Data Protection Policy of SQUARE Consulting GmbH
In this Data Protection Policy we, SQUARE Consulting GmbH and companies of the SQUARE Group (hereinafter together SQUARE, we or us), describe how we collect and process personal data. This is not an exhaustive description; where appropriate, other data protection policies or general terms and conditions, conditions of participation and similar regulations may apply to specific circumstances. The term “personal data” is here deemed to include all information referring to an identified or identifiable person.
If you provide us with personal data of other persons (e.g. family members or work colleagues), please make sure that these persons are aware of this Data Protection Policy, and provide us with their personal data only if you are allowed to do so and such personal data is correct.
This Data Protection Policy is in line with the Swiss Federal Act on Data Protection Act (FADP) and the EU General Data Protection Regulation (GDPR). Although the GDPR is a European Union regulation, it is relevant for us and companies outside the European Union and the EEA must also comply with the GDPR in certain cases.
1. Controller / Data Protection Officer / Representative
Unless specifically otherwise indicated, SQUARE Consulting GmbH, Bahnhofstrasse 24, 8001 Zurich, Switzerland is the “controller” of data processing carried out by us. If you have data protection related concerns, you can inform us regarding all companies of the SQUARE Group using the following contact details: SQUARE Consulting GmbH, Datenschutzbeauftragter (Data Protection Officer), Bahnhofstrasse 24, 8001 Zurich, Switzerland, Tel.: +41 (0)44 586 56 06 E-Mail: info@square-Consulting.ch, Website: www. square-Consulting.ch.
Our data protection representative in the EU to be addressed in accordance with Art. 27 GDPR by supervisory authorities and data subjects for all matters in connection with EU data protection legislation is: VGS Datenschutzpartner UG, Am Kaiserkai 69, 20457 Hamburg, Germany, email@example.com.
2. Collection and Processing of Personal Data
We primarily process personal data (such as name, address, date of birth, national insurance number, account numbers, etc.) that we obtain from our clients and other business partners as well as other individuals in the context of our business relationship with them or that we collect from users when operating our websites, apps and other applications.
To such a degree as it is permitted to us, we also obtain certain data from publicly accessible sources (e.g. debt registers, land registries, commercial registers, press, internet) or we may receive such information from affiliated companies of SQUARE, from the authorities or other third parties, such as the providers of background checks. Insofar as these third parties are themselves wholly or partly responsible for the processing of these data, their data protection regulations apply additionally (e.g. the data protection regulations of LexisNexis, available at https://www.lexisnexis.com/global/privacy/de/article-14-bis.page).
Apart from data you provided to us directly, the categories of personal data that we receive about you from third parties include, but are not limited to: information from public registers, data received in connection with administrative or court proceedings, information in connection with your professional role and activities (e.g. in order to conclude and carry out contracts with your employer with your assistance), information about you in correspondence and discussions with third parties, credit rating information (where we conduct business activities with you personally), information about you given to us by individuals associated with you (family, consultants, legal representatives, etc.) in order to conclude or process contracts with you or with your involvement (e.g. references, your address for deliveries, powers of attorney), information regarding legal regulations such as anti-money laundering and export restrictions, bank details, information regarding insurances, our distributors and other business partners for the purpose of ordering or delivering services to you or by you (e.g. payments made, previous purchases), information about you found in the media or internet (insofar as indicated in the specific case, e.g. in connection with a job applications, marketing/sales, etc.), your addresses and any interests and other socio-demographic data (for marketing purposes), data in connection with your use of the website (e.g. IP address, MAC address of your smartphone or computers, information about your device and settings, cookies, date and time of your visit, site and content retrieved, applications used, referring website, localisation data).
In case that SQUARE and/or its affiliates administer or provide services to structures/entities that were to be classified as Financial Institutions (FI) according to the Automatic Exchange of Information under the Common Reporting Standard (CRS) and/or as Foreign Financial Institutions (FFI) under the Foreign Account Tax Compliance Act (FATCA), information such as the following about the relevant account holders and controlling persons may be subject to reporting to the relevant tax authorities:
· name, address, tax residency, TIN, date of birth
· account number
· overall balance
· gross payments
3. Purpose of Data Processing and Legal Grounds
We primarily use the collected personal data to conclude and process contracts with our clients and business partners, particularly within the framework of business Consulting, legal and tax advice, the provision of family office services, salary and HR advice, mandates to act as trustee or member of a board of directors, investment reporting services, compliance services, trust and corporate administration, Automatic Exchange of Information, as well as art management with our clients and the procurement of products and services from our suppliers and sub-contractors, as well as in order to comply with our domestic and foreign legal obligations. You may of course also be affected by our data processing in your capacity as an employee of such a client or business partner.
Furthermore, we also process your personal data and personal data of third parties, where permitted and advisable, in our opinion for the following purposes, which are in our (or, as the case may be, any third parties’) legitimate interest, such as:
· providing and developing our products, services and websites, apps and other platforms on which we are active;
· communication with third parties and processing of their requests (e.g. job applications, media enquiries);
· review and optimisation of procedures regarding needs assessment for the purpose of direct customer approach as well as obtaining personal data from publicly accessible sources for customer acquisition;
· advertisement and marketing (including organising events), provided you have not objected to the use of your data for this purpose (if you are part of our customer base and you receive our advertisement, you may object at any time and we will then put you on a list barring further advertising material being sent);
· media surveillance;
· asserting legal claims and defence in connection with legal disputes and official proceedings;
· carrying out background checks and screening activities in relation to the client and the relevant persons as part of the performance of a contract;
· prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analysis to combat fraud);
· ensuring our operation, including our IT, our websites, apps and other platforms;
· video surveillance to protect our domiciliary rights and other measures to ensure the safety of our IT, building and investment security, and for the protection of our employees and other persons and valuables entrusted to us (e.g. access controls, visitor logs network and mail scanners, telephone recordings);
· acquisition and sale of business divisions, companies, or parts of companies and other corporate transactions and associated transfer of personal data as well as measures for business management and compliance with national and international statutory and regulatory obligations as well as internal SQUARE regulations.
