Privacy Policy of CembraPay AG
1 What is this Privacy Policy about?
The protection of your personal data and fair and transparent data processing are important to us. Therefore, we would like to inform you about our data processing and provide you with the information you need to exercise your rights.
Further information can be found in the respective product and service-specific terms and condi- tions, on our website, in loyalty and added-value program conditions of our cooperation partners (see list section 6 below) and, if appicable, in further applicable privacy policies.
2 Who are we?
The following company (“we”, “us” or “Cembra”) is responsible for data processing according to this Privacy Policy:
CembraPayAG
Bändliweg 20
8048 Zurich
Switzerland
Our Data Protection Officer will be happy to answer any questions and concerns you may have in connection with our data protection practices.
Cembra Money Bank AG
Data Potection Officer
Bändliweg 20
8048 Zurich
Switzerland
3 When, for whom and for what is this Privacy Policy intended?
This Privacy Policy applies to any processing of personal data in connection with all of our busi- ness activities in all our business areas. It is applicable to the processing of both existing and future personal data.
4 What personal data do we process for which purposes, from which sources and on which legal basis?
The personal data we process originate, on the one hand, from you as existing or future cus- tomers and, on the other hand, from publicly accessible sources (e.g., the media or Internet), from Cembra Group companies, from government agencies bodies (e.g., residents’ registration authorities, the land registry, the commercial registry or debt collection offices) and from third parties (e.g., external credit assessors, the Central Credit Information Office [ZEK] or the Consu- mer Credit Information Office [IKO] and other information offices).
Depending on the occasion and purpose, we process different personal data, e.g., personal de- tails (name, address and other contact data, date and place of birth as well as nationality), iden- tification data (e.g., identity document data), authentication data (e.g., signature samples, patterns of behaviour and movement) and terminal device and access data (e.g. details of the device manufacturer and type, operating system, device ID and IP address, access code storage of the user name or login keys or use of other login functions (e.g. Face or Touch ID)). In addition, this may include instruction, transaction and risk management data (e.g., payment transaction data, data from the advisory and data from processing of contractual relationships), information about your financial situation (e.g., informa- tion on income and assets, creditworthiness, scoring/rating data [see explanation in section 4 b below], information on the origin of assets, current or completed loan agreements), tax-relevant information (information on where you are registered for tax purposes and any other relevant documents and information) as well as contractual and documentation data (e.g., information on the account, custody account, concluded transaction or about third parties such as civil partners, Number and year of birth of the children or authorised representatives, consultation minutes and discussion minutes).
Particularly sensitive personal data are data that enjoy special protection (e.g., information on ethnic origin, political opinion, religious and ideological beliefs, genetic and biometric data, health data or information on criminal convictions). Such data will only be processed with your consent or based on a legal foundation.
Please note that consent to processing of personal data not requiring special protection – should it be required – are usually given on other grounds, depending on the particular case, e.g., to comply with the provisions on banking secrecy. Such consent does not change anything about the fact that when processing personal data not requiring special protection, we do not rely on consent, but on the legal foundations mentioned below.
Among other things, we process personal data in the following situations for the following pur- poses and on the legal foundations mentioned below. Data processing may also be based on several legal foundations.
a. For the conclusion, execution and enforcement of agreements
The processing of personal data occurs to provide banking and financial services in the context of concluding, executing and enforcing the agreements with our customers or to implement precontractual measures that occur on pursuant to a request of yours. The purpose of data processing depends primarily on the specific product and, among other things, may include opening, managing and closing accounts, analysing your needs, advice and support as well as the execution of transactions. Further details on the purpose of the data processing can be found in the respective contractual documents, terms and conditions and, if applicable, other documents made available to you.
