and the Bank, if applicable, or video recordings of your visit to our premises or your use of our ATMs.
• Marketing data, such as the needs, wishes, interests, preferences, information about the use of products, services or contact and communication channels.
• Technical data such as internal and external identifiers, trade numbers, IP addresses, location in apps (for example ZKB TWINT), records of accesses or changes.

2.1.2 Visitor information (i.e. visitors of branches or websites)

These include, in particular, the following:

• Master data and inventory data, such as name, telephone number, e-mail address, address, date of birth and personal data collected using a form.
• Recordings of telephone calls between you and the Bank, if applicable, or video recordings of your visit to our premises or your use of our ATMs.
• Technical data, such as internal or external identifiers, IP addresses, and logs of access or changes.
• Marketing data, for example, needs, wishes, preferences and interactions.
• Data that is transmitted to us on account of your visit to our websites or that you provide to us (e.g. using a form).

2.1.3 Supplier Employee Data

These include, in particular, the following:

• Master data and inventory data such as name, address, position, telephone number, e-mail address, date of birth, contract number and duration, and information on current or concluded services, products or projects.
• Recordings of telephone calls between you and the Bank, if applicable, or video recordings of your visit to our premises or your use of our ATMs.
• Technical data, for example internal and external identifiers, trade numbers, IP addresses, records of accesses or changes.

The period for which personal data is stored is determined according to statutory retention obligations resp. the purpose for which the data in question are processed.

As a rule, the Bank stores personal data for the duration of the business relationship or term of the contract and subsequently for a further five, ten or more years (depending on the applicable legal basis). This corresponds to the interval of time within which legal claims can be brought against the Bank. Current or anticipated legal or supervisory authority proceedings can lead to data being stored beyond this period.

The Bank can process the personal data described in section 2.1 in connection with the provision of its own services as well as for its own purposes or those required by law. These include, in particular, the following:

• Customer onboarding procedures, review, conclusion, implementation, processing and administration of the business relationship and products and services provided by a universal bank (e.g. communication, verification of identity, evaluation of applications, loan decisions, lines of credit, financial planning, payments, invoices, accounts, cards, investment, stock exchange, pensions, foundation, succession planning and insurance, eFinance, customer service, and communication).
• Statistics, planning or product development, business decisions (for example, the determination of indicators relating to the use of services, utilisation figures, transaction analyses, development of ideas for new products or the evaluation or improvement and review of existing products, services, processes, technologies, systems and returns).
• Monitoring and management of risks, business reviews, establishment of businesses, timely business processing (for example, combating fraud, investment profiles, limits, market, credit or operational risks, and system, product and employee training).
• Brokerage of third-party products and services such as credit or debit cards.
• Marketing, market research, customer relationship management, customer recovery, comprehensive service, advice and information concerning the range of services offered, preparation and provision of tailor-made services (for example, direct marketing, print and online advertising, customer, promotional or cultural events, sponsoring, prize draws, measurement of customer satisfaction, future customer needs or behaviour or assessment of customer, market or product potential).
• Statutory or regulatory audit, information, disclosure or reporting obligations with respect to courts, authorities, compliance with official orders (for example, identity verification, automatic exchange of information with foreign tax authorities, orders by the FINMA, public prosecutor’s offices, in connection with combatting fraud or money laundering or the financing of terrorism or for the purpose of recording and monitoring communications).
• Protecting the Bank’s interests and securing its claims in cases where claims are brought against the Bank or Bank customers as well as protecting the security of the customer and employees.
• Operation of the website (e.g. for technical administration and further development of ZKB websites).
• Any other purposes of which the Bank has informed you.

