Data Protection Declaration

1. General terms

This data protection declaration explains how we process personal data.

“Personal data“ means all details related to a specific or identifiable natural or legal person. „Processing“ means all ways of dealing with personal data, irrespective of the means and procedures used, in particular procuring, storing, using, revising, disclosing, archiving and destroying of personal data.

In connection with specific kinds of data processing, e.g. the entry into contracts, additional provisions might apply. Such provisions are available in the respective contracts.

2. Data security

We undertake to protect your privacy in accordance with the applicable laws, especially the code of conduct and data protection law. For this reason, we take a number of precautions, such as implementing technical and organisational security measures (e.g. access restrictions, firewalls, personal passwords such as encryption and authentication technologies, staff training).

3. Categories of personal data

We can process the following categories of personal data while limiting the processing to the necessary minimum.

Client data such as:

  • Master data and data on holdings (e.g. name, address, nationality, date of birth, information about accounts, custody accounts, concluded transactions and contracts, information about third parties who are also affected by the data processing, such as spouses, authorised representatives and advisors).
  • Transaction data, order data, and risk management data (e.g. data regarding beneficiaries of payments, the beneficiary's bank, the amount of payments, data on risk and investment profiles, investment products).
  • Technical data (e.g. business numbers, IP addresses, internal and external identifiers, records of access).
  • Marketing data (e.g. preferences, needs).

Data of interested parties and visitors (i.e. our visitors or visitors of our website) such as:

  • Master data and data on holdings (e.g. name, address, date of birth).
  • Technical data (e.g. IP addresses, internal and external identifiers, records of access).
  • Marketing data (e.g. preferences, needs).

Supplier data such as:

  • Master data and data on holdings (e.g. name, address, date of birth, concluded transactions and contracts).
  • Technical data (e.g. IP addresses, internal and external identifiers, records of access).

4. Origin of personal data

For the purposes of section 5, we can collect personal data from the following sources:

  • Personal data given to us, e.g. for the entering into a business relationship, the execution of contracts, or our products and services.
  • Personal data necessary for the use of products or services and transmitted to us via the technical infrastructure or complex processes.
  • Personal data from third parties, e.g. authorities or UNO/EU sanction lists.

5. Purposes of data processing

We can process personal data for the provision of own services and for own or legally prescribed purposes. In particular, the purposes of our data processing are the following:

  • Entering into and executing of contracts, processing and managing products and services (e.g. payments, investments).
  • Monitoring and managing risks (e.g. investment profiles, combating of money laundering, limits, market risks).
  • Planning, business decisions (e.g. developing of new or assessing of existing services and products).
  • Marketing, communication, information about and review of the range of services (e.g. advertisements in print and online; events for clients and interested parties as well as other events, determination of future client needs).
  • Compliance with legal or regulatory disclosure, notification or reporting obligations to courts and authorities, fulfilment of official orders (e.g. reporting obligations towards FINMA and foreign supervisory authorities, orders of prosecution departments in connection with money laundering and terrorist financing).
  • Protecting our interests and securing our rights in case of claims against us or own claims against third parties.

6. Disclosure to third parties, categories of recipients

We may disclose client data to the following third parties in the following cases:

  • For outsourcing activities according to section 7 and for the purpose of comprehensive customer service to third party service providers.
  • For the execution of orders, i.e. when using third party products and services (e.g. to Aquila AG in connection with compliance reviews).
  • Based on legal obligations, legal justifications or official orders, e.g. to courts, supervisory authorities, tax authorities, or other third parties.
  • Where necessary, to protect our legitimate interests, e.g. with respect to any legal action threatened or initiated against us by clients, in case of public statements, to safeguard our claims against clients or third parties, or for debt collection proceedings.
  • With the consent of the person concerned, to other third parties.

In particular in connection with certain products or services, personal data must also be disclosed to third parties domiciled in countries which do not have an appropriate level of data protection (e.g. the United States). If data has to be transferred to such a country, we will take measures for a continuous appropriate protection of personal data.

7. Outsourcing of business units or services

We are outsourcing certain business units and services, wholly or partially, to third parties, in particular to Aquila AG (such as legal and compliance, accounting, CRM system, IT).

We carefully select any contractors who process personal data on our behalf. Where possible, we use service providers domiciled in Switzerland. The service providers might be entitled to outsource certain services to other third parties.

The services providers are only permitted to process the data received to the extent that we do ourselves. Additionally, they are contractually required to guarantee confidentiality and the security of personal data.

8. Automated individual decisions in specific cases, including profiling

We reserve the right to process client data in the future in an automated manner, in particular to identify significant personal characteristics of the clients, to predict developments and to create client profiles.

This is used, in particular, to review and develop our offering and to improve our services.

Client profiles may, in the future, also lead to automated individual decisions (e.g. automated receipt and execution of client orders in our CRM system).

We ensure that a suitable contact person is available to the client if the client wishes to express a view on any automated individual decision where such opportunity to express a view is required by law.

9. Duration of storage

The duration of storage for personal data depends on the purpose of the data processing and/or statutory storage provisions (depending on the applicable legal basis, five, ten or more years).

10. Rights of the affected persons

You can ask us whether personal data about you is being processed. You have the right to object to the data processing, the right to restriction of processing, and, if applicable, the right to data portability. You also have the right of rectification and, provided that there are no compelling statutory or regulatory requirements (such as storage provisions) or technical barriers, the right to erasure. The erasure of your personal data may lead to the result that we cannot provide certain services any longer. Furthermore, if applicable, there is also a right to lodge a complaint with an appropriate data privacy supervisory authority. Where we process personal data based on your granted consent, you may revoke your consent at any time.

To help us reply to your request, please send us a clear message. We will examine your issue and reply in good time.

11. Contact data

We are responsible for the processing of personal data. If you have any questions relating to data protection, please contact the following address:

Toledo Capital AG

Gotthardstrasse 25,

8002 Zürich