Duty to inform about personal data collection
Cornèr Europe AG ("Cornèr Europe", "we", "us") issues payment cards and provides related services. The company is part of the Cornèr Bank Group, a private and independent Swiss banking group that offers the full range of traditional banking services and has established itself in the market in the areas of private banking, credit financing, online trading (Cornèrtrader) and payment cards (Cornèrcard). The Cornèr Bank Group consists of the parent company Cornèr Bank Ltd. in Lugano, the four branches in Chiasso, Geneva, Locarno and Zurich, the subsidiaries Cornèr Europe AG (Vaduz), Cornèr Bank (Overseas) Limited (Nassau), Cornercard UK Ltd. (London), Diners Club Italia S.r.l. (Milan) and Dinit d.o.o. (Slovenia).
The protection of the personal sphere and data of our clients is of great concern to us and is at the heart of our activities. The protection of privacy and the customer data entrusted to us is therefore one of our fundamental tasks.
This data protection declaration describes in detail how Cornèr Europe understands and deals with information and personal data.
The following information is intended to give you an overview of the processing of your personal data by Cornèr Europe and your rights under data protection law. Specifically which information is processed and how it is used, depends significantly on the services requested and/or agreed on.
Additional information and legally binding data protection provisions may also be found in the General Terms and Conditions for the relevant product.
Please also note the relevant legal provisions and privacy statements of the card schemes (e.g. Visa) and other service providers who provide their services as part of the payment processes independently of Cornèr Europe.
1. Who is responsible for data processing and whom can I contact?
Cornèr Europe AG, Städtle 17, 9490 Vaduz
2. What information do we collect and use?
2.1. In general
We process personal data that we obtain from our customers in the course of our business relationship. To the extent necessary to provide our services, we also process personal data lawfully obtained from publicly available sources (e.g., debtors lists, land registers, commercial registers, newspapers, Internet) or information transmitted to us by authorized third parties (e.g., credit reference or business information agencies).
2.2. In the course of our services and business relationships
In connection with providing our services, we collect various personal data; including:
- Personal information such as surname, first name, date of birth, place of birth, nationality, place of residence, telephone number, address and e-mail address as well as documents for establishing customer identity (copy of your identity card or passport) and authentication data (e.g. specimen signature). Furthermore, data of persons close to you may be processed insofar as this is necessary to fulfil the legal obligations of Cornèr Europe.
- personal information that is shared with Cornèr Europe or collected by Cornèr Europe itself (data on customers and payment cards) during the application process for the requested service or the effective period of a contractual relationship (e.g., in connection with issuing assets statements, in case of asset transfer, or collection of outstanding claims or when handling insurance claims);
- personal information provided by customers participating in the loyalty or bonus programs of Cornèr Europe (or associated partners), entered during registration for the bonus program or while participating in that program, on the website or on dedicated product websites or Apps of Cornèr Europe or of its partner, or when using the Self Service Portal of Cornèr Europe;
- financial information and financial background, including an overview of payments and transactions and information about your assets financial reports, liabilities, taxes, along with information about your financial situation (e.g., credit standing, scoring/rating information, origin of assets);
- your tax domicile and other tax-relevant information and documents;
- If applicable, professional information about you, such as job title and professional experience;
- identifiers that we assign to you, such as your customer or account number, your payment card number or other internal identification numbers;
- transaction data from the use of the cards (data relating to purchase and cash withdrawal details). Such data may include, for example, the point of acceptance; the amount of the transaction; the date and time of the transaction; the mode of use of the card (e.g., online, contactless); the number of failed attempts to enter the PIN; the selected currency. More detailed information will be collected only in certain transactions. In such cases, however, Cornèr Europe will generally be unable to identify what was actually purchased. If certain payment card products require the transmission of detailed information regarding the use of the card, we will inform you separately (e.g. in the terms and conditions of the corresponding product);
- data that Cornèr Europe obtains lawfully from third parties (e.g., intermediating banks, the Central Office for Credit Information (ZEK) or the Consumer Credit Information Office (IKO), government agencies, credit reference agencies, employers, other Cornèr Group companies, publicly available databases or registers such as local.ch or the commercial register), or that is legitimately shared with Cornèr Europe by a third party (e.g., a credit reference agency);
- risk information Cornèr Europe collects or generates for risk management purposes such as client due diligence data (including periodic review results), client risk profiles, screening alerts (transaction screening, name screening), tax data or complaint information;
- details on our mutual business relationship and on the products and services you use, as well as information arising from the performance of our contractual obligations;
- possibly, recordings of telephone conversations between you and Cornèr Europe;
as well as other data similar to the above-mentioned categories.