In order to fulfil the purposes set out in section 2.3, the Bank may collect personal data from the following sources:

• Personal data provided to the Bank, for example, in connection with the opening of a business relationship, a consultation, communication with the bank, for products and services or on the Bank’s websites and apps.
• Please only disclose personal data of third parties outside of a legal obligation if you have made the third parties concerned aware of this data protection declaration in advance.
• Personal data which are generated in connection with the use of products or services and is transmitted to the Bank through the technical infrastructure or through processes based on the division of labor (e.g, websites, eBanking, apps, in connection with payment transactions and securities trading or during the course of cooperation with other financial or IT service providers or marketplaces and exchanges.)
• Personal data from third-party sources, for example, correspondent banks involved in money transfers or the Zentralstelle für Kreditinformationen (Central Office for Credit Information - ZEK), the Informationsstelle für Konsumkredit (Consumer Credit Information Office - IK), credit reference bureaus, credit checkers, address traders, insurance companies, authorities, other companies within the Bank’s group or sanction lists maintained by the UNO, the SECO and the EU.
• Personal data that is publicly accessible, e.g. on the Internet, in the media, in public registers, such as the land register or commercial register offices.

Depending on which products and services the Bank may provide for you resp. the purpose for which the personal data are processed, the data processing is carried out based on the following:

• Entering into, conclusion or execution of a contract or business relationship with you or for the fulfilment of the Bank’s obligations arising from such a contract or business relationship (including any necessary pre-contractual measures), e.g. for lines of credit, financial planning, payments, invoices, accounts, cards, investment, stock exchange, pensions, incorporations, succession planning and insurance, eFinance, and customer service.
• Where applicable, to safeguard the legitimate interests of the Bank – for example, statistics, planning and product development, business decisions; monitoring and controlling of risks, business audits; marketing, market research, customer relationship management, comprehensive service, advice and information concerning the range of services offered, preparation and provision of tailor-made services – where no objection has been lodged; protection of the Bank's interests and securing the claims of the Bank, its customers and employees.
• Where applicable, for the fulfilment of legal or regulatory obligations of the Bank or the performance of tasks in the public interest, e.g. based on the Swiss Banking Act, Collective Investment Schemes Act, Anti-Money Laundering Act, Pfandbrief Act, FINMA Regulations and Circulars, tax laws (cf. also information on tax treaties and the exchange of information with authorities).
• Where applicable, based on your consent¹.

¹ Consents obtained for other reasons, for example, due to the provisions concerning banking secrecy according to the Federal Law on Banks and Savings Banks (BankG), are not affected by this section.

If personal data which the Bank processes are necessary in order to fulfil statutory or regulatory obligations or for the conclusion or performance of a contract or the commencement of a business relationship with you, it may be the case that the Bank cannot accept you as a customer or cannot provide you with products or services if the Bank is unable to process this personal data. In this case, we will inform you accordingly.

The Bank reserves the right in future to analyse and evaluate customer data (including data of affected third parties, see section 2.1) also in automated form in order to recognise key personal characteristics of the customer or in order to predict developments and create customer profiles. These are used in particular for business review and processing (e.g. in connection with the determination of an investment strategy, risk profiles, credit check, combating money laundering, abuse and fraud, IT security) and the individual consultation and provision of offers and information (e.g. marketing, product development and product improvement so that you only receive offers that match your interests), which the Bank and its Group companies may make available to the customer.

Customer profiles may in the future also lead to automated individual decisions, for example, automated creditworthiness decisions in order to accept and execute orders submitted by the customer in eBanking in an automated manner.

The Bank will ensure that a suitable contact person is available if the customer wishes to express an opinion concerning an automated individual decision and such a possibility of expressing an opinion is required by law.

2.8.1 Recipients

Within the Bank, only those departments receive access to your personal data which require this for the conclusion or performance of a contract or the commencement of a business relationship, in order to fulfil statutory or regulatory obligations or perform duties in the public interest.