If you have given us your consent to process your personal data for certain purposes (for example when registering for the receipt of newsletters), we will process your personal data within the scope of and based on this consent, unless we have another legal basis, provided that we require one. Consent given can be withdrawn at any time, but this does not affect any data processing already carried out.
4. Cookies / Tracking and other Techniques Regarding the Use of Our Website
For information relating to data processing via our website, please refer to our online data protection policy.
5. Data Transfer and Transfer of Data Abroad
In the context of our business activities and in line with the purposes of the data processing set out in Section 3, we may transfer data to third parties, insofar as such a transfer is permitted and we deem it appropriate, either in order for them to process data for us, or for their own purposes. In particular, the following categories of recipients may be concerned:
· our service providers (within SQUARE, or externally, e.g. banks, insurance companies), including processors (e.g. IT providers);
· registered agents in countries in which they are prescribed by law, provided we are supporting you at your request in the country in question in connection with the incorporation and/or administration of a company;
· dealers, suppliers, sub-contractors and other business partners;
· domestic and foreign authorities, government office or courts;
· the media;
· the public, including users of our websites and social media;
· competitors, industry organisations, associations, organisations and other bodies;
· acquirers or parties interested in the acquisition of business divisions, companies or other parts of SQUARE;
· other parties in possible or actual legal proceedings;
· other companies in the SQUARE group;
all together Recipients.
Certain Recipients may be within Switzerland but can be anywhere in the world. In particular, you must anticipate your data to be transferred to all countries in which SQUARE is represented by affiliates, branches or other offices, as well as in other countries in Europe and the USA where we are acting on your behalf or where our service providers (e.g. LexisNexis) are located. If we transfer data to a country without adequate legal data protection, we ensure an appropriate level of protection as legally required by using appropriate contracts (in particular based on the “standard contractual clauses” of the European Commission, which can be accessed at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en) or binding corporate rules or we rely on the statutory exceptions of consent, performance of the contract, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data, or because it is necessary to protect the integrity of the persons concerned. You can obtain a copy of the mentioned contractual guarantees at any time from the contact person named in Section 1 above, if they are not available under the above-mentioned link. However, we reserve the right to redact copies for data protection reasons or reasons of secrecy or to provide excerpts only.
We are entitled to transfer your data to a country that does not have adequate legal data protection without implementing one of the above-mentioned measures if the transfer of the data is necessary for the conclusion or fulfilment of a contract between you and us, or for the implementation of pre-contractual measures at your request. We are likewise entitled to transfer your data to a country that does not have adequate legal data protection without implementing the above-mentioned measures if this is necessary for the conclusion or fulfilment of a contract between us and an individual or legal entity that is in your interest. Where data of third parties, such as e.g. family members, has to be transferred in the above-mentioned cases, you are responsible for obtaining any consent required from these third parties.
6. Retention Periods for your Personal Data
We process and retain your personal data as long as required for the performance of our contractual and national and international legal obligations or for other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. It is thus possible that personal data may be retained for the period during which claims can be asserted against our company or insofar as we are otherwise legally obliged to do so, or if legitimate business interests require further retention (e.g. for evidential and documentation purposes). As soon as your personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymised, to the extent possible.
7. Data Security
We have taken appropriate technical and organisational security measures to protect your personal data from unauthorised access and misuse such as issuing instructions, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, inspections.
8. Obligation to Provide Personal Data to Us
In the context of our business relationship you must provide us with any personal data that are necessary for the commencement and carrying out of a business relationship and the performance of the contractual obligations relating to it. Without this data, we will usually not be in a position to enter into or conclude a contract with you (or the office or person that you represent). In addition, the website cannot be used unless certain information to ensure data traffic (e.g. IP address) is disclosed. Where you provide third party data to us which we have to process on your behalf for the conclusion or performance of the contract with you, you bear the responsibility for the existence of an adequate legal basis.
9. No Automated Decision Making
In establishing and carrying out a business relationship, and also in other situations, we generally do not use any fully automated individual decision-making (such as pursuant to Art. 22 GDPR). Should we use such procedures in certain cases, we will inform you separately about this and advise you of your rights in this connection.
10. Your Rights
In accordance with the data protection law applicable to you and as envisaged therein (as in the case of the GDPR), you have the right to information, rectification, erasure, the right to restriction of processing or to object to our data processing, as well as the right to receive certain personal data for transfer to another controller (data portability). Please note however that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest in it (insofar as we are permitted to invoke such interest) or need the data for asserting claims. Should you incur costs in exercising such rights, we will notify you thereof in advance. We have already informed you of your right to withdraw consent in Section 3 above. Please note that exercising these rights may come into conflict with contractual agreements and this may have consequences such as the premature termination of the contract or cost implications. If this is the case, we will inform you in advance unless it has already been contractually agreed upon.
In general, exercising these rights requires you to clearly prove your identity (e.g. by means of a copy of an identity document, where your identity is otherwise not clear, or cannot be verified in another way). In order to assert these rights, you can contact us at the address given in Section 1.
Furthermore, every data subject has the right to enforce his/her rights through the courts or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
11. Amendments of this Data Protection Policy
We may amend this Data Protection Policy at any time without prior notice. The currently valid version is published on our website. If the Data Protection Policy is part of an agreement with you, we will notify you by e-mail or other appropriate method in case of an amendment.