Legal

Privacy policy statement

This privacy policy statement informs you about how Zürcher Kantonalbank handle your personal data.

1. General

When it comes to the issue of data protection too, Zürcher Kantonalbank (the Bank) is committed to an open, transparent and customer-friendly approach. By personal data the Bank means information which relates to a particular or identifiable person. The Bank interprets processing as referring to any handling of personal data, irrespective of the means and methods used, in particular the collection, storage, use, adaptation, publication, archiving or destruction of personal data.

Additional conditions (for example general terms and conditions or terms of use) apply to certain forms of data processing, for example in the case of apps offered by the Bank such as ZKB TWINT, ZKB eBanking Mobile or the Bank’s social media presence. These are available on the corresponding websites or in the corresponding apps.

1.1 General terms and conditions of business

The provisions set forth in Art. 15 to 17 of the General Terms and Conditions (AGB), January 2022 issue, contain general references to data protection, in particular in connection with the performance of contracts.

1.2 Data security

The Bank undertakes to protect your privacy in line with the applicable laws, in particular through the rules on banking secrecy and the law governing data protection. The Bank takes numerous precautions to ensure this, such as the implementation of technical and organisational security measures (e.g. the use of firewalls, personal passwords as well as encryption and authentication technologies, access restrictions, awareness-raising and training of employees).

2. Scope of processing

2.1 Categories of personal data

Depending on which products and services the Bank provides for you, it can process the following categories of personal data. The Bank’s policy is to process as little personal data as necessary.

The Bank processes customer data. These include, in particular, the following:

  • Master data and inventory data, for example name, address, date of birth, contract number and duration, documents confirming the customer’s identity, information relating to the account, securities account, conducted transactions or relating to third parties such as life companions, authorised agents and advisers who are also affected by the data processing.
  • Fiscal domicile and any other documents and information which may be relevant in terms of tax.
  • Transaction or order management and risk management data, for example information on the beneficiary in the case of transfers or card payments, beneficiary bank, if applicable details of issued mandates, information concerning your assets, investment products, risk and investment profile, cases of fraud.
  • If applicable, recordings of telephone conversations between you and the Bank.
  • Marketing data, for example requirements, wishes, preferences.
  • Technical data, for example internal and external identifiers, trade numbers, IP addresses, records of accesses or changes.

The Bank processes data relating to potential customers and visitors (i.e. visitors to branches or websites in particular). These include, in particular, the following:

  • Master data and inventory data, for example name, address, date of birth.
  • Technical data, for example internal and external identifiers, IP addresses, records of accesses or changes.
  • Marketing data, for example requirements, wishes, preferences.

The Bank processes supplier data. These include, in particular, the following:

  • Master data and inventory data, for example name, address, date of birth, contract number and duration, information relating to the account or conducted transactions.
  • Technical data, for example internal and external identifiers, trade numbers, IP addresses, records of accesses or changes.

2.2 Origin

In order to fulfil the purposes according to point 2.4, the Bank can collect personal data with the following origin:

  • Personal data communicated to the Bank, for example in connection with the opening of a business relationship, an advisory consultation, products and services or on the Bank’s websites.
  • Personal data which are generated in connection with the use of products or services and which are communicated to the Bank through the technical infrastructure or through collaborative processes, for example in connection with websites, eBanking, apps, in connection with payment transactions and securities trading or during the course of cooperation with other financial or IT service providers or marketplaces and exchanges.
  • Personal data from third-party sources, for example the Zentralstelle für Kreditinformationen (Central Office for Credit Information – ZEK), the Informationsstelle für Konsumkredit (Consumer Credit Information Office – IKO), authorities, other companies within the Bank’s group or sanction lists maintained by the UNO, the SECO and the EU.

2.3 Period for which the data is stored

The period for which personal data is stored is determined according to statutory record-keeping obligations and the purpose for which the data in question are processed.

As a rule, the Bank stores personal data for the duration of the business relationship or term of the contract and subsequently for a further five, ten or more years (depending on the applicable legal basis). This corresponds to the interval of time within which legal claims can be brought against the Bank. Current or anticipated legal or supervisory authority proceedings can lead to data being stored beyond this period.

