Privacy policy statement
This privacy policy statement informs you about how Zürcher Kantonalbank processes your personal data.
1. General
Zürcher Kantonalbank (the Bank) is committed to an open, transparent and customer-friendly approach to data protection as well. By personal data, the Bank means information which relates to an identified or identifiable natural person. The Bank interprets processing as being any handling of personal data, irrespective of the means and methods used, in particular the collection, storage, use, adaptation, publication, archiving or destruction of personal data.
Additional conditions (for example, general terms and conditions or terms of use) may apply to certain forms of data processing, e.g. for apps offered by the Bank such as ZKB TWINT, for ZKB Mobile Banking or social media presences of the Bank or in connection with corporate communication. These are available on the corresponding websites or in the corresponding apps.
1.1 General terms and conditions of business
The provisions of Articles 15 to 17 of the General Terms and Conditions of Business (AGB), as last amended in January 2022, contain general references to data protection, particularly concerning the performance of contracts.
1.2 Data security
The Bank undertakes to protect your privacy in line with the applicable laws, in particular through the rules on banking secrecy and the law governing data protection. The Bank takes numerous precautions to ensure this, such as implementing technical and organisational security measures (e.g. the use of firewalls, personal passwords as well as encryption and authentication technologies, access restrictions, awareness-raising and training of employees).
2. Scope of processing
2.1 Categories of personal data
Depending on which products and services the Bank provides for you, it can process the following categories of personal data. The Bank’s policy is to process as little personal data as necessary.
2.1.1 Former, current and potential customers (or prospective customers)
These include, in particular, the following:
- Master and inventory data such as name, address, telephone number, e-mail address, date of birth, nationality, profession, economic and family circumstances, financial goals, investment knowledge and experience, contract number and duration, identification and authentication data, e.g. login for eBanking, documents to establish the customer's identity, such as an identity document or passport, information about the account, securities account, cards and payments, about current or completed transactions, contracts, products, services; information about third parties, such as life companions, family members, authorised representatives and advisors who are also affected by a data processing.
- Fiscal domicile and any other documents and information which may be relevant in terms of tax.
- Transaction or order and risk management data, for example, information on the beneficiary, counterparty or third-party banks in the case of transfers or card payments and, where applicable, details of issued mandates, information concerning your assets, real estate, lines of credit, credit rating, investment products, risk and investment profile, cases of fraud, enquiries, consultations, conversations and physical or electronic correspondence.
- Personal data requiring special protection (sensitive personal data), such as biometric data for voice recognition during telephone calls for the identification of the caller.
- Recordings of telephone calls between you and the Bank, if applicable, or video recordings of your visit to our premises or your use of our ATMs.
- Marketing data, such as the needs, wishes, interests, preferences, information about the use of products, services or contact and communication channels.
- Technical data such as internal and external identifiers, trade numbers, IP addresses, location in apps (for example ZKB TWINT), records of accesses or changes.
2.1.2 Visitor information (i.e. visitors of branches or websites)
These include, in particular, the following:
- Master data and inventory data, such as name, telephone number, e-mail address, address, date of birth and personal data collected using a form.
- Recordings of telephone calls between you and the Bank, if applicable, or video recordings of your visit to our premises or your use of our ATMs.
- Technical data, such as internal or external identifiers, IP addresses, and logs of access or changes.
- Marketing data, for example, needs, wishes, preferences and interactions.
- Data that is transmitted to us on account of your visit to our websites or that you provide to us (e.g. using a form).
2.1.3 Supplier Employee Data
These include, in particular, the following:
- Master data and inventory data such as name, address, position, telephone number, e-mail address, date of birth, contract number and duration, and information on current or concluded services, products or projects.
- Recordings of telephone calls between you and the Bank, if applicable, or video recordings of your visit to our premises or your use of our ATMs.
- Technical data, for example internal and external identifiers, trade numbers, IP addresses, records of accesses or changes.
2.2 Period for which the data is stored
The period for which personal data is stored is determined according to statutory retention obligations or the purpose for which the data in question is processed.
As a rule, the Bank stores personal data for the duration of the business relationship or term of the contract and subsequently for a further five, ten or more years (depending on the applicable legal basis). This corresponds to the interval of time within which legal claims can be brought against the Bank. Current or anticipated legal or supervisory authority proceedings can lead to data being stored beyond this period.