Please note that certain of our service providers (e.g. Intrum AG, LexisNexis GmbH) process personal data for specific services and purposes under their own responsibility. In this respect, their data protection policies apply (see also section 6).
b. In the context of a balance of interests
In addition, we also process your data to protect our legitimate interests, provided that they are not outweighed by your interests. The following is a non-exhaustive list of processing purposes that represent legitimate interests:
• Analysis, monitoring and control of the credit risk (scoring);
• Fraud prevention;
• Advertising measures, market research, marketing evaluations, preparation and offering of customized services (e.g., direct marketing, print and online advertising, customer, interest- ed party or cultural events, sponsoring, competitions, determining customer satisfaction, assessment of future customer needs or behavior or evaluation of customer, market or prod- uct potential) for our own offers and for offers of Cembra Group companies and cooperation partners and delivery of these offers to your postal, e-mail or telephone address (e.g., via SMS), in eService or a mobile app, provided you have not objected to the use of your data and make use of corresponding services;
• Processing of data for loyalty and added value programs of cooperation partners and forwar- ding of selected data required for the operation and improvement of loyalty and added value programs. Apart from customer, status, control and card data of customers, this can also be cumulative turnover figures for individual or all merchants. Transaction details are not forwarded in this connection. Additional information on the loyalty and added value program can be found in the terms and conditions of the relevant products. The cooperation partners use these data for their own purposes and in their own responsibility and in accordance with their own data protection regulations (in this context, their data protection policies must also be observed);
• Visiting websites, use of Cembra eService: When you visit our website or install and use one of our mobile apps, depending on the offer and functionality, we process information such as log data, in the case of websites for instance information about the time of the access to our website, duration of the visit and pages retrieved. We use these data for IT security purposes, but also to improve the user-friendliness of the website and its functions and to personalize the offer. For these purposes, we also use analysis services, such as Google Analytics. Detailed information on the use of the website used is collected in this connection. For these purposes, we can use for example “cookies” and similar technologies. Cookies are small files stored on your terminal when you visit our website. Further information can be found on our website under Cookies (as well as Cookie Banner and Policy) and in the product-specific contractual and, if applicable, data protection provisions;
• Protection of rights, e.g., to enforce claims in court, prior to litigation and out of court and before domestic and foreign authorities or to defend ourselves against claims. We can have the chances of success clarified by third parties in this connection or submit documents to authorities. Authorities may also request that we disclose documents containing personal data;
• Ensuring IT security and IT operations of Cembra;
• Prevention and investigation of criminal offences;
• Contact inquiries on your part to our customer service;
• Telephone discussions may be recorded, for example, for quality checks and training purposes; in individual cases they can serve to preserve evidence;
• Measures for the building and system security (e.g., access controls and video surveillance);
• Corporate transactions: We can also process personal data to prepare and process company takeovers and sales and the acquisition or sale of assets, such as receivables or real estate and similar transactions;
• Evaluation, planning, statistics, product developments and business decisions (e. g., improve- ment and review of existing products, new products and services, procedures, technologies, systems, yields, capacity utilization figures).
c. Due to legal requirements or in the public interest
We process your personal data to meet our regulatory, supervisory and statutory obligations to clarify, inform and report (e.g., in the case of disclosure orders or instruction by the Swiss Finan- cial Market Supervisory Authority [FINMA], as part of the automatic exchange of information with foreign tax authorities or in connection with combating money laundering and the financing of terrorism).
5 Do you have an obligation to provide personal data?
Usually, you are not obliged to provide us with personal data. However, we are not able to enter into a contractual relationship with you if you do not provide us with the personal data required for a business relationship and the fulfillment of contractual obligations or which we are legally obliged to collect (e.g., information required for identification, such as name, place and date of birth, nationality, address and identification document data).
6 With whom do we share your personal data?
Within Cembra, those departments, employees and other bodies have access to your personal data which require such access in order to perform their tasks. In addition, we may outsource individual or entire business areas and services to Cembra Group companies and to third parties in Switzerland and abroad, assign claims and rights and enter into cooperations with partners. If necessary, your personal data will be forwarded to these recipients. We ensure that the data pro- tection and banking secrecy laws are adhered to by such third parties by diligent selection of such processors and the conclusion of adequate contracts.
In particular, this involves services and cooperation in the following areas:
• IT services, e.g., services in the areas of data storage (hosting), cloud services, mailing of advertising material, data analysis, etc.;
• credit checks;
• fraud prevention;
• authorisation of transactions;
• creditworthiness assessing, address information and debt collection, e.g., if claims are not paid timely (e.g., Intrum, CRIF, Teledata);
• advisory services, e.g., services of tax advisors, lawyers, business consultants, employee recruitment advisors;
• administration of contractual relationships including debt enforcement, e.g., application and contract processing, invoicing and processing of direct debits, enforcement of due claims;
• document and card production;
• compliance and data management;
• cooperation with partners, e.g., IKEA, Conforama Suisse Holding SA, Touring Club Schweiz, FNAC, Intrum AG, LexisNexis GmbH;
• cooperation with insurance partners, e.g., AXA Versicherungen AG or Generali Personenversi- cherungen AG, and
• cooperation with brokers, such as agents and garages.
