Privacy Policy
1. Introduction
This Privacy Policy outlines how CBH Compagnie Bancaire Helvétique SA (“we,” “CBH,” or “the Bank”) processes personal data and provides an overview of your rights under applicable data protection regulation.
In general, the processing of personal data varies based on the services you request, the nature of our business relationship, and the applicable legal requirements. In certain cases, additional conditions, such as general terms and conditions or product-specific agreements, may provide further details about specific types of data processing (e.g., for CBH Mobile Banking). These additional conditions are accessible on our website or directly within the respective applications.
This Privacy Policy does not address cookies or other tracking technologies used on the Bank’s website. A separate Cookie Policy, available on our website, provides detailed information on these technologies and their purposes.
2. Categories of personal data
The Bank applies the principle of data minimization and processes only the personal data required to fulfill its obligations or to meet specific legal or regulatory requirements. Depending on the circumstances, the Bank may collect and process the following categories of personal data:
a) Current, former and potential or prospective clients
- Master and identification data: Name, address, telephone number, e-mail address, date of birth, nationality, profession, economic and family circumstances, financial goals, investment knowledge and experience, contract number and duration, identification and authentication data (e.g. login for Online Banking), documents to establish the client’s identity, such as an identity document or passport, and information about third parties, such as life companions, family members, authorized representatives and advisors, who are also affected by the data processing.
- Account and contractual data: Account numbers, securities accounts, card details, loan applications, contract information, details of issued mandates, information concerning your assets, real estate, lines of credit, credit rating, investment products.
- Transaction and risk management data: Information on historical transaction data, the beneficiaries, counterparties, or third-party banks in the case of transfers, payment orders or card payments, and, where applicable, risk and investment profile, cases of fraud, enquiries, consultations, conversations, and physical or electronic correspondence.
- Communication records: Recordings of telephone calls and correspondence exchanged via electronic or physical means.
- Video surveillance data: Recordings from video surveillance at Bank premises.
- Other sensitive personal data: Other personal data requiring special protection, such as biometric data used for voice recognition during telephone calls for caller identification.
- Tax information: Tax residency, tax identification numbers, and related documents required under applicable international tax regulations.
- Marketing and preference data: Information regarding product or service usage, preferences, interests, and communication channel usage.
- Technical data: IP addresses, internal identifiers, access logs, and records of interactions with the Bank’s online services or mobile applications.
b) Visitor information (i.e. visitors to our premises and websites)
- Identification data: Name, contact details, and any information provided in visitor forms.
- Surveillance and access data: Video recordings at the Bank’s premises, logs of access to restricted areas, and website interaction data.
c) Mobile app users
- Data collected through apps: Information provided during registration, such as photographs or profile pictures, and technical details such as IP addresses and device identifiers.
- Other sensitive personal data: Other personal data requiring special protection, such as biometric data and videos or pictures taken for user identification (face recognition).
- Communication records: Messages and emails exchanged with the Bank via the Bank’s communication channels, such as H-Messenger, Online Banking, or the Mobile app.
3. Sources
The Bank collects personal data from the following sources:
- Directly from you: During onboarding, through forms, or during interactions with Bank representatives upon opening a business relationship, during consultations, in communications with the Bank, in relation to products and services, or through the Bank’s websites and apps. Please ensure that personal data relating to third parties is disclosed only if legally required or, where not mandatory, only after informing those third parties of this Privacy Policy notice.
- From service usage: Data generated through transactions, e-banking, mobile apps, or other Bank services such as payment transactions, securities trading, or cooperation with other financial or IT service providers, marketplaces, or exchanges.
- Third-party sources: Data from correspondent banks involved in transactions, the Zentralstelle für Kreditinformationen (ZEK), the Informationsstelle für Konsumkredit (IKO), credit reference agencies, credit assessment entities, address brokers, insurance companies, government authorities, other companies within the Bank’s group, or sanctions lists maintained namely by the UN, SECO, and the EU.
- Publicly available information: All media, public databases, or commercial registers.
4. Purpose of data collection
The Bank collects and processes personal data, as outlined in section 2, for the purposes of providing its services and fulfilling its own operational needs, as well as for purposes required by law. These purposes include:
a) Managing business relationships and service delivery
- Reviewing, concluding, executing, and administering contracts, accounts, and services, including:
  - Onboarding procedures.
  - Identity verification and authentication.
  - Processing loan applications and determining credit limits.
  - Managing financial planning, accounts, cards, investments, and e-banking services.
  - Administering funds, pensions, successions, and other products.
b) Risk management and regulatory compliance
- Identifying, assessing, and mitigating operational, credit, market, and other risks.
- Preventing and detecting financial crimes, such as fraud, money laundering, and terrorism financing.
- Verifying compliance with Swiss and international legal requirements, such as:
  - The Swiss Anti-Money Laundering Act.
  - Tax laws and regulations (including automatic exchange of information with foreign tax authorities).
- Conducting audits and reviews required by supervisory authorities, including FINMA and other public entities.
c) Marketing and relationship management
- Maintaining and improving the client relationship through personalized services and tailored advice.