The Bank only discloses customer data to third parties in the following cases – depending on the nature of the products and services used:

• In order to execute orders, i.e. in relation to the use of products or services, for example to payees, beneficiaries, authorised account users, intermediaries as well as correspondence banks, brokers, clearing houses, other parties involved in a transaction, service providers (e.g. Swisscom), exchanges or marketplaces, reporting of certain stock exchange transactions to international transaction registers.
• With the consent of the customer, to affiliated companies for the purpose of providing comprehensive customer services and for the purpose of outsourcing.
• On the basis of statutory obligations, legal justifications or official orders, for example, to courts, law enforcement agencies or supervisory authorities, e.g. in the area of the law governing financial markets or tax matters or, where necessary, in order to protect the Bank’s legitimate interests in Switzerland and abroad. The latter applies in particular in the event of legal steps or public statements against the Bank being initiated or threatened by the customer, in order to secure the Bank’s claims against the customer or third parties, in connection with the collection of the Bank’s claims against the customer and in order to restore contact with the customer after contact with the competent Swiss authorities has been broken off.

Contract processors are third parties who process personal data on behalf of and for the Bank, e.g. IT, marketing, market research, sales or communication service providers, logistics companies, printing service providers, financial service providers, real estate service providers, rating agencies, collection agencies, anti-fraud agencies, information and cybersecurity service providers, credit reference agencies or consulting firms. If personal data is communicated to such a contract processor, they may only process the received personal data in the same way as the Bank itself. The Bank selects its contract processors carefully and places them under a contractual undertaking to guarantee confidentiality and banking secrecy in Switzerland as well as the security of the personal data.

2.8.2 Location of disclosure

The location of the data disclosure depends on the type of product or service used. Due to our business model as a full-service bank, the following variations are possible:

• The Bank trades and holds in custody securities and financial instruments and/or executes fiduciary investments and foreign exchange transactions on behalf of the customer. In this context, foreign law and contractual provisions may require the Bank to disclose for whom it is acting. This may result in the Bank having to name specific persons or disclose information and documents to authorities and business undertakings in Switzerland or abroad. It should be noted that trading (depending on the exchange or trading facility), downstream processing stages and safekeeping may take place in third countries. The disclosure obligations vary from country to country. Furthermore, new duties of disclosure may arise at any time, or existing ones may be amended. Further information on the place of disclosure of personal data in connection with securities and financial instruments and/or fiduciary investments and foreign currency transactions has already been provided to you in connection with the specific services and products (cf. our General Terms and Conditions of Business, the terms on our products and services and our legal notices and information relating to our trading and investment business, in particular disclosure of customer data in connection with financial market and foreign exchange transactions, Shareholder Rights Directive II, country specifications for cross-border payments, Markets in Financial Instruments Regulation (MiFIR)  and SBVg guidelines (February 2016 and June 2009).
• In connection with the administration of contracts with its suppliers, the Bank may also process contact details, such as the name, e-mail address or telephone number of its contact persons (employees of suppliers). These contact details will be processed using an IT system with a server hosted in Germany.

2.8.3 Guarantees

If, in exceptional cases, personal data is disclosed in countries where there is no adequate level of data protection (see also Art. 16 of the General Terms and Conditions of Business and information regarding the applicability of Swiss banking secrecy and data protection laws; these shall apply mutatis mutandis to visitor and employee data of suppliers), the Bank shall obligate the recipient to comply with an appropriate level of data protection by concluding recognised standard contractual clauses, or the Bank will avail of a statutory exception provision (e.g. conclusion or performance of a contract, safeguarding of overriding public interests, enforcement of legal claims, or your consent).

A copy of the EU standard contractual clauses (SCC) can be obtained from us free of charge.

Zürcher Kantonalbank
Zurich Head Office
Bahnhofstrasse 9
8001 Zürich

Zürcher Kantonalbank
Data Office
P.O. Box
8010 Zürich

or send us a message by e-mail to dsr@zkb.ch

Zürcher Kantonalbank
Data Protection Officer
Legal & Compliance
P.O. Box
8010 Zürich

or send us a message by e-mail to datenschutz@zkb.ch

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany

or by e-mail to info@datenschutzpartner.eu