This information notice («Privacy Policy»)states the modalities and the purposes of the Processing of Personal Data by the family officeSWIX Family OfficeSA, in its capacity as Data Controller (hereafter the “Data Controller”), as well as any other information required by law, including information on the rights of Data Subjects and on their exercise.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Personal Data (“Regulation” or “GDPR”) lays down a set of rules on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, safeguarding the fundamental rights and freedoms of natural persons and, in particular the right to the protection of personal data.

Art. 4, n. 1 of the Regulation sets forth that “Personal Data” means any information relating to an identified or identifiable natural person(“Data Subject”).

The term “Processing” instead means any operation or set of operations, performed whether or not by automated means which are applied to Personal Data or sets of Personal Data, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (art. 4, n. 2 of the Regulation).

Furthermore, it is envisaged in article 12 and following articles of the Regulation, that the Data Subject has to be made appropriately aware of any information concerning (i) the Processing activities performed by the Data Controller and (ii) the rights of Data Subjects.



 The Data Controller of the Processing pursuant to articles 4 and 24 of the Regulation is the family officeSWIX Family Office SA, with registered office in Corso Elvezia 4 – 6900 Lugano (CH), Tel. +41 91 960 50 00 – Fax +4191 921 05 84. The Data Controller may be contacted by writing to the above address or by sending an e-mail



The Personal Data provided by the Data Subject to the Data Controller will be treated solely for the  purposes regarding the performance of a prospective or existing professional assignment entrusted to the Data Controller (including any connected or instrumental operations, such as, for example, thepreliminary collection of information when a prospective assignment is being discussed or the assessment of a potential conflict of interests), in compliance with the provisions envisaged by art. 13 of the Regulation and with the obligations of confidentiality that in any case guide the professional activity of the family office.

In particular, “purposes regarding the performance of the professional assignment” means any Personal Data Processing related to the operation, administration and performance of the contractual relationship mentioned.

The legal basis for the Processing for the above purposes is art. 6, subparagraph 1, letter b) of the GDPR (“Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”).

Within the scope of these purposes, the Processing is also performed to comply with specific legal requirements concerning the operation of the contractual relationship and the fulfilment of the assignment.

The legal basis for the Processing for the above mentionned purposes is art. 6, subparagraph 1, letter c), GDPR (“Processing is necessary for compliance with a legal obligation to which the controller is subject”).

Finally, data will be processed in the presence of a Data Controller’s legitimate interestto perform and manage the activity, with the intentto deliver enhanced services, after considering and balancing any potential impact on the Data Subject’s rights.

The legal basis for the Processing for the above mentionned purposes is art. 6, subparagraph 1, letter f), GDPR («processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party[…]»).



 Given that the communication of Personal Data by the Data Subject and the consequent Processing by the Data Controller are required to establish or continue and appropriately carry out a pending relationship, such communication is mandatory. Refusal by the Data Subject to provide the Personal Data requested by the Data Controller may lead to the impossibility to execute and direct any contractual relationship with the Data Subject.



TheData Subject’s free and express consent will be requested in writing whenever —in the performance of the professional assignment or in order to comply with specific legal requirements concerning the contractual relationship— the  Data Controller needs to acquire also  falling within the special categories of Personal Data indicated in art. 9 of the Regulation (in particular, Personal Data revealing a person’s “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”).

The legal basis for the Processing of Personal Data falling into the above categories of Personal Data referred to in art. 9 of the Regulation will be represented by the express consent provided by the Data Subject pursuant to art. 9, subparagraph 2, letter a), GDPR (“the Data Subject has given explicit consent to the Processing of those Personal Data for one or more specified purposes).



In accordance with what is ruled in art. 5 of the Regulation, Personal Data concerned by Processing are:

  • processed lawfully, fairly and in a transparent manner in relation to theData Subject;
  • collected and recordedfor specified, explicit and legitimate purposes and subsequently processedin ways that are compatible with such purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, updated;
  • processed in a manner that ensures appropriate security;
  • kept in a form which allows identification ofthe Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed.

In relation with the purposes stated above, Personal Data may be processed using paper and electronic means and, in particular, by ordinary mail or email, telephone (eg. automated calls, text messages), fax and any other IT instruments merely in connection with such purposes and, in any case, ensuring data security and confidentiality, in compliance with what is envisaged by art. 32 of the Regulation on security measures and by persons in charge of the Processing, in compliance with what is envisaged by art. 29 of the Regulation.



The Processing of Personal Data provided by the Data Subject will be performed by the professionals involved in the performance of the services, as well as by their supporting staff, through persons expressly and specifically appointed by the Data Controller, operating at the latter’s office in their capacity as Data Processors (art. 28 GDPR) or as Persons acting under the authority of the controller or of the processor (art. 29 GDPR) or even as officials  expressly appointed for the Processing of Personal Data in accordance with the terms envisaged by the Regulation.