We can also forward your personal data for business purposes (e.g., for credit risk, fraud preven- tion and marketing purposes) to recipients within the Cembra Group for their own purposes. As a result, your personal data can also be processed and linked for the respective purpose together with personal data that comes from another Cembra Group company. You can find a current list of our Group companies at www.cembra.ch/group.
Forwarding of personal data is possible also in other cases. We can disclose your personal data to third parties if it is in our legitimate interest or you have authorised us to do so and are even obliged to do so if this is legally required (normally, to authorities).
7 When do we transfer personal data abroad?
We can outsource our services abroad (see preceding section). Personal data can also be transmit- ted abroad during the execution of agreements or transactions, e.g., during the implementation of payment orders or the handling of payments. The recipients of your personal data may be abroad – and also outside the European Union (“EU”) or the European Economic Area (“EEA”, this includes the Principality of Liechtenstein, for example). The relevant countries may not have laws that protect your personal data to the same extent as in Switzerland or in the EU or EEA. If we transmit your personal data to such a third country, we shall secure the protection of your personal data in an appropriate manner. This may include the conclusion of data adequate processing agreements with the recipients of your personal data in such countries. Adequate agreements may include ones which have been approved, set up or recognised by the European Commission and Federal Data Protection and Information Commissioner (FDPIC). Transmission is also permitted to recipi- ents (see also Trans-Atlantic Data Privacy Framework) who have confirmed to observe high data protection standards.
8 Does profiling take place and do we perform automated decisions?
We can process your personal data to create profiles, e.g., for analysing, evaluating and decision- making. Such processing can be performed by us and our Group companies for fraud prevention (e.g., in credit card payments) and for risk management purposes. Moreover, we use profiles to enable us to provide you with individual advice and personalized offers. You can object to the processing of your data for advertising purposes at any time (cf. section 11).
We may make automated decisions on a case-by-case basis for the conclusion or fulfilment of a contractual relationship. If these decisions lead to negative legal consequences or significant impairments, you have the right to request that the decision be reviewed by a natural person.
9 How do we protect your personal data?
We apply appropriate technical and organisational security measures in order to ensure the securi- ty of your personal data, e.g., to protect you against unauthorised or unlawful processing and the risk of loss and to prevent any unintentional change, undesired disclosure or unauthorised access.
10 How long do we store your personal data?
We store your personal data for as long as is necessary for the purpose for which we collected it. Furthermore, we may also store your personal data for longer for statutory retention requirement. For example, a ten-year retention period after termination of the contract or cancellation of the account applies for most documents. In addition, we store your personal data if we have a legitimate interest in the storage, e.g., if limitation periods are running, if we need personal data to enforce or defend against claims and for archiving purposes. As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised.
11 What rights do you have?
Each person affected has particular rights pursuant to the data protection law applicable to them, especially the following rights:
• the right to information;
• the right to rectification;
• the right to deletion;
• the right to restriction of processing;
• the right to object to the further processing of your personal data and
• the right to transfer of particular personal data.
In addition, you have the right to file an objection to the data protection authority, in Switzerland to the Federal Data Protection and Information Commissioner (FDPIC).
You can revoke your consent for the processing of personal data at any time. Please bear in mind such revocation of consent will only have effect for the future. Data processing that occurred befo- re the revocation remains unaffected.
Consent obtained for other reasons, e.g., on account of provisions on bank-client confidentiality pursuant to the Federal Act on Banks and Savings Banks (BankA), remains unaffected.
Moreover, you can object to the processing of your personal data for the purpose of advertising at any time by notifying us.
12 Updates and Amendments of this Privacy Policy
This Privacy Policy is valid as of May 2024.
We may amend this Privacy Policy at any time without prior notice. The current Privacy Policy can be found on the website at www.cembrapay.ch/en/privacy.
In the event of ambiguities the German text of this Privacy Policy precedes.