2.3. During the use of our websites and applications
- Website visits: When you visit our websites, the personal data we process depends on the relevant product offer and feature. Such data may include technical data such as information about the date and time of access to our website, the duration of the visit, the pages consulted, information about the hardware used, the quantity of data transmitted and the outcome of the access, information about your web browser, the browser language and the requesting domain and the IP address (no additional data will be recorded by our website unless you make such disclosures voluntarily, e.g., in the course of registration or a query). We use such data for providing the website, for reasons of IT security and to improve the user-friendliness of the website. We also use " Cookies": i.e., files that are stored on your terminal when you visit our website. In many cases, cookies are necessary in order for the website to function and are automatically deleted after the visit. Other cookies are used to personalize our product offer or allow us to display targeted advertising on third-party websites and are stored for a certain time. Moreover, we use services such as Google Analytics & Adobe Analytics (cookies stored 30 days max.), which collect detailed information about the visitors' behaviour on the relevant website. We may also integrate functions of service providers like Facebook, which may lead to that service provider receiving information about you, but in most cases we do not know the website visitors' names.
- Online offers and apps: When you make use of our online offers, we also process personal data (even if you do not purchase any goods or services). Such information includes the type of offer, data about the customer account and how it was used, and information about the installation and use of mobile applications ("Apps").
3. Why do we process your data? (purpose of processing)
We always process personal data for a specific purpose and only to the extent necessary to achieve that purpose. The main purposes of such data processing are as follows:
a) Negotiations, formation and execution of contracts, including to confirm your identity and evaluate your application (including your credit assessment and credit risks), and to run checks on compliance with statutory or regulatory requirements (e.g., compliance with anti-money-laundering and anti-fraud laws and regulations);
b) Risk management and provision of payment card products & services
o Data processing to meet Cornèr Europe's internal operational requirements for credit and risk management, system or product development and for planning, insurance, audit and administrative purposes;
o Data processing to provide payment card products and services and to ensure their correct performance, e.g., through proper identity checks and by making deposits and withdrawals on your card in accordance with your instructions and with the terms and conditions of the relevant product. To measure credit risks and risks of default we may also consult with credit information agencies and share information with them (e.g., debt collection register);
c) Regarding payment cards, we process the collected data to perform thecard agreement and manage the relationship. Please note the following in this regard:
i. Cornèr Europe processes the collected data for risk management purposes, in order to identify the risks associated with issuing cards (e.g., credit and market risks). This is necessary, in particular, because Cornèr Europe assumes the financial risk of the cardholder relationship (credit risk). Cornèr Europe therefore draws up individual risk profiles, which are used to assess credit risk, among other things. The authorization to process data for risk purposes is irrevocable, because Cornèr Europe needs to do so in order to calculate and control its financial risk. The only way to oppose to such data processing is by terminating the card agreement.
iii. When authorizing and debiting the transactions, Cornèr Europe takes various measures at its own discretion to prevent fraud and thus protect the cardholder. Transactions and authorisations are monitored for misuse and a defined set of rules can reject authorisations or transactions or temporarily block cards. As a preventive measure, cardholders are contacted in order to check whether authorisations or transactions are to be qualified as abusive.
