DATA PRIVACY POLICY
OF DUKASCOPY BANK SA

V.01.09.2023

1. Introduction

   1. We are strongly committed to protecting and safeguarding your personal data. The present Privacy Policy of Dukascopy Bank SA (hereinafter "the  Company") has been implemented in light of the EU's General Data Protection Regulation (GDPR) which benefits to the residents of the European Union and Switzerland’s New Federal Act on Data Protection (nFADP) of 1 September 2023.
   2. This Privacy Policy provides information on the processing and protection by the Company of personal data of natural persons.
   3. Clients accessing the Company's websites and applying for using its services shall preliminarily read and accept the present Privacy Policy. By continuing to access and use this website or services you expressly confirm your acceptance of our Privacy Policy.

2. Definitions

   1. Client (as a Data subject) – any natural person, who has been using or has expressed willingness to use services and other online resources (e.g. contests, online community, etc.) provided by the Company;
   2. The Company (as a Data Controller) – Dukascopy Bank SA, Route de Pre-Bois 20, ICC, Entrance H, 1215 Geneva 15, Switzerland.
   3. Dukascopy Group – Dukascopy Bank SA incorporated in Swiss Confederation and its representative offices, branches, and Dukascopy Europe IBS AS, Latvia;
   4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
   5. nFADP – Switzerland’s New Federal Act on Data Protection of 1 September 2023.
   6. Data  is defined as information stored electronically, either on a computer or in certain paper-based systems, or by other means.
   7. Data controllers  are individuals or organizations that determine the purpose and manner in which personal data is processed. They hold the responsibility to establish practices and policies in accordance with the Data privacy Rules. The Company is the Data Controller for all Personal Data used in its business.
   8. Data Protection by design  entails incorporating privacy and security measures right from the inception of designing and developing products, services or systems. The Data Controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, which are designed to implement data-protection principles, such as Data minimization (for instance replacing names and details relating to clients by codes).
   9. Data protection by default  refers to the principle whereby the settings, security measures, and privacy options of a system, application, or services are designed to safeguard client’s personal information from the start, without requiring them to make any changes. The Data Controller shall implement appropriate technical and organizational measures to ensure that, by default, only Personal Data which is necessary for each specific purpose of the processing is processed.
   10. Personal Data – any information related to an identified or identifiable natural person (Data subject). For further information please see Section 3;
   11. Processing – any actions and operations performed on Personal Data such as, but not limited to, collection, recording, storage, transfer, erasure, etc.;
   12. Services – any services offered by the Company;
   13. Website – www.dukascopy.com  and  www.dukascopy.bank
   14. Privacy Policy – the present Privacy Policy of Dukascopy Bank SA;

3. Categories of Personal Data That the Company Process

   1. The Company processes certain Personal Data for the purposes specified under Section 4. Please note that the below list is not exhaustive and upon necessity the Company may process other Personal Data, according to its Privacy Policy and other relevant legal enactments.
      1. Personal Data received from the Client:
         1. Natural person’s identification data – including, but not limited to name, surname, national identity number, gender, nationality, tax identification number, date of birth, details of identification document (e.g., passport or ID number or copies);
         2. Contact information – address, telephone number, e-mail address and other if relevant;
         3. Financial information – account number, account balance, income, wealth, transactions and other similar information;
         4. Background and source of funds – information regarding the education, the place and area of work, origin of funds and assets, occupation, business activities if any, employer if any;
         5. Information relating to the use of services and their relation to Clients’ preferences, habits etc. – such as information on services used, personal settings, surveys, contests and campaigns in which the Client has participated;
         6. Marital status and relevant third parties – individuals and legal entities associated to the Client account (e.g., POA holders, authorized users, etc.), originators or beneficiaries of the Client's transactions, whether persons closely related to the Client may be classified as politically exposed persons (PEPs) etc.;
         7. Audio/video data – video surveillance cameras’ footage, phone conversation recordings, video and audio recordings made during the video identification (VI) process;
      2. Sensitive Personal Data received from the Client:
         1. Data related to criminal convictions and offences – data on the criminal record related to criminal offences of Clients, Potential clients, beneficial owners and representatives thereof;
         2. Biometric and Document Verification data – facial recognition scans, scans of the ID document’s chip, security features and Machine-Readable Zone (MRZ) data used for identity cross-verification.
         3. Data related to regulatory compliance: Status of politically exposed person (PEP), tax residency status, etc.
         4. Other sensitive personal information – data specific to the physical, physiological, mental, economic, cultural or social identity including data related to religious, philosophical, political or trade union activities, health, privacy sphere or ethnic origin.
      3. Information collected automatically while using the Website, mobile or online applications operated or owned by the Company:
         1. Technical information and unique identifiers – Internet protocol (IP) addresses, login information, information about browser, time zone, etc.;
         2. Cookies and profiling tools used by the Company’s websites and its mobile applications. For more detailed information on the types of cookies and unique identifiers the Company uses and for which purposes, please refer to the Company’s Cookie Policy.
   2. It is the duty of the Client of informing third parties of this Privacy Policy in case he provides to the Company with Personal Data related to such third parties.

