1) Who is responsible for your personal data and who can you contact?
Pictet Group Entities (“Pictet”, “us” or “we”) process information and personal data (“Personal Data”) relating to you and/or any Related Person of yours [Related Person(s) and you together: the “Data Subject(s)”]. We do this in connection with our existing and/or prospective business relationships, including your use of our websites and applications (together: the “Business Relationship”). We can do so either as controller or as joint controller (the “Controller”).
A “Related Person” means an individual or entity whose information that you or a third party provides to us and/or information that otherwise comes to our knowledge in connection with our Business Relationship. A Related Person may include, but is not limited to, (i) a director, officer or employee of a company; (ii) a trustee, settlor or protector of a trust; (iii) a nominee or beneficial owner of an account; (iv) a substantial interest owner in an account; (v) a controlling person; (vi) a payee of a designated payment; (vii) a representative or agent (i.e. with a power of attorney, a right to information on an account, an e-banking user); or (viii) an employer or contractor.
We therefore ask you to liaise with all of your Related Persons and to pass this Privacy Notice and the information it contains on to them.
If you have any questions about this Privacy Notice, about your Controller or, more generally, about the processing of your (or your Related Persons’) Personal Data, you can contact your relationship manager or our Data Protection Officer at any of the following addresses:
2) How do we handle your Personal Data?
We are subject to certain confidentiality and/or secrecy obligations, e.g. those arising under laws governing data protection, contracts and professional or banking secrecy, whichever may be applicable.
This Privacy Notice deals with the way we process Personal Data. That means how we collect, use, store, transmit or otherwise handle or process, operations collectively defined in this document as “Processing” or “Processing Operations”. This Privacy Notice does not replace, and remains subject to, our applicable contractual terms and conditions.
We may conduct our Processing Operations either directly or indirectly, through other parties that process Personal Data on our behalf (the “Processors”).
3) What Personal Data do we process?
Personal Data include any information relating to an identified or identifiable natural person or as defined in the applicable law.
Personal Data of Data Subjects that we process may be based on the following principal legal bases, bearing in mind that they may also rely cumulatively on other legal bases mentioned.
On the legal basis of contract performance, including the pre-contractual steps:
- identification data, e.g. names, addresses, telephone numbers, email addresses, business contact information;
- personal characteristics, e.g. date of birth, country of birth;
- work-related information, e.g. employment and job history, title, professional skills, powers of attorney;
- financial information, e.g. financial and credit history information, bank details, records from the debt collection enforcement office;
- transaction/investment data, e.g. current and past investments, investment profile, investment preferences and invested amount, number and value of shares held, role in a transaction (seller/acquirer of shares), transaction details.
On the legal basis of legal and regulatory obligations:
- identifiers issued by public bodies, e.g. passport, identification card, tax identification number, national insurance number, social security number, work permit;
- reputation checks and background checks;
- voice recording, e.g. the recording of phone calls made by or to the Controller’s representatives.
On the legal basis of our legitimate interest:
- management and security data, e.g. records of presence on our premises;
- visual and video surveillance media, e.g. video surveillance on our premises for security purposes.
On the legal basis of your prior consent:
- certain cookie information, e.g. cookies and similar technologies on websites and in emails (see our Cookies policy).
4) For what purposes and on what legal bases do we process Personal Data?
Purposes for which we process Personal Data (the “Purposes”) may be based on the following principal legal bases, bearing in mind that they may also rely cumulatively on other mentioned legal bases.
We collect and process Personal Data as necessary for pre-contractual steps and performance of a contract to which you are a party and/or a Related Person is related, which encompasses the following Processing Operations:
- the opening and management of your and/or a Related Person’s account or Business Relationship with us, including all related operations for your identification
- any other related services provided by any service provider of the Controller(s) and Processors in connection with our Business Relationship;
- management, administration and distribution of investment funds, including any ancillary services related to these activities, or the processing of subscription, conversion and redemption requests in investment funds, as well as for maintaining the ongoing relationship with respect to holdings in such investment funds;
- management of requests for proposals and/or due diligence, the provision of services (including the invoicing and payment of fees) and management of the Business Relationship and related communication with you.
