Data protection information for customers of the Swiss Bankers Prepaid Services Group regarding data processing on the basis of the EU General Data Protection
The following data protection information provides an overview of how customer data is collected and processed by the Swiss Bankers Prepaid Services Group (consisting of Swiss Bankers Prepaid Services AG, Grosshöchstetten, Switzerland and Swiss Bankers Prepaid Services (Liechtenstein) AG, Vaduz, Liechtenstein) on the basis of the EU Data Protection Regulation (GDPR), particularly Articles 13, 14 and 21, which has applied since 25 May 2018. The following information provides an overview of how we process personal data, as well as the rights of existing and prospective customers under the data protection legislation. The specific data processed and the manner in which this is done depends primarily on the services that have been requested or agreed.
Swiss Bankers Prepaid Services AG
Kramgasse 4, CH-3506 Grosshöchstetten, Schweiz
Telephone: +41 31 710 11 11
Email address: email@example.com
Swiss Bankers Prepaid Services (Liechtenstein) AG
Austrasse 56, FL-9490 Vaduz, Liechtenstein
Telephone: +423 233 31 41
Email address: firstname.lastname@example.org
We process personal data that we receive from our customers as part of our business relationship with them. Insofar as is necessary for the provision of our services, we also process personal data which we have acquired legally from publicly accessible sources (e.g. registers of companies and associations, records of debtors, the press, Internet) or which has been legitimately transmitted to us by other companies of the Swiss Bankers Prepaid Services Group or other third parties.
Relevant personal data includes particulars (e.g. name, address and other contact details, date/place of birth, nationality), identification data (e.g. ID/passport details) and authentication data. It may also include order details (e.g. for card loading), data from the fulfilment of our contractual obligations (e.g. sales data), information about the financial situation (e.g. credit reference data, scoring/rating data, source of assets), advertising and sales data (including advertising scores), documentation data (e.g. phone records), data about the use of our offered media (e.g. the times at which our websites, apps or newsletters are accessed, clicks/entries on our webpages) as well as other data similar to the specified categories.
We process personal data in accordance with the legal regulations that apply in each case. In the area of data protection law, these include the following in particular: the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP) and the Liechtenstein Data Protection Act.
a) To fulfil contractual obligations (Art. 6(1)(b) GDPR)
We process personal data for the purpose of providing our services – in particular, to perform the contracts agreed with you and to fulfil your orders – as well as for all activities that are necessary for our business operations and management.
The purposes for data processing are based primarily on the specific service requested of us by the data subject (e.g. use of prepaid card, ordering banknotes).
b) In the context of balancing interests (Art. 6(1)(f) GDPR)
To the extent necessary, we will process personal data after the actual fulfilment of the contract in order to protect our own legitimate interests or those of third parties, provided that these interests are not outweighed by the customer’s own interest in protecting their personal data.
Advertising or market and opinion research, provided that the customer has not objected to us using the data
Prevention and investigation of criminal acts
Video surveillance for the protection of proprietary powers or the collection of evidence
In the event of robbery and fraud
Measures relating to business management and the further development of products and services
c) On the basis of consent (Art. 6(1)(a) GDPR)
If we have been given permission to process personal data for specific purposes (e.g. sharing data within the company, analysing payment transaction data for marketing purposes), it is processed lawfully on the basis of this consent. Consent may be withdrawn at any time. The withdrawal of consent does not affect the lawfulness of the data processing performed before the time of withdrawal.
d) Due to a legal obligation (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR).
In addition, we are subject to various legal obligations, i.e. statutory requirements (e.g. Swiss Federal Act on Banks and Savings Banks, the Liechtenstein E-Money Act, the Swiss Anti-Money Laundering Act, the Liechtenstein Due Diligence Act, tax laws) and supervisory requirements (e.g. FINMA or FMA).
Reasons for processing personal data include identity verification, prevention of fraud and money laundering, fulfilment of tax inspection and reporting duties, as well as risk assessment and management within the Swiss Bankers Prepaid Services Group.
Within the companies of the Swiss Bankers Prepaid Services Group, the customer’s personal data is only made available to parties that need it to fulfil their contractual and legal obligations. Service providers and vicarious agents engaged by us may also receive data for these purposes if they are obliged to maintain banking secrecy and protect trade secrets. This includes companies in the categories of IT services, logistics, printing, telecommunications, consulting, auditing, and sales and marketing. With regard to the sharing of data with recipients outside of the authorised companies, we are obliged to maintain confidentiality over customer-related facts and circumstances that we become aware of. We may only share information about customers if they have provided their consent, if we are required to do so by law or if we are authorised to provide information. Recipients of personal data under these conditions may include:
public bodies and institutions (e.g. FINMA/FMA, financial authorities, law enforcement agencies) in the event of a legal or official obligation;
other financial services institutions or similar institutions to which we send personal data for the purpose of conducting the business relationship with the customer (e.g. payment processors);
other companies within the Swiss Bankers Prepaid Services Group for the purpose of risk management based on legal or official obligations.