2.3 Purposes
The Bank can process the personal data described in section 2.1 in connection with the provision of its own services as well as for its own purposes or those required by law. These include, in particular, the following:
- Customer onboarding procedures, review, conclusion, implementation, processing and administration of the business relationship and products and services provided by a universal bank (e.g. communication, verification of identity, evaluation of applications, loan decisions, lines of credit, financial planning, payments, invoices, accounts, cards, investment, stock exchange, pensions, foundation, succession planning and insurance, eFinance, customer service, and communication).
- Statistics, planning or product development, business decisions (for example, the determination of indicators relating to the use of services, utilisation figures, transaction analyses, development of ideas for new products or the evaluation or improvement and review of existing products, services, processes, technologies, systems and returns).
- Monitoring and management of risks, business reviews, establishment of businesses, timely business processing (for example, combating fraud, investment profiles, limits, market, credit or operational risks, and system, product and employee training).
- Brokerage of third-party products and services such as credit or debit cards.
- Marketing, market research, customer relationship management, customer recovery, comprehensive service, advice and information concerning the range of services offered, preparation and provision of tailor-made services (for example, direct marketing, print and online advertising, customer, promotional or cultural events, sponsoring, prize draws, measurement of customer satisfaction, future customer needs or behaviour or assessment of customer, market or product potential).
- Statutory or regulatory audit, information, disclosure or reporting obligations with respect to courts, authorities, compliance with official orders (for example, identity verification, automatic exchange of information with foreign tax authorities, orders by the FINMA, public prosecutor’s offices, in connection with combatting fraud or money laundering or the financing of terrorism or for the purpose of recording and monitoring communications).
- Protecting the Bank’s interests and securing its claims in cases where claims are brought against the Bank or Bank customers as well as protecting the security of the customer and employees.
- Operation of the website (e.g. for technical administration and further development of ZKB websites).
- Any other purposes of which the Bank has informed you.
2.4 Source
In order to fulfil the purposes set out in section 2.3, the Bank may collect personal data from the following sources:
- Personal data provided to the Bank, for example, in connection with the opening of a business relationship, a consultation, communication with the Bank, for products and services or on the Bank’s websites and apps.
- Please only disclose personal data of third parties outside of a legal obligation if you have made the third parties concerned aware of this data protection declaration in advance.
- Personal data which is generated in connection with the use of products or services and is transmitted to the Bank through the technical infrastructure or through processes based on the division of labor (e.g. websites, eBanking, apps, in connection with payment transactions and securities trading or during the course of cooperation with other financial or IT service providers or marketplaces and exchanges).
- Personal data from third-party sources, for example, correspondent banks involved in money transfers or the Zentralstelle für Kreditinformationen (Central Office for Credit Information - ZEK), the Informationsstelle für Konsumkredit (Consumer Credit Information Office - IK), credit reference bureaus, credit checkers, address traders, insurance companies, authorities, other companies within the Bank’s group or sanction lists maintained by the UNO, the SECO and the EU.
- Personal data that is publicly accessible, e.g. on the Internet, in the media, in public registers, such as the land register or commercial register offices.
2.5 Basis for the processing of personal data
Depending on which products and services the Bank may provide for you or the purpose for which the personal data is processed, the data processing is carried out based on the following:
- Entering into, conclusion or execution of a contract or business relationship with you or for the fulfilment of the Bank’s obligations arising from such a contract or business relationship (including any necessary pre-contractual measures), e.g. for lines of credit, financial planning, payments, invoices, accounts, cards, investment, stock exchange, pensions, incorporations, succession planning and insurance, eFinance, and customer service.
- Where applicable, to safeguard the legitimate interests of the Bank – for example, statistics, planning and product development, business decisions; monitoring and controlling of risks, business audits; marketing, market research, customer relationship management, comprehensive service, advice and information concerning the range of services offered, preparation and provision of tailor-made services – where no objection has been lodged; protection of the Bank's interests and securing the claims of the Bank, its customers and employees.
- Where applicable, for the fulfilment of legal or regulatory obligations of the Bank or the performance of tasks in the public interest, e.g. based on the Swiss Banking Act, Collective Investment Schemes Act, Anti-Money Laundering Act, Pfandbrief Act, FINMA Regulations and Circulars, tax laws (cf. also information on tax treaties and the exchange of information with authorities).