iv. Moreover, the cardholder's data are processed in the transaction complaint and chargeback process, e.g., in order to clarify unknown transactions or in case of unjustified debits. In that process, transactions are verified in detail. Data is also collected and processed for the settlement of insurance claims, in order to clarify the claims in cooperation with our insurance partner.
v. If payment cards are marketed by Cornèr Europe's partner companies as private cards to consumers or as corporate cards to the corresponding companies and their own clients, information about the cardholder's use of the payment card (e.g., transaction data) is forwarded to the corresponding partner companies. However, the transmitted data is made anonymous in advance so that, as a rule, no conclusions can be drawn about the respective end customer.
d) The management of our relationship with you (client relationship management) , e.g., concerning the products and services provided by us and by our business partners, to handle customer service issues and complaints, to facilitate debt collection, in deciding whether or not to grant a loan, to clarify your place of residence (for example, if we can no longer reach you);
e) Loyalty programs of partner companies: Cornèr Europe may operate and manage third-party loyalty programmes. In this role, it acts as a data processor and processes personal data collected by the provider of the loyalty programme (data controller). The data processing on the part of Cornèr Europe takes place exclusively for the purposes and according to the instructions of the provider of the loyalty programme. The purposes of processing the personal data of the participants in the loyalty programme depend on the respective programme and are determined by its provider;
f) Measures to improve our products and services and the technologies we use , including verification and updates of our systems and processes, and for market research purposes, in order to find out how we can improve our existing products and services or what other products and services we might sell;
g) Information and direct marketing: We process personal data in order to send out information and advertisements (including through push notifications) concerning products and services which, in our opinion, may be of interest to you, including the products and services sold by us, or by our business partners. For example, when you sign up for a newsletter or SMS notification service, we process your contact data; in the case of e-mails, we also process information about your use of the messages (e.g., whether you opened an e-mail and downloaded the embedded images), so that we can tailor our offers to you and generally improve them. To find out more about you as a customer, we may also create profiles, e.g., by analysing which types of our products and services you use, how you wish to be contacted, etc. Cornèr Europe may also send a reminder e-mail to prospective customers who visit our websites, are interested in specific products and services and have stored their data in the contact form of the respective website. You can opt out of being sent information (block on advertising) or generally revoke any prior consent you may have given to data processing for marketing purposes by sending Cornèr Europe a written request to that purpose, including by e-mail (see information below on the right to object) ;
h) In connection with its products, Cornèr Europe may create customer, consumption and preference profiles from personal and transaction data collected for marketing purposes which enable Cornèr Europe to develop and offer attractive products and services to customers or to comply with specific legal and regulatory requirements . Cornèr Europe may send customers such information about its own products and services or those of its partners via the available communication channels (e.g., by post, e-mail, push notifications). Every customer can opt out of being sent information (block on advertising) or generally revoke any prior consent given to data processing for marketing purposes by sending Cornèr Europe a written request to that purpose, including by e-mail (see information below on the right to object) ;
i) Customer events: We also process personal data when we hold customer events (e.g., advertising events, sponsoring events, cultural and sports events). Such data may include the first and last names of the participants and/or prospective customers, their postal and/or e-mail address and possibly other information, such as their date of birth, depending on the circumstances. We process such information in order to carry out the customer events but also in order to make direct contact with you. For further information, see the relevant terms and conditions of participation. Every customer can opt out of being sent information (block on advertising) or generally revoke any prior consent given to data processing in the context of such customer events by sending Cornèr Europe a written request to that purpose, including by e-mail (see information below on the right to object);
j) Competitions, contests and similar events: We occasionally organize competitions, contests and similar events. In so doing, we process your contact data and information about your participation in order to carry out the competitions and contests, and if necessary in order to communicate with you about such events and for advertising purposes. For further information, see the relevant terms and conditions of participation. Every customer can opt out of being sent information (block on advertising) or generally revoke any prior consent given to data processing for such competitions, contests and similar events by sending Cornèr Europe a written request to that purpose, including by e-mail (see information below on the right to object);
