Privacy Policy — Fyducia SA

— 01

Definitions

1.1 Personal information

Any information relating to an identified or identifiable natural person.

1.2 Sensitive data

These include, among others:

religious, philosophical, political or trade union opinions;
data on health, private life or ethnicity;
genetic data;
uniquely identifiable biometric data;
information on criminal or administrative history;
social assistance data.

1.3 Processing

Any operation on personal data, such as collection, recording, storage, use, modification, communication, archiving, erasure or destruction.

1.4 Data subject

The natural person to whom the personal data being processed refer.

— 02

Data controller and data protection officer

The data controller is:

Fyducia SA

Via the Executive Board
Corso Elvezia 1 · 6900 Lugano · Switzerland
CHE-407.824.754 IVA · Tel. +41 91 910 98 74
info@fyducia.com · www.fyducia.com

— 03

Types of data collected

During the provision of services, Fyducia SA may process personal information and sensitive data. These may include:

3.1 Information collected from the client

personal data such as name, surname, address, telephone number and e-mail;
date and place of birth;
gender;
marital status, dependents (name and age) and relationship with the client;
copies of identity documents, such as passports and driving licences;
social insurance number, social security number or tax code;
nationality, residence for tax purposes and country of residence;
activity, income and source of wealth;
assets, investments, assets held and liabilities;
knowledge and experience in investment matters;
details of any third party representatives.

3.2 Data obtained from third parties

publicly available information from public records, such as trade registers, business registers, with details on companies, shareholders and assets owned;
other information from third-party sources, such as asset valuation services, reputational agencies, anti-fraud agencies and/or intermediaries.

3.3 Information related to the services provided by Fyducia SA

contract number;
assets covered by the financial services provided by Fyducia SA;
data relating to transactions with financial instruments;
statements and accounting documents.

3.4 Personal data worthy of special protection and other information

In addition to the above, and in particular in order to comply with legal obligations (including the Anti-Money Laundering and Terrorist Financing Act, AMLA), Fyducia SA may collect, either from the client or from third party sources, personal data that is worthy of special protection, such as opinions, political offices or affiliations, and, to the extent permitted by law, information relating to criminal convictions and offences.

If relevant to the services provided, Fyducia SA may request information on other persons, such as business partners (including shareholders and beneficial owners), dependents or family members, representatives and agents. The client is encouraged to forward a copy of this notice to the relevant persons before providing us with such information.

— 04

Purpose of data processing

The processing by Fyducia SA only takes place where permitted by law and in particular for the following purposes:

the correct and complete execution of the contract concluded with the client (as well as the preceding acts necessary for the conclusion of the contract);
fulfilment of legal obligations (in particular anti-money laundering, financial, tax and accounting regulations);
protection of the legitimate interests of Fyducia SA, provided that the interests and fundamental rights of the client do not prevail.

Specifically, personal data may be processed by Fyducia SA in order to:

identify the contractor, confirm and verify his or her identity;
initiate a business relationship, and possibly offer services and/or financial instruments in favour of the client;
monitor the business relationship and analyse the execution of the contract in accordance with the client's situation and directives, and carry out the necessary suitability and/or appropriateness checks;
carry out business and administrative operations and activities, including the keeping of accounts and internal controls;
comply with applicable legal and regulatory provisions and/or industry practices;
comply with requests and/or measures issued by the competent authorities and/or supervisory bodies;
conduct legal, administrative, enforcement and/or criminal proceedings and to possibly obtain legal advice or to ascertain, exercise or defend rights recognised by law;
transmit to the client information and announcements about events, products and services offered by Fyducia SA, at the client's request or of his or her presumed interest.

Personal data may be processed by means of both paper and computer files (including portable devices, if necessary) and processed in the manner strictly necessary to fulfil the above-mentioned purposes. To this end, the data subject undertakes to provide his or her personal data correctly, completely and truthfully and to the extent necessary for the aforementioned purposes.

— 05

Legal basis for processing

Fyducia SA processes personal data lawfully, in accordance with Articles 5–9 DPL, where the processing:

is necessary for the performance of the contract signed by the data subject or the execution of pre-contractual measures taken upon request;
is necessary to fulfil legal obligations incumbent on Fyducia SA;
is based on the express consent of the data subject.

— 06

Consequences of non-disclosure of personal data

Important

For the proper execution of the contract as well as to fulfil any legal obligations incumbent on Fyducia SA, the data subject undertakes to provide the necessary personal data; otherwise, if personal data is not provided, the contractual relationship under the contract cannot be completed and Fyducia SA may be prevented from fulfilling its legal obligations.

— 07

Data retention

Fyducia SA stores personal data for the period of time necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, accounting or reporting obligations.

— 08

Disclosure of data

The personal data of the data subject may be communicated to the following categories of recipients, for the purposes listed above:

entities that provide services for the management of the information system used by Fyducia SA and telecommunications networks (including e-mail);
firms or companies within the scope of assistance and consultancy relationships as well as auditing firms and supervisory bodies;
agents, auditors, service providers and professional consultants processing information in the above situations as data controllers on our behalf and/or as joint data controllers with respect to their obligations;
authorities responsible for fulfilling legal obligations and/or provisions of public bodies, upon request;
courts and/or judicial, enforcement, criminal or administrative authorities, any competent court, mediator, arbitrator, ombudsman, tax, regulatory or government authority;
any third party in the context of restructuring operations (including investments), aggregation, merger, transfer or disposal of Fyducia SA;
other financial institutions or intermediaries, stock exchanges, etc., as appropriate;
other parties, with the client's consent.

Personal data may only be transferred abroad if the Federal Council has determined that the legislation of the recipient state or international body guarantees adequate data protection.

Within the scope of the above-mentioned purposes, Fyducia SA uses certified and secure service providers who are established and process personal data in Switzerland, in the countries of the European Union and in the USA (limited to encrypted data). The disclosure of personal data to third countries that do not provide adequate data protection is therefore excluded; disclosures based on the express prior consent of the data subject or on his or her explicit instructions or made on the basis of a legal obligation remain reserved.

— 09

Rights of the data subject

According to the DPL, the data subject has the following rights in particular (non-exhaustive list):

Right to information about the possible processing of personal data concerning the data subject.

Right of access to one's own personal data being processed.

Right to obtain rectification of inaccurate or outdated personal data.

Right to be informed in writing and free of charge if their personal data are being processed.

Right to withdraw consent to data processing given in the past.

Right to express an opinion on an automated individual decision or request that it be reviewed by a natural person.

Right to have data handed over or to demand that they be passed on to a third party.

Right to request that data processing be stopped, that disclosure to third parties be prevented, or that personal data be rectified or destroyed.

Without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing of data relating to him is in breach of the DPL, he has the right to lodge a complaint with the Federal Data Protection Commissioner (SDPC).

The data subject may exercise his or her rights by sending a complaint to Fyducia SA. Fyducia SA reserves the right to request specific information from the client to confirm his or her identity and to guarantee his or her right to access information (or to exercise other rights). This is an additional security measure aimed at preventing the disclosure of personal data to persons who are not authorised to do so.

— 10

Changes to this Privacy Policy

Fyducia SA reserves the right to update this Privacy Policy at any time by informing clients in writing of such changes or by updating the Privacy Policy on our website: www.fyducia.com. The client may from time to time be notified by other means regarding the processing of personal data relating to him or her.