- Where applicable, based on your consent [1].
[1] Consents obtained for other reasons, for example, due to the provisions concerning banking secrecy according to the Federal Law on Banks and Savings Banks (BankG), are not affected by this section.
2.6 Obligation to provide personal data
If personal data which the Bank processes are necessary in order to fulfil statutory or regulatory obligations or for the conclusion or performance of a contract or the commencement of a business relationship with you, it may be the case that the Bank cannot accept you as a customer or cannot provide you with products or services if the Bank is unable to process this personal data. In this case, we will inform you accordingly.
2.7 Existence of automated individual decision-making in individual cases, including profiling
The Bank reserves the right in future to analyse and evaluate customer data (including data of affected third parties, see section 2.1) also in automated form in order to recognise key personal characteristics of the customer or in order to predict developments and create customer profiles. These are used in particular for business review and processing (e.g. in connection with the determination of an investment strategy, risk profiles, credit check, combating money laundering, abuse and fraud, IT security) and the individual consultation and provision of offers and information (e.g. marketing, product development and product improvement so that you only receive offers that match your interests), which the Bank and its Group companies may make available to the customer.
Customer profiles may in the future also lead to automated individual decisions, for example, automated creditworthiness decisions in order to accept and execute orders submitted by the customer in eBanking in an automated manner.
The Bank will ensure that a suitable contact person is available if the customer wishes to express an opinion concerning an automated individual decision and such a possibility of expressing an opinion is required by law.
2.8 Categories of intended recipients, guarantees and disclosure abroad
2.8.1 Recipients
Within the Bank, only those departments receive access to your personal data which require this for the conclusion or performance of a contract or the commencement of a business relationship, in order to fulfil statutory or regulatory obligations or perform duties in the public interest.
The Bank only discloses customer data to third parties in the following cases – depending on the nature of the products and services used:
- In order to execute orders, i.e. in relation to the use of products or services, for example to payees, beneficiaries, authorised account users, intermediaries as well as correspondence banks, brokers, clearing houses, other parties involved in a transaction, service providers (e.g. Swisscom), exchanges or marketplaces, reporting of certain stock exchange transactions to international transaction registers.
- With the consent of the customer, to affiliated companies for the purpose of providing comprehensive customer services and for the purpose of outsourcing.
- On the basis of statutory obligations, legal justifications or official orders, for example, to courts, law enforcement agencies or supervisory authorities, e.g. in the area of the law governing financial markets or tax matters or, where necessary, in order to protect the Bank’s legitimate interests in Switzerland and abroad. The latter applies in particular in the event of legal steps or public statements against the Bank being initiated or threatened by the customer, in order to secure the Bank’s claims against the customer or third parties, in connection with the collection of the Bank’s claims against the customer and in order to restore contact with the customer after contact with the competent Swiss authorities has been broken off.
Contract processors are third parties who process personal data on behalf of and for the Bank, e.g. IT, marketing, market research, sales or communication service providers, logistics companies, printing service providers, financial service providers, real estate service providers, rating agencies, collection agencies, anti-fraud agencies, information and cybersecurity service providers, credit reference agencies or consulting firms. If personal data is communicated to such a contract processor, they may only process the received personal data in the same way as the Bank itself. The Bank selects its contract processors carefully and places them under a contractual undertaking to guarantee confidentiality and banking secrecy in Switzerland as well as the security of the personal data.
2.8.2 Location of disclosure
The location of the data disclosure depends on the type of product or service used. Due to our business model as a full-service bank, the following variations are possible:
- The Bank trades and holds in custody securities and financial instruments and/or executes fiduciary investments and foreign exchange transactions on behalf of the customer. In this context, foreign law and contractual provisions may require the Bank to disclose for whom it is acting. This may result in the Bank having to name specific persons or disclose information and documents to authorities and business undertakings in Switzerland or abroad. It should be noted that trading (depending on the exchange or trading facility), downstream processing stages and safekeeping may take place in third countries. The disclosure obligations vary from country to country. Furthermore, new duties of disclosure may arise at any time, or existing ones may be amended. Further information on the place of disclosure of personal data in connection with securities and financial instruments and/or fiduciary investments and foreign currency transactions has already been provided to you in connection with the specific services and products (cf. our General Terms and Conditions of Business, the terms on our products and services and our legal notices and information relating to our trading and investment business, in particular disclosure of customer data in connection with financial market and foreign exchange transactions, Shareholder Rights Directive II, country specifications for cross-border payments, Markets in Financial Instruments Regulation (MiFIR) and SBVg guidelines (February 2016 and June 2009)).