We also collect and process Personal Data relating to compliance with legal and regulatory obligations to which we are subject, including to:
- provide offering documentation to Data Subjects about products and services;
- comply with legal obligations relating to accounting, compliance with legislation on markets in financial instruments, outsourcing, foreign activity and qualified participation;
- conduct audits and/or regular reviews on you or your Related Person;
- carry out any other form of cooperation with, or reporting to, competent administrations, supervising authorities, law enforcement authorities and other public authorities [e.g. in the field of anti-money laundering and combating terrorism financing (AML-CTF)], for the prevention and detection of crime under tax law [e.g. reporting of name, address, date of birth, tax identification number (TIN), account number and account balance to tax authorities under the Common Reporting Standard (CRS) or Foreign Account Tax Compliance Act (FATCA) or other tax legislation to prevent tax evasion and fraud as applicable];
- prevent fraud, bribery, corruption and the provision of financial and other services to persons subject to economic or trade sanctions on an ongoing basis in accordance with our AML-CTF procedures, as well as to retain AML-CTF and other required records for screening purposes;
- deal with active intra-Group risk management pursuant to which risks in terms of markets, credit, default, processes, liquidity and image as well as operational and legal risks must be identified, limited and monitored;
- record conversations with Data Subjects on a cloud-based solution (such as telephone and electronic communications), in particular to document and verify instructions, detect potential or actual frauds and other offences.
Furthermore, we may process Personal Data in connection with legitimate interests (including those of other Group entities) we pursue so that we can:
- assess certain characteristics of the Data Subjects on the basis of personal data processed automatically (profiling) (see also Section 5 below);
- develop our Business Relationship with you;
- improve the quality of our services and our internal business organisation and operations, including for risk assessment and to take risk management-related business decisions;
- use this information in Pictet Group entities for market studies or advertising purposes, unless Data Subjects have objected to use of their personal data for marketing;
- communicate personal data to other Pictet Group entities, in particular to guarantee an efficient and harmonised service and inform Data Subjects about services offered by Pictet Group entities;
- establish, exercise and/or defend actual or potential legal claims, investigations or similar proceedings;
- record images (e.g. video surveillance) for ensuring the security of individuals, assets, property, buildings, as well as the Pictet Group’s critical infrastructure and IT systems.
If our Personal Data Processes presuppose that you give your prior consent to doing so, we will seek your consent in due time and you will have the right to withdraw your consent at any time by contacting your relationship manager or our Data Protection Officer (see Section 1 above).
The provision of personal data may be mandatory, e.g. with regard to our compliance with legal and regulatory obligations to which we are subject. Please be aware that failing to provide such information may preclude us from pursuing a Business Relationship with, and/or from rendering our services to, you.
5) Do we rely on profiling or automated decision-making?
We may assess certain characteristics of the Data Subjects on the basis of Personal Data processed automatically (profiling), in particular to provide Data Subjects with personalised offers and advice or information on our products and services or those of our affiliates and business partners. We may also use technologies that allow us to identify the level of risks linked to a Data Subject or to activity on an account.
We generally do not use automated decision-making in connection with our Business Relationship and/or Data Subjects. If we do so, however, we will comply with applicable legal and regulatory requirements.
6) What sources do we use to collect your Personal Data?
To achieve the Purposes, we collect or receive personal data:
- directly from the Data Subjects, e.g. when they contact us or through (pre)-contractual documentation sent directly to us; and/or
- indirectly from other external sources, including any publicly available sources [e.g. UN or EU sanctions lists, OFAC – Specially Designated Nationals (SND) lists], information available through subscription services (e.g. Bloomberg, World Compliance PEP list) or information provided by other third parties.
7) Do we share your Personal Data with third parties?
We reserve the right to disclose or make accessible the Personal Data to the following recipients, provided this is legally or otherwise authorised or required:
- public/governmental administrations, courts, competent authorities (e.g. financial supervisory authorities) or financial market actors (e.g. third-party or central depositaries, brokers, exchanges and registers);
- Pictet Group entities or third parties that may process Personal Data. In such cases, limited Personal Data may be used by the recipients independently for their own purposes in compliance with their applicable laws;
- auditors or legal advisors.
We undertake not to transfer personal data to any third parties other than those listed above, except as disclosed to Data Subjects from time to time or if required by applicable laws and regulations applicable to them or by any order from a court, governmental, supervisory or regulatory body, including tax authorities.
8) Are Personal Data transferred outside our jurisdiction of incorporation?
In the course of our Business Relationship, we may disclose, transfer and/or store Personal Data abroad (“International Transfer”): (i) in connection with the conclusion or performance of contracts directly or indirectly related to our Business Relationship, e.g. a contract with you or with third parties in your interest; or (ii) in exceptional cases duly provided for by applicable laws (e.g. disclosures of certain trades made on an exchange to international trade registers).
International Transfers may include the transfer to jurisdictions that: (i) ensure an adequate level of data protection for the rights and freedoms of Data Subjects as regards Processing; (ii) benefit from adequacy decisions as regards their level of data protection (e.g. adequacy decisions from the European Commission or the Swiss Federal Data Protection and Information Commissioner); or (iii) do not benefit from such adequacy decisions and do not offer an adequate level of data protection. In the latter case, we will ensure that appropriate safeguards are provided, e.g. by using standard contractual data protection clauses established by the European Commission.
9) What are your rights in connection with data protection?
Subject to the limitations set forth in this Privacy Notice and/or in applicable local data protection laws, you can exercise the rights below free of charge by contacting the Data Protection Officer (see Section 1 above):
- request access to, and receive a copy of, the Personal Data we hold;
- request rectification or erasure of the Personal Data that are inaccurate;
- request that Personal Data be erased when the Processing is no longer necessary for the Purposes, or is not or no longer lawful for other reasons, subject however to applicable retention periods (see Section 10 below);
- request a restriction of Processing of Personal Data where the accuracy of the Personal Data is contested, the Processing is unlawful, or if the Data Subjects have objected to the Processing;
- withdraw your consent at any time when the Personal Data Processing is based on your consent;
- object to the Processing of Personal Data, in which case we will no longer process the Personal Data unless an exception applies;
- receive the Personal Data in structured, commonly used and machine-readable format (data portability right);
- obtain a copy of, or access to, the appropriate or suitable safeguards which we may have implemented for transferring the Personal Data abroad;
- complain to our Data Protection Officer (see Section 1 above) about the Processing of Personal Data and, failing any satisfactory resolution of the matter, file a complaint about the Processing of Personal Data with the relevant data protection supervisory authority.
If a Data Subject objects to the Processing of Personal Data, we are nevertheless allowed to continue with the Processing if it is: (i) legally mandatory; (ii) necessary for the performance of a contract to which the Data Subject is a party; or (iii) necessary for the purposes of the legitimate interests we pursue, including the establishment, exercise or defence of legal claims. We will not, however, use the Data Subject’s Personal Data for direct marketing purposes if the Data Subject asks us not to do so.
10) How long are your Personal Data kept or stored?
In principle, we retain Personal Data for as long as we need to do so to achieve the Purposes. We will delete or anonymise Personal Data (or equivalent) once they are no longer necessary to achieve the Purposes, subject however: (i) to any applicable legal or regulatory requirements to store Personal Data for a longer period; or (ii) to establishing, exercising and/or defending actual or potential legal claims, investigations or similar proceedings, including legal holds. We may enforce any or all of the above mentioned under points (i) and (ii) to preserve relevant information.
Status as at November 2022