Data Privacy Statement
BBVA SA (the "Bank") cares about your privacy and is committed to give your personal data a high level of protection. This notice aims to inform you about the data the Bank collects and processes, as well as the reasons for processing it and the rights you have.
Please read the following information carefully. Should you have any questions or comments, do not hesitate to contact dpo@bbva.ch or BBVA SA, Data Protection Office, Selnaustrasse 32/36, 8001 Zurich, the entity responsible for the processing of your data: :
1. Who is responsible for the data processing and how can you contact them?
The following entity is responsible for the data processing:
BBVA S.A. Data Protection Office
Selnaustrasse 32/36
8001 Zurich, Switzerland
E-mail: dpo@bbva.ch
2. What kind of personal Data does the Bank collect?
For the purpose of this notice, "personal data" means any information in relation to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly. Depending on the product or service we provide to you, the Bank collects and processes your personal data (e.g. as a former or current customer or as a prospective customer), including the following:
- Personal identification and contact data (name, date of birth, gender, nationality, marital status, address, e-mail, telephone, etc.);
- KYC ("Know Your Customer") information such as copy of your passport or other identification document, nomination of a mandate, family details (name of your partner or children, for example), source of wealth, information related to criminal convictions or offenses, press releases, political affiliations, as well as further compliance information and any other personal data;
- Where permitted by law and/or necessary for the services or products offered, we collect and process special categories of personal data such as biometric information (e.g. Touch-ID, video and online identification), health information (e. g. for insurance products), racial or ethnic origin or religious or philosophical beliefs;
- Your tax domicile(s) and related documents and information;
- Professional and business information about you as well as knowledge and experience in investment matters including your investment objectives, financial information (income, wealth, liabilities, revenues, etc.);
- Payment and transaction records, financial statements;
- Numeric identifiers assigned to you such as customer or account number;
- Records of telephone calls or exchange of electronic communication (emails, for example) between you and the Bank and the products and services you use including electronic interactions;
- In case you access our website, our server will record the data transmitted by your browser automatically. The information recorded will include the date and time you accessed the website, the files you accessed, the data volume transmitted, the performance, what kind of web browser you are using as well as the language, the requesting domain and the IP address. You can find additional information directly on our website.
We can use our own cookies and third-party cookies to improve our services, personalize our website, facilitate browsing for our users, provide a better experience when using the website, identify problems to improve the site, take measurements and produce usage by analyzing the general use of the website. To find out how we use cookies and other tracking technologies in relation to BBVA SA websites, please also consult our Cookie Policy.
The source of our data is usually our customers, but we do, in some cases, collect information from publicly available sources such as national authorities, commercial registers or other third-party sources such as credit rating agencies, wealth screening services or other entities of the BBVA Group, where permitted by law or based on your consent when required by law.
Please keep in mind that we collect and process data not only of account holders but also of any person involved in the business relationship such as authorized representatives, persons holding a power of attorney and beneficial owners. You should inform them accordingly and provide a copy of this Data Privacy Statement to those individuals.
3. What is the purpose of processing your data?
We collect and process personal data for at least one of the following purposes:
a) For fulfillment of our contractual obligations
The main reason for the collection and processing of your personal data is the onboarding and the fulfillment of our anti-money laundering obligations as well as our contractual obligations towards you.
The Bank needs to process your data in order to be able to provide you with banking and financial services such as advisory or discretionary mandates, to carry out transactions, payments, credit services or any other banking services. Such processing will be done mainly on the basis of the specific product or service agreed with you. Further details about the related purposes can be found in the relevant contract documents, terms and conditions (including the General Banking Conditions).
b) For purposes of legitimate interests of the Bank
When the legitimate purposes allow it, we process your data beyond the effective fulfillment of our contractual and legal or regulatory obligations in order to safeguard the Bank's legitimate interests. Examples of legitimate interest are:
- Guarantee the Bank's IT security and operation
- Defense in legal disputes and assertion of legal claims as well as prevention and clarification of possible crimes and breaches of contracts.
- Evidence in all types of proceedings (judicial, administrative, regulatory etc.).
- Development of our banking services and products, of our business as well as of our marketing or advertising.
- Reviewing and optimizing procedures
- Training and quality assurance
- In relation to the credit business, consulting and exchanging information with offices such as debt registers to investigate credit worthiness and credit risk.
- Risk Controls and Risk Management at the Bank
- Video surveillance of our premises to provide security
c) Due to legal and regulatory obligations
As a Swiss bank, our activities are subject to various legal and regulatory obligations, which is why we have to comply with them, including the obligation to inform the authorities, regulators and other government bodies (such as tax and supervisory authorities, etc.), as well as certain participants in the financial markets, like depositaries, stock exchanges and other financial institutions. You can find more details about the purposes of data processing in the relevant contract documents, terms and conditions (including the General Banking Conditions).