- Enhancing client engagement through surveys, communications, and customized service delivery.
- Providing information on relevant financial products or services offered by the Bank or affiliated entities.
d) Business and operational efficiency
- Developing internal strategies and products by analyzing service usage and market trends.
- Optimizing internal processes, such as employee training, systems updates, or new technology implementation.
- Preparing reports and statistics for management decisions or external reporting obligations.
e) Securing Bank premises, systems, and claims
- Monitoring Bank premises with security systems such as video surveillance and access controls.
- Securing access to Online and Mobile Banking as well as other online services through authentication measures.
- Protecting the Bank’s claims and rights in cases of legal disputes or fraud investigations.
f) Legal and regulatory reporting
- Fulfilling mandatory disclosures or reporting obligations to Swiss and international authorities.
- Providing required data to supervisory and state authorities or courts in the event of investigations, fraud, or criminal proceedings.
g) Communication and documentation
- Documenting exchanges with clients for compliance and operational purposes, including telephone recordings, email correspondence, or physical communications.
5. Legal basis
The Bank’s processing of personal data depends on the products and services provided to you and the specific purpose for which the data is processed. Processing may be based on the following legal grounds:
a) Contractual or pre-contractual obligations
- Data is processed to initiate, fulfill, or terminate a business relationship or contract. This includes:
  - Verifying the identity of clients and meeting onboarding requirements.
  - Managing loans, credit lines, investment accounts, and financial products.
  - Processing payments, invoices, securities orders, and corporate actions.
- Pre-contractual measures, such as assessing the feasibility of credit or investment products, also fall under this category.
b) Legal and regulatory obligations
- The Bank is required to process data to comply with Swiss laws and the applicable regulations of other jurisdictions, such as:
  - The Swiss Banking Act, the Collective Investment Schemes Act, the Pfandbrief Act, and FINMA regulations and Circulars.
  - The Anti-Money Laundering Act.
  - Tax compliance laws, including provisions on tax treaties and information exchange with authorities.
  - Swiss and EU financial market regulations, including MiFIR and other directives applicable to securities transactions.
- Regulatory compliance includes fulfilling obligations for monitoring, reporting, and record-keeping as required by public authorities.
c) Legitimate interests of the Bank
- Where necessary, data processing is conducted to protect the Bank’s legitimate interests, such as:
  - Conducting business reviews and developing new strategies or products.
  - Preventing fraud and financial crime.
  - Managing risks, including market, credit, and operational risks.
  - Offering personalized products and services, provided no objections have been raised.
  - Protecting the Bank’s claims and rights, including during disputes or legal proceedings.
d) Consent
In cases where consent is required (e.g., for marketing communications, data sharing with affiliated and group entities, or transfers to third countries), the Bank will ensure explicit consent is obtained and documented.
If you have given us your consent for the processing of personal data for specific purposes, the lawfulness of this processing is based on your consent.
Consent can be withdrawn at any time. However, withdrawal does not affect the legality of prior processing activities, and certain services may be restricted as a result.
Consents obtained for other purposes, such as those required by banking secrecy provisions under the Federal Law on Banks and Savings Banks (BankG), are not affected by this section.
Please note that Articles 15 and 16 of the Bank’s General Terms and Conditions contain references to data protection, including explicit waivers, particularly those related to order execution and payment services.
e) Public interest or vital interests
In rare circumstances, data may be processed to protect the vital interests of individuals or to fulfill tasks of public interest. This may include responding to emergencies or fulfilling extraordinary legal mandates.
6. Period of retention
Personal data is retained as long as necessary to comply with contractual, legal, statutory or regulatory obligations and the purpose for which the data is processed. As a general rule, the Bank stores personal data for the duration of the business relationship or contract term, followed by an additional period of five, ten, or more years, depending on the applicable legal framework. Legal or supervisory authority proceedings may require that data be stored beyond this timeframe.
7. Data security
The Bank protects personal data in line with the applicable laws, in particular through the rules on banking secrecy and the law governing data protection. To this end, the Bank implements strict security measures and precautions, including but not limited to the use of network segregation, strong authentication methods, access control, encryption, data loss protection, detection systems, awareness-raising and training of employees.
8. Transfer of data
Personal data may be transferred to jurisdictions that do not offer the same level of data protection as Switzerland. These transfers are secured through appropriate guarantees, such as standard contractual clauses approved by relevant authorities or binding corporate rules, to ensure an adequate level of data protection.
Where no guarantees are in place and the transfer is necessary, such transfer may be based on the following statutory derogations:
- Execution of client orders: For example, payment transactions or securities transfers.
- Legal obligations: To comply with reporting requirements, such as tax information exchanges.
- Establishment, exercise, or defense of legal claims: Where necessary and proportionate to protect the Bank’s legitimate interests.
- Overriding public interest: To fulfill obligations of significant public importance recognized by applicable laws.
- Client consent: Explicit, written consent is obtained for data transfers when necessary.