Personal Data may also be directly processed by the Data Controller and disclosed to third parties whenever such Processing serves legal or contractual obligations. For these purposes, Personal Data may be disclosed to external companies or professionals that may be collaborating with the Data Controller for the purposes indicated in this Privacy Policy. The Data Controller will always request to any such third party to respect the security of Personal Data and to treat them in compliance with the law.

In order to enable the fulfilment of legal and contractual obligations Personal Data may be communicated to service providers with Data Processor functions providing IT and system administrator services, to post offices, to shipping agents and couriers when sending documents, as well as to banking institutions carrying out accounting aspects deriving from the execution of the assignment, as well as to the Public Administration pursuant to the laws in force, as well as to any third parties providing IT or filing services.

The Personal Data of the Data Subject will not be publicised by the Data Controller, which will never disclose them or make them otherwise available to undetermined parties.

Please notice that, should the performance of the services entail the Processing of Personal Data of any third party somehow connected to the Data Subject  (such as employees, customers, suppliers, subsidiaries, affiliates and counterparts in general) it is the Data Subject’s responsibility to inform the party or parties concerned and obtain, if due, the consent required for the Data Controller to process their Personal Data, it being understood that any request made to the Data Controller to perform its services in such circumstance shall give rise to the presumption that the Data Subject has already fulfilled such requirement, by informing the parties concerned and obtaining their consent (when due) in favour of the Data Controller.



Personal Data are processed and stored in cloud and on servers both within and outside the European Union, belonging or otherwise available to the Data Controller and/or to third-party companies in charge of the Processing, duly appointed as Data Processors.

The Personal Data concerned by Processing will be stored in compliance with the provisions set forth in art. 5, subparagraph 1, lett. e), GDPR in a form allowing the identification of the Data Subjects concerned for no longer than the time required to achieve the purposes indicated above, for which the Personal Data were originally collected and processed.

Personal Data are stored according to the following criteria:

  1. For the time strictly necessary to achieve the “purposes concerning the performance of the contract” for which they are being processed;
  2. For the time strictly necessary to comply with the requirements established by law or by the regulation as well as with measures ordered by supervisory and control bodies.



Personal Data may be transferred to countries of the European Union or to other countries within the Processing purposes described in this Privacy Policy. In the case of Personal Data transferred outside the European Union, in the absence of an adequacy decision by the European Commission, the Data Controller will comply with the provisions envisaged by applicable rules and regulations on the transfer of Personal Data towards countries not belonging to the European Union.



In conformity with what is envisaged in Chapter III, Subparagraph I, GDPR, the Data Subject may exercise the rights indicated therein and in particular:

(i)       Right of access:the right to obtain confirmation as to whether or not Personal Data regarding the Data Subject are being processed, and, where that is the case, receive information, in particular on: the purposes of the Processing, the categories of Personal Data being treated, the recipients to whom these may be disclosed (article 15, GDPR),

(ii)      Right to rectification: the right to obtain, with no undue delay, the rectification of any inaccurate Personal Data regarding the Data Subject or to completion of any incomplete Personal Data (article 16, GDPR),

(iii)     Right to erasure:the right to obtain, with no undue delay, the erasure of Personal Data regarding the Data Subject, in the cases envisaged by the GDPR (article 17, GDPR),

(iv)     Right to restriction of Processing: the right to obtain from the Data Controller restriction of Processing, in the cases envisaged by the GDPR (article 18, GDPR)

(v)      Right to data portability:the right to receive, in a structured, commonly used and machine-readable format, one’s own Personal Data, as well as the right to have those data transmitted with no hindrance to another Data Controller, in the cases envisaged by the GDPR (article 20, GDPR)

(vi)     Right to object: the right to object to the Processing of one’s own Personal Data, unless legitimate grounds exist for the Data Controller to continue in their Processing (article 21, GDPR).

Without prejudice for any other administrative or judicial remedy, the Data Subject who deems that the Processing concerning himself or herself is breaching the GDPR has the right to lodge a complaint with a supervisory authority, based in the Member State of his or her habitual residence, place of work or place of the alleged infringement, pursuant to art. 77 GDPR.

In order to exercise the above rights, the Data Subject may contact the Data Controller at the contact details referred to in point 1 above.

The exercise, at any time, of the right to withdraw his or her consent to the Processing of Personal Data is without prejudice for the lawfulness of the Processing performed by the Data Controller which is based upon the consent granted before the revocation.


SWIX Family Office SA, (updated at 25/05/2018)