INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA

 

This information notice (“Privacy Policy”) states the modalities and the purposes of the Processing of Personal Data by the family office SWIX Family Office SA, in its capacity as Data Controller (hereafter the “Data Controller”), as well as any other information required by law, including information on the rights of Data Subjects and on their exercise.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Personal Data (“Regulation” or “GDPR”) lays down a set of rules on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, safeguarding the fundamental rights and freedoms of natural persons and, in particular the right to the protection of personal data.

Art. 4, n. 1 of the Regulation sets forth that “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).

The term “Processing” instead means any operation or set of operations, performed whether or not by automated means which are applied to Personal Data or sets of Personal Data, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (art. 4, n. 2 of the Regulation).

Furthermore, it is envisaged in article 12 and following articles of the Regulation, that the Data Subject has to be made appropriately aware of any information concerning (i) the Processing activities performed by the Data Controller and (ii) the rights of Data Subjects.

 

  1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER OF THE PROCESSING

The Data Controller of the Processing pursuant to articles 4 and 24 of the Regulation is the family office SWIX Family Office SA, with registered office in Corso Elvezia 4 – 6900 Lugano (CH), Tel. +41 91 960 50 00 – Fax +41 91 921 05 84. The Data Controller may be contacted by writing to the above address or by sending an e-mail to Manucer.alexander-david@swixfo.com

 

  1. PURPOSE AND LEGAL BASIS OF THE PROCESSING

The Personal Data provided by the Data Subject to the Data Controller will be treated solely for the purposes regarding the performance of a prospective or existing professional assignment entrusted to the Data Controller (including any connected or instrumental operations, such as, for example, the preliminary collection of information when a prospective assignment is being discussed or the assessment of a potential conflict of interests), in compliance with the provisions envisaged by art. 13 of the Regulation and with the obligations of confidentiality that in any case guide the professional activity of the family office.

In particular, “purposes regarding the performance of the professional assignment” means any Personal Data Processing related to the operation, administration and performance of the contractual relationship mentioned.

The legal basis for the Processing for the above purposes is art. 6, subparagraph 1, letter b) of the GDPR (“Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”).

Within the scope of these purposes, the Processing is also performed to comply with specific legal requirements concerning the operation of the contractual relationship and the fulfilment of the assignment.

The legal basis for the Processing for the above-mentioned purposes is art. 6, subparagraph 1, letter c), GDPR (“Processing is necessary for compliance with a legal obligation to which the controller is subject”).

Finally, data will be processed in the presence of a Data Controller’s legitimate interest to perform and manage the activity, with the intent to deliver enhanced services, after considering and balancing any potential impact on the Data Subject’s rights.

The legal basis for the Processing for the above-mentioned purposes is art. 6, subparagraph 1, letter f), GDPR (“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party[…]”).

 

  1. CONSEQUENCES OF DENIED DATA DISCLOSURE

 Given that the communication of Personal Data by the Data Subject and the consequent Processing by the Data Controller are required to establish or continue and appropriately carry out a pending relationship, such communication is mandatory. Refusal by the Data Subject to provide the Personal Data requested by the Data Controller may lead to the impossibility to execute and direct any contractual relationship with the Data Subject.

 

  1. SPECIAL CATEGORIES OF PERSONAL DATA

The Data Subject’s free and express consent will be requested in writing whenever, in the performance of the professional assignment or in order to comply with specific legal requirements concerning the contractual relationship, the Data Controller needs to also acquire Personal Data falling within the special categories of Personal Data indicated in art. 9 of the Regulation (in particular, Personal Data revealing a person’s “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”).

The legal basis for the Processing of Personal Data falling into the above categories of Personal Data referred to in art. 9 of the Regulation will be represented by the express consent provided by the Data Subject pursuant to art. 9, subparagraph 2, letter a), GDPR (“the Data Subject has given explicit consent to the Processing of those Personal Data for one or more specified purposes”).

 

  1. PROCESSING MODALITIES

In accordance with what is ruled in art. 5 of the Regulation, Personal Data concerned by Processing are:

  • processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
  • collected and recorded for specified, explicit and legitimate purposes and subsequently processed in ways that are compatible with such purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, updated;
  • processed in a manner that ensures appropriate security;
  • kept in a form which allows identification of the Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed.

In relation to the purposes stated above, Personal Data may be processed using paper and electronic means and, in particular, by ordinary mail or email, telephone (e.g. automated calls, text messages), fax and any other IT instruments merely in connection with such purposes and, in any case, ensuring data security and confidentiality, in compliance with what is envisaged by art. 32 of the Regulation on security measures and by persons in charge of the Processing, in compliance with what is envisaged by art. 29 of the Regulation.