k) Regarding fulfilment of our ongoing regulatory and compliance obligations (e.g., financial, anti-money-laundering and tax laws), including in connection with the recording and monitoring of communications, the disclosure of data to tax authorities, financial regulatory authorities and other supervisory and/or national authorities and for crime detection or prevention;
l) Law enforcement: We process personal data in various situations in order to enforce our rights, e.g., in order to enforce our claims in or out of court and to enforce or defend ourselves against claims before foreign or domestic authorities. For instance, we may inquire into the chances of success in litigation or file documents with an authority. In so doing, we may process your personal data or forward it to third parties in Switzerland and abroad, to the extent necessary and permissible;
m) Measures to prevent and investigate crimes and to ensure the safety of our customers, employees and other third parties;
n) Measures to secure the property owner's rights, including facility and building security measures (e.g., access control) ;
o) Ensuring IT security and IT operations of Cornèr Europe (including processing of personal data in test environments, where the information is generally pseudonymized in advance);
p) To perform transaction analyses and statistical analyses and similar analyses;
q) For the operational business management of Cornèr Bank Group and its affiliated companies ("Cornèr Group") (including credit and risk management, insurance, auditing, system and product training and similar administrative purposes);
r) Business partners: We work together with various companies and business partners, e.g., with suppliers, with commercial purchasers of goods and services, with joint venture partners and with service providers (e.g., IT-service providers). In so doing, we process personal data concerning the contact persons in those companies (e.g., names, position, title and communications with us), for contract preparation and performance, for planning and bookkeeping purposes and other contract-related purposes. Depending on the field of business, we may also be required to run more detailed checks on the relevant companies and their employees, e.g., through a security check. In that case, we collect and process further information. We may also process personal data to improve customer guidance, customer satisfaction and customer loyalty ( Customer/Supplier Relationship Management);
as well as for other purposes of which you will be informed on a case-by-case basis .
Much of the aforementioned processing is performed to fulfil contractual obligations or for pre-contractual measures at your request (items a), b), c)ii., c)iii., c)iv., c)v., d), r)).
Other processing is performed when required by law or in the public interest (items a), j), p)). For instance, such legal obligations may arise from the Swiss Banking Act, the Collective Investment Schemes Act, the Anti-Money Laundering Act, the Consumer Credit Act, the Mortgage Bond Act, as well as various tax laws and regulatory ordinances issued by the competent supervisory authorities.
Finally, some forms of data processing are performed to protect our legitimate interests or those of third parties in the context of a weighing of interests (items c)i., e), f), g), h), i), k), l), m), n), o), p)). If you would like further details about the weighing of interests, please contact us (contact details in section 1).
In specific cases, we will ask for your consent for personal data processing for certain purposes (e.g., transfer to third parties for their own marketing purposes). Such consent must be given separately and can be revoked at any time.
4. Who will receive my data?
Regarding the transfer of data to recipients outside Cornèr Europe, you should first remember that we treat all personal data with the utmost confidentiality. We are permitted to disclose information about you only when so required by law, or you have granted your consent (e.g., in order to carry out a financial transaction that you ordered from us or when using your payment card) or when we are authorized to disclose certain information.
4.1 Within the Cornèr Group
Within Cornèr Europe, your data is made available strictly on a need-to-know basis for the performance of our contractual and statutory obligations.
Cornèr Europe belongs to Cornèr Group. We may transfer personal data to other Cornèr Group companies for intra-Group management purposes (including for risk management pursuant to statutory or administrative obligations) and for various processing purposes, to the extent permitted by law. In so doing, your personal data may, to the extent permitted by law, be processed and linked with personal data from other Cornèr Group companies for the relevant purposes.
4.2 Third parties
When we provide you with products and services, we give personal data to individuals who are acting on your behalf or otherwise participating in the transaction (depending on the type of products or services you make use of), including the following types of companies described below, where applicable.
