If you are wondering what data we process and, above all, for what purpose, we hope you will find the answer to your questions below.
SOME PIECES OF INFORMATION ABOUT YOUR PERSONAL DATA PROCESSING AT IGSON CAPITAL AG
The information that is included in this document regards the Customers’ personal data to be processed by IGSON CAPITAL AG with the legal seat at Mühlegasse 18, 6340 Baar, Switzerland (hereinafter Igson Capital AG or the Self-Regulatory Organisation) in association with agreements concluded for providing payment services and some additional services. The information provided is compliant with the Swiss Federal Act on Data Protection (FADP) of 19 June 1992 (235.1 of 1992) and with the European Union regulations regarding the personal data processing [General Data Protection Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR)].
Irrespective of the laws binding the processing of personal data in accordance with the highest standards and respect as well as the Customers’ privacy are the priorities of the most importance for Igson Capital AG.
The data controller and a contact point
The data controller is Igson Capital AG.
A possible contact point at Igson Capital: firstname.lastname@example.org
The aim of the personal data processing
The Customers’ personal data, including biometric data is processed in the purpose of: the execution of a Customer’s agreement; the fulfilment of any and all legal obligations that the controller is responsible for as well as to perform some issues for and on behalf of public interest (e.g. performing issues associated with security and/or defence, storing the files for the purpose of the supervisory authority’s request); the matters that come from the legitimate interests being performed by the Self-Regulatory Organisation (e.g. own-products direct marketing, claims securitization and claiming claims towards a Customer, claims securitization and claiming claims against a Customer and/or any third party); marketing matters that do not result from the legitimate interests that are pursued by the Self-Regulatory Organisation (e.g. any third parties’ products and services marketing, own-marketing not being a direct marketing).
Legal backgrounds for the personal data processing
Legal backgrounds for the personal data processing are as follows:
- Federal Act on Data Protection (FADP) of 19 June 1992 [235.1 of 1992];
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in particular Article 6 of the said Regulation that statutes the general conditions of lawfulness of the personal data processing [Official Journal of the European Union L 119 of 4.5.2006];
- Federal Act on Financial Services (Financial Services Act or FinSA) of 15 June 2018 [950.1 of 2018];
- Federal Act on Financial Institutions (Financial Institutions Act or FinIA) of 15 June 2018 [954.1 of 2018];
- Federal Act on Combating Money Laundering and Terrorist Financing in the Financial Sector (Anti-Money Laundering Act or AMLA) of 10 October 1997 [955.0 of 1997];
- a Customer’s consent – in the event that the Self-Regulatory Organisation is entitled or obligated to process the personal data under an explicit consent and that results from the prior mentioned legal acts and regulations.
In the event of the personal data processing under Article 6 paragraph 1 letter (f) of General Data Protection Regulation (when the personal data processing is necessary for the purposes of the legitimate interests pursued by the Self-Regulatory Organisation or by any third party), the Self-Regulatory Organisation informs a Customer that the legitimate interests pursued by the controller are as follows: own-products direct marketing, claims securitization and claiming claims towards a Customer as well as claims securitization and claiming claims against a Customer.
The personal data recipients
Accordingly to the definition of “recipient” that is placed in General Data Protection Regulation in Article 4 point (9) the Self-Regulatory Organisation informs a Customer that while processing his/her personal data may be disclosed to the following categories of recipients:
- a Customer and the persons granted by a Customer;
- the persons granted by the Self-Regulatory Organisation who are employed at the Self-Regulatory Organisation or at the companies that belong to the capital group of Igson Capital;
- the entities that process the personal data for the interest and on behalf of the Self-Regulatory Organisation and the persons granted and employed at those entities (e.g. marketing performance provided by external providers, debt collection and claiming claims upon an external provider’s services basis);
- third parties – in the case of a Customer’s consent for the personal data transferring (e.g. in case of the personal data transferring in the purpose of marketing, in case of verifying a Customer’s reliability, in case of ordering a payment) or in the case the Self-Regulatory Organisation uses its lawful rights; public authorities that may request and/or may be delivered the personal data in other cases than within specific proceedings being carried out accordingly with the Swiss law and the European Union law.
Processing of the personal data in third countries
Igson Capital AG does not transfer any personal data, including biometric data to any third countries (outside Switzerland and/or the European Economic Area) or to international organisations. In the case such an intention has occurred the Self-Regulatory Organisation will make its best efforts, if necessary, the personal data is transferred to any third country or any international organisation, such third country or such international organisation will be the one(s) the European Commission has confirmed an adequate level of data protection (accordingly to General Data Protection Regulation). In any other case the Self-Regulatory Organisation may be entitled to transfer the personal data to a third country or an international organisation only under the condition an adequate level of data protection has been ensured by that third country or by that international organisation and under the condition the rights of the persons the personal data regards have been protected as enforceably and lawfully effectively as mentioned in General Data Protection Regulation as well as a Customer has been respectfully informed with respect to a possibility a Customer to be delivered copies of the personal data, or a place the personal data have been disclosed.
