Data Protection Regulation | Privacy RGPD
Introduction and information
The purpose of this regulation (the “Regulation”) is to inform you and clearly explain how Gestrust SA (the “Company”; “we” referring to Gestrust SA), having its registered office in Switzerland under registration number CHE-109.656.897, processes 1 your personal data (the “Personal Data”) 2. The Regulation is intended for:
- our customers, potential future customers or individuals having dealings with the Company such as an agent, a beneficiary of record, an ultimate beneficial owner, a contact or a prospective customer;
- anyone else with whom the Company is bound by a contractual commitment;
- representatives (employees for instance) or the contacts of the aforementioned persons who are legal entities;
- visitor to our web site or our premises.
Please read the information in this Regulation carefully to clearly understand the purposes for which the Company uses your Personal Data. In particular, this document provides additional information on how your Personal Data is collected and used, your rights with regard to the protection of Personal Data and the way you can exercise them. Your Personal Data is processed in accordance with applicable statutory provisions, in particular the European Regulation 2016/679 on data protection (the “GDPR”), which came into force on 25 May 2018 throughout the European Union (the “EU”) 3.
The Company is the responsible for your Personal Data and decides why and how it is processed; therefore is acts as “controller”.
2 The term “Personal Data” includes all information concerning an identified or identifiable individual that can be attributed to a specific person. Therefore it includes any one piece of collected data that can formally identify the person.
3 It applies not only to companies based in the EU but also in certain circumstances to Swiss companies. That is the case for instance when these companies have customers in the EU and offer them goods or services in the EU, which leads the said companies to process their customers' Personal Data (name, address, e-mail, date of birth, bank details, etc.).
What types of Personal Data are collected and processed by the Company 4 ?
We collect identifying information on any natural person with whom we interact, such as the name, address (including the town/city, country, postcode), telephone number, e-mail address, signature or digital signature, or even a pseudonym if it helps identify the person. In particular, we collect the Personal Data listed below.
- Identifying data: Full name, gender, date and place of birth, postal address, nationality, taxpayer number, residence for tax purposes, etc.
- Contact data: Language, landline or mobile number, e-mail address, etc.
- Personal and socio-demographic circumstances: Marital status, family or occupational circumstances and changes in them or key moments, as well as other relations. Information concerning education and level of educational attainment.
- Overall financial standing: Occupational and personal status, solvency, remuneration, name of the employer, source of capital or funds, etc.
- DBanking, financial and transactional data: Account numbers, investment products, etc.
- Certaines Données Personnelles provenant de sources publiques ou obtenues via des tiers : Les Données Personnelles soumises à une obligation de publication (Registre du Commerce ou autre registre public) ou transmises par une institution publique telle que l’administration fiscale ou les tribunaux. Les Données Personnelles que vous avez décidé de rendre publiquement accessibles sur des réseaux ouverts (site Internet, blog, réseaux sociaux) ou qui sont issues de publications dans la presse.
- Certain Personal Data originating from public sources or obtained from third parties: Personal Data subject to a disclosure obligation (Trade & Companies Register or other public registers) or transmitted by a public institution such as the tax authority or the courts. Any Personal Data that you have opted to make publicly accessible on open networks (web site, blog, social media) or sourced from publications in the press.
How is your Personal Data collected?
We collect your Personal Data when:
- you become a client of the Company and throughout your contractual relationship with us, but also when you express an interest in our services by contacting us through the online contact form (available on www.gestrust.ch), when you sign the visitor's form when visiting our offices or even when you are filmed by our CCTV cameras;
- a person referred to in the previous paragraph communicates it to the Company (for instance your employer names you as the person to contact in connection with a contractual relationship between the Company and your employer).
