Cembra App Privacy Policy

1. What is this Privacy Policy about?

The protection of your personal data and fair and transparent data processing are important to us. Therefore, we would like to inform you about our data processing and provide you with the information you need to exercise your rights.
Further information can be found in the respective product- and service-specific terms and conditions, on our website, in loyalty and added-value program conditions of our cooperation partners (see list section 6 below) and, if applicable, in further privacy policies.

2. Who are we?

The following company (“we”, “us” or “Cembra”) is responsible for data processing according to this Privacy Policy:
Cembra Money Bank AG
Bändliweg 20
8048 Zurich
Switzerland

Our Data Governance Officer will be happy to answer any questions and concerns you may have in connection with our data protection practices.
Cembra Money Bank AG
Data Governance Officer
Bändliweg 20
8048 Zurich
Switzerland

We have also appointed a representative in the European Union (EU):
activeMind.legal
Kurfürstendamm 56
10707 Berlin
Germany

3. When, for whom and for what is this Privacy Policy intended?

This Privacy Policy applies to any processing of personal data in connection with all of our business activities in all our business areas, as well as for the use of applications made available by Cembra (e.g. Cembra App). It is applicable to the processing of both existing and future personal data.

4. What personal data do we process for which purposes, from which sources and on which legal basis?

4.1. Origin of the personal data

The personal data we process originate, on the one hand, from you as existing or future customers and, on the other hand, from publicly accessible sources (e.g., the media or Internet), from Cembra Group companies, from government agencies (e.g., residents’ registration authorities, the land registry, the commercial registry or debt collection offices) and from third parties (e.g., external credit assessors, the Central Credit Information Office [ZEK] or the Consumer Credit Information Office [IKO]).

4.2. Categories of personal data

a) In the course of initiating or performing the contract, we process different personal data, e.g., personal details (name, address and other contact data, date and place of birth as well as nationality), identification data (e.g., identity document data) and authentication data (e.g., signature samples, patterns of behaviour and movement). In addition, this may include instruction, transaction and risk management data (e.g., payment transaction data, data from the advisory and data from processing of contractual relationships), information about your financial situation (e.g., information on income and assets, creditworthiness, scoring/rating data [see explanation in section 4 b below], information on the origin of assets, current or completed loan agreements), tax-relevant information (information on where you are registered for tax purposes and any other relevant documents and information) as well as contractual and documentation data (e.g., information on the account, custody account, concluded transaction or about third parties such as civil partners or authorised representatives, consultation minutes and discussion minutes).

b) When you log in to or use our Cembra App, we process your end-device data (e.g. details about the device’s manufacturer and type, operating system, device ID and IP address), your Cembra access data (e.g. access code) or your desired settings (e.g. storage of the username or login key or use of other login options (e.g. Face or Touch ID)). Furthermore, we process data regarding the use of the Cembra App (e.g. number of accesses to the Cembra App, including date and time of day), your consent to the terms and conditions of use of the Cembra App or to other terms and conditions of Cembra, as well as data related to your bank product registered on the Cembra App (e.g. credit-card transaction data, monthly bills or payments). If you communicate with us via e-mail, we store the exchanged information and your contact data. We may also process data concerning your habits and/or preferences. Where necessary, we will obtain your consent to this in advance.

c) When you visit websites or use eService, and depending on the offering and features, we process information such as log data; in the case of websites, we process information such as details about the time of the access to our website, duration of the visit and pages retrieved.

Particularly sensitive personal data are data that enjoy special protection (e.g., information on ethnic origin, political opinion, religious and ideological beliefs, genetic and biometric data, health data or information on criminal convictions). Such data will only be processed with your consent or based on a legal foundation.

Please note that consent to processing of personal data not requiring special protection – should it be required – is usually given on other grounds, depending on the particular case, e.g., to comply with the provisions on banking secrecy. Such consent does not change anything about the fact that when processing personal data not requiring special protection, we do not rely on consent, but on the legal foundations mentioned below.

Among other things, we process personal data in the following situations for the following purposes and on the legal foundations mentioned below. Data processing may also be based on several legal foundations.

4.3. Purposes of data processing

a. For the conclusion, execution and enforcement of agreements
The processing of personal data occurs to provide banking and financial services in the context of concluding, executing and enforcing the agreements with our customers or to implement precontractual measures that occur pursuant to a request of yours. The purpose of data processing depends primarily on the specific product and, among other things, may include opening, managing and closing accounts, providing advice and support, executing transactions, and analysing your needs. Further details on the purpose of the data processing can be found in the respective contractual documents, terms and conditions and, if applicable, other documents made available to you.

b. When you use the Cembra App
When you install and use our Cembra App, we process your data particularly in order to:

We may analyse your use of the Cembra App and the bank product registered on the Cembra App to better tailor our products and services to you. We will obtain your consent before sending you offers electronically. You are free to revoke this consent at any time.

c. Visiting websites, use of Cembra eService:
When you visit our website, we process your personal data for IT security purposes, to improve the user-friendliness of the website and its functions and to personalise the content presented. For these purposes, we use analysis services such as Google Analytics. Detailed information on the use of the website is collected in this connection. For these purposes, we may use cookies and similar technologies. Cookies are small files stored on your terminal when you visit our website. Further information can be found on our website and in the product-specific contractual and, if applicable, data protection provisions.

d. In the context of a balance of interests
In addition, we also process your data to protect our legitimate interests, provided that they are not outweighed by your interests. The following is a non-exhaustive list of processing purposes that represent legitimate interests:

e. Due to legal requirements or in the public interest
We process your personal data to meet our regulatory, supervisory and statutory obligations to clarify, inform and report (e.g., in the case of disclosure orders or instruction by the Swiss Financial Market Supervisory Authority [FINMA], as part of the automatic exchange of information with foreign tax authorities or in connection with combating money laundering and the financing of terrorism).