- Other lending and financial services institutions or similar establishments, with which we share your personal data (for instance, depending on the contract, correspondent banks, upstream paying agents, as well as clearing houses and clearing or settlement systems as well as specialized payment providers or payment institutions and provider of payment security systems, such as 3D Secure);
- Parties who participate in a transaction (e.g., payees, beneficiaries, authorized signatories on an account, intermediaries) or assume a risk in the course of or in connection with the transaction (e.g., an insurer);
- the relevant card organisation (e.g. Visa) and the acquiring companies that have agreements with individual merchants for purposes of acceptance of those cards;
- Other financial institutions, credit or business rating agencies (for the purpose of procuring or distributing credit reference information and credit checks).
4.3 Service providers
Your data may also be received for the above-mentioned purposes by the service providers or subcontractors we hire if they enter into appropriate confidentiality agreements. Such businesses include providers of banking services (incl. investment services), IT services (including hosting service providers), logistics, printing, telecommunications, debt collection, payment transactions, credit rating agencies, advice and consulting, as well as sales and marketing. In such situations, we protect your personal data in such a way as to ensure that the subcontractor complies with our data security standards.
4.4 Government authorities or regulatory authorities
If necessary, we also disclose personal data to government authorities, regulatory authorities or government agencies (e.g., financial authorities, criminal prosecution authorities), including when so required by laws or regulations or other rules of conduct, or when disclosure is demanded by such authorities or agencies.
4.5 Other cases
In the case of a sale of all or part of our business to another company or in case of the restructuring of our business, personal data will be shared to make it possible for you to continue using the relevant products and services. We usually give personal data to potential purchasers, too, if we are considering a full or partial sale or full or partial spin-off of a business unit. We take precautions to ensure that such potential purchasers will see to the security of the data.
We shall disclose personal data to the extent necessary for the exercise or enforcement of legal rights, including the rights of ourselves and of our employees and other rights-holders, or to the extent necessary in responding to inquiries by individuals or their representatives who wish to enforce their own rights or those of others.
5. Will my data be transmitted to third countries or to an international organisation?
The recipients mentioned in the previous section may reside within Switzerland or outside the European Union or the European Economic Area. In that case, Cornèr Europe will require such recipients to enter into a legally binding agreement to take appropriate measures to protect personal data, unless the receiving country is recognized as ensuring an appropriate level of data protection. Your data may also be transmitted to or within third countries to the extent necessary to carry out your orders (e.g., in the case of payment orders and securities trading orders), if such data transmission is required by law (e.g., tax reporting obligations) or if you have expressed your consent to that purpose.
Please contact us if you would like to examine the data transmission guarantees that have been agreed upon.
6. How long will my data be stored?
We store your personal data as necessary for the purpose for which we collected them.
In the case of contracts, we store your personal data for at least the duration of our contractual relationship. Please note that our business relationship is set up to last for years as a long-term contractual obligation.
Moreover, we store personal data whenever we have a legitimate interest in such storage. Such may be the case, in particular, when we need personal data in order to enforce or defend against claims, for archiving purposes, to ensure IT security or as long as the limitation period on contractual or extracontractual claims is still running. For example, 10-year limitation periods are commonly applicable, but there also many cases of 5-year or even 1-year limitation periods.
Furthermore, we store your personal data for the applicable statutory retention period (e.g., compliance with retention periods under tax or commercial law or compliance with the 10-year retention period required by anti-money laundering legislation).
In certain cases, we will ask you for your consent if we wish to store your personal data longer.
Upon expiry of such periods, we delete or anonymize your personal data.
7. What are my rights under data protection law?
Every data subject has the right to be informed about his or her personal data, the right to obtain its correction or deletion and to limit and/or object to its processing, and - to the extent applicable - the right to obtain a transfer of such data. Moreover to the extent it applies to you, there is a right to complain to an appropriate data protection supervisory authority.
You may revoke your consent to personal data processing at any time. Please note that any such revocation will only be applicable to the future. Any processing performed before the revocation will not be affected. Such revocation may result in the termination of the business relationship with you.
To exercise your rights, use the contact data provided in section 1.
8. Am I under an obligation to supply information?
In the course of our business relationship, you must supply such of your personal information as we need to initiate and conduct our business relationship and to perform the related contractual obligations and such information as we are required to collect by law. Without such data, we will not generally be able to enter into or perform the contract (in which case, we will inform you of that fact).
In particular, before we can start a business relationship with you, the anti-money laundering laws require us to check your identity by means of your identification documents and to collect and record, among others, your first and last names, place and date of birth, nationality, address and the identification document data. To enable us to meet that legal obligation, you need to provide us with the information and documents required by the Anti-Money Laundering Act, and to promptly report any relevant changes over the course of our business relationship. If you fail to provide us with the necessary information and documents we will be unable to initiate or continue our business relationship.
9. To what extent is the decision-making process automated?
We do not generally use any fully automated decision-making system to initiate and to continue the business relationship. If we use such methods in specific cases, we shall inform you of it separately, to the extent required by law.
10. Is profiling done?
In some cases we process your data automatically in order to evaluate certain personal aspects (profiling). We use profiling in the following cases, for example:
- We are required by laws and regulations to combat money-laundering, terrorist financing and economic crimes. We analyse data (e.g., in payment transactions) to that purpose, too. Such measures also help protect you.
- We use scoring in the assessment of your creditworthiness. This involves calculating the probability that a customer will not be able to meet his payment obligations according to the contract. For example, the calculation may include the earnings situation, expenditures, existing liabilities, occupation, employer, duration of employment, experiences from our past business relationship, repayment of loans according to the contract, as well as information from credit reference agencies. Scoring is based on a mathematical and statistically recognized and validated method. The scores calculated help us to decide whether or not to enter into agreements for certain products and are included in ongoing risk management (i.e., they are also used over the course of our business relationship with you).
- In order to inform and advise you about products in a manner tailored to your needs, we use analytics tools, which enable needs-based communication and advertising, including market and opinion research.
11. Data security
Cornèr Europe takes suitable technical measures (e.g., encryption, pseudonymization, logging, access control, data backups, etc.) and organizational measures (e.g., instructions to our employees, confidentiality agreements, reviews, etc.) to ensure the security of the information collected and processed against unauthorized access, misuse, loss, falsification and destruction. Access to your personal data is allowed on a strictly need-to-know basis.
Nevertheless, it is generally impossible to rule out security risks completely: certain residual risks are mostly unavoidable. In particular, since perfect data security cannot be guaranteed for communications by e-mail, Instant Messaging or similar means of communication, we advise you to send confidential information by especially secure communication tools (e.g., send it by post).
12. Biometric data
To the extent required by the applicable laws, we will request your separate express consent for the processing of biometric data (e.g., using your fingerprints or other biometric identification systems for personal identity checks).
Information about your right to object
1. Right to object to the processing of your data for direct advertising purposes
In certain cases, we process your personal data in order to perform direct advertising. You have the right to submit an objection, at any time, to the processing of your personal data for purposes of such advertising; and the same is true of such profiling as is used in direct connection with such direct advertising.
If you object to such processing for direct advertising purposes, then we shall no longer process your personal data for such purposes.
2. Case-specific right to object
You have the right to object, at any time, to such processing of your personal data as is performed in the public interest or on the basis of a weighing of interests.
If you submit such an objection, we shall no longer process your personal data unless we have compelling legally protected reasons for such processing that outweigh your own interests, rights and freedoms, or unless the processing is used for the enforcement, exercise or defense of legal claims. Please note that if you make such objections, we will no longer be able to provide you with services or to maintain a business relationship with you.
Your objection, which is not subject to any conditions as to form, should be addressed whenever possible to:
Cornèr Europe AG, Städtle 17, 9490 Vaduz
If you make use of more than one Cornèr Europe product or service , please specify, in exercising your right to object, which types of processing you object to. If there are uncertainties concerning the scope of your objection, we shall take the liberty of contacting you to clarify the matter.