Privacy notice

Sygnum Bank AG and its subsidiaries and branches (hereinafter “Sygnum” or “Group”, “we”, “us”) collects and processes Personal Data that concern you (hereinafter “you” and “your”) but also other individuals.

In this privacy notice (hereinafter “Privacy Notice”), we describe what we do with your Personal Data (as defined below in Section 2) when you use www.sygnum.com, our other websites or apps (hereinafter collectively “Website”), obtain services or products from us, interact with us in relation to a contract or at general meetings. When appropriate we will provide a just-in-time notice to cover any additional processing activities not mentioned in this Privacy Notice. In addition, we may inform you about the processing of your Personal Data separately, for example in consent declarations, terms and conditions, additional privacy notices, forms and other notices.

If you disclose data to us or share data with us about other individuals, such as family members, co-workers, etc., we assume that you are authorised to do so, and that the relevant data is accurate. By sharing data about others with us, you confirm that this is the case and that these individuals are aware of this Privacy Notice.

This Privacy Notice is aligned with the EU General Data Protection Regulation (hereinafter “GDPR”), the Federal Act on Data Protection (hereinafter “FADP“) and any relevant applicable national data protection laws (including but not limited to the Data Protection Regulations 2021 (hereinafter “DPR”) applicable in the Abu Dhabi Global Market (“ADGM”) and the Luxembourg law of 1^st August 2018 organizing the National Commission for data protection and the general system on data protection as amended from time to time (hereinafter “LDPL”)) . However, the application of these laws depends on each individual case.

“Client(s)” refers to any individual or legal entity who has or had a banking relationship with Sygnum. This definition includes prospective Clients;

“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;

“Controller(s)” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;

“Employee(s)” means any or all of Sygnum’s employees;

“Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“Recipient(s)” means a natural or legal person, public authority, agency or another body, to whom Personal Data are disclosed, whether a Third Party or not. However, public authorities which may receive Personal Data in the course of a particular inquiry in accordance with the laws of the European Union or any of its Member State law shall not be regarded as recipients; the processing of Personal Data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Third Party/Third Parties” means a natural or legal person, public authority, agency or body other than the data subject, Controller, processor and persons who, under the direct authority of the Controller or processor, are authorised to process Personal Data;

“You” and “your” as used in this statement refers to individuals with whom we come into contact, or in respect of whom we obtain Personal Data, in the usual course of dealings with our Clients and Third Parties, our service providers, and our other business counterparties or transaction participants, which may include, without limitation, employees, directors, officers, beneficial owners and other personnel of such Clients, service providers, business counterparties or transaction participants, in all cases outside the Group (as applicable to you); or who themselves are our Clients.

Sygnum with its registered seat in Zurich, Switzerland, is the world’s first digital asset bank, and a digital asset specialist with global reach. With Sygnum Bank AG’s Swiss banking license, as well as Sygnum Pte Ltd’s capital markets services (CMS) and major payment institution (MPI) licenses in Singapore, Sygnum empowers institutional and private qualified investors, corporates, banks, and other financial institutions to invest in the digital asset economy with complete trust. Sygnum operates an independently controlled, scalable, and future-proof regulated banking platform. Sygnum’s interdisciplinary team of banking, investment, and Distributed Ledger Technology (DLT) experts is shaping the development of a trusted digital asset ecosystem.

Sygnum is the Controller for Sygnum’s processing under this Privacy Notice, unless we tell you otherwise in an individual case, for example in additional privacy notices, on a form or in a contract. However, unless we tell you otherwise, this Privacy Notice also applies where a Group Company (as defined below) is the Controller. This applies where your data is processed by a Group Company in connection with its own legal obligations or contracts or where you share data with such a Group Company, but the Group Companies may receive and process your Personal Data for other purposes set out below (see Section 11.a). In these cases, this Group Company is the Controller and only if it shares your data with other Group Companies for their own processing (see Section 7), will these other Group Companies also become Controllers.

The Sygnum Data Protection Officer (hereinafter “DPO”) ensures that this Privacy Notice is made available to all relevant Data Subjects when Sygnum collects and processes their Personal Data.

Additionally, all Employees of Sygnum who interact with Data Subjects ensure that this Privacy Notice is drawn to the Data Subject’s attention and their acknowledgment of their data processing is secured.

