In light of the Swiss Federal Act on Data Protection (“DPA”) and its upcoming revision as well as the EU General Data Protection Regulation (“GDPR”), the new European Union (“EU”) privacy regulation, BARYON AG has issued this statement on Data Privacy. Although GDPR is an EU regulation, it is relevant for BARYON AG for a number of reasons. Swiss data protection legislation is historically closely tied to EU regulations and any future amendments will be substantially influenced by GDPR. Furthermore, although GDPR is an EU regulation, under certain circumstances it may apply to companies outside the EU, including BARYON AG, due to the extraterritorial effect.
In this Data Privacy Statement BARYON AG outlines how it collects, processes and protects personal data concerning the following persons: (i) prospective clients, (ii) persons that have or are in the process of applying for a business relationship with BARYON AG (“Clients”) and (iii) individuals or entities whose information is provided by a Client to BARYON AG or comes to the attention of BARYON AG in some other way in via services provided by BARYON AG to a Client (“Connected Individuals”). A Connected Individual may include, but is not limited to, (i) any director, officer, authorized signatory or employee of a company, (ii) a trustee, settlor or protector of a trust, (iii) any beneficial owner of Client’s assets, (iv) a controlling person, (v) a payee of a designated payment, (vi) representative(s) or agent(s) of a Client, or (vii) any other individual or entity having a relationship with a Client that is relevant to this Client’s business relationship with BARYON AG.
Furthermore, this Data Privacy Statement shall also inform Clients, Connected Individuals and prospective clients of their rights in relation to personal data collected and processed by BARYON AG. Please note: Which specific personal data are processed and how they are used depends largely on the products and services requested or agreed upon in each case.
Wherever BARYON AG uses “you” or “your” in this Data Privacy Statement, this is meant as a reference to a prospective client, a Client and any Connected Individual as defined herein.
If BARYON AG provides separate or additional information about how it collects and uses Clients’ or Connected Individuals’ personal data for a particular product or service, those terms will also apply. Furthermore, this Data Privacy Statement continues to apply even if a Client’s agreements for products and services with BARYON AG end.
Please familiarize yourself with this Data Privacy Statement and also forward it to any Connected Individuals before BARYON AG is provided with personal data of an involved Connected Individual.
The contact person and the controller for data processing purposes is BARYON AG’s Data Protection Officer (according to GDPR) who can be reached as follows:
E-Mail Address: email@example.com
The personal data BARYON AG collects or has about Clients, Connected Individuals and prospective clients come from different sources. This includes personal data relating to an existing business relationship, a prospective business relationship or a closed, previous business relationship with BARYON AG or any of BARYON AG’s products or services that the Client or a Connected Individual or prospective client has applied for or held previously.
Some of the personal data will come directly from the Client, the Connected Individual or the prospective client. Some might be obtained from a custodian bank of the Client, another advisor, a business introducer or from other third parties. Personal data might also come from publicly available sources from combining different sets of information.
Personal data collected may include, in particular:
BARYON AG may also collect and process additional personal data about which BARYON AG will inform you from time to time.
BARYON AG processes personal data of Clients, Connected Individuals and prospective clients for various purposes in accordance with the provisions of the European GDPR and the Swiss DPA and only uses such personal data where BARYON AG has a lawful basis for using it. The lawful basis and purposes include processing:
Where required, BARYON AG processes personal data beyond the actual fulfilment of the contract for the purposes of safeguarding the legitimate interests pursued by BARYON AG or a third party. For example:
Insofar as you have granted BARYON AG consent to process your personal data for specific purposes, this processing is lawful on the basis of your consent. A consent given may be revoked at any time. This also applies to withdrawal of declarations of consent that were given to BARYON AG before the GDPR came into force, i.e. prior to May 25, 2018. Please be advised that a withdrawal of consent does not affect the lawfulness of the processing of data prior to revocation of such consent. Note however that BARYON AG may still be entitled to process your personal data if it has another legitimate reason for doing so.
