1. General
This Privacy Policy provides information about how a partner of Aquila AG (“Partner“) obtains and processes personal data on its own responsibility in its capacity as a financial institution or under the Aquila Partner Model in joint responsibility with Aquila AG (“Aquila”, together with the Partner, “Joint Controller“).
“Personal data” means all information relating to an identified or identifiable natural person. “Processing” means any handling of personal data, irrespective of the means and procedures applied, in particular the collection, storage, retention, use, revision, disclosure, archiving, deletion or destruction of personal data.
It is possible that any other documents, such as conditions of participation or similar declarations, regulate specific data processing.
If the data subject provides the Partner or Joint Controller with personal data of other persons (e.g. family members, work colleagues or employees), the data subject must ensure that these persons are aware of this Privacy Policy. Their personal data may only be disclosed to the Partner or Joint Controller if the data subject is authorised to do so and the personal data is correct.
2. Controller and Contact
The Partner who has provided you with or brought to your attention this Privacy Policy in the context of an enquiry or correspondence, a customer relationship or other contractual relationship is in principle responsible for the processing of your personal data. The Partner and Aquila may each be individually or jointly responsible for data processing. Aquila may also act as a Data Processor in relation to the Partner.
Regardless of whether the Partner is solely or with Aquila jointly responsible for data processing, you may contact the Partner for data protection concerns:
Sonnenberg Wealth Management AG
Gartenstrasse 19
8002 Zurich
+41 58 680 59 00
info@sonnenberg-ag.ch
3. Collection and processing of personal data
The Partner as well as the Joint Controller primarily obtain and process personal data that is provided to them by the data subject, e.g. when opening a business relationship, in the context of the execution of contracts, the use of products and services or on websites or other applications. They also process personal data which is collected in the context of the use of products or services and is transmitted to the Partner or Joint Controller. The Partner as well as the Joint Controller may, to the extent permitted, obtain personal data from publicly accessible sources, from authorities or from other third parties.
4. Categories of personal data
The Partner and the Joint Controller process various categories of personal data. The most important categories are the following:
- Master and inventory data (e.g. name, address, nationality, date of birth, information regarding account, custody account, concluded transactions and contracts, information on third parties affected by data processing, such as spouses, authorised representatives and advisors).
- Technical data (e.g. business numbers, IP addresses, internal and external identifiers, records of access).
- Transaction, order and risk management data (e.g. details of beneficiaries of transfers, beneficiary bank, amount of transfers, details of investment products).
- Financial data (e.g. creditworthiness data, information on assets, liabilities, risk and investment profile)
- User and prospect data (e.g. users of the Partner’s websites)
- Marketing data (e.g. preferences, needs)
- Communication data (e.g. contact data such as email address, telephone number)
- Other data (e.g. video or audio recordings, access data)
Many of these data are disclosed to the Partner by the data subject himself/herself. The categories of personal data that the Partner and the Joint Controller receive from third parties include, in particular, information from public registers, information obtained in connection with official and legal proceedings, creditworthiness information, information on compliance with legal requirements such as those relating to combating fraud, combating money laundering and terrorism financing or export restrictions, information from banks, insurance companies, distribution and other contractual partners of the Partner or Joint Controller relating to the use or provision of services, information from the media and the internet, address and, where applicable, other socio-demographic data (in particular for marketing and research) and data in connection with the use of third-party websites and online offers where this use can be attributed to the data subject.
5. Purposes of the processing
The Partner processes personal data primarily to provide its own services, to process contracts with clients and business partners and to comply with legal obligations. Aquila supports the Partner within the framework of the Aquila Partner Model with central services in the areas of Legal, Compliance & Risk, Fiduciary & Accounting, as well as IT and Administration. As part of these services, Aquila processes personal data together with the Partner as Joint Controller for the purpose of providing these management, coordination and control functions.
In addition, the Partner or the Joint Controller process personal data, where permitted and appropriate, for the following purposes:
- Conclusion and fulfilment of contracts, execution, processing and administration of products and services (e.g. invoices, payments, financial planning, investments, pension provision, insurance).
