The purpose of this personal data protection declaration (hereinafter the “Declaration“) is to inform all natural persons concerned by the collection, storage and processing of data (hereinafter the “persons concerned”) about the manner in which Banque Thaler SA, Rue Pierre Fatio 3, 1211 Geneva 3, Switzerland (hereinafter “Banque Thaler”) collects, stores and processes data.

Banque Thaler’s business is constantly evolving and this Declaration may be subject to change.

Banque Thaler collects or processes personal data and information (hereinafter “data”) of the persons concerned in a lawful and confidential manner, respecting their personality and fundamental rights.

This data is collected and processed solely for the purposes of the services contracted or in the context of related discussions with Banque Thaler (e.g. custody and/or wealth management, investment advice, granting of credit, employment contract or other), hereinafter the “Services“.

To ensure this, Banque Thaler has appointed a Data Protection Officer (DPO) whose email address is cmorel@banquethaler.com.

Our representative in the European Union for data protection matters is Ludo Wyns (ludo.wyns@llink.biz).

The person concerned understands that the collection of data by Banque Thaler or from third parties and their processing is necessary for the performance of the Services agreed or envisaged with Banque Thaler and for the preservation of its legitimate interests and compliance with its legal obligations.

In accordance with the legal provisions in force, the person concerned, by contracting or being in discussions concerning services with Banque Thaler, gives his consent and accepts the fact that data is or will be collected and processed and thus adheres to this Declaration.

3.1.  Data types

Banque Thaler collects the following data (non-exhaustive list) from persons concerned (current or potential customers, business introducers, third-party managers, trustees, administrators of private investment vehicles, lawyers, banks, other financial intermediaries, counterparties, employees, members of its board of directors or others):

• Identification data: in particular (i) identification data (surname, first name, title, photo, gender, date of birth and death, specimen signature, tax number, AVS), (ii) structural identification data (information relating to investment entities), (iii) data on commercial and professional activities, (iv) personal or professional links with third parties, (v) media exposure, (vi) information available in national or international, public or private databases, etc. ;
• Identification data issued by public services and other registers: in particular (i) identity cards and passports, (ii) extracts from the commercial register, (iii) certificates of incorporation, (iv) articles of association, (v) share registers;
• Employment contract data: Employment contract, annual appraisals, specifications, correspondence ;
• Location data: personal, business or investment entity addresses;
• Personal and business electronic identification and communication data: telephone numbers, e-mail addresses, WhatsApp, etc. ;
• Data collected for the purpose of assessing the creditworthiness of the person concerned ;
• Financial data: identification and bank account numbers, financial means/wealth, income, investments, types of financial transactions carried out.
• Data necessary for regulatory purposes in order to comply in particular with requirements relating to (i) anti-money laundering, (ii) market abuse rules or (iii) financial services and financial market infrastructure, including international financial regulations (e.g. FATCA, QI, automatic exchange of tax information etc.).

3.2.  Purpose of data collection

Data is collected by Banque Thaler for the following purposes:

• The opening and maintenance of the contractual relationship or the start of the business relationship with Banque Thaler (hereinafter referred to as the “business relationship”) in connection with the person concerned and any person or entity about which the data subject or a third party provides information and of which Banque Thaler becomes aware in connection with the business relationship (hereinafter referred to as the “related person“) ;
• Payment services or any other services provided by Banque Thaler’s service providers and subcontractors as part of a business relationship ;
• The management, administration, investment and distribution of financial products, including all related services ;
• Compliance with legal and regulatory obligations to which Banque Thaler is subject, in particular with regard to (i) anti-money laundering, (ii) market abuse rules or (iii) financial services and financial market infrastructure, including international financial regulations (e.g. FATCA, QI, automatic exchange of tax information etc.);
• Weighing up and protecting the interests of Banque Thaler or third parties, e.g. prevention and analysis of possible criminal offences, risk management, exercising rights and defending against disputes, IT security, security of buildings and installations;
• Banque Thaler marketing activities (newsletters, invitations to events, etc.).

3.3.   Information collected directly from the persons concerned

Banque Thaler collects and records all information relevant and necessary to the exercise of its activity, which is communicated to it within the framework of the services or by any other means in its customer, supplier and human resources management systems.

The person concerned may decide not to communicate certain information. However, this decision may have the effect of depriving him of certain services or functionalities offered as part of the services. This refusal may also make it impossible for Banque Thaler to enter into or maintain a business relationship. In certain cases, the refusal to provide certain data required by law or applicable regulations may lead Banque Thaler to obtain this information by other means, in particular if it is required to do so by law, and/or to report the business relationship to the criminal or anti-money-laundering authorities (hereinafter MROS).

3.4.   Information collected from third parties

As part of its services, Banque Thaler may also collect data from third parties (in particular business introducers, account holders, trustees, administrators of private investment vehicles, lawyers, banks, other financial intermediaries, providers of international sanctions lists, databases, or from trustworthy persons, such as investigators). Data collected from third parties is processed in the same way as data collected directly from the persons concerned.