- In connection with the administration of contracts with its suppliers, the Bank may also process contact details, such as the name, e-mail address or telephone number of its contact persons (employees of suppliers). These contact details will be processed using an IT system with a server hosted in Germany.
2.8.3 Guarantees
If, in exceptional cases, personal data is disclosed in countries where there is no adequate level of data protection (see also Art. 16 of the General Terms and Conditions of Business and information regarding the applicability of Swiss banking secrecy and data protection laws; these shall apply mutatis mutandis to visitor and employee data of suppliers), the Bank shall obligate the recipient to comply with an appropriate level of data protection by concluding recognised standard contractual clauses, or the Bank will avail itself of a statutory exception provision (e.g. conclusion or performance of a contract, safeguarding of overriding public interests, enforcement of legal claims, or your consent).
A copy of the EU standard contractual clauses (SCC) can be obtained from us free of charge.
3. Rights
You have the right to information, rectification, erasure, restriction, objection, as well as – where applicable – the right to data portability. In addition, you have the right to lodge a complaint with a competent data protection supervisory authority (see section 5).
Information requests can be submitted to the Bank in writing together with a clearly legible copy of a valid official identity document (for example, passport, identity card, driving licence). The contact details are provided in section 5.
The right to erasure and the right to object are not unlimited rights. Depending on the individual case, overriding interests may necessitate further processing. The Bank will examine each individual case and notify you of the result. If personal data are processed for the purpose of direct marketing, your right to object also extends to direct marketing, including profiling for marketing purposes. You can lodge an objection to direct marketing at any time by sending the Bank a notification to this effect (see point 5).
Where applicable, you can at any time withdraw your consent to the Bank processing your personal data. Please note that such a withdrawal of consent only has effect for the future. Processing which took place prior to withdrawal of consent is not affected.
If the Bank fails to meet your expectations with respect to the processing of personal data, if you wish to complain about the Bank’s data protection practices or if you wish to exercise your rights, please notify the Bank of this (see point 5). Among other things, this gives the Bank the opportunity to address your concerns and, if need be, to make improvements. In order to assist the Bank in responding to your request, we kindly ask you to please provide a correspondingly detailed notification. The Bank will look into your concerns and will reply within an appropriate period.
4. Changes in personal data
The Bank is obliged to process the personal data accurately and keep it up to date. Please notify the Bank of any changes in your personal data using the usual communication channel.
5. Contact details and exercising your rights
Controller for the processing of personal data:
Zürcher Kantonalbank
Zurich Head Office
Bahnhofstrasse 9
8001 Zürich
To exercise your rights in accordance with point 3, please contact the following office:
Zürcher Kantonalbank
Data Office
P.O. Box
8010 Zürich
or send us a message by e-mail to dsr@zkb.ch
Address your questions about personal data protection to the following department:
Zürcher Kantonalbank
Data Protection Officer
Legal & Compliance
P.O. Box
8010 Zürich
or send us a message by e-mail to datenschutz@zkb.ch
EU representative pursuant to Article 27 of the GDPR:
VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany
or by e-mail to info@datenschutzpartner.eu
If you are not satisfied with the Bank’s response, you have the right to lodge a complaint with the data protection authority in the jurisdiction within which you live or work or in the place in which, in your view, a problem arose in relation to the personal data.
You can address general questions, suggestions and comments to your client advisor.
6. Updating of the privacy policy statement
This privacy policy statement was last updated in June 2024. It explains in general terms the way your personal data is processed by the Bank. This privacy policy statement does not constitute a part of any contract between the Bank and you. The Bank reserves the right to amend this privacy policy statement from time to time. In the event of such amendments, you will be informed in an appropriate manner depending on how we usually communicate with you, for example via the website zkb.ch.
In case of any discrepancy between the wording of the German and the English version of the privacy policy statement, the German version shall prevail.
Last updated: June 2024