Privacy Policy

The following information is intended to give you an overview of the processing of your Personal Data by Cornèr and your rights under data protection law. Specifically, which information is processed and how it is used, depends significantly on the services requested and/or agreed on and on the way you interact with us.

Please note, in particular, that Cornèr provides both banking services (e.g., payment transactions, retail and private banking, mortgages as well as online trading via Cornèrtrader) and payment card services (Cornèrcard), and that your information may be processed differently according to the service obtained. Additional information and legally binding data protection provisions may also be found in the General Terms and Conditions for the relevant product.

The provision of financial services implicates the involvement of a number of third parties which offer their services on their own without our influence (e.g. providers of financial messaging services, stock exchanges, payment card schemes). Regarding services provided by such third parties we recommend to read their relevant statutory provisions and privacy policies.

2.1 In general

We process Personal Data that we obtain from you, e.g. in the course of our business relationship. To the extent necessary to provide our services, we also process Personal Data lawfully obtained from publicly available sources (e.g., debtors lists, land registers, commercial registers, newspapers, Internet) or information transmitted to us by authorized third parties (e.g., credit reference or business information agencies).

This Privacy Policy also applies to persons who have no contractual relationship with Cornèr but whose information is processed by Cornèr for other reasons (e.g., persons who write or otherwise contact us; visitors of our websites; recipients of information and marketing communications; contact persons of our suppliers; purchasers and other business partners; participants in competitions, contests and customer events; visitors of our premises).

2.2 In connection with the offering of our services and products

In the context of our business activity, depending on the concrete relationship with you, we process following Personal Data:

• personal identification information, such as first and last names, date and place of birth, nationality, domicile; contact details, such as telephone number, postal address and e-mail-address; information about your family (e.g. marital status, name of your partner or children); this information may be collected also with respect to prospective clients;
• professional information about you, if applicable, e.g., job title and professional experience; this information may be collected also with respect to prospective clients;
• customer identification documents (including a copy of the identity card or passport), authentication data (e.g., specimen signature) and details on the grant of power-of-attorney, where applicable;
• your tax domicile and other tax-relevant information and documents;
• identifiers that we assign to you, such as your customer or account number, your credit card number or other internal identification numbers;
• financial data that you share with Cornèr or collected by Cornèr itself (data on customers, bank accounts and payment cards) during the application process for the requested service or the effective period of a contractual relationship (e.g., in connection with issuing account or assets statements, in case of asset management and transfer, investment advisory, granting of loans, refunds or collection of outstanding claims or when handling insurance claims);
• financial information and financial background, including an overview of payments and transactions and information about your assets (including real estate), financial reports, liabilities, taxes, earnings, capital gains and investments (including your investment objectives), along with information about your financial situation (e.g., credit standing, scoring/rating information, origin of assets) and about your knowledge concerning financial products, your level of investment expertise and experience;
• order data (e.g., payment orders) and transaction data. With respect to payment cards, transaction data (details of purchases and cash withdrawals) may also include, for example, the point of acceptance; the amount of the transaction; the date and time of the transaction; the mode of use of the card (e.g., online, contactless); the number of failed attempts to enter the PIN; the selected currency. More detailed information will be collected only in certain transactions. In such cases, however, Cornèr will generally be unable to identify what was actually purchased;
• Information in connection with clients' risk assessments such as client due diligence data (including periodic review results), client risk profiles, data to assess suitability/appropriateness, client qualification data (e.g. status as qualified investor), screening alerts (transaction screening, name screening), tax data or complaint information;
• Information on the products and services you use as well as information arising from the performance of our contractual obligations (e.g., volumes of payment transactions, performance of a portfolio managed as part of an asset management contract or within the scope of an advisory mandate, execution of transactions with securities, foreign exchange and CFD transactions using Cornèrtrader);
• any records of phone and video calls between you and Cornèr (including phone log information such as your phone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information, and types of calls) as well as any video-records of our surveillance systems on occasion of your physical visit to our premises or ATM;
• When you access our websites, our online offers or our apps, we also collect and store information about you use of the website, platform or apps (usually, data related to your activity during your visit, date and time of the access, accessed file, transmitted data volume, performance of the access, information about your device and your web browser, browser language and requesting domain, IP address, information that you have voluntarily provided). The information processed depends on the relevant product and feature, on the website you are accessing as well as on your choices in the relevant cookie management banner available on the website. For further information, please refer to the Cookie Policy published on the relevant website.
• More in general, we collect details of our interactions with you and the products and services you use, including electronic interactions across various channels such as e-mails and mobile applications.

