Data protection information under the EU General Data Protection Regulation (GDPR) for “natural persons”

This information is applicable for current and potential clients of 1291 Group (hereinafter referred to as “1291” or “we”).

1291 is committed to complying with business-client confidentiality as well as data protection laws and regulations, and thus to ensuring the protection and confidentiality of your Personal Data. The following information shall provide an overview of how we process your Personal Data and your rights under data protection laws and regulations. Which specific data are processed and how they are used depends largely on the services requested or agreed in each case. However, we process data about individuals (“Personal Data”), including data about the employees and contractors of our suppliers (“Affected Persons”).

Please also forward this information to the current and future authorized representatives and beneficial owners. These include, e.g. beneficiaries in the event of death, commercial attorneys-in-fact or guarantors.

1. Who is responsible for the data processing and who can I contact in this regard?

The following entity (including its sister companies) is responsible for the data processing:

1291 Group Ltd.
Hottingerstrasse 21
8032 Zurich, Switzerland

Phone: +41 44 266 21 41
E-mail: info@1291group.com

Additionally, you can directly contact our 1291 Group Data Protection Officer (DPO): dpo@1291group.com

2. What source and what type of data do we process?

We process Personal Data that we receive from you in your capacity as an Affected Person in the context of our business relationship. Should it be necessary for the provision of our services, we process Personal Data that we lawfully received from other independent entities within the 1291 Group or other third parties (such as private commercial databases). Additionally, we process Personal Data from publicly available sources (e.g., commercial registers and registers of associations, press, Internet) which we lawfully obtain and are permitted to process.

Further, we process Personal Data in dealing with current and potential clients (such as name, address) and other contact details (telephone, e-mail address), title, date of birth, gender, nationality, marital status, partner type data, identification data (such as ID, tax-ID), certification data (such as specimen signature), contract related data and information regarding your family and financial situation (such as household composition and source of funds), CVs, bank details for processing future payments (e.g. account number), details of the insured person and contact details, details of the beneficiary and contact details, details of the addressee’s representative and contact details, criminal records or any other information publicly available or accessible through third party providers. In addition to the categories mentioned, we also process documentation data (such as consultation protocol) and other data comparable with the above categories.

3. Does 1291 collect special categories of data (Art. 9 GDPR)?

To the extent that we process any special categories of data relating to Affected Persons, we will do so because the processing is necessary for the establishment, exercise or defense of a legal claim, for reasons of substantial public interest or you have given your explicit consent to 1291 to process that data (where legally permissible). In that sense, we might process health data that is classified as sensitive Personal Data (Art. 9 (1) GDPR). In this respect, your explicit consent will be required in a separate procedure.

4. For what purpose do we process your data and on what legal basis?

We process the aforementioned Personal Data in compliance with the provisions of the EU General Data Protection Regulation (GDPR).

4.1. For fulfillment of contractual obligations (Art. 6 (1) (b) GDPR)

Data is processed in order to provide business, consultancy and financial services in the context of carrying out contracts of our clients or to carry out pre-contractual measures that occur as part of a request. The purposes of data processing are primarily in compliance with the specific product and can include needs assessments, advice. You can find other details about the purposes of data processing in the relevant contract documents.

4.2. For compliance with a legal obligation (Art. 6 (1) (c) GDPR) or in the public interest (Art. 6 (1) (e) GDPR)

As an intermediary, we are also subject to various legal obligations, i.e., statutory requirements (such as Anti-Money Laundering Act [if applicable], financial supervisory ordinances and circulars) and regulatory requirements. Other purposes of processing include identity and age verification, anti-fraud and anti-money laundering measures, and reporting obligations as well as the assessment and management of risks in the Group.

In order to comply with legal requirements, we may also be required to process your information and disclose it to other third parties (e.g. inquiries from public authorities). For example, due to the Automatic Exchange of Information (“AEOI”) and the Foreign Account Tax Compliance Act (“FATCA”) we are required to forward detailed information about your tax domicile or tax liability to other financial intermediaries or the (tax) authorities of your (main) country of residence.

4.3. For the purposes of safeguarding legitimate interests (Art. 6 (1) (f) GDPR)

Where necessary, we process your data beyond the actual performance of our contractual obligations in order to safeguard the legitimate interests pursued by us or a third party, which does not unduly affect your interest or fundamental rights and freedoms. Besides the following examples, we also obtain Personal Data from publicly available sources for client acquisition purposes:

  • Consulting and exchanging data with information offices;
  • Reviewing and optimizing procedures for needs assessment for the purpose of direct client discussions;
  • Asserting legal claims and defense in legal disputes;
  • Guarantee of IT security and IT operation;
  • Prevention and clarification of crimes;
  • Measures for business management and further development of services and products;
  • Group risk management.

For all the data processing foreseen in points 4.2. – 4.4., the legal basis of the data processing is constituted by the necessity of carrying out a legal obligation. Therefore, in those cases, obtaining your prior consent to this data processing is not necessary.

4.4. On the basis of your consent (Art. 6 (1) (a) GDPR)

Insofar as you have granted us consent to the processing of Personal Data for specific purposes (such as transfer of Data within the 1291 independent units), the lawfulness of such processing is based on your consent. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted to us prior to the entry into force of the GDPR, i.e., prior to 25th of May 2018.

Please be advised that the revocation shall have effect only for the future and only applies to those areas where a revocation does not contradict our activity. Any processing that was carried out prior to the revocation shall not be affected thereby.

5. Who receives your data?

Within 1291, access to your data is given to those units which require it in order to perform our contractual, legal and regulatory obligations.

With regard to transferring data to recipients outside 1291, it must first of all be noted that as an intermediary we are under a duty to maintain secrecy about any client-related facts and evaluations of which we may have knowledge (business secrecy). We may only disclose information about you if we are legally required to do so, if you have given your consent, if we are authorized to provide information and / or if processors commissioned by us guarantee compliance with business secrecy and the provisions of GDPR.

Under these requirements, recipients of Personal Data might be, for example:

  • Public authorities and institutions (such as financial supervisory authorities, criminal prosecution authorities) insofar as a statutory or official obligation exists;
  • Other companies within 1291 Group in the context of the exercise of functions for the purpose of risk control due to statutory or official obligation;
  • Other financial service and credit institutions/providers, comparable institutions and processors to whom we transfer your Personal Data in order to perform any business relationship with you (specifically: processing of bank references, support / maintenance of electronic data processing/ IT applications, archiving, document processing, compliance services, controlling, data screening for anti-money laundering purposes (if applicable), data destruction, collection, customer management, reporting, research, risk controlling, expense accounting, website management, auditing services).

Other recipients of data might be any units for which you have given your consent to the transfer of data or with respect to which you have exempted us from insurance business secrecy by agreement or consent.

6. Is data transferred to a third country or to an international organization?

Data will only be transferred to countries outside Switzerland and Liechtenstein, the EU or the EEA (so-called third countries) if this is required for the execution of your instructions, prescribed by law (such as reporting obligations under tax law), if you have given us your consent or in the context of commissioned data processing. If service providers in a third country are used, they are obligated to comply with the higher data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses.

We take seriously our obligation to ensure that any transfers outside the EU or the EEA are only made where the transfer is made to entities that can demonstrate equivalence in standards of security and other relevant data processing requirements.

7. For how long will my data be stored?

We process and store your Personal Data just as long as it is necessary for the performance of our contractual and statutory obligations. In this regard, it should be noted that our business relationship is a continuing obligation designed to last for several years. We have processes in place to review, at various points, the different categories of data that we hold to ensure that we do not hold these for an excessive period of time.

If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted within the statutory limitation period, unless their further processing – for a limited time – is necessary for other legal purposes, such as e.g.:

  • Compliance with records retention periods under commercial and tax law: These include the Anti Money Laundering Act and the Insurance Act. The periods for storage and documentation specified there might range;
  • Preservation of evidence and/or all forms of relevant information when litigation is reasonably anticipated, which requires us to keep records for an undefined period of time.

8. Data protection rights

8.1. In general

Every data subject has the right to access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restrict processing (Art. 18 GDPR), the right to object (Art. 21 GDPR), and if applicable, the right to data portability (Art. 20 GDPR). Furthermore, if applicable, you have a right to lodge a complaint with an appropriate data privacy regulatory authority (Art. 77 GDPR). The rights depend on the lawful basis selected for holding the particular data.

You may revoke your consent to the processing of Personal Data at any time. This also applies to the revocation of declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i.e., prior to 25th of May 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby.

8.2. Ad hoc right of objection (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of Personal Data concerning you which is based on processing in the public interest (Art. 6 (1) (e) GDPR) and for the purposes of safeguarding legitimate interests (Art. 6 (1) (f) GDPR); this includes any profiling based on those provisions within the meaning of Art. 4 (4) GDPR.

If you submit an objection, we will no longer process your Personal Data unless we can give evidence of mandatory, legitimate reasons for processing, which outweigh your interests, rights, and freedoms, or processing serves the enforcement, exercise, or defense of interests. Please note that in such cases we will not be able to provide services and maintain a business relation.

9. Am I under any obligation to provide data?

Within the scope of our business relationship, you must provide Personal Data which is necessary for the initiation and execution of a business relationship and the performance of the associated contractual obligations or which we are legally obligated to collect. As a rule, we would not be able to enter into any contract or execute the order without these data or we may no longer be able to carry out an existing contract and would have to terminate the mandate or the contractual relationship.

In particular, provisions of money laundering law require that we verify your identity before entering into the business relationship, for example, by means of your identity card and that we record your name, place of birth, date of birth, nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must provide us with the necessary information and documents and notify us without undue delay of any changes that may arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be allowed to enter into or continue your requested business relationship.

10. To what extent is automated decision-making (including profiling) carried out?

As a rule, we do not make decisions based solely on automated processing as defined in Art. 22 GDPR to establish and implement the business relationship. If we use these procedures in individual cases, we will inform you of this separately, provided that this is prescribed by law. In such a case, you will have a right to object to these procedures under certain circumstances.

11. Is profiling used within 1291?

In some cases, we process your data automatically with the aim of evaluating certain personal aspects (profiling). Example:

  • We might be required by law to take measures against money laundering, fraud, terrorism financing and offenses that pose a danger to assets. Data evaluations are also carried out (in payment transactions, among other things) in this context. These measures also serve to protect you.

12. How do we protect Personal Data?

All personnel accessing Personal Data must comply with the internal rules, policies and processes in relation to the processing of any Personal Data to protect them and ensure their confidentiality. They are also required to follow all technical and organizational security measures put in place to protect the Personal Data.

We have also implemented adequate technical and organizational measures to protect Personal Data against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access as well as against all other unlawful forms of processing. These security measures have been implemented taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing and the nature of the Personal Data, with particular care for sensitive data.

13. Contact

Please also let us know if we do not meet your expectations with respect to the processing of Personal Data or you wish to complain about our data protection practices; this gives us the opportunity to examine your issue and make improvements, where necessary. In any of these cases, please send us a clear request in writing, together with a clearly legible copy of a valid official ID document (e.g. passport, ID card), to the entity or directly to the DPO (Data Protection Officer). We will acknowledge receipt as soon as received, examine your issue and reply in good time. If a full response will extend beyond one month, taking into account the complexity and number of the requests, we will advise you of this.

14. Changes to the Privacy Policy

This data protection information was last updated on 24 May 2018. It may be subject to amendments. Any future change or additions to the processing of Personal Data as described above affecting you will be communicated to you through an appropriate channel (e.g. will be posted on our website).