Furthermore, BARYON AG is subject to various legal obligations, i.e. statutory requirements (e.g. professional standards of SAAM (Swiss Association of Asset Managers), Collective Investment Schemes Act, Financial Market Infrastructure Act, Anti-Money Laundering Act, ordinances of FINMA (Swiss Financial Market Supervisory Authority), ordinances and circulars of regulatory authorities and tax laws). Purposes of processing include for example assessment of identity, fraud and money laundering prevention measures, fulfilment of control and reporting obligations under fiscal and other laws, and measuring and managing risks within BARYON AG.
BARYON AG may also collect and process additional personal data for other purposes about which BARYON AG will inform you from time to time.
Within BARYON AG those units are given access to personal data of Clients, Connected Individuals and prospective clients which require them in order to perform the agreed services as well as BARYON AG’s contractual and statutory obligations or as further described in this Data Privacy Statement. Service providers and auxiliary persons appointed by BARYON AG may also receive data for these purposes if they observe customer secrecy rules. These are in first line the custodian banks of the Client and (on a very closely held basis) companies in the categories of IT services, logistics, printing services, telecommunications, advice and consulting, as well as sales and marketing.
With regard to transferring data to other recipients outside BARYON AG, to begin with, it is to be noted that, as a regulated independent asset manager, BARYON AG is generally obliged to maintain secrecy about any customer-related facts and evaluations which BARYON AG may acquire or have knowledge of. BARYON AG may pass on information about you only if legal provisions demand it, if you have given your consent, and/or if BARYON AG is authorized to provide information. Under these requirements, recipients of personal data can be, for example:
Additional recipients of personal data may be those for which you have given your consent to transfer your personal data or with respect to which you have exempted your custodian bank form the banking secrecy by agreement or consent.
In certain circumstances personal data may be transferred to, and stored at, a destination outside Switzerland, including locations which may not have the same level of protection for personal data as Switzerland. BARYON AG will always do this in a way that is permissible under data protection rules. BARYON AG may need to transfer your information in this way for example:
Transfer of personal data to recipients in countries outside Switzerland, the EEA and the EU (so-called third countries) will take place if
Where your personal data is to be disclosed to third parties domiciled in countries which do not have an appropriate level of data protection, BARYON AG ensures that where necessary it takes appropriate measures (e.g. contractual arrangements – such as the EU Standard Contractual Clauses / see Article 46 para. 2 (c) of the GDPR- or other precautions or justifications) so that personal data continues to receive appropriate protection.
You can obtain more details of the protection given to your information when it is transferred outside Switzerland by contacting BARYON AG in accordance with the information provided in section 1 above.
BARYON AG will process and store personal data of Clients, Connected Individuals or prospective clients for as long as it is necessary in order to fulfil BARYON AG’s contractual and statutory obligations. It should be noted here that the business relationship with BARYON AG is a continuing and longterm relation, intended to last for several years. If the personal data are no longer required in order to fulfil contractual or statutory obligations, they are regularly deleted, unless their further processing – generally for a limited time – is required for the following purposes:
Under the applicable data protection laws you may have the following rights: the right of access (as defined in article 8 DPA and 15 GDPR), the right to rectification (as defined in article 5 DPA and 16 GDPR), the right to erasure (as defined in article 5 DPA and 17 GDPR), the right to restriction of processing (as defined in articles 12, 13, 15 DPA and 18 GDPR), the right to object to the data processing (as defined in article 4 DPA and 21 GDPR) and, if applicable, the right to data portability (as defined in article 20 GDPR). The right of access and the right to erasure are subject to certain restrictions (under articles 9, 10 and 13 DPA and, in particular, 23 GDPR). Furthermore, if applicable on a person, there is also a right to lodge a complaint with an appropriate data privacy supervisory authority (article 77 GDPR).