Storage periods of the personal data
The personal data is stored:
- in the case of the personal data collection, including biometric data in purpose of conclusion a Contract [legal background: Article 6 paragraph 1 letter (b) of GDPR]: as from the moment of the personal data is collected prior concluding a Contract or within concluding a Contract or within executing a Contract (in case of completing or updating the personal data within executing a Contract) up to a Contract is terminated or an Agreement is still executed following its termination (e.g. claim-handling);
- in the case of the personal data collection, including biometric data in purpose of fulfilling the obligations that result from binding laws and regulations or that remain in connection with the performance of a task carried out in the public interest [legal background: Article 6 paragraph 1 letter (c) and (e)] within a period necessary to execute rights and tasks that may result from specific laws or regulations;
- in the case of the personal data processing, including biometric data in purpose of the Self-Regulatory Organisation’s legitimate interests [legal background: Anti-Money Laundering Act of 10 October 1997 [955.0 of 1997] and Financial Services Act of 15 June 2018 [950.1 of 2018] as well as Article 6 paragraph 1 letter (f) of GDPR] these data shall not be stored any longer than a period of six (6) years as from the moment a Contract is terminated or a relevant and reasonable objection has been submitted against the data processing in this purpose;
- in the case of the personal data collection, including biometric data under a Customer’s consent [legal background: Article 6 paragraph 1 letter (a) or (f) of GDPR]: as from the moment a Customer’s consent has been given to process the data (as well within executing a contract) up to the moment an application of a consent withdrawal is fully processed, in case of a consent withdrawal or an objection has been noted;
- apart from the abovementioned situations the personal data may be stored within a period of a limited data processing set up under a Customer’s application as well as on public authorities’ request – in the situations as provided in Article 18 and Article 58 of GDPR.
Each time the personal data, including biometric data is processed the Self-Regulatory Organisation follows the principles of limiting the aim(s), minimalizing the data provided and limiting the storage periods.
A customer’s rights related to the personal data processing
A Customer has the right to have an access to the personal data, including biometric data and its content, and to correct, delete and/or limit the processing. In addition a Customer has the right to submit an objection to processing his/her personal data as well as the right to transfer the data. Performance of the rights as mentioned in this paragraph complies with the provisions of General Data Protection Regulation (GDPR) – upon a basis of the definitions and mechanisms as stipulated in that General Regulation.
Without prejudice to the compliance of the data processing, in the case the Self-Regulatory Organisation processes the personal data under a Customer’s consent, then a Customer has a right to withdraw his/her consent for the data processing which has been performed under a Customer’s relevant consent prior its withdrawal.
A Customer has the right to lodge a complaint with a supervisory authority under the principles as stipulated in General Data Protection Regulation, in particular Article 77 of that General Regulation. The competent authority for data processing by federal bodies and private persons, including enterprises in Switzerland is the Federal Data Protection and Information Commissioner [FDPIC].
The data categories. Requirement of providing the personal data.
Lack of providing the personal data and its consequences.
Igson Capital AG informs that providing the following data is a contractual requirement and a necessary condition to conclude a contract at the same time: forename, surname, type of ID document, its serial number, national identity number, place of living, address for correspondence, facial images. Providing any other data such as: phone numbers, phone numbers for contact purposes, e-mail address is a contractual requirement. Providing all required data is voluntarily. The consequence of lack of providing the personal data that is necessary to conclude o Contract is no possibility to effectively conclude a Contract with the Self-Regulated Organisation. The consequence of lack of providing the personal data, including biometric data that is not a condition to conclude a Contract is no possibility to use this data in purpose that is connected with the data collection (i.e. e.g. contact a Customer through this data that aims to execute a Contract, possibility of marketing offer delivering).
The remaining pieces of information/statements
Igson Capital AG informs a Customer that in purpose of charging the fees for Products and Services, bank inter-charging as well as under the principles as stipulated in the binding laws and regulations and in purpose of marketing payment services or providing payment services all the personal data that is processed within a period of existing a Contract or a consent, and after termination of a Contract within a period of claiming and handling claims, but no longer than the term of the limitation of claims or performing tasks or duties provided in the binding laws and regulations.
The principles described in this document have been applicable since the day of conclusion a Contract with Igson Capital AG where the GDPR provisions have been in full force and effect.
While drafting the above pieces of information, on one hand, we attempted to deliver them as most specific and precise as possible (including accordingly with specific notions and definitions as provided in the GDPR provisions), and simple, clear and understandable, on the other hand. In purpose of permanent complying with and in association with often changing the provisions of the laws and regulations we restrict the right to permanent updating and improving a form and content of these pieces of information. We are aware of this material being extremaly extensive and therefore, should you have any remarks, questions or doubts (in particular all those connected with the personal data, including biometric data processing in specific purposes and situations), we kindly ask you to contact direct the Igson Capital AG contact point at email@example.com
A fully complete English wording of General Data Protection Regulation (GDPR) EU 2016/679 is available on the web page: