EFG Digital Identification Privacy Notification

1. Introduction

1. Introduction

This Privacy Notification applies to prospective clients (“you”) relevant to our digital identification document authentication process (the “Authentication”).

THIS PRIVACY NOTIFICATION SUPPLEMENTS ANY OTHER PRIVACY NOTIFICATION PROVIDED TO YOU BY US (e.g. https://www.efginternational.com/data-privacy.html).

In this Privacy Notification ‘we’ refers to the EFG Group entity with which you want to establish a contractual relationship. EFG Group means the group of companies composed of EFG International AG and its worldwide affiliates. A list of the EFG Group entities and their contact details can be found here: https://www.efginternational.com/contact.html.

2. Types of personal information collected and processed

During the Authentication process we may collect and in general process the following personal information relating to you:

  • Any personal information included in the identification documents you have provided and/ or any forms you have completed for the purposes of the Authentication;
  • Video and/ or recorded audio captures and/or images and biometric information from these captures/ images, which are compared against the information gathered from the identification documents you have provided; and
  • Technical information, including the internet protocol (IP) address used to connect your device to the internet, your log-in information, the browser type and version, the time-zone setting, the operating system and platform, the type of device you use, a unique device identifier, mobile network information, your mobile operating system, the type of mobile browser you use and so on.

3. Sources of personal information

We collect your personal information:

  • Directly from you. If you fail to provide certain information, we may not be able to finalise the Authentication process and enter into a contractual relationship with you. Please note that we may still process any available personal information; and
  • Automatically by the systems used for the purposes of the Authentication.

4. How we use personal information

The situations in which we may process your personal information are listed below:

  • To authenticate documents provided by you in order to confirm and verify your identity;
  • To facilitate the opening of an account for your benefit or related to you and to improve the quality of our services;
  • To ensure compliance with our internal policies and/ or procedures and to be able to monitor risks and report them;
  • To carry out business, operational and administrative activities, including audits;
  • To carry out statistical and other analysis, including profiling;
  • To comply with any applicable laws and regulations and/or any voluntary code or industry best practice we reasonably decide to adopt;
  • To comply with the request or requirement of any court of any relevant jurisdiction or any relevant tribunal, mediator, arbitrator, ombudsman, taxation authority or regulatory or governmental authority;
  • To carry out the detection, investigation and prevention of fraud, money laundering, bribery, corruption, terrorist financing and other crime or malpractice and oversee and report on such detection, investigation and prevention activities; and
  • For use in connection with any legal proceedings or regulatory action (including prospective legal proceedings/ regulatory action) and for obtaining legal advice or for establishing, exercising or defending legal rights.

5. Recipients of your personal information

We (and those parties to whom personal information is disclosed) may disclose personal information in the situations described below:

  • To third parties/ processors of your personal information who provide services to us;
  • To any court of any relevant jurisdiction or any relevant tribunal, mediator, arbitrator, ombudsman, taxation authority or regulatory or governmental authority;
  • To public authorities, regulators or governmental bodies, when required by law or regulation;
  • To our auditors and professional advisors;
  • To insurers and information providers; or
  • Otherwise if you consent to such disclosure.

6. Overseas transfers

We may transfer the personal information we collect about you to countries other than the country of our incorporation or the country in which the information originally was collected. Those countries may not have the same laws on personal information as the country in which you initially provided the information.

When we transfer your personal information to other countries, we will protect that information as described in this Privacy Notification and in accordance with applicable law. If necessary, we require the recipients referred to in section 5 above to comply with appropriate measures designed to protect personal information.

7. How to contact us

If you have a query regarding the processing of your personal information or if you would like to exercise your rights under the applicable legislation on personal information, please contact your Client Relationship Officer and/ or the Data Protection Officer/ the Privacy Officer of the EFG entity that supports you.

8. EEA Addendum

If you are in the European Economic Area (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden, the "EEA") and provided that the EFG Group entity with which you want to establish a contractual relationship is subject to the provisions of Regulation (EU) 2016/679 (GDPR), the following additional EEA-specific provisions apply to our processing of your personal information.

B. Legal basis for using your personal information

We will only use your personal information when the law allows us to. Most commonly and depending on the situation in which we will use your personal information, we will use your personal information in the following circumstances:

  • Where you have given your consent;
  • Where we need to take steps at your request prior to entering into a contract with you;
  • Where we need to comply with a legal obligation;
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. ensuring compliance with our policies and procedures);
  • Where it is needed in the public interest;
  • Where necessary for the establishment, exercise and defense of legal claims; and
  • Where we need to protect your interests (or someone else’s interests);

C. European Privacy Rights

Your rights in connection with personal information

Under certain circumstances and subject to applicable law, you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Where personal information is processed by automated means and:
    • where we process your personal information on the basis of your consent; or
    • where such processing is necessary for entering into or performing our obligations under a contract with you, request the transfer of your personal information to you or to another party (also known as “data portability”).
  • Where we process your personal information on the basis of your consent, you may withdraw that consent at any time. If you do not give your consent or withdraw your consent this may affect our ability to provide you with services. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • In certain circumstances, request not to be subject to automated decision-making, including profiling.

Certain of these rights are not absolute under the applicable legislation (as sometimes there may be overriding interests that require the processing to continue, for example); nonetheless we will consider your request and respond to you. Moreover, the exercise of some of these rights may result in terminating the digital identification process.

Finally, you have the right to lodge a complaint with the supervisory authority in the jurisdiction where you live or work, or in the place where you think an issue in relation to your personal information has arisen.

D. Retention of personal information

We will retain personal information for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory, accounting, reporting or internal policy requirements. To determine the appropriate retention period for personal information, we consider the applicable legal requirements, as well as the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means.

E. How to contact us

If you would like to exercise any of your rights in connection with your personal information or receive a copy of the measures designed to protect personal information in the case of transfer of your personal information outside the EEA or obtain further information on the retention periods of personal information, please contact your Client Relationship Officer and/ or the Data Protection Officer/ the Privacy Officer of the EFG entity that supports you.

9. Swiss Addendum

The additional provisions below apply to the processing of personal information which is subject to the Swiss Federal Data Protection Act.

A. Controller

The Swiss EFG Group entity with which you want to establish a contractual relationship (“Swiss EFG Entity”), is the controller of your personal information.

B. Overseas transfers

Your personal information may be transferred (including made accessible from) by the Swiss EFG Entity to the following countries:

(i) Countries within the EEA;

(ii) Other countries recognized by Switzerland as providing adequate privacy protection (for a list of these countries, please see https://www.fedlex.admin.ch/eli/cc/2022/568/fr#annex_1); and

(iii) Countries where other EFG Group entities / branches are established (for a complete list, see https://www.efginternational.com/ch/about/locations.html); certain service providers of the Swiss EFG Entity might be also established in these countries.

Some of the countries referred to under (iii) do not benefit from data protection regulations that have been recognized as being "adequate" (i.e., comparable standard) from a Swiss data protection perspective. When we transfer your personal information to such countries, we will implement appropriate safeguards in accordance with applicable law (e.g., implementation of standard contractual clauses).