2.4 Purposes

The Bank can process the personal data described under point 2.1 in connection with the provision of its own services as well as for its own purposes or those required by law. These include, in particular, the following:

  • Customer registration procedures, the conduct, processing and administration of the business relationship and products and services provided by a universal bank (for example verification of identity, evaluation of applications, loan decisions, financing, financial planning, payments, invoices, accounts, cards, investment, stock exchange, pensions, foundation, succession and insurance, eFinance, customer service, communication).
  • Statistics, planning or product development, business decisions (for example the determination of indicators relating to the use of services, utilisation figures, transaction analyses, development of ideas for new products or the evaluation or improvement and review of existing products, services, processes, technologies, systems and returns).
  • Monitoring and management of risks, business reviews, establishment of businesses, timely processing of business (for example combating fraud, investment profiles, limits, market, credit or operational risks as well as system and product training).
  • Marketing, market research, comprehensive service, advice and information concerning the range of services offered, preparation and provision of tailor-made services (for example direct marketing, print and online advertising, customer, promotional or cultural events, sponsoring, prize games, measuring customer satisfaction, future customer needs or behaviour or assessing customer, market or product potential).
  • Statutory or regulatory information, disclosure or reporting obligations with respect to courts, authorities, compliance with official orders (for example the automatic exchange of information with foreign tax authorities, orders by the FINMA, public prosecutor’s offices, in connection with money laundering or the financing of terrorism or for the purpose of recording and monitoring communications).
  • Protecting the Bank’s interests and securing its claims in cases where claims are brought against the Bank or Bank customers as well as protecting the security of the customer and employees.
  • Any other purposes of which the Bank has informed you. 

2.5 Bases for the processing of personal data

Depending on which products and services the Bank may provide for you or the purpose for which the personal data are processed, the data processing is carried out on the following basis:

  • Conclusion or performance of a contract or commencement of a business relationship with you or for the purpose of fulfilling the Bank’s obligation arising from such a contract or business relationship.
  • If necessary, in order to protect the Bank’s legitimate interests, for example statistics, planning or product development, business decisions; monitoring and management of risks, business reviews; marketing, market research, comprehensive service, advice and information concerning the range of services offered, preparation and provision of tailor-made services – where no objection has been lodged; protecting the Bank’s interests and securing the claims of the Bank, its customers and employees.
  • If necessary in order to fulfil statutory or regulatory obligations or perform duties in the public interest.
  • If necessary on the basis of your consent .1

Consents which are obtained for other reasons, for example due to the provisions concerning banking secrecy according to the Federal Law on Banks and Savings Banks (BankG), are not affected by this section.

2.6 Are you subject to an obligation to provide personal data?

If personal data which the Bank processes are necessary in order to fulfil statutory or regulatory obligations or for the conclusion or performance of a contract or the commencement of a business relationship with you, it may be the case that the Bank cannot accept you as a customer or cannot provide you with products or services if the Bank is unable to process this personal data. In this case we will inform you accordingly.

2.7 Existence of automated individual decision-making in individual cases, including profiling

The Bank also reserves the right in future to analyse and evaluate customer data (including data of affected third parties, see point 2.1) in automated form in order to recognise key personal characteristics of the customer or in order to predict developments and create customer profiles. These serve in particular the purpose of business reviews and in order to provide individual advice on, and provide, offers and information which the Bank and companies within its group may make available to the customer.

Customer profiles may in the future also lead to automated individual decisions, for example automated credit rating decisions or in order to accept and execute orders submitted by the customer in eBanking by automated means.

The Bank will ensure that a suitable contact person is available if the customer wishes to express an opinion concerning an automated individual decision and such a possibility of expressing an opinion is required by law.

2.8 Categories of intended recipients, guarantees and disclosure abroad

Within the Bank, only those departments receive access to your personal data which require this for the conclusion or performance of a contract or the commencement of a business relationship, in order to fulfil statutory or regulatory obligations or perform duties in the public interest.

The Bank only discloses customer data to third parties in the following cases – depending on the nature of the products and services used:

  • In order to execute orders, i.e. in relation to the use of products or services, for example to payees, beneficiaries, authorised account users, intermediaries as well as correspondence banks, other parties involved in a transaction, service providers, exchanges or marketplaces, reporting of certain stock exchange transactions to international transaction registers.
  • With the consent of the customer, to affiliated companies for the purpose of providing comprehensive customer services and for the purpose of outsourcing.
  • On the basis of statutory obligations, legal justifications or official orders, for example to courts or supervisory authorities in the area of the law governing financial markets or tax matters or, where necessary, in order to protect the Bank’s legitimate interests in Switzerland and abroad. The latter applies in particular in the event of legal steps or public statements against the Bank being initiated or threatened by the customer, in order to secure the Bank’s claims against the customer or third parties, in connection with the collection of the Bank’s claims against the customer and in order to restore contact with the customer after contact with the competent Swiss authorities has been broken off.

