Privacy Notice
Status as at May 2024
1) Who is responsible for your personal data and who can you contact?
TruZt AG (“TruZt”, “us” or “we”) processes information and personal data (“Personal Data”) relating to you and/or any Related Person of yours [Related Person(s) and you together: the “Data Subject(s)”]. We do this in connection with our existing and/or prospective business relationships, including your use of our websites and applications (together: the “Business Relationship”). We can do so either as controller or as joint controller (the “Controller”). A “Related Person” means an individual or entity whose information you or a third party provides to us and/or whose information otherwise comes to our knowledge in connection with our Business Relationship. A Related Person may include, but is not limited to, (i) a director, officer or employee of a company; (ii) a trustee, settlor or protector of a trust; (iii) a nominee or beneficial owner of an account; (iv) a substantial interest owner in an account; (v) a controlling person; (vi) a payee of a designated payment; (vii) a representative or agent (i.e. with a power of attorney, a right to information on an account, an e-banking user); or (viii) an employer or contractor.
We therefore ask you to liaise with all of your Related Persons and to pass this Privacy Notice and the information it contains on to them.
If you have any questions about this Privacy Notice, about your Controller or, more generally, about the processing of your (or your Related Persons’) Personal Data, you can contact our Data Protection Officer at the following address:
TruZt AG
Steinmatstrasse, 43
3920 Zermatt,
Switzerland
Email: data-protection@the-guestclub.com
2) How do we handle your Personal Data?
We are subject to certain confidentiality and/or secrecy obligations, e.g. those arising under laws governing data protection.
This Privacy Notice deals with the way we process Personal Data. That means how we collect, use, store, transmit or otherwise handle or process Personal Data, operations collectively defined in this document as “Processing” or “Processing Operations”. We may conduct our Processing Operations either directly or indirectly, through other parties that process Personal Data on our behalf (the “Processors”).
3) What Personal Data do we process?
Personal Data include any information relating to an identified or identifiable natural person or as defined in the applicable law. Personal Data of Data Subjects that we process may be based on the following principal legal bases, bearing in mind that they may also rely cumulatively on other legal bases mentioned.
On the legal basis of contract performance, including the pre-contractual steps:
- identification data, e.g. names, addresses, telephone numbers, email addresses, business contact information;
- personal characteristics, e.g. date of birth, country of birth;
- work-related information, e.g. employment and job history, title, professional skills, powers of attorney.
On the legal basis of your prior consent:
- certain cookie information, e.g. cookies and similar technologies on websites and in emails (see our Cookies policy).
4) For what purposes and on what legal bases do we process Personal Data?
Purposes for which we process Personal Data (the “Purposes”) may be based on the following principal legal bases, bearing in mind that they may also rely cumulatively on other mentioned legal bases.
We collect and process Personal Data as necessary for pre-contractual steps and performance of a contract to which you are a party and/or a Related Person is related, which encompasses the following Processing Operations:
- the opening and management of your and/or a Related Person’s account or Business Relationship with us, including all related operations for your identification and any other related services provided by any service provider of the Controller(s) and Processors in connection with our Business Relationship;
- management of requests for proposals and/or due diligence, the provision of services (including the invoicing and payment of fees) and management of the Business Relationship and related communication with you.
We also collect and process Personal Data relating to compliance with legal and regulatory obligations to which we are subject, including to:
- provide offering documentation to Data Subjects about products and services;
- comply with legal obligations relating to accounting;
- carry out any other form of cooperation with, or reporting to, competent administrations, supervising authorities, law enforcement authorities and other public authorities;
- deal with active intra-Group risk management pursuant to which risks in terms of markets, credit, default, processes, liquidity and image as well as operational and legal risks must be identified, limited and monitored;
- record conversations with Data Subjects (such as telephone and electronic communications) on a cloud-based solution, in particular to document and verify instructions and to detect potential or actual fraud and other offences.
Furthermore, we may process Personal Data in connection with legitimate interests (including those of other Group entities) we pursue so that we can:
- assess certain characteristics of the Data Subjects on the basis of personal data processed automatically (profiling) (see also Section 5 below);
- develop our Business Relationship with you;
- improve the quality of our services and our internal business organisation and operations, including for risk assessment and to take risk management-related business decisions;
- use this information in TruZt AG entities for market studies or advertising purposes, unless Data Subjects have objected to use of their personal data for marketing;
- communicate personal data to other TruZt AG entities, in particular to guarantee an efficient and harmonised service and inform Data Subjects about services offered by TruZt AG entities;
- establish, exercise and/or defend actual or potential legal claims, investigations or similar proceedings.
If our Processing of Personal Data presupposes your prior consent, we will seek your consent in due time and you will have the right to withdraw your consent at any time by contacting our Data Protection Officer (see Section 1 above). The provision of personal data may be mandatory, e.g. with regard to our compliance with legal and regulatory obligations to which we are subject. Please be aware that failing to provide such information may preclude us from pursuing a Business Relationship with, and/or from rendering our services to, you.