Personal Data concerning third parties that you provide to the Company
When you provide us with Personal Data concerning third parties (for instance, one of your employees, contracting partners, persons to contact, etc.), you undertake to first obtain the right to disclose such Personal Data, to ensure that we can collect and process it in accordance with this Regulation, and to have complied with all requirements resulting from applicable data protection laws that must be observed in order to process such Personal Data. In particular, you must have first obtained the written consent of the third party concerned for the transmission and processing of his or her Personal Data by the Company, and you must have informed him or her of the entire contents of this Regulation.
For what purpose does the Company process your Personal Data?
We process your Personal Data primarily for the needs of our activities, namely to:
- enable us to meet our commitments and contractual obligations to you, or take measures pre-contractual at your request;
- manage our business relations (e.g., invoicing, accounting, audits, payments, payment collection, support services);
- manage access to our premises, computer systems, web sites, communication and other systems, and protect security, including the prevention of security threats or fraud.
In that respect, we also process your Personal Data for the following purposes:
- comply with current statutes and regulations binding on the Company (e.g., Anti-Money Laundering Act (“AMLA”) and the Agreement on the Swiss banks’ code of conduct with regard to the exercise of due diligence (“CDB”));
- accede to requests for communication from legal or administrative supervisory authorities 5, be they national, international, European or foreign, third parties (depository bank, lawyer or independent investment manager) or even via external software (VD Tax, AFC, etc.).
- exercise and/or defend our legal claims;
- undergo potential audits;
- maximize synergies at group level 6, more particularly with regard to the common risk assessment and client acceptance policy, the overall view of its clientele or in connection with the fight against fraud and money laundering;
- comply with all other legal obligations binding on the Company (e.g. retention of data and/or documents).
The Company may also be led to collect and process your Personal Data (i) for any other purpose connected to any of the aims mentioned in this section for which your Personal Data has been provided to us, or (ii) when such processing is needed for the purposes of the legitimate interests pursued by the Company or a third party receiving your Personal Data, provided your interests or freedoms and fundamental rights requiring protection of your Personal Data do not take precedence.
We process your data for the purposes set out in this section on the following legal basis: “performance of a contract” or to take measures “prior to entering into a contract” (article 6 paragraph 1b, GDPR), your “consent to the processing” (article 6 paragraph 1a, GDPR), or even our legitimate interests or those pursued by a third party (article 6 paragraph 1f, GDPR).
6 MPA Holding SA - CHE-112.698.525.
With whom does the Company process your Personal Data?
Within the framework of the aforementioned purposes, the Company may communicate your Personal Data to third parties, in particular:
- Gestrust SA and other affiliated companies, and to their employees;
- The supervisory and governmental authorities (such as market authorities, national and international regulators or tax authorities) to which the Company is required, under regulations currently in force, to communicate certain Personal Data (information or documents on its customers, their ultimate owners and/or beneficiary of record, their accounts and the transactions it has made);
- Any judicial or administrative authority generally speaking;
- Third parties (auditors, depository banks, independent investment managers, advisers, external lawyers, consultants);
- Subcontractors, specialized third parties and service providers for storage, administrative or operational purposes (in matters of invoicing, accounting, audit, payment collection, support, IT, security, insurance, etc.).
However, if your Personal Data is communicated to third parties in a country outside the EEA, the Company will obtain the appropriate guarantees, notably by establishing contractually binding documents ensuring that such communication is done in accordance with applicable data protection rules, thereby ensuring an adequate level of protection of your Personal Data. In such cases we will send you a copy of the said guarantees at your request.
For how long is your Personal Data stored by the Company?
Personal Data cannot be stored indefinitely, whether in paper or in electronic form, or in any other form. We erase your Personal Data when retention thereof is no longer reasonably necessary to achieve the specific aims mentioned above, or if you withdraw your consent (where appropriate), unless retention thereof is required by any applicable law 8 or otherwise permitted. In particular, we retain your Personal Data to meet our legal and fiscal obligations, for the purpose of providing evidence, for internal audits, to accede to requests for information from the competent authorities, or even to exercise and/or defend our legal rights (e.g., in the event of claims), and retain it until the end of the necessary retention period or until the claim in question is settled.