Where BARYON AG processes personal data based on your granted consent, you may revoke your consent specifically granted to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were granted to BARYON AG prior to the entry into force of the GDPR, i.e. before May 25, 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby. Please note however that BARYON AG may still be entitled to process your personal data if it has another legitimate reason for doing so.
BARYON AG implements internal technical and organisational measures to keep personal data of Clients, Connected Individuals and prospective clients safe and secure which may include encryption, anonymization, access limitations and physical security measures. BARYON AG requires its employees and any third parties who carry out any work on BARYON AG’s behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of personal data.
Important: Please note, due to organisational and technical issues BARYON AG’s e-mails are sent un-encoded. Specifically, un-encoded e-mails we receive will be answered in un-encoded form. This is also the case for e-mail addresses we have used before the release of the Data Privacy Statement. You are responsible for protecting your e-mail accounts. Baryon AG cannot be held responsible for any damages or follow-on damages concerning manipulation, deletion, forgery, dissemination, etc. due to insufficient security measures being applied to your e-mail accounts. You may, indeed you must advise us if you no longer wish to receive communications by e-mail.
In the context of a business relationship with BARYON AG a Client or a Connected Individual, must provide all personal data which is necessary for the establishment and maintenance of such business relationship and the performance of the associated contractual obligations or which BARYON AG is legally obliged to collect. In the case of asset management services, this data includes, for example, also information regarding knowledge and experience with financial instruments, personal financial situation as well as the structure and risk profile of total wealth, education and professional activities, investment goals, intended in- and outflows of assets and any other information suitable to enable BARYON AG to set up a comprehensive risk profile i.e. the assessment of the individual risk capacity. As a rule, BARYON AG would not be able to enter into or perform any contract or – consequently – accept and execute any order without collecting and processing personal data. Data subjects are responsible to make sure the information provided to BARYON AG is accurate and up to date.
In particular, provisions of anti-money laundering law require that BARYON AG verifies a data subject’s identity before entering into the business relationship by means of a document of evidentiary value (e.g. identity card) and that BARYON AG collects and records a data subject’s name, place of birth, date of birth, nationality, residential address and other data for that purpose. In order for BARYON AG to be able to comply with this statutory obligation, a data subject must provide BARYON AG with the necessary information and documents in accordance with the Anti-Money Laundering Act and notify BARYON AG without undue delay of any changes that may arise during the course of the business relationship. If a data subject does not provide BARYON AG with the necessary information and documents, BARYON AG will not be allowed to enter into or continue the requested business relationship.
If you give BARYON AG any information about another person connected to your business relationship with BARYON AG (such as a Connected Individual), you must inform such person about what personal data you have given to BARYON AG, and make sure they are informed of the content of this Data Privacy Statement.
BARYON AG is not processing personal data of Clients, Connected Individuals or prospective clients automatically with the aim of evaluating certain personal aspects (profiling).
You may request a copy of this Data Privacy Statement from BARYON AG using the contact details set out in section 1 above. BARYON AG may modify or update this Data Privacy Statement from time to time by providing a revised version to its Clients or making such a revised version available on the BARYON AG’s website at www.baryon.com.
In case GDPR is applicable to you, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 para 1 e) GDPR (processing in the public interest) and article 6 para.1 f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of article 4 para. 4 GDPR. If you lodge such an objection, BARYON AG will no longer process your personal data, unless BARYON AG can demonstrate mandatory legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defense of legal claims. Please note, that in such cases BARYON AG will not be able to provide services and maintain a business relationship with you either.
In individual cases BARYON AG processes your personal data for direct marketing purposes or to invite you to events. If GDPR is applicable to you, you have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, BARYON AG will no longer process your personal data for such purposes. There are no formal requirements for lodging an objection. It should ideally be in writing and addressed to:
E-Mail Address: firstname.lastname@example.org
This Data Privacy Statement was last updated on November 11, 2018 and approved for distribution. The content will be amended as needed. Newer versions may be available and can be obtained from BARYON AG.