5) Do we rely on profiling or automated decision-making?
We may assess certain characteristics of the Data Subjects on the basis of Personal Data processed automatically (profiling), in particular to provide Data Subjects with personalised offers and advice or information on our products and services or those of our affiliates and business partners.
We may also use technologies that allow us to identify the level of risks linked to a Data Subject or to activity on an account. We generally do not use automated decision-making in connection with our Business Relationship and/or Data Subjects. If we do so, however, we will comply with applicable legal and regulatory requirements.
6) What sources do we use to collect your Personal Data?
To achieve the Purposes, we collect or receive personal data:
- directly from the Data Subjects, e.g. when they contact us or through (pre)-contractual documentation sent directly to us;
- and/or indirectly from other external sources, including any publicly available sources [e.g. UN or EU sanctions lists, OFAC – Specially Designated Nationals (SDN) lists], information available through subscription services or information provided by other third parties.
7) Do we share your Personal Data with third parties?
We reserve the right to disclose or make accessible the Personal Data to the following recipients, provided this is legally or otherwise authorised or required:
- public/governmental administrations, courts, competent authorities;
- TruZt AG entities or third parties that may process Personal Data. In such cases, limited Personal Data may be used by the recipients independently for their own purposes in compliance with their applicable laws;
- auditors or legal advisors.
We undertake not to transfer personal data to any third parties other than those listed above, except as disclosed to Data Subjects from time to time or if required by applicable laws and regulations applicable to them or by any order from a court, governmental, supervisory or regulatory body.
8) Are Personal Data transferred outside our jurisdiction of incorporation?
In the course of our Business Relationship, we may disclose, transfer and/or store Personal Data abroad (“International Transfer”):
- (i) in connection with the conclusion or performance of contracts directly or indirectly related to our Business Relationship, e.g. a contract with you or with third parties in your interest;
- or (ii) in exceptional cases duly provided for by applicable laws.
International Transfers may include the transfer to jurisdictions that:
- (i) ensure an adequate level of data protection for the rights and freedoms of Data Subjects as regards Processing;
- (ii) benefit from adequacy decisions as regards their level of data protection (e.g. adequacy decisions from the European Commission or the Swiss Federal Data Protection and Information Commissioner);
- or (iii) do not benefit from such adequacy decisions and do not offer an adequate level of data protection. In the latter case, we will ensure that appropriate safeguards are provided, e.g. by using standard contractual data protection clauses established by the European Commission.
Specific information for Switzerland:
- TruZt AG entities based in Switzerland process your personal data in connection with the conclusion or performance of contracts directly or indirectly related to our Business Relationship in data centres located in Switzerland or the European Union. TruZt AG entities may transfer your personal data to additional countries in certain circumstances, for example if you opt for servicing by other TruZt AG entities;
- or for purposes related to the execution of your contracts.
9) What are your rights in connection with data protection?
Subject to the limitations set forth in this Privacy Notice and/or in applicable local data protection laws, you can exercise the rights below free of charge by contacting the Data Protection Officer (see Section 1 above):
- request access to, and receive a copy of, the Personal Data we hold;
- request rectification or erasure of the Personal Data that are inaccurate;
- request that Personal Data be erased when the Processing is no longer necessary for the Purposes, or is not or no longer lawful for other reasons, subject however to applicable retention periods (see Section 10 below);
- request a restriction of Processing of Personal Data where the accuracy of the Personal Data is contested, the Processing is unlawful, or if the Data Subjects have objected to the Processing;
- withdraw your consent at any time when the Personal Data Processing is based on your consent;
- object to the Processing of Personal Data, in which case we will no longer process the Personal Data unless an exception applies;
- receive the Personal Data in structured, commonly used and machine-readable format (data portability right);
- obtain a copy of, or access to, the appropriate or suitable safeguards which we may have implemented for transferring the Personal Data abroad;
- complain to our Data Protection Officer (see Section 1 above) about the Processing of Personal Data and, failing any satisfactory resolution of the matter, file a complaint about the Processing of Personal Data with the relevant data protection supervisory authority.
If a Data Subject objects to the Processing of Personal Data, we are nevertheless allowed to continue with the Processing if it is:
- (i) legally mandatory;
- (ii) necessary for the performance of a contract to which the Data Subject is a party;
- or (iii) necessary for the purposes of the legitimate interests we pursue, including the establishment, exercise or defence of legal claims. We will not, however, use the Data Subject’s Personal Data for direct marketing purposes if the Data Subject asks us not to do so.
10) How long are your Personal Data kept or stored?
In principle, we retain Personal Data for as long as we need to do so to achieve the Purposes. We will delete or anonymise Personal Data (or equivalent) once they are no longer necessary to achieve the Purposes, subject however:
- (i) to any applicable legal or regulatory requirements to store Personal Data for a longer period;
- or (ii) to establishing, exercising and/or defending actual or potential legal claims, investigations or similar proceedings, including legal holds.
We may enforce any or all of the above mentioned under points (i) and (ii) to preserve relevant information.