Security of your personal data
Whenever the Company transmits Personal Data, we take the necessary security measures 9, notably organizational and technical, to ensure the confidentiality, integrity and availability of the Personal Data, the processing systems and services under its control, and to ensure the security of its processing in accordance with statutory requirements, and in particular its protection against unauthorized or unlawful processing (access, disclosure, use) and against loss, destruction, accidental damage or alteration.
We also ensure that:
- only the necessary and relevant Personal Data with regard to a specific purpose is processed;
- our employees only access your Personal Data if that is relevant to their duties, and that they are bound by strict professional duty of discretion and confidentiality concerning your Personal Data;
- our premises and access to our servers and networks are protected;
- your Personal Data is always communicated to our suppliers and business partners (specialized third parties) within the limits strictly necessary for performance of the services concerned, and that these specialized third parties are selected diligently in order to ensure that any transfer or processing of the Personal Data carried out under our control is totally secure and compliant with data protection legislation.
The Company uses browsing cookies to collect information about your browsing (e.g. your language preferences). Browsing cookies improve the performance of our services and thereby your use of our web site. In particular, this adapts the presentation of our web site to the view preferences of your terminal (language used, display resolution, operating system used, etc.) during your visits to our web site, according to the terminal's viewing hardware and software. The Company does not use web analytics, advertising or social media sharing cookies.
What are your rights?
In accordance with the conditions and reservations set out in articles 7, 15, 16, 17, 18, 20, 21 and 77 of the GDPR, you have the following rights concerning your Personal Data. All requests must be made according to the procedures put in place by the Company (see below the section entitled “Contact | request for information”):
- access your Personal Data, including the right to request a copy thereof from us 11 ;
- rectification of your Personal Data;
- erasure of your personal data;
- restriction of processing of your Personal Data;
- portability of your Personal Data;
- object to the processing of your Personal Data;
- object to the processing of your Personal Data for direct marketing purposes (including the profiling related to such direct marketing): we do not keep an up-to-date list of customers for any marketing purposes, nor do we send out newsletters. However, should that be the case, on request you can object at any time to the processing of your Personal Data for direct marketing purposes. When you exercise this right, we will stop sending you advertising messages to your e-mail or postal address depending on the means of communication you have opted for. Your request will be processed as soon as possible to delete your contact from the Company's lists;
- withdrawal of your consent at any time, on the understanding that such withdrawal does not invalidate the lawfulness of the processing based on your consent prior to the withdrawal;
- lodge a complaint with a supervisory authority.
In certain circumstances, we may however be unable to accede to your request based on any of the rights listed above for legitimate and compelling reasons. In particular, we may refuse a request, in part or in full, when the processing of your Personal Data is still required, among other things to prevent fraud, to meet our legal obligations, to retain evidence, to keep a record of transactions or to exercise and/or defend our legal claims.
We draw your attention to the fact that your objection to the processing of your Personal Data for reasons other than direct marketing, or withdrawal of any consent previously granted, may lead the Company to break off its contractual relationship with you or refuse to execute a transaction.
Contact | Request for information
Any clear and precise request concerning the exercise of your rights can be made at any time free of charge, subject to manifestly groundless or excessive requests (for instance, due to the repetitiveness of the requests), by written request sent to the Company.
You can send your request:
- by post (the request must be dated and signed) for the attention of the Compliance service at: Gestrust SA, 2 rue Thalberg, CH-1204 Geneva, Switzerland
- or by e-mail at: firstname.lastname@example.org
Updating this Regulation
The Company reserves the right to modify this Regulation, more particularly to take into account more recent practices 12. Any modification to this Regulation will be notified to you appropriately via the means of communication we generally use to communicate with you. The latest version of this Regulation will always be at your disposal on the Company's web site (www.gestrust.ch), and any modifications will take effect when they are published on the web site.