If necessary in connection with the products and services that we are preparing or providing to you, we may also collect information about additional cardholders or account holders, business partners, dependent persons or family members, representatives and authorized signatories. If you are a legal entity, we may collect information about your directors, employees, shareholders or beneficial owners. You should give such persons a copy of this Privacy Policy before providing us with information concerning them.

2.3 Special categories of Personal Data (including biometric data)

In some cases, to the extent permitted by the applicable law, we collect special categories of Personal Data, such as your biometric data, health information, political opinions or affiliations, racial or ethnic origin, religious or philosophical beliefs, information relating to criminal convictions or offences.

With respect to biometric data, please note that the identification and authentication procedure for the use of payment solutions linked to our payment cards (e.g. the services of Wallet Service Providers such as Apple Pay, Samsung Pay) as well as for the access to Cornèr's applications on your devices (e.g. Apps on your smartphone) may be performed using biometric identification systems such as fingerprints, face ID, voice recognition, etc. Please be aware that such biometric identification procedures are managed by the relevant service provider and/or operator of the operating system without any influence of Cornèr. Any biometric data used for such identification and authentication procedures are stored on your device only. Cornèr has no access to your biometric data. We therefore recommend to you to read the privacy policy of the relevant service provider or operator.

2.4 Source of the Personal Data

The Personal Data mentioned above are mainly provided by the persons interacting with us. The customers may provide their Personal Data to us in the context of applications for obtaining our services of products, by participating in the loyalty or bonus programs of Cornèr (or associated partners), by participating to events, competitions organized by us, by using our websites, online tools or our mobile Apps, by contacting us by mail, e-mail, phone or other electronic channels, etc.

We may also collect the Personal Data mentioned above from third parties, to extent permitted by law, e.g., intermediate banks, the Central Office for Credit Information (ZEK) or the Consumer Credit Information Office (IKO), government agencies, credit reference agencies, employers, other Cornèr Group companies, publicly available databases or registers such as local.ch or the commercial register, etc.

We always process personal data for a specific purpose and only to the extent necessary to achieve that purpose. The main purposes of such data processing are as follows:

3.1 Purposes of processing

a. Negotiations of contracts and client onboarding:

• ­this includes verification of your identity and evaluation of your application (including assessment of your credit standing and of the need for any collaterals if you apply for a loan), and
• running of checks on compliance with statutory or regulatory requirements (e.g., compliance with anti-money-laundering and anti-fraud laws and regulations);

b. Performance of the contract, including provision of banking products and services

• ­Data processing for the purpose of the management of our relationship with you, e.g., concerning the products and services provided by us and by our business partners, to handle customer service issues and complaints, to facilitate debt collection, in deciding whether or not to grant a loan, to clarify your place of residence (for example, if we can no longer reach you);
• Data processing to provide banking products and services (including Cornèrtrader) and to ensure their correct performance, e.g., through proper identity checks and by making account deposits and withdrawals in accordance with your instructions and with the terms and conditions of the relevant product. The purposes of the data processing primarily depend on the specific order. They may include demand analysis, advising, asset management, as well as the performance of transactions. To measure credit risks and risks of default in lending transactions (e.g. mortgage underwriting, trade finance), we may also consult with credit information agencies and share information with them (e.g., debt collection register);
• In connection with payment cards we process the collected data to perform the card agreement and manage the relationship. Please note the following in this regard:
  • Regarding the use of the card, the transaction information is transmitted by the points of acceptance (merchants or ATMs) to Cornèr. Such transmission generally takes place over the global networks of the international card organisations Mastercard, Visa and Diners (please refer to the privacy policies of the relevant card organisations). We subsequently check, authorize and bill the transactions to the cardholder.
  • Regarding the authorization of transactions, Cornèr checks whether a transaction is performed by the authorized cardholder or whether it might be a fraudulent transaction. Cornèr may take various fraud prevention measures at its discretion. Each transaction is automatically compared with predetermined sets of rules and conditions in order to detect signs of possible misuse. In addition, when possible, transactions are checked for significant deviations from the usual patterns of card use (e.g., in terms of time or place). If Cornèr obtains indications of possible card misuse, Cornèr, when possible, takes action to prevent such abuse (e.g., by contacting the cardholder or by denying authorization for a transaction).
  • Moreover, the cardholder's data are processed in the transaction complaint and chargeback process, e.g., in order to clarify unknown transactions or in case of unjustified debits. In that process, transactions are verified in detail. Data is also collected and processed for the settlement of insurance claims, in order to clarify the claims in cooperation with our insurance partner.
  • If payment cards are marketed by Cornèr's partner companies as private cards to consumers or as corporate cards to the corresponding companies and their own clients, information about the cardholder's use of the payment card (e.g., transaction data) is forwarded to the corresponding partner companies.
• We process personal data in order to send information related to the services or products subscribed by the clients (e.g. about amendments to the services or products, about new features, about maintenance works, about temporary unavailability, etc.).