4. Grounds and Purposes for the Processing of Personal Data

   1. The Company processes Personal Data if one of the following circumstances applies:
      1. the processing of Personal Data is necessary to enter into and execute a contract;
      2. to comply with the Company’s legal obligations;
      3. to protect the legitimate interests of the Company or of third parties;
      4. if the Bank obtains the consent from Client.
   2. The Company primarily processes Personal Data for the following purposes:
      1. to provide Services and free of charge online and mobile resources;
      2. to send administrative information, including updates of policies and changes to contractual terms;
      3. to provide the Client with information about Services, products, educational materials, upcoming events and other related information that may be useful to the Client in relation to Dukascopy Group offers and other resources;
      4. to assess and mitigate risks related to anti-money laundering and terrorism financing as well as transaction related risks;
      5. to comply with legal obligations and/ or government authorities’ requests;
      6. in relation to the Company’s legitimate interests.

5. Disclosure of Clients’ Personal Data

   1. The Company is entitled to disclose Client’s Personal Data to selected third parties insofar as such data is necessary for the performance of their delegated functions and there is an adequate legal basis for a lawful disclosure of Personal data, including:
      1. within Dukascopy Group, including all offices and affiliates of the Company, irrespective of their geographical location;
      2. to selected third parties, including providers that deliver services to Dukascopy Group under written agreements ensuring proper safeguards and limitations with regards to Personal Data processing. This may include companies providing IT, payment services, audit services, identity verification, due diligence services, data analysis, marketing support, cloud services and others;
      3. to competent governmental, regulatory or other law enforcement agencies/ authorities.

6. Personal Data Transfers

   1. The Client Personal Data is primarily processed within the European Economic Area (EEA) and the Swiss Confederation. However, when it is necessary, Personal Data may be transferred to third countries, as specified in this Privacy Policy. For all situations, if the transfer of Personal data is to be made outside of the EEA and/or Switzerland, the Data Controller must ensure of the compliance with any confidentiality duty (including banking secrecy) but also verify whether the country is considered equivalent in connection to its data protection rules and if the principle of data protection are being considered from a due diligence standpoint as well as on the basis of a contractual agreement.
   2. The Company transfers or makes Client Personal Data accessible for processing outside the EEA or the Swiss Confederation only when appropriate safeguards are in place and if one of the following applies:
      1. Personal data transfer is required under the laws and regulations;
      2. Personal data transfer is necessary for significant reasons of public interest;
      3. Personal data transfer is necessary to enter into or to perform the agreements with Clients for the provision of Services;
      4. The Client has expressly given consent to the processing of his data outside the EEA.

7. Retention Period and Record Maintenance

   1. Record Period
      1. The period of retention of Personal Data depends on the purposes specified by the Company. Nevertheless, Personal data must not be retained beyond the period required to fulfill its intended purpose. This implies that Data shall be destroyed or erased from the Company’s systems when it ceases to be necessary.
      2. In determining the retention period of Personal Data, the Company takes into account contractual obligations, the legitimate interest of the Company and relevant legal enactments (such as the regulation concerning anti-money laundering and terrorism financing).
      3. As a standard procedure, The Company stores the Client’s Personal data for a period of 10 (ten) years following the termination of the business relationship, unless specified otherwise by relevant laws and regulations.
   2. Record Maintenance
      1. The Data Privacy Rules requires the Company maintains records for all its data Processing activities.
      2. These records should include, at a minimum, the name and contact details of the identity of the Data Controller, the processing purpose, a description of the categories of data subjects and categories of personal data or if possible, standards employed to determine the retention period, a general description of the security measures in place to safeguard the data. Moreover, in situation involving the international transfer or personal data, the name of the relevant safeguarding state should be also be documented.