If consent is withdrawn, the Bank will cease transferring your data, except where legally required or permitted by statutory exceptions (e.g. contract performance, overriding public interest, legal claims). Withdrawal of consent may impact the Bank’s ability to provide certain services.
For transfers to jurisdictions with an adequate level of data protection, no explicit consent or specific safeguards are required, as these jurisdictions are recognized as providing a level of data protection comparable to that of Switzerland.
9. Automated decision-making and profiling
In principle, the Bank does not use a fully automated decision-making process to establish and conduct business relationships. If such processes are introduced, clients will be notified as required by law.
Profiling activities are limited to compliance and investment purposes, for example complying with obligations under the Federal Act on Financial Services and the anti-money laundering and terrorism financing regulation, identifying fraud, and combating financial crime. In this context, data analysis (including on payment transactions) is conducted in compliance with such laws and regulations.
The Bank ensures that all profiling activities are proportionate and aimed at fulfilling regulatory obligations.
The Bank reserves the right to further analyze and evaluate personal data in an automated manner to identify significant personal characteristics or predict developments and create client profiles. These profiles may, in particular, be used for controls related to commercial activity, individual management, advisory or financial services, as well as for the provision of offers and information made available by the Bank.
10. Disclosure of Personal Data
Within the Bank, access to personal data is strictly limited to departments that require it to fulfill their specific functions, such as establishing or managing contract or business relationships, complying with statutory or regulatory obligations, or carrying out duties of public interest. These departments may include, but are not limited to:
- Client services: Relationship managers, advisory services, and trading activities.
- Operational support functions: Payment processing, securities settlement, loan and mortgage management, and general operational support.
- Risk and compliance functions: Credit, market, and operational risk management, regulatory compliance (including KYC and AML), internal audit, and information security.
- IT: Development and maintenance of IT systems, cybersecurity, and digital banking platforms.
- Administrative and logistical support: Document management, printing and distribution, and facilities management.
- Legal and tax functions: Legal advisory, litigation management, and tax compliance.
- Marketing and communication: Marketing strategies, institutional communication, and public relations.
- Human resources: Recruitment, training, and payroll management.
Personal data may also be disclosed to the following categories of external recipients:
- Authorities and regulators: To fulfill legal or regulatory requirements.
- Service providers: Under confidentiality agreements, for purposes such as IT services, payment processing, or audits.
- Affiliated companies (CBH Group entities): To support risk management, fulfill legal or regulatory obligations, and facilitate operational or administrative measures.
- Other financial institutions: Including credit and financial services institutions, correspondent banks, custodian banks, brokers, and stock exchanges, to facilitate the business relationship.
The use of service providers (e.g., subcontractors) and agents employed by the Bank, including entities within the CBH Group or third parties, is strictly in compliance with the Swiss Banking Act, the Data Protection Act and, where applicable, the FINMA Circular 2018/3 “Outsourcing” and Circular 2023/1 “Operational risks and resilience”. External service providers are obligated to maintain banking secrecy and adhere to rigorous data security standards.
In exceptional circumstances where personal data is disclosed to recipients situated in countries that lack an adequate level of data protection, the Bank ensures an appropriate level of data protection by requiring the recipient to sign standard contractual clauses or by relying on statutory exceptions (please refer to section 8).
11. Your data protection rights
You have the right to request information, rectification, erasure, restriction, objection, and, if applicable, data portability, in accordance with the rights arising under the regulations and laws applicable to the Bank. Additionally, you may file a complaint with a competent data protection supervisory authority, which in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
Requests for information should be submitted to the Bank in writing along with a clear copy of a valid identification document (e.g., passport, identity card, driver’s license). Contact details are provided in section 13.
Please note that the rights to erasure and objection are not absolute; further processing may be required based on overriding interests. The Bank will evaluate each case individually and inform you of the outcome. If personal data is processed for direct marketing purposes, your right to object includes objecting to profiling for marketing. You can exercise this right by notifying the Bank as outlined in section 13.
If applicable, you may withdraw your consent to the Bank’s data processing activities at any time. Such withdrawals are only effective moving forward, and any processing carried out prior to the withdrawal remains valid.
If the Bank’s data processing practices do not meet your expectations or if you have concerns about them, please notify the Bank (see section 13). This allows the Bank to address your concerns and make improvements if necessary. To facilitate a prompt response, please provide detailed information in your request. The Bank will investigate your concerns and respond within an appropriate timeframe.
12. Changes to Personal Data
The Bank processes personal data as accurately as possible and keeps it up to date. Please inform the Bank of any changes to your personal data through the usual communication channels.
13. Contact details of the Data Protection Officer (DPO)
CBH Compagnie Bancaire Helvétique SA
Délégué à la protection des données
Boulevard Emile-Jaques-Dalcroze 7
1204 Genève
dpo@cbhbank.com
14. Policy changes
This Privacy Policy is regularly reviewed and may be updated at any time without notice.
If you have any questions regarding the processing of your data, please contact either your Relationship Manager or the Bank’s data protection officer (see section 13), who will be happy to help you.
Last update: December 2024