You may contact us for data protection concerns and to exercise your rights under Section 15 as follows:

Sygnum Bank AG
Attn. Data Protection Officer
Uetlibergstrasse 134a
8045 Zurich
Switzerland
[email protected]
T +41 58 508 2000

Types of Personal Data
We process various categories of data about you. The main categories of data are the following:

Identification Data: Identification Data includes personal details in relation to you such as name, date and place of birth, nationality, gender, domicile, marital status, name of spouse, number of children (if applicable). It also includes contact details such as private and / or business phone numbers, postal and email addresses. We further process specific data regarding your identification such as passport IDs, ID cards, foreign resident permit number, samples of your digital/electronic signature or your tax domicile as Identification Data.

Financial Data: As Financial Data we collect, for example, your bank details, account number, data about transactions, credit card data and crypto wallet addresses and transactions. Data regarding your risk and investment profile, credit ratings or credit checks as well as your tax identification number may also be processed as part of Financial Data.

Professional Occupation / Qualification Data: This includes data relating to your current and past professional roles and employment, as well as your education (e.g. corporate title, membership of professional associations or bodies, career histories or biographies, job function, knowledge and experience in investment matters, qualifications and skills).

Behavioural Data: Depending on our relationship with you, we try to get to know you better and to tailor our products, services and offers to you. For this purpose, we collect and process data about your behaviour and preferences. We do so by evaluating information about your behaviour in our domain, and we may also supplement this information with third-party information, including from public sources. Based on this data, we can for example determine the likelihood that you will use certain services or interact in a certain way. The data processed for this purpose is already known to us (for example where and when you use our services), or we collect it by recording your behaviour (for example how you navigate our Website).

Connection Data: When you use our Website or our online banking portal, we collect the IP address of your terminal device and other technical data to ensure the functionality and security of these offerings. This data includes logs with records of the use of our systems. To ensure the functionality of these offerings, we may also assign an individual code to you or your terminal device (for an example of a cookie, please see our Cookie Notice).

Property / Rental Objects Data: Such data refers to data such as property details or vehicles and their registration numbers.

Health Data: In connection with our offerings and services we may process information that permits conclusions concerning health status such as, but not limited to, restrictions, invalidity, grade of disability, occupational disability level and disabilities.

Communication Data: We will process data about communication between you and us including the content as well as time and date. We may also record photos, videos and sound in which you may be identifiable, in accordance with internal policies. You will be informed if and when such recordings take place. For example, we will tell you if we record or listen in on telephone or video conversations, for example for training and quality assurance purposes, or we will indicate when a video conference is recorded. If you do not wish to be recorded, please notify us or leave the (video) conference or turn off your camera. However, if you are a Client, we are required to record all our calls with you in line with applicable law and with Sygnum’s General Terms and Conditions.

Other Sensitive Data: This includes for example data relating to criminal convictions and offences (including excerpts of criminal register) data related to the designation of your status as a politically exposed person (PEP) and related information, data relating to characteristics or preferences (gender / biometric / characteristics, race/ethnic origin, lifestyle, hobbies, politics, religion, trade union, natural person’s sex life / sexual orientation etc.).

Data from public sources or data we receive: As far as it is not unlawful we also collect data from public sources (for example debt collection registers, land registers, commercial registers, the media, or the internet including social media) or data we receive from other companies within our Group, from public authorities and from other Third Parties (such as credit agencies, address brokers, associations, contractual partners, internet analytics services, etc.).

Other data: We collect Other Data about you in various contexts. This may include information that relates to official or legal proceedings (e.g. case files, evidence, etc.). We can also collect data to help with fraud prevention. We may also collect data when you enter or exit our premises, as well as information regarding your access rights (including access controls etc.), or information that you provide to us during general meetings (e.g., voting behavior). Finally, we may also collect data in connection with events or promotions (e.g. competitions) and the use of our systems and infrastructure.

Data sources
In most cases, Personal Data as set out in this Section 6 is provided to us directly by you (through forms, when you communicate with us, in relation to contracts, when you use the Website, etc.). You are not obliged or required to disclose data to us except in certain cases, for example if we are legally obliged (for example to comply with Anti-Money-Laundering obligations) to collect data. If you wish to use our products and services, you must also provide us with certain data as part of your contractual obligation under the relevant contract. When using our Website, the processing of certain technical data cannot be avoided. If you wish to gain access to certain systems or buildings, you must also provide us with registration data. However, in the case of Behavioural Data, you generally have the option of objecting or not giving Consent.

We may also collect data from public sources (for example debt collection registers, land registers, commercial registers, the media, or the internet including social media) or receive data from other companies within our Group, from public authorities and from Third Parties.