5. Do you have an obligation to provide personal data?

Usually, you are not obliged to provide us with personal data. However, we are not able to enter into a contractual relationship with you if you do not provide us with the personal data required for a business relationship and the fulfilment of contractual obligations or which we are legally obliged to collect (e.g., information required for identification, such as name, place and date of birth, nationality, address and identification document data). Furthermore, if you fail to provide the necessary personal data, we may not be able to give you access to certain of our online services (e.g. Cembra App, website, eService) in whole or in part.

6. With whom do we share your personal data?

Within Cembra, those departments, employees and other bodies have access to your personal data which require such access in order to perform their tasks. In addition, we may outsource individual or entire business areas and services to Cembra Group companies and to third parties in Switzerland and abroad, assign claims and rights and enter into cooperations with partners. If necessary, your personal data will be forwarded to these recipients. We ensure that the data protection and banking secrecy laws are adhered to by such third parties by diligent selection of such processors and the conclusion of adequate contracts. In particular, this involves services and cooperation in the following areas:

We can also forward your personal data for business purposes (e.g., for credit risk, fraud prevention and marketing purposes) to recipients within the Cembra Group for their own purposes. As a result, your personal data can also be processed and linked for the respective purpose together with personal data that comes from another Cembra Group company. You can find a current list of our Group companies at www.cembra.ch/group.
Forwarding of personal data within the Cembra Group is possible in other cases, as well. We can disclose your personal data to third parties if it is in our legitimate interest or you have authorised us to do so. We are obligated to disclose your personal data to third parties (normally, to authorities) if this is required by law.

7. When do we transfer personal data abroad?

We can outsource our services within Switzerland and abroad (see preceding section). Personal data can also be transmitted abroad in conjunction with executing agreements or transactions or offering online services, e.g., in relation to payment transactions or installing the Cembra App. The recipients of your personal data may be abroad – and also outside the European Union (“EU”) or the European Economic Area (“EEA”, this includes the Principality of Liechtenstein, for example). The relevant countries may not have laws that protect your personal data to the same extent as in Switzerland or in the EU or EEA. If we transmit your personal data to such a third country, we shall secure the protection of your personal data in an appropriate manner. This may include the conclusion of adequate data processing agreements with the recipients of your personal data in such countries. Adequate agreements may include ones which have been approved, set up or recognised by the European Commission and/or the Federal Data Protection and Information Commissioner (FDPIC).

8. Does profiling take place and do we perform automated decisions?

We can process your personal data to create profiles, e.g., for analysing, evaluating and decision-making. Such processing can be performed by us and our Group companies for fraud prevention (e.g., in credit card payments) and for risk management purposes. Moreover, we use profiles to enable us to provide you with individual advice and personalized offers. You can object to the processing of your data for advertising purposes at any time (cf. section 11).
If we perform automated decision-making, it is either required for the conclusion or fulfilment of a contractual relationship or it is based on your explicit consent. We shall inform you in each case of such decisions if this is legally required.

9. How do we protect your personal data?

We apply appropriate technical and organisational security measures in order to ensure the security of your personal data, e.g., to protect you against unauthorised or unlawful processing and the risk of loss and to prevent any unintentional change, undesired disclosure or unauthorised access.

10. How long do we store your personal data?

We store your personal data for as long as is necessary for the purpose for which we collected it. Furthermore, we may also store your personal data for longer to meet statutory retention requirements. For example, a ten-year retention period applies for most documents. In addition, we store your personal data if we have a legitimate interest in the storage, e.g., if limitation periods are running, if we need personal data to enforce or defend against claims and for archiving purposes and for IT security reasons.

11. What rights do you have?

Each person affected has particular rights pursuant to the data protection law applicable to them, especially the following rights:

In addition, you have the right to file an objection to the data protection authority, in Switzerland to the Federal Data Protection and Information Commissioner (FDPIC).
You can revoke your consent for the processing of personal data at any time. Please bear in mind such revocation of consent will only have effect for the future. Data processing that occurred before the revocation remains unaffected.
Consent obtained for other reasons, e.g., on account of provisions on bank-client confidentiality pursuant to the Federal Act on Banks and Savings Banks (BankA), remains unaffected.
Moreover, you can object to the processing of your personal data for the purpose of advertising at any time by notifying us.

12. Amendments of this Privacy Policy

This Privacy Policy can be amended in the course of time if we amend our data processing or new legal provisions become applicable. We inform our active customers in a suitable manner (in writing or electronically, e.g., by e-mail or via the Cembra App) if an adjusted Privacy Policy has entered into force.
In the event of ambiguities arising from translations, the German text of this Privacy Policy shall apply.