c. Fulfillment of compliance, risk management and crime prevention requirements

• ­We process data in order to fulfill our ongoing regulatory and compliance obligations (e.g., financial, anti-money-laundering and tax laws), including in connection with the recording and monitoring of communications, the disclosure of data to tax authorities, financial regulatory authorities and other supervisory and/or national authorities, for crime detection or prevention, for compliance with disclosure requests of authorities;
• We process data to meet operational requirements for credit and risk management, e.g. in order to identify credit and market risks associated with issuing payment cards or loans. This data processing is necessary, in particular, because Cornèr assumes the credit risk in the context of the payment card or lending relationship. In this respect, Cornèr draws up individual risk profiles, which are used to assess credit risk, among other things. You are not entitled to oppose to our data processing for risk purposes, because Cornèr needs it in order to calculate and control its financial risk. The only way to oppose to such data processing is by terminating the contractual relationship with us.
• Measures to prevent and investigate crimes and to ensure the safety of our customers, employees and other third parties; in the context of the payment cards we process data, including monitoring of transactions data, for fraud prevention purposes.
  
  

d. Managing the relationship with our business partners, including fulfillment of the agreements entered into with them

• ­We work together with various companies and business partners, e.g., with suppliers, with commercial purchasers of goods and services, with joint venture partners and with service providers (e.g., IT-service providers). In so doing, we process personal data concerning the contact persons in those companies (e.g., names, position, title and communications with us), for contract preparation and performance, for planning and bookkeeping purposes and other contract-related purposes.
• Depending on the field of business, we may also be required to run more detailed checks on the relevant companies and their employees, e.g., through a security check. In that case, we collect and process further information.
  
  

e. Measures to improve our products and services and the technologies we use

• ­including verification and updates of our systems and processes, and for market research purposes, in order to find out how we can improve our existing products and services or what other products and services we might sell;
• To perform transaction analyses and statistical analyses and similar analyses;
• We may also process personal data to improve customer guidance, customer satisfaction and customer loyalty (Customer/Supplier Relationship Management);

f. Information and direct marketing / customer events and competitions

• ­We process personal data in order to send out information and advertisements (including through push notifications) concerning products and services which, in our opinion, may be of interest to you, including the products and services sold by us, by the Cornèr Group companies or by our business partners. For example, when you sign up for a newsletter or SMS notification service, we process your contact data; in the case of e-mails, we also process information about your use of the messages (e.g., whether you opened an e-mail and downloaded the embedded images), so that we can tailor our offers to you and generally improve them.
• In connection with its products, Cornèr may create customer, consumption and preference profiles from personal and transaction data collected for marketing purposes, which enable Cornèr to develop and offer attractive products and services to customers. Cornèr may send customers such information about its own products and services or those of its partners via the available communication channels (e.g., by post, e-mail, push notifications).
• Customer events: We also process personal data when we hold customer events (e.g., advertising events, sponsoring events, cultural and sports events). Such data may include the first and last names of the participants and/or prospective customers, their postal and/or e-mail address and possibly other information, such as their date of birth, depending on the circumstances. We process such information in order to carry out the customer events but also in order to make direct contact with you. For further information, see the relevant terms and conditions of participation.
• Competitions, contests and similar events: We occasionally organize competitions, contests and similar events. In so doing, we process your contact data and information about your participation in order to carry out the competitions and contests, and if necessary in order to communicate with you about such events and for advertising purposes. For further information, see the relevant terms and conditions of participation.

You can opt out of being sent information (block on advertising) or generally revoke any prior consent you may have given to data processing for marketing purposes by sending Cornèr a written request to that purpose, including by e-mail (see information below on the right to object).

g. Other purposes, for example

• ­Law enforcement: We process personal data in various situations in order to enforce our rights, e.g., in order to enforce our claims in or out of court and to enforce or defend ourselves against claims before foreign or domestic authorities. For instance, we may inquire into the chances of success in litigation or file documents with an authority. In so doing, we may process your personal data or forward it to third parties in Switzerland and abroad, to the extent necessary and permissible; this includes also debt collection procedure in Switzerland or abroad (for this purpose we may engage third parties, such as debt collection companies);
• Measures to secure the property owner's rights, including facility and building security measures (e.g., access control). This includes video-surveillance in appropriately labelled areas in order to protect the property owner's rights, to collect evidence in case of robbery or fraud, or to have proof of deposits and withdrawals (e.g., at ATMs);
• Ensuring IT security and IT operations of Cornèr (including processing of personal data in test environments, where the information is generally pseudonymized in advance);
• For the operational business management of Cornèr and its affiliated companies ("Cornèr Group") (including credit and risk management, insurance, auditing, system and product training and similar administrative purposes);

as well as for other purposes of which you will be informed on a case-by-case basis.

3.2 Basis of processing

Much of the aforementioned processing is performed to fulfil contractual obligations or for pre-contractual measures at your request (items a), b), d)).

Other processing is performed when required by law or in the public interest (items a), c)). For instance, such legal obligations may arise from the Swiss Banking Act, the Collective Investment Schemes Act, the Anti-Money Laundering Act, the Consumer Credit Act, the Mortgage Bond Act, as well as various tax laws and FINMA regulatory ordinances.

Finally, some forms of data processing are intended to protect our legitimate interests or those of third parties in the context of a weighing of interests (items e), f), g), h)). If you would like further details about the weighing of interests, please contact us (contact details in section 12).

In specific cases, we will rely on your explicit or implicit consent for personal data processing for certain purposes. Such consent can be revoked at any time.

3.3 Obligation to supply information

In the course of our business relationship, you must supply such of your personal information as we need to initiate and conduct our business relationship and to perform the related contractual obligations and such information as we are required to collect by law. Without such data, we will not generally be able to enter into or perform the contract (in which case, we will inform you of that fact).

In particular, before we can start a business relationship with you, the anti-money laundering laws require us to check your identity by means of your identification documents and to collect and record your first and last names, place and date of birth, nationality, address and the identification document data. To enable us to meet that legal obligation, you need to provide us with the information and documents required by the Anti-Money Laundering Act, and to promptly report any relevant changes over the course of our business relationship. If you fail to provide us with the necessary information and documents we will be unable to initiate or continue our business relationship.

4.1 Within the Cornèr Group

Within Cornèr, your data is made available strictly on a need-to-know basis for the performance of our contractual and statutory obligations.

We may transfer personal data to other Cornèr Group companies for intra-Group management purposes (including for risk management pursuant to statutory or administrative obligations) and for the processing purposes listed above. In so doing, your personal data may be processed and linked with personal data from other Cornèr Group companies for the relevant purposes.

4.2 Third parties

When we provide you with products and services, we give personal data to individuals who are acting on your behalf or otherwise participating in the transaction (depending on the type of products or services you make use of), including the following types of companies described below, where applicable.

Other lending and financial services institutions or similar establishments, with which we share your personal data (for instance, depending on the contract, correspondent banks, custodian banks, external asset managers, fund managers, brokers, securities exchanges, Central Counterparty Clearing Houses (CCP's), upstream paying agents, registers of swaps or transactions as well as clearing houses and clearing or settlement systems as well as specialized payment providers or payment institutions, such as SWIFT);

Parties who participate in a transaction (e.g., payees, beneficiaries, authorized signatories on an account, intermediaries) or assume a risk in the course of or in connection with the transaction (e.g., an insurer);

If you have a payment card with us, the relevant card organisation (Visa, MasterCard, Diners Club) and the acquiring companies that have agreements with individual merchants for purposes of acceptance of those cards;

Other financial institutions, credit or business rating agencies (for the purpose of procuring or distributing credit reference information and credit checks).