The categories of Personal Data that we receive about you from Third Parties include, in particular:

• Information from public registers or information that we receive in relation to administrative and legal proceedings
• Information in relation to your professional functions and activities (so that we can, for example, conclude and process transactions with your employer with your assistance)
• Information about you in correspondence and meetings with Third Parties
• Credit information (where we conduct business with you in a personal capacity)
• Information about you that persons related to you (family members, advisors, legal representatives, etc.) share with us so that we can conclude or perform contracts with you or involving you (for example references, your delivery address, powers of attorney)
• Information about compliance with legal requirements such as those relating to fraud prevention and the combating of money laundering and terrorist financing, export restrictions
• Information from banks, insurance companies, sales and other contractual partners of us about your use or provision of services (for example payments, purchases, etc.)
• Information from the media and the internet about the use or provision of services by you (for example payments made, purchases made, etc.) as well as information from the media and the internet about you (where appropriate in a specific case, for example in the context of an application, marketing/sales, press review, etc.)
• Your address and potentially interests and other socio-demographic data (especially for marketing and research purposes)
• Data in relation to the use of third-party websites and online offerings where such use can be linked to you

We process your data for the purposes explained below in more detail. Further information is set out in Sections 18 and 19 for online services. These purposes and their objectives represent interests of us and potentially of Third Parties. You can find further information on the legal basis of our processing in Section 8.

Communication
We process data for purposes related to communication with you, in relation to responding to inquiries and the exercise of your rights (Section 15), to enable us to contact you in case of queries and in order to comply with regulatory requirements. The data we use in this context are, in particular, Identification and Communication Data.

Establishing, registering, processing, managing, and terminating business relationships
We process data for the preparation, conclusion, administration and performance of contractual relationships. The data we process to this end varies depending on the type and scope of the relationship and may include all types of Personal Data outlined in this Privacy Notice.

Security and access control purposes
We may also process your data – in particular your Identification, Behavioural, Communication, Connection and Other Data – for security reasons and access control purposes.

Compliance with laws, directives and recommendations from public authorities and internal regulations
We also process data to comply with laws, directives and recommendations from public authorities and our own internal regulations (Compliance). The data that we process for this purpose includes all types of Personal Data outlined in this Privacy Notice.

Risk management, prevention of fraud and other illegal activities, and prudent corporate management
We further process all types of Personal Data but in particular Identification, Financial, Professional Occupation / Qualification, Communication and Behavioural Data as well as Other Data – for the purposes of our risk management and as part of our corporate governance, including business organisation and development.

Marketing and relationship management
We process data for marketing and relationship management purposes, for example to send our Clients and Third Parties personalised information for products and services from us and from Third Parties. This may happen in the form of newsletters, invitations, and other regular contacts (electronically, by e-mail, by telephone or by post), and on other channels for which we may have contact information from you, also as part of marketing campaigns, and may also include free services, promotional material, or events. You can object to being contacted for marketing and relationship management purposes, for example by clicking an opt-out link in an e-mail. With your Consent, we can also target our online advertising on the internet more specifically to you (see Section 18 and 19). The data that we process for marketing purposes and relationship management includes Identification, Professional/Occupation, Communication, Behavioural and Connection Data.

Market research, service and operations optimisation and product development
We also process your data for the purposes of market research, to improve our services and operations, and for product development. The data that we process in this regard are in particular Identification, Financial, Communication, Behavioural and Connection Data.

Further purposes
We may process your data for further purposes, for example as part of our internal processes and administration or for quality assurance purposes and trainings, and where processing is required to safeguard legitimate interests of Sygnum or a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Consent 
Where we ask for your Consent for certain processing activities, we will inform you separately about the relevant processing purposes. You may withdraw your Consent at any time with effect for the future by providing us written notice (by mail) or, unless otherwise noted or agreed, by sending an e-mail to us; see our contact details in Section 5. For withdrawing Consent for online tracking, see Section 18. Where you have a user account, you may also withdraw Consent or contact us also through the relevant Website or other service, as applicable. Once we have received notification for withdrawal of Consent, we will no longer process your information for the purpose(s) you consented to, unless we have another legal basis to do so. Withdrawal of Consent does not, however, affect the lawfulness of the processing based on the Consent prior to withdrawal.

Performance of a contract
Where we do not ask for Consent for processing, the processing of your Personal Data relies on the re-quirement of the processing for initiating, entering into or performing a contract with you (or the entity you represent).

Compliance with legal obligations
We may also be required to process Personal Data to comply with our legal obligations under applicable laws and regulations.

Legitimate interests
We may also process Personal Data on the basis of our legitimate interests or the legitimate interests of a Third Party as long as such interests do not override the rights and freedoms of concerned Data Subjects. Our legitimate interests are namely as follows:

• Marketing of our products and services
• The provision of the proof, in the event of a dispute, of a transaction or any commercial commu-nication as well as in connection with any proposed purchase, merger or acquisition of any part of our business
• Compliance with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority
• Risk management
• Processing Personal Data of employees if you are legal persons
• Compliance with legal obligations under applicable laws and regulations, insofar as this is not al-ready recognized as a legal basis by applicable data protection laws (for example, in the case of the GDPR, the laws in the EEA and in the case of the FDAP, Swiss law)

Sensitive Personal Data
Where we receive sensitive Personal Data (such as Health Data and Other Sensitive Data outlined above in Section 6), we may process your data on another legal basis, for example, in the event of a dispute, as required in relation to a potential litigation or for the enforcement or defence of legal claims, because the Personal Data have been made public by the relevant Data Subjects or on one of the other basis provided for under article 9 of the GDPR (or a corresponding provision under the FADP, the revFADP and/or any applicable national data protection law). In some cases, other legal basis may apply, which we will communicate to you separately if necessary.

We process some of your data automatically, with the goal of assessing certain personal aspects. This might be considered as Profiling as defined in Section 2.  We may use Profiling by using assessment tools to be able to specifically notify you and advise you regarding products. These allow communications and marketing to be tailored as needed – including market and opinion research. Your rights with respect to Profiling are set out in Section 15 below.

In certain situations, it may be necessary for the efficiency and consistency of decision-making processes that we automate discretionary decisions that produce legal effects concerning you or similarly significantly affect you (“automated individual decisions”, for example as part of our online onboarding offering). In these cases, we will inform you accordingly and take the measures required by applicable law.  Your rights with respect to automated decision making are set out in Section 15 below.

In relation to our contracts, the Website, our services and products, our legal obligations or legitimate interests and other purposes set out in Section 7, we may disclose your Personal Data to the following categories of recipients:

Group Company/Group Companies: The subsidiaries and branches outlined on our website www.sygnum.com. A Group Company may use Personal Data according to this Privacy Notice for the same or other purposes as we use it (see Section 7).

Third Parties:
Service providers: We work with service providers in Switzerland and abroad who process your data on our behalf or who receive data about you from us as separate Controllers (for example IT providers, banks).

Authorities: We may disclose Personal Data to agencies, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests.

Other third parties such as namely any third party that acquires, or is interested in acquiring or securitizing, all or part of our assets or shares, or that succeeds to us in carrying on all or a part of our businesses, or services provided to us, whether by merger, acquisition, reorganization or otherwise.

We reserve the right to make such disclosures even of Sensitive Personal Data (unless we have expressly agreed with you that we will not disclose such data to certain Third Parties, except if we are required to do so by law). Notwithstanding the foregoing, your data will continue to be subject to adequate data protection in Switzerland and the rest of Europe, even after disclosure. For disclosure to other countries, the provisions of Section 12 apply.

In addition, if we enable Third Parties to collect Personal Data from you on our Website and at events organised by us (for example for event photography, digital tools on our Website), we will inform you about this in connection with the activity.

As explained in Section 11, we may disclose data to other Third Parties. Recipients of data are not only located in Switzerland, but also in the EEA or other countries worldwide, e.g. the United States of America, Singapore and the United Arab Emirates.

If a recipient is located in a country without adequate level of protection for personal data pursuant to the applicable law, we have entered into legally binding transfer agreements with the relevant recipients in the form of the revised European Commission’s standard contractual clauses including the Swiss specifications as required by the Swiss data protection supervisory authority,unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an exception. We will enter into corresponding agreements as may be required to comply with data transfer restrictions in accordance with applicable privacy laws in other jurisdictions. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing. Where the recipient is located in a country outside the European Economic Area which benefits from an adequacy decision of the European Commission, the Personal Data are transferred to the recipient based on such adequacy decision.

If you would like to request to see a copy of the specific safeguards which apply to the transfer of your Personal Data, please contact our DPO.

We process your Personal Data in line with this Privacy Notice and applicable legal retention periods. If there are no contrary legal or contractual obligations, we will delete or anonymize your data once the legal ground for processing no longer applies and/or the relevant data retention period has expired, unless its further processing is required – for a limited time – for the following purposes:

• Fulfilling obligations to preserve records according to commercial and tax law: This includes the Swiss Code of Obligations, the Federal Act on Value Added Tax, the Federal Act on Direct Taxation, the Federal Act on Harmonization of Direct Taxes of Cantons and Municipalities, the Federal Act on Stamp Duties and the Federal Act on Withholding Tax, and such other applicable corresponding laws as may apply in other jurisdictions.
• As a bank we can face legal holds which require us to keep records for an undefined period of time.