3.5.   Information collected on the Bank’s website

Cookies collected on the bank’s website or ebanking are necessary for the proper functioning of our applications, but do not store any personal identification information. They may, however, store generic information (e.g. preferred connection language) to make subsequent connections more user-friendly.

Banque Thaler retains the data for as long as is necessary to fulfill the purposes for which they were collected and in accordance with the regulations applicable to the services, in principle for ten years after termination of the business relationship, respectively after the banking transaction linked to these data, in the context of banking services, in particular in accordance with the Banking Act or the Code of Obligations.

In principle, Banque Thaler deletes or anonymizes data (or takes equivalent measures) as soon as it is no longer necessary to achieve the purposes, unless :

• laws or regulations applicable to data retention require a longer retention period, or
• Banque Thaler considers it necessary in order to determine, exercise and/or defend its rights in legal proceedings, investigations or similar procedures.

Banque Thaler can use technology to identify the level of risk associated with a specific person or activity.

However, Banque Thaler does not use any automated decision-making processes (in particular on the basis of profiling) in relation to a business relationship, a person concerned or a related person.

Banque Thaler does not sell or rent data to third parties.

The data collected by Banque Thaler is accessible and used by its employees.

However, in order to provide its services, Banque Thaler may transmit certain data to third parties in Switzerland or abroad, in particular to :

• custodian or correspondent banks, financial/administrative or back office service providers; or
• IT service providers, in particular for payment transactions, or for the use of office applications that can be partially hosted in the cloud (e.g. email messaging); or
• the statutory auditors and the outsourced internal audit firm; or
• FINMA, MROS, the Public Prosecutor’s Office or other cantonal or federal authorities; or
• national and international tax authorities, in accordance with tax reporting obligations.

It is specified that :

• In relations with custodian banks, data may be transferred to national and international banks, as well as to any other financial intermediary. Data transfers are necessary for the execution of a service requested by the customer, such as a bank transfer or a financial market transaction. Such data transfers may also take place in response to a request from the custodian (e.g. application of the SRDII directives).
• As part of the implementation of the QI or FATCA regulations, data may be transferred to the Internal Revenue Service (IRS) or any other competent tax authority recognized by the IRS, subject to the express approval of the persons concerned. In the absence of such approval, data may nevertheless be transferred, but strictly within the framework of the execution of a request for international tax assistance filed by the USA.
• As part of the implementation of the Automatic Exchange of Information (AEI), data transfers can be made to any competent tax authority, it being specified that the condition of data confidentiality is a conditio sine qua non stipulated by the OECD for adherence to the AEI mechanism.
• As part of the implementation of all other regulations and services, Banque Thaler carries out an assessment of data recipients in accordance with applicable standards.

Finally, Banque Thaler may share data, in particular :

• To provide the agreed service or execute contracts for the customer or for itself;
• When authorized or required by law to comply with a valid legal process;
• To protect and defend, if necessary, the rights or property of Banque Thaler, including the security of its products and services;
• To protect the personal safety, property or other rights of Banque Thaler or its customers or employees, in particular by means of badge systems or video surveillance.

Banque Thaler undertakes to guarantee the existence of adequate levels of protection in accordance with applicable legal and regulatory requirements, in particular those relating to professional secrecy and data protection.

The data of the persons concerned will be transmitted and stored on Banque Thaler’s servers, access to which is strictly limited. Banque Thaler has taken the appropriate technical and organizational precautions to ensure that only duly authorized persons have access to the servers and has taken special precautions to protect its technical environment.

In addition, Banque Thaler is doing it utmost to protect himself against cyber-attacks, in particular by deploying the measures requested by FINMA.

In accordance with the applicable regulations, persons concerned may exercise the following rights concerning their data:

• Right to request access to stored data ;
• Right to request the portability of certain personal data;
• Right to request rectification of stored data if found to be inaccurate, unless such rectification is prohibited by law;
• Right to request restriction of processing, deletion or prohibition of processing of stored data, subject to applicable legal provisions on data retention (e.g. banking or money laundering law, QI regulations, FACTA, EAR, etc.).

In principle, the information is provided within 30 days, subject to the exceptions set out in Article 26 of the data protection act.

Even if a person concerned objects to processing of his or her data, Banque Thaler is entitled to continue such processing if it is (i) legally binding, (ii) necessary for the performance of the contract to which the object is party, (iii) necessary for the performance of a task carried out in the public interest, or (iv) necessary for the legitimate interests pursued by Banque Thaler, including the establishment, exercise or defense of legal claims.

Banque Thaler may refuse, restrict or defer the communication, delivery or transmission of information in the following cases:

• A law in the formal sense foresees it;
• The overriding interests of a third party require it;
• The request for access is manifestly unfounded.

In such cases, Banque Thaler will give its reasons for refusing, restricting or postponing the communication of information.

In case of a questions about data protection at Banque Thaler or a wish to exercise the rights mentioned above, please send a message to the address (info@banquethaler.com) or to the postal address of Banque Thaler. Oral requests will not be processed.