The term data processors refers to third parties who process personal data on behalf of and for the purposes of the Bank, for example IT, marketing, sales or communication service providers, collection agencies, fraud prevention agencies, credit agencies or consulting firms. If personal data is communicated to such a contract processor, they may only process the received personal data in the same way as the Bank itself. The Bank selects its contract processors carefully and places them under a contractual undertaking to guarantee confidentiality and banking secrecy in Switzerland as well as the security of the personal data.

Depending on the nature of the product or service being used, personal data may under certain circumstances also need to be disclosed to third parties (incl. contract processors) based in countries in which no adequate level of data protection prevails (see also Art. 16 AGB and information with reference to the applicability of Swiss banking secrecy and data protection; these also apply mutatis mutandis to prospective customer, visitor and supplier data). For example, the United States of America does not provide for an adequate level of data protection. When communicating personal data to such a country, the Bank demands that the recipient take appropriate measures to protect personal data (for example by means of the agreement of so-called EU-standard clauses, other precautions or on the basis of justifying grounds; a copy of the EU-standard clauses can be obtained from us free of charge).

3. Rights

You have the right to information, rectification, erasure, restriction, objection, as well as – where applicable – the right to data portability. In addition you have the right to lodge a complaint with a competent data protection supervisory authority (see point 5).

The Bank accepts information requests in writing together with a clearly legible copy of a valid official identity document (for example passport, identity card, driving licence) at the following address: Zürcher Kantonalbank, Data Protection Advisor, Legal & Compliance, Postfach, 8010 Zürich.

The right to erasure and the right to object are not unlimited rights. Depending on the individual case, overriding interests may necessitate further processing. The Bank will examine each individual case and notify you of the result. If personal data is processed for the purpose of direct marketing, your right to object also extends to direct marketing, including profiling for marketing purposes. You can lodge an objection to direct marketing at any time by sending the Bank a notification to this effect (see point 5).

You can at any time withdraw your consent to the Bank processing your personal data. Please note that such a withdrawal of consent only has effect for the future. Processing which took place prior to withdrawal of consent is not affected.

If the Bank fails to meet your expectations with respect to the processing of personal data, if you wish to complain about the Bank’s data protection practices or if you wish to exercise your rights, please notify the Bank of this (see point 5). Among other things, this gives the Bank the opportunity to address your concerns and if need be make improvements. In order to assist the Bank in responding to your enquiry, we request that you provide a correspondingly detailed notification. The Bank will look into your concerns and will reply within an appropriate period.

4. Changes in personal data

The Bank is obliged to process the personal data accurately and keep it up to date. Please notify the Bank of any changes in your personal data using the usual communication channel.

5. Contact details and exercising your rights

The Bank is responsible for the processing of personal data:

Zürcher Kantonalbank
Head Office Zurich
Bahnhofstrasse 9
8001 Zurich

You can address general questions, suggestions and comments to your client advisor.

You can address your questions in connection with data protection to the following departments: Zürcher Kantonalbank, Data Protection Advisor, Legal & Compliance, Postfach, 8010 Zürich or send us a message by e-mail to: datenschutz@zkb.ch.

EU representative according to Art. 27 GDPR: VGS Datenschutzpartner UG, Am Kaiserkai 69, 20457 Hamburg, Germany, e-mail: info@datenschutzpartner.eu.

If you are not satisfied with the Bank’s response, you have the right to lodge a complaint with the data protection authority in the jurisdiction within which you live or work or in the place in which, in your view, a problem arose in relation to the personal data.

6. Updating of the privacy policy statement

This privacy policy statement was last updated in January 2023. It explains in general terms the way your personal data is processed by the Bank. This privacy policy statement does not constitute a part of any contract between the Bank and you. The Bank reserves the right to amend this privacy policy statement from time to time. In the event of such amendment you will be informed in an appropriate manner depending on how we usually communicate with you, for example via the website zkb.ch.

 

Last updated: January 2023