8. Client’s Obligation

   1. The Client acknowledges and accepts that he will not to hold Dukascopy Group or any of their officers, directors, employees and affiliates liable responsible for any types of losses, including financial losses, suffered by the Client in case of use by a third party of Client’s confidential information, for example the login and password either communicated to this third party by the Client or obtained by the third party from the Client by an abusive/fraudulent manner. The Client shall be solely liable for any such personal data disclosure to unauthorized third parties.

9. Client’s Rights

   1. Upon written request, the Client is entitled to receive a copy of his Personal Data from the Company. However, if such request is excessive or repetitive, the Company reserves the right to refuse to provide the Client with copy of his Personal Data and the Company may request a reasonable fee taking into account the necessary resources for preparing such copy;
   2. The Client may request the Company to correct his Personal Data;
   3. The Client may request the Company to erase his Personal Data to the extent permitted by law and other regulation applicable to the Company;
   4. The Client may restrict the processing of his Personal Data by the Company to the extent permitted by law and other regulation applicable to the Company;
   5. The Client has the right to receive his Personal Data in structured, commonly used and electronic format, as well as to transmit it to another controller;
   6. The Client may withdraw consent for Processing for direct marketing purposes at any time;
   7. The Client has the right to be informed about automated individual decision-making, including profiling;
   8. All aforementioned rights should be exercised in good faith and on a written request basis;
   9. If your request or concern is not satisfactorily resolved by the Company and its Data Protection Officer through the contact details indicated in Section 11 upon your written demand, you have the right to lodge a complaint with the personal data protection authority of the Swiss Confederation.
   10. The Data Controller may refuse, restrict, or defer the communication of information in cases where a formal law provides for it, in the presence of overriding interests, a third party enquire it or when the request for access is obviously unfounded.

10. Data Security

    1. The Company will ensure that appropriate security measures are taken against unlawful or unauthorized processing of Personal data and against the accidental loss of, or damage to, Personal data.
    2. Maintaining data security means guaranteeing the confidentiality, integrity and availability of Personal data.

11. Cookies

    1. The Company uses monitoring technologies such as cookies to provide efficient operation of the Website to its visitors;
    2. Cookie is technology based on small system files placed on browser during visit of the Website;
    3. The Company collects information about visitor’s device and uses cookies to:
       1. customize Company’s Website features;
       2. avoid re-entry of visitor’s data;
       3. store visitor’s preferences;
       4. gather information about usage of the Website.
    4. The Company uses third party cookies, provided by third party web analytic services such as Google Analytics;
    5. Clients and Website visitors can configure their browser preferences and not to accept cookies, however this may affect functionality of the Website;
    6. For detailed information on cookies, their management and deletion please see the Bank’s: Cookie Policy

12. Contact Details

    Should the Client have any questions or inquiries regarding the processing of his Personal Data by the Company, he shall send an e-mail to: [email protected] or send a letter to: Data Protection Officer, Dukascopy Bank SA, Route de Pre-Bois 20, ICC, Entrance H, 1215 Geneva 15, Switzerland.

13. Final Provisions

    1. The Client acknowledges and accepts that the Company has the right to change its Privacy Policy at any time without prior notice to the Client. The Company may freely use its websites to inform the Client about any changes in the Privacy Policy. The publishing of an updated version of the Privacy Policy on the Company’s website(s) shall be deemed a valid notification of changes to the Client. The Client undertakes to regularly review the Company’s Website(s) and updates to the Privacy Policy.
    2. The amendments to the Privacy Policy shall become effective on the date specified in the Privacy Policy;
    3. This Privacy Policy was last updated on the date indicated at the top. It supersedes all previous versions.