Other recipients of data may include parties for which we have been granted consent to transfer data, or for which we have been released from obligations relating to banking secrecy and the protection of trade secrets by means of an agreement or consent.
For customers who are residents of an EU member state or the EEA: data is transmitted to third countries (countries outside the European Economic Area – EEA; e.g. to Switzerland) in accordance with Art. 44 ff. GDPR for the purpose of processing the orders that the customer has issued to Swiss Bankers Prepaid Services AG (registered office in 3506 Grosshöchstetten, Switzerland), provided that the transfer of data is necessary or legally required or the customer has given us their consent.
Swiss Bankers Prepaid Services (Liechtenstein) AG, Austrasse 56, 9490 Vaduz, acts as a representative of Swiss Bankers Prepaid Services AG in the EU and the EEA pursuant to Art. 27 GDPR.
We process and store personal data for as long as is necessary to fulfil our contractual and legal obligations. It should be noted that our business relationship constitutes a continuous obligation over a period of years. If the data is no longer needed to fulfil contractual and legal obligations, it will be deleted unless it needs to be (temporarily) retained for longer for the following purposes: To fulfil legal retention obligations: specifically under the Swiss Code of Obligations (OR), the Accounting Ordinance (GeBüV) and the Anti-Money Laundering Act (AMLA), which stipulate a retention/documentation period of 10 years.
All data subjects have a right of access under Article 15 GDPR, a right to rectification under Article 16 GDPR, a right to erasure under Article 17 GDPR, a right to restrict processing under Article 18 GDPR, a right to object under Article 21 GDPR, a right to data portability under Article 20 GDPR and a right to file a complaint with a supervisory authority under Article 77 GDPR.
Within the context of our business relationship, customers must provide the personal data that is necessary for establishing and executing a business relationship and fulfilling the associated contractual obligations, or the personal data that we are legally obliged to collect. Without this data, we will not usually be able to conclude or perform a contract. In particular, we are obliged under the money laundering regulations to identify customers by means of an identification document before the business relationship is established. In particular, we must collect and record their name, place of birth, date of birth, nationality and home address, as well as their ID/passport details.
Customers must provide us with the information and documents that are needed for complying with the Anti-Money Laundering Act. Should this data change during the course of the business relationship, we must be informed of the changes immediately. If the customer does not provide us with the necessary information and documents, we will not be permitted to establish or continue the business relationship.
We do not generally make use of fully automated decision-making pursuant to Article 22 GDPR for the purpose of establishing and executing the business relationship. Should we use these procedures in individual cases, we will inform our customers separately if we are required to do so by law.
We process personal data by automated means to a certain extent in order to analyse specific personal aspects (profiling). We use profiling in the following cases, for example:
Due to legal and regulatory requirements, we are obliged to combat money laundering, the financing of terrorism and asset-endangering crimes. Data is also analysed within this context (e.g. for payment transactions). These measures serve to protect the customer at the same time.
We use analysis tools to provide our customers with information and advice on products in a targeted manner. These enable requirements-oriented communication and advertising, including market and opinion research.
11.1 Right to object on a case-by-case basis
On grounds relating to their particular situation, customers have the right to object at any time to their personal data being processed on the basis of Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing on the basis of a balance of interests). This also applies to profiling based on this provision within the meaning of Article 4 no. 4 GDPR. If the customer objects, we will no longer process their personal data, unless we can provide compelling legitimate grounds for doing so that outweigh their interests, rights and freedoms, or if the processing is necessary for establishing, exercising or defending legal rights.
11.2 Right to object to the processing of data for direct marketing purposes
In individual cases, we process personal data to conduct direct marketing. Customers have the right to object at any time to their personal data being processed for the purpose of such marketing; this also applies to profiling if it is associated with such direct marketing. If the customer objects to their data being processed for direct marketing purposes, we will no longer process it for these purposes. The objection may be made in any form and should be addressed to: Swiss Bankers Prepaid Services AG, Kramgasse 4, 3506 Grosshöchstetten, Switzerland / Swiss Bankers Prepaid Services (Liechtenstein) AG, Austrasse 56, 9490 Vaduz, Liechtenstein.
Card issuers and licensors:
Data, in particular card numbers, are shared with Mastercard Europe SA, 1410 Waterloo, Belgium, for the purposes of data processing. Mastercard Europe SA processes these data in accordance with the Mastercard Binding Corporate Rules, which are approved by the Belgian data-protection authorities, and may share data with other entities specified in the Mastercard Binding Corporate Rules within or outside the European Union or the European Economic Area for the purposes of data processing.
Manufacturer of mobile devices
Operator of mobile apps