- Monitoring and controlling risks (e.g. investment profiles, anti-money laundering, thresholds, utilisation figures, market risks).
- Planning, business decisions (e.g. development of new or assessment of existing services and products).
- Marketing, communicating, informing about and reviewing the service offering (e.g. print and online advertising, customer, prospects or other events, identifying future customer needs, assessing a customer, market or product potential).
- Fulfilment of legal or regulatory obligations to provide information or to report to courts and authorities, fulfilment of official orders (e.g. reporting obligations to FINMA and foreign supervisory authorities, automatic exchange of information with foreign tax authorities, orders from public prosecutors in connection with money laundering and terrorist financing).
- Prevention and investigation of criminal offences or other misconduct (e.g. through internal investigations).
- Safeguarding the interests and securing the claims of the Partner, if any, of Aquila AG, e.g. in the event of claims against the Partner or claims of the Partner against third parties.
- Ensuring operations, in particular of the IT, the website and other platforms.
- Preparation and execution of transactions relating to the acquisition or sale of companies or parts of companies or other transactions under corporate law.
Insofar as consent has been given to process personal data for specific purposes (e.g. when registering for a newsletter), the personal data will be processed within the scope of and based on this consent, insofar as no other legal basis is given and necessary. Consent given can be revoked at any time, but this has no effect on data processing that has already taken place.
6. Data security
The Partner undertakes to protect personal data for the data processing’s for which it is responsible in accordance with the applicable laws. Where Aquila is jointly responsible, it shall ensure the protection of personal data together with the Partner. The protection of personal data includes appropriate technical and organisational security measures (e.g. access restrictions, firewalls, personalised passwords as well as encryption and authentication technologies, training of employees, etc.).
7. Disclosure to third parties and data transfer abroad
The Partner or Joint Controller disclose personal data to the following third parties (recipients) in the following cases:
- For outsourcing in accordance with section 8 and for the purpose of customer care to other service providers.
- For order execution, i.e. when products or services are used.
- Due to legal obligations, legal justification or official orders, e.g. to courts, supervisory authorities, tax authorities or other third parties.
- To the extent necessary to protect the legitimate interests of the Joint Controller, e.g. in the event of legal action threatened or initiated by clients against Aquila or the Partner, in the event of public statements, to secure claims of Aquila or the Partner against clients or third parties, in the event of the collection of claims, etc.
- With the consent of the data subjects to other third parties.
Recipients of personal data are usually in Switzerland. Particularly when using certain products or services of the Joint Controller, personal data may also be disclosed to third parties outside of Switzerland (e.g. Europe or the USA).
Where a recipient is located in a country without an adequate level of data protection, the Partner or the Joint Controller shall contractually oblige the recipient to comply with the applicable data protection (e.g. with standard contractual clauses), unless the recipient is already subject to a legally recognised set of rules to ensure data protection or the Joint Controller cannot rely on an exemption provision.
8. Outsourcing of business areas or services (outsourcing)
The Partner as well as the Joint Controller outsource certain business areas and services in whole or in part to third parties.
The service providers who process personal data on behalf of the Partner or the Joint Controller for this purpose (so-called processors) are carefully selected. Whenever possible, the Joint Controller uses processors domiciled in Switzerland. The processors may be entitled to have certain services provided by third parties.
The processors may only process personal data received in the same way as the Partner as sole controller or the Joint Controller themselves and are contractually obliged to ensure the confidentiality and security of the data.
9. Automated decisions in individual cases including profiling
The Partner as well as the Joint Controller reserve the right to process personal data automatically in the future, in particular in order to identify essential personal characteristics of the customer, to predict developments and to create customer profiles. This serves in particular the assessment and further development of offers and the optimization of the provision of services.
In the future, customer profiles may also lead to automated individual decisions (e.g. automated acceptance and execution of customer orders in CRM). In such cases, it is ensured that a contact person is available if a data subject wishes to comment on an automated individual decision and such a possibility to comment is provided for by law.