The data is usually collected during the customer on-boarding process, but also during the maintenance of the business relationship, in order to verify your identity, for example, and conduct other compliance checks, in order to meet our legal obligations according to anti-money-laundering regulations, tax legislation, as well as to prevent fraud. The Bank needs to collect the personal data in order to meet these legal and regulatory obligations. If we cannot collect your personal data for the mentioned purposes, we may be unable to provide products or services to you.
d) Upon your consent
As long as you have granted us consent (required in certain cases), the Bank can process your data for a certain purpose, such as analyzing your trading activities for marketing purposes or disclosure of data to your providers, asset managers, tax advisors, accountants or other persons. Once you have given us your consent, you can withdraw it at any time with effect for the future.
e) For profiling purposes
Some of your data might be processed automatically, in order to assess certain personal aspects (profiling). Profiling is used due to legal and regulatory requirements to combat money laundering, terrorism financing and other offenses that pose danger to assets. We also can process data automatically to notify and advise you regarding specific products or services that could be of interest for you, where permitted by law or based on your consent when required by law.
4. Is the decision-making automated?
In principle, we do not use any fully automated decision-making processes either in the onboarding process or during the maintenance of the business relationship. If we do use this process in exceptional cases, we will inform you accordingly, to the extent legally required.
5. Who can have access to your data?
We do not share your personal data with third parties without your consent unless we are required to do so by law or we do so at your request.
In order to fulfil our contractual obligations towards you, we share some of your personal data with third parties such as outsourcing providers, correspondent banks, credit card issuers, payment providers, custodians, brokers, exchanges, clearing houses, trade repositories and other credit or financial services institutions. We are also required, in some cases (e.g. as required by law or applicable regulation or in order to safeguard our legitimate interests), to share information with public or regulatory authorities such as FINMA (Switzerland’s independent financial-markets regulator), external auditors, courts, government bodies or other law enforcement agencies, for example.
The Bank can give access to entities that provide services to the Bank to your personal information, such as IT partners, hosting providers, fraud prevention or credit reference agencies, among others. In these cases, inter alia the Bank legally binds them to confidentiality and data protection as well as takes the necessary steps to ensure the service providers meet our data security standards in order to keep your data secure.
To the extent permitted by applicable law or regulation, your personal data may be held or stored on cloud platforms belonging to Swiss third party service providers, subject to contractual obligations of confidentiality and data protection.
Any other legitimate recipient for which you have given us your consent or where required by applicable law or regulation.
In some cases, the recipients of personal data can be located outside Switzerland. If the relevant country has not been determined by the Federal Data Protection and Information Commissioner to provide an adequate level of protection, the Bank requires the data recipients to apply appropriate measures to protect personal data, e.g., by signing a binding legal agreement to comply with the data protection level in Switzerland and by taking organizational and technical measures. Transfers outside Switzerland are only made where the transfer is made to countries that can demonstrate equivalent standards of security and other relevant data processing requirements, except we have obtained your express written consent.
6. How long do we store your data?
We will store your data as long as necessary to fulfil the purpose for which it was collected or to comply with legal and regulatory obligations. In general, the Bank will retain personal data for the period of your business relationship or contract with the Bank plus at least 10 years, in order to respond to or make legal claims following the termination of the business relationship or contract, for example. In some cases (e.g., in the case of legal proceedings), this period can be longer. The Swiss Financial Supervisory Authority (FINMA) has also laid down numerous requirements, such as recording external and internal telephone calls of all employees engaged in securities trading, as well as all electronic correspondence for two years.
In case you request your data to be deleted, we will assess the request and delete the data, in case the data is no longer required to fulfill any contractual, regulatory or legal obligation.
7. What are your rights?
The applicable laws give you, as data subject, the following rights related to your personal data:
- Right of access: You have the right to obtain information regarding your personal data that the Bank processes and/or to know if the Bank processes your personal data and, where that is the case, you have the right to know the purpose of the processing, the categories of the data concerned and the recipients of the personal data, among others.
- Right of rectification: You have the right to request the rectification of inaccurate or incomplete personal data about you.
- Right to erasure ("Right to be forgotten") and right to restriction of processing: You have the right to ask BBVA SA to stop processing your data or to delete it. Please keep in mind that these rights are not absolute, as there may be overriding interests that require us to keep processing your personal data in order to fulfill legal or regulatory obligations. The Bank will, in any case, assess your request and respond in due time.
- Right to data portability: You have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to have your personal data transmitted to another controller without hindrance.
- Right to revoke your consent: You have the right to object to the processing of your personal data, where the process is based on your consent, unless the Bank demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedom or exercise or defense of legal claims. Where your personal data is processed for direct marketing purposes, you have the right to withdraw your consent at any time.
If you are affected, you have the right to complain to a competent supervisory authority for data protection.
Some of the above rights are subject to restrictions in some cases (e.g. by applicable law or regulation), and exercising these rights may make us unable to enter into or continue a business relationship with you or to provide you with products or services.
8. Changes to your personal data
In order to keep your personal data up to date, we kindly ask you to inform us of any changes as soon as possible.
9. Exercising your rights