4.3 Service providers

Your data may also be received for the above-mentioned purposes by the service providers or subcontractors we hire if they enter into appropriate confidentiality agreements. Such businesses include providers of banking services (incl. investment services), IT services (including hosting service providers as well as providers of cloud services), logistics, printing, telecommunications, debt collection (this includes the engagement of debt collection companies domiciled in Switzerland or abroad), payment transactions, credit rating agencies, advice and consulting, as well as sales and marketing. In such situations, we protect your personal data in such a way as to ensure that the subcontractor complies with our data security standards.

4.4 Government authorities or regulatory authorities

If necessary, we also disclose personal data to government authorities, regulatory authorities or government agencies (e.g., Swiss National Bank, FINMA, criminal prosecution authorities), including when so required by laws or regulations or other rules of conduct, or when disclosure is demanded by such authorities or agencies.

4.5 Other cases

In the case of a sale of all or part of our business to another company or in case of the restructuring of our business, personal data will be shared to make it possible for you to continue using the relevant products and services. We usually give personal data to potential purchasers, too, if we are considering a full or partial sale or full or partial spin-off of a business unit. We take precautions to ensure that such potential purchasers will see to the security of the data.

We shall disclose personal data to the extent necessary for the exercise or enforcement of legal rights, including the rights of ourselves and of our employees and other rights-holders, or to the extent necessary in responding to inquiries by individuals or their representatives who wish to enforce their own rights or those of others.

The recipients mentioned in the previous section may process the Personal Data in foreign countries. We transfer your Personal Data abroad to countries whose legislation is considered to provide an adequate level of data protection (in particular the EEA-countries) or in the absence of such legislation that guarantees adequate protection, based on appropriate safeguards (e.g., standard contractual clauses adopted by the European Commission or another statutory exemption) or on your consent. If and to the extent required by applicable law, such safeguards - in particular, standard contractual clauses adopted by the European Commission - may be supplemented by appropriate legal, operational and technical measure. Please contact us if you would like to examine the data transmission guarantees that have been agreed upon.

Your data may also be transmitted to or within third countries to the extent necessary to carry out your orders (e.g., in the case of payment orders and securities trading orders), if such data transmission is required by law (e.g., tax reporting obligations) or if you have expressed your consent to that purpose.

Below you can find the list of countries we may transmit your data to:

• EEA countries
• USA
• Israel
• Brasil

We store your personal data as necessary for the purpose for which we collected them or to comply with legal or regulatory requirements, which may also be concretized in our internal policies.

In the case of contracts, we store your personal data for at least the duration of our contractual relationship. In this respect, please note that our business relationship is set up to last for years as a long-term contractual relationship.

Moreover, we store personal data whenever we have a legitimate interest in such storage. Such may be the case, in particular, when we need personal data in order to enforce or defend against claims, for archiving purposes, to ensure IT security or as long as the limitation period on contractual or extracontractual claims is still running. For example, 10-year limitation periods are commonly applicable, but there also many cases of 5-year or even 1-year limitation periods.

Furthermore, we store your personal data for the applicable statutory retention period (e.g., compliance with retention periods under tax or commercial law or compliance with the 10-year retention period required by anti-money laundering legislation). Please note that we are also required by financial regulation provisions to record external and internal telephone calls as well as electronic correspondence of certain bank employees.

If applicable, we will ask you for your consent if we wish to store your personal data longer.

Upon expiry of such periods, we delete or anonymize your personal data.

Every data subject has the right to be informed about his or her personal data, the right to obtain its correction or deletion and to limit and/or object to its processing, and - to the extent applicable - the right to obtain a transfer of such data. Moreover, to the extent it applies to you, there is a right to complain to an appropriate data protection supervisory authority.

You may revoke your consent to personal data processing at any time. Please note that any such revocation will only be applicable to the future. Any processing performed before the revocation will not be affected. Such revocation may result in the termination of the business relationship with you.

To exercise your rights, use the contact data provided in section 12.