10. Use of websites and cookie policy
When a person visits the Partner’s websites, the web server automatically records details of their visit (e.g. the website from which the visit takes place, the visitor’s IP address, the content of the website that is accessed, including the date and duration of the visit). Such tracking data is used to optimise the websites visited and provide information on how the visitor informs himself about and uses the products, services and offers. As a rule, however, it does not allow any conclusions to be drawn about the identity of the visitor. In this respect, no personal data is processed.
However, if the visitor provides personal data, e.g. by filling in a registration form or message field for newsletters etc., the Partner may use this data in particular for the following, in addition to the purposes set out in section 5:
- for customer and user administration;
- to inform the visitor about services and products;
- for marketing purposes (e.g. sending newsletters);
- for the technical “hosting” and further development of the websites.
When visiting the websites, the visitor’s data is transported via the internet, i.e. an open network accessible to everyone. Data transmitted via electronic media (including e-mail) cannot be effectively protected against access by third parties. This entails the risk that data may be disclosed or its content changed, that the identity of the sender (e.g. e-mail) as well as the content of the message is faked or manipulated in some other way by unauthorised persons, that viruses may be released, that technical transmission errors, delays or interruptions may occur, that data may be transmitted uncontrolled abroad, where data protection requirements may be lower than in Switzerland, etc. The risk of such manipulation may also arise.
By using the websites, visitors confirm their express agreement with this Privacy Policy and the risks mentioned.
In addition, by using the Partner’s websites, a visitor consents to the use of cookies. Cookies are small files that are stored on the visitor’s computer to track the corresponding website visit and navigation between different pages and/or to save settings (e.g. selected language). Cookies are used to collect statistical data on the frequency and time of visits to individual website areas and help to design tailored, useful and user-friendly websites. The visitor can opt out of the use of cookies at any time by deleting the cookies set by the website. Deletion is possible via the settings in the visitor’s internet browser.
Occasionally, the Partner uses third-party components (such as plug-ins) to enhance the user experience and online advertising campaigns. These components may also use cookies for similar purposes. Neither these third parties nor the Joint Controller have access to the data collected by the other through cookies. Finally, the Partner may also use cookies in the context of advertisements on third party websites with which the Partner has marketing relationships. To the extent that third parties collect anonymised information about the use of the websites and other websites, the Partner may use this anonymised data to improve the effectiveness of advertising.
This title of this Privacy Policy only applies to data that the Partner receives as a result of the use of its website. It does not apply to third-party websites, even if the visitor accesses them through links on a Partner website. Neither the Partner nor the Joint Controller have any influence on the content and data protection practices of third-party websites and cannot accept any responsibility for them.
11. Duration of storage
The duration of the storage of personal data depends on the purpose of the respective data processing and/or legal retention and documentation obligations, which amount to five, ten or more years depending on the applicable legal basis. As soon as the personal data is no longer required for the above-mentioned purposes, it is deleted or made anonymous as far as possible.
12. Rights of the data subjects
Anyone can request information from the Partner as to whether personal data about him/ her is being processed. There is a right of objection or restriction of processing and, where applicable, the right to data portability. Incorrect data can be corrected. Furthermore, the deletion of personal data can be requested, unless legal or regulatory obligations (e.g. legal retention obligations of business-relevant data) or technical hurdles prevent this. The deletion of data may have the consequence that certain services can no longer be provided. In addition, where applicable, there is a right of appeal to a competent authority. Where the Partner or Joint Controller process personal data on the basis of consent, this consent may be revoked at any time. It should be noted that the Partner or Aquila AG reserve the right invoke the restrictions provided for by law on their part, for example if they are obliged to retain or process certain data, have an overriding interest in doing so (insofar as they are entitled to rely on this) or require it for the assertion of claims.
In order to support the Partner in responding to your request, we ask for a corresponding, comprehensible message. We will review and respond to the concerns within a reasonable period of time.
13. Changes
The Partner alone as well as together with Aquila AG may amend this data protection declaration at any time without prior notice. The current version published on the website of the Partner or Aquila AG shall apply.