 

  1. DISCLOSURE OF PERSONAL DATA

The Processing of Personal Data provided by the Data Subject will be performed by the professionals involved in the performance of the services, as well as by their supporting staff, through persons expressly and specifically appointed by the Data Controller, operating at the latter’s office in their capacity as Data Processors (art. 28 GDPR) or as Persons acting under the authority of the controller or of the processor (art. 29 GDPR) or even as officials expressly appointed for the Processing of Personal Data in accordance with the terms envisaged by the Regulation.

Personal Data may also be directly processed by the Data Controller and disclosed to third parties whenever such Processing serves legal or contractual obligations. For these purposes, Personal Data may be disclosed to external companies or professionals that may be collaborating with the Data Controller for the purposes indicated in this Privacy Policy. The Data Controller will always request to any such third party to respect the security of Personal Data and to treat them in compliance with the law.

In order to enable the fulfilment of legal and contractual obligations Personal Data may be communicated to service providers with Data Processor functions providing IT and system administrator services, to post offices, to shipping agents and couriers when sending documents, as well as to banking institutions carrying out accounting aspects deriving from the execution of the assignment, as well as to the Public Administration pursuant to the laws in force, as well as to any third parties providing IT or filing services.

The Personal Data of the Data Subject will not be publicised by the Data Controller, which will never disclose them or make them otherwise available to undetermined parties.

Please note that, should the performance of the services entail the Processing of Personal Data of any third party somehow connected to the Data Subject (such as employees, customers, suppliers, subsidiaries, affiliates and counterparts in general), it is the Data Subject’s responsibility to inform the party or parties concerned and obtain, if due, the consent required for the Data Controller to process their Personal Data, it being understood that any request made to the Data Controller to perform its services in such circumstance shall give rise to the presumption that the Data Subject has already fulfilled such requirement, by informing the parties concerned and obtaining their consent (when due) in favour of the Data Controller.

 

  1. STORAGE OF PERSONAL DATA

Personal Data are processed and stored in cloud and on servers both within and outside the European Union, belonging or otherwise available to the Data Controller and/or to third-party companies in charge of the Processing, duly appointed as Data Processors.

The Personal Data concerned by Processing will be stored in compliance with the provisions set forth in art. 5, subparagraph 1, lett. e), GDPR in a form allowing the identification of the Data Subjects concerned for no longer than the time required to achieve the purposes indicated above, for which the Personal Data were originally collected and processed.

Personal Data are stored according to the following criteria:

  1. For the time strictly necessary to achieve the “purposes concerning the performance of the contract” for which they are being processed;
  2. For the time strictly necessary to comply with the requirements established by law or by the regulation as well as with measures ordered by supervisory and control bodies.

 

  1. TRANSFER OF PERSONAL DATA ABROAD

Personal Data may be transferred to countries of the European Union or to other countries within the Processing purposes described in this Privacy Policy. In the case of Personal Data transferred outside the European Union, in the absence of an adequacy decision by the European Commission, the Data Controller will comply with the provisions envisaged by applicable rules and regulations on the transfer of Personal Data towards countries not belonging to the European Union.

 

  1. RIGHTS OF DATA SUBJECTS

In conformity with what is envisaged in Chapter III, Subparagraph I, GDPR, the Data Subject may exercise the rights indicated therein and in particular:

(i) Right of access: the right to obtain confirmation as to whether or not Personal Data regarding the Data Subject are being processed, and, where that is the case, receive information, in particular on: the purposes of the Processing, the categories of Personal Data being treated, the recipients to whom these may be disclosed (article 15, GDPR),

(ii) Right to rectification: the right to obtain, with no undue delay, the rectification of any inaccurate Personal Data regarding the Data Subject or to completion of any incomplete Personal Data (article 16, GDPR),

(iii) Right to erasure: the right to obtain, with no undue delay, the erasure of Personal Data regarding the Data Subject, in the cases envisaged by the GDPR (article 17, GDPR),

(iv) Right to restriction of Processing: the right to obtain from the Data Controller restriction of Processing, in the cases envisaged by the GDPR (article 18, GDPR)

(v) Right to data portability: the right to receive, in a structured, commonly used and machine-readable format, one’s own Personal Data, as well as the right to have those data transmitted with no hindrance to another Data Controller, in the cases envisaged by the GDPR (article 20, GDPR)

(vi) Right to object: the right to object to the Processing of one’s own Personal Data, unless legitimate grounds exist for the Data Controller to continue in their Processing (article 21, GDPR).

Without prejudice to any other administrative or judicial remedy, the Data Subject who deems that the Processing concerning himself or herself is breaching the GDPR has the right to lodge a complaint with a supervisory authority, based in the Member State of his or her habitual residence, place of work or place of the alleged infringement, pursuant to art. 77 GDPR.

In order to exercise the above rights, the Data Subject may contact the Data Controller at the contact details referred to in point 1 above.

The exercise, at any time, of the right to withdraw his or her consent to the Processing of Personal Data is without prejudice to the lawfulness of the Processing performed by the Data Controller which is based upon the consent granted before the revocation.

 

SWIX Family Office SA, (updated at 25/05/2018)