We take appropriate security measures to maintain the required security of your Personal Data and ensure its confidentiality, integrity and availability, and to protect it against unauthorised or unlawful processing, and to mitigate the risk of loss, accidental alteration, unauthorised disclosure or access.

To help you control the processing of your Personal Data, you have the following rights in relation to our data processing, depending on the applicable data protection law:

• The right to request information as to whether and what data – including its categorisation – we collect, store and process from you
• The right to request information on the purpose of the processing and the legal basis for it
• The right to request information on whether the processing is based on the legitimate interests of Sygnum or a Third Party, as well es information about those interests
• The right to request information on the identity and the person or organisation’s contact details that have determined how and why to process your data
• The right to request information on the recipient(s) or categories of recipients that the data is/will be disclosed to
• The right to request information on whether we intend to transfer the Personal Data to a third country or international organisation and how we ensure this is done securely
• The right to request information on how long the data will be stored
• The right to withdraw Consent, where our processing is based on your Consent, as well as the right to receive details of your respective rights
• The right to have us correct data if it is inaccurate, to request us to erase, restrict or to object to such processing (including where the Personal Data are being processed for marketing purposes) as well as the right to request the details of your respective rights
• The right to request guidance on how to lodge a complaint with the supervisory authority and to lodge such complaint
• The right to request information on whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the Personal Data and the possible consequences of failing to provide such data
• The right to request information on the source of Personal Data if it was not collected directly from you
• The right to request any details and information of automated decision making, such as Profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing. Additionally, the right to request that the decision be reviewed by a human
• The right to request that we provide certain Personal Data in a commonly used electronic format or transfer it to another Controller
• The right to receive, upon request, further information that is helpful for the exercise of these rights

If you wish to exercise the above-mentioned rights in relation to us, please contact us in writing, at our premises or, unless otherwise specified or agreed, by e-mail; you will find our contact details above in Section 5.

You also have these rights in relation to other parties if we cooperate with them as separate Controllers. Please contact us in this regard and we will coordinate such request with the Controllers.

Please note that conditions, exceptions or restrictions apply to these rights under applicable data protection law (for example to protect Third Parties and/or trade secrets). We will inform you accordingly where applicable.

We may need to continue to process and keep your Personal Data to perform a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defence of legal claims, or to comply with legal obligations. To the extent legally permitted, to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may also reject a subject request in whole or in part (for example by redacting content that concerns Third Parties or our trade secrets).

If you do not agree with the way we handle your rights or with our data protection practices, please let us or our DPO know. If you are located in the EEA, Switzerland, Singapore or Abu Dhabi, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here. You can reach the Swiss supervisory authority here. You can reach the Personal Data Protection Commission in Singapore here. You can reach the Office of Data Protection in the Abu Dhabi General Market here.

Sygnum may only contact you to fulfil its duties subject to this Privacy Notice. Our aim, however, is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.

We use various techniques on our Website that allow us and Third Parties engaged by us to recognize you during your use of our Website, and possibly to track you across several visits. Please refer to our Cookie Notice more information.

We may operate pages and other online presences (“channels”, “profiles”, etc.) on social networks and other platforms operated by Third Parties and collect the data about you described in Section 6 and below. We receive this data from you and from the platforms when you interact with us through our online presence (for example when you communicate with us, comment on our content or visit our online presence). At the same time, the platforms analyse your use of our online presences and combine this data with other data they have about you (for example about your behaviour and preferences). They also process this data for their own purposes, for marketing and market research purposes (for example to personalise advertising) and to manage their platforms (for example what content they show you) and, to that end, they act as separate Controllers.

We process this data for the purposes set out in Section 7, in particular for communication, for marketing purposes (including advertising on these platforms, see Section 18) and for market research. You will find information about the applicable legal basis in Section 8. We may disseminate content published by you (for example comments on an announcement), for example as part of our advertising on the platform or elsewhere. We or the operators of the platforms may also delete or restrict content from or about you in accordance with their terms of use (for example inappropriate comments).

For further information on the processing of the platform operators, please refer to the privacy information of the relevant platforms. There you can also find out about the countries where they process your data, your rights of access and erasure of data and other Data Subjects rights and how you can exercise them or obtain further information. We currently use the following platforms:

LinkedIn

Youtube

Twitter

Insofar LinkedIn, Twitter and/or YouTube use cookies, please refer to our Cookie Notice.

The DPO is responsible for keeping it up to date on behalf of Sygnum.

This Privacy Notice is not part of a contract with you. We can change this Privacy Notice at any time. The version published on this Website is the current version.