Please help us to keep your Personal Data accurate and up to date: if your Personal Data changes you are kindly required to inform us of the change as soon as possible.

Furthermore, please be aware that your rights to access, withdrawal or objection are not absolute, since under certain circumstances they do not apply or they may be subject to exceptions. We shall comply with your requests as required under applicable data protection rules. Moreover, when you exercise your rights, we may first require you to provide evidence about your identity. We may also ask you to provide additional information in the event that your request is unclear. If we are not in the position to comply with your request, we will provide you with an explanation.

We do not generally use any fully automated decision-making system to initiate and to continue the business relationship. If we use such methods in specific cases, we shall inform you of it separately, to the extent required by law.

In some cases, we process your data automatically in order to evaluate certain personal aspects (profiling). We use profiling in the following cases, for example:

• ­We are required by laws and regulations to combat money-laundering, terrorist financing and economic crimes. We analyse data (e.g., in payment transactions) to that purpose, too. Moreover, we may profile the clients in order to comply with the regulatory and contractual requirements (e.g. determination of the customer investment profile in the areas of private banking and on-line trading). Such measures also help protect you.

• We use scoring in the assessment of your creditworthiness. This involves calculating the probability that a customer will not be able to meet his payment obligations according to the contract. For example, the calculation may include the earnings situation, expenditures, existing liabilities, occupation, employer, duration of employment, experiences from our past business relationship, repayment of loans according to the contract, as well as information from credit reference agencies. Scoring is based on a mathematical and statistically recognized and validated method. The scores calculated help us to decide whether or not to enter into agreements for certain products and are included in ongoing risk management (i.e., they are also used over the course of our business relationship with you).

• In order to inform and advise you about products in a manner tailored to your needs, we use analytics tools, which enable needs-based communication and advertising, including market and opinion research. In this context we may create profiles, e.g., by analysing which types of our products and services you use, how you wish to be contacted, etc.

Cornèr takes suitable technical measures (e.g., encryption, pseudonymization, logging, access control, data backups, etc.) and organizational measures (e.g., instructions to our employees, confidentiality agreements, reviews, etc.) to ensure the security of the information collected and processed against unauthorized access, misuse, loss, falsification and destruction. Access to your personal data is allowed on a strictly need-to-know basis.

Nevertheless, it is generally impossible to rule out security risks completely: certain residual risks are mostly unavoidable. In particular, since perfect data security cannot be guaranteed for communications by e-mail, Instant Messaging or similar means of communication, we advise you to send confidential information by especially secure means (e.g., send it by post).

11.1 Right to object to the processing of your data for direct advertising purposes

In certain cases, we process your personal data in order to perform direct advertising. You have the right to submit an objection, at any time, to the processing of your personal data for purposes of such advertising; and the same is true of such profiling as is used in direct connection with such direct advertising.

If you object to such processing for direct advertising purposes, then we shall no longer process your personal data for such purposes.

11.2 Case-specific right to object

You have the right to object, at any time, to such processing of your personal data as is performed in the public interest or on the basis of a weighing of interests.

If you submit such an objection, we shall no longer process your personal data unless we have legally protected reasons for such processing that outweigh your own interests, rights and freedoms, or unless the processing is used for the enforcement, exercise or defense of legal claims. Please note that if you make such objections, we will no longer be able to provide you with services or to maintain a business relationship with you.

Your objection, which is not subject to any conditions as to form, should be addressed whenever possible to:

Cornèr Banca SA, via Canova 16, 6900 Lugano
E-mail: dataprotection@corner.ch and dataprotection@cornercard.ch

If you make use of more than one Cornèr product or service (e.g., a bank account, payment card, Cornèrtrader account, etc.), please specify, in exercising your right to object, which types of processing you object to. If there are uncertainties concerning the scope of your objection, we shall take the liberty of contacting you to clarify the matter.

Cornèr Banca SA, via Canova 16, 6900 Lugano
E-mail: dataprotection@corner.ch and dataprotection@cornercard.ch

If you prefer a contact in the European Union, you may write to the following e-mail address: EUrepresentative@corner.com

This Policy was updated in October 2022. We reserve the right to amend it from time to time. Any amendment or update to this Policy we will make available to you here. Please regularly visit the Cornèr website to be informed about the current version and to the privacy terms applicable to your Personal Data.