Data Privacy Statement

In light of the Swiss Federal Act on Data Protection (“DPA”) and its upcoming revision as well as the EU General Data Protection Regulation (“GDPR”), the European Union (“EU”) privacy regulation, BARYON AG has issued this statement on Data Privacy. Although GDPR is an EU regulation, it is relevant for BARYON AG for a number of reasons. Swiss data protection legislation is historically closely tied to EU regulations and any future amendments will be substantially influenced by GDPR. Furthermore, although GDPR is an EU regulation, under certain circumstances it may apply to companies outside the EU, including BARYON AG, due to the extraterritorial effect.

In this Data Privacy Statement BARYON AG outlines how it collects, processes and protects personal data concerning the following persons: (i) prospective clients, (ii) persons that have or are in the process of applying for a business relationship with BARYON AG (“Clients”) and (iii) individuals or entities whose information is provided by a Client to BARYON AG or comes to the attention of BARYON AG in some other way in via services provided by BARYON AG to a Client (“Connected Individuals”). A Connected Individual may include, but is not limited to, (i) any director, officer, authorized signatory or employee of a company, (ii) a trustee, settlor or protector of a trust, (iii) any beneficial owner of Client’s assets, (iv) a controlling person, (v) a payee of a designated payment, (vi) representative(s) or agent(s) of a Client, or (vii) any other individual or entity having a relationship with a Client that is relevant to this Client’s business relationship with BARYON AG.

Furthermore, this Data Privacy Statement shall also inform Clients, Connected Individuals and prospective clients of their rights in relation to personal data collected and processed by BARYON AG. Please note: Which specific personal data are processed and how they are used depends largely on the products and services requested or agreed upon in each case.

Wherever BARYON AG uses “you” or “your” in this Data Privacy Statement, this is meant as a reference to a prospective client, a Client and any Connected Individual as defined herein.

If BARYON AG provides separate or additional information about how it collects and uses Clients’ or Connected Individuals’ personal data for a particular product or service, those terms will also apply. Furthermore, this Data Privacy Statement continues to apply even if a Client’s agreements for products and services with BARYON AG end.

Please familiarize yourself with this Data Privacy Statement and also forward it to any Connected Individuals before BARYON AG is provided with personal data of an involved Connected Individual.

1. Who is responsible for Data Processing and who can you contact in this regard?

The contact person and the controller for data processing purposes is BARYON AG’s Data Protection Officer (according to GDPR) who can be reached as follows:

BARYON AG
Daniel Amstutz
General-Guisan-Quai 36
CH-8002 Zurich
Switzerland
E-Mail Address: daniel.amstutz@baryon.com

2. What sources and data does BARYON AG use?

The personal data BARYON AG collects or has about Clients, Connected Individuals and prospective clients come from different sources. This includes personal data relating to an existing business relationship, a prospective business relationship or a closed, previous business relationship with BARYON AG or any of BARYON AG’s products or services that the Client or a Connected Individual or prospective client has applied for or held previously.

Some of the personal data will come directly from the Client, the Connected Individual or the prospective client. Some might be obtained from a custodian bank of the Client, another advisor, a business introducer or from other third parties. Personal data might also come from publicly available sources or from combining different sets of information.

Personal data collected may include, in particular:

a) Information that a Client, a Connected Person or a prospective client provides to BARYON AG such as:

Contact details (e.g. name, address and other contact details such as date and place of birth, and nationality);
Information about a Client, a Connected Person or a prospective client given to BARYON AG contained in forms and documents of the custodian bank or of BARYON AG or by communicating with BARYON AG, whether face-to-face, by phone, e-mail, on-line, postal mail or otherwise;
Information concerning a Client’s, Connected Person’s or prospective client’s identity (e.g. passport information which does also contain a photograph) or which is relevant for authentication purposes (e.g. sample signature).

b) Information that BARYON AG collects or generates about the Client, a Connected Person or a prospective client, such as:

Client relationship data (e.g. products held and services rendered), securities and payment transaction data and other financial information;
Information BARYON AG collects or generates to comply with its obligations under the anti-money laundering regulatory framework (e.g. information on origin of assets, beneficial ownership);
Information BARYON AG collects or generates for risk management purposes such as client due diligence data (including periodic review results). For Clients of BARYON AG’s asset management mainly the creation of risk profiles and calculation/estimation of individual risk capacity of Clients, data to assess suitability/appropriateness, client qualification data (e.g. status as qualified investor), client segmentation data as well as in the case of insufficient or missing data the set-up of estimations based on combinations from various data from the Client’s business relation history;
Information included in relevant client files and client documentation and other comparable information;
Marketing information (e.g. newsletters, documents received, invitations to and participations at events and special activities, personal preferences and interests, opt-in and opt-out declarations).

c) Information about the Client, a Connected Person or a prospective client that BARYON AG collects from other sources, for example:

Information (including personal data) from the custodian bank of the Client to the extent of the services agreed with BARYON AG;
Information from tax advisors of the Client;
Information from publicly available sources and combined information from external sources (e.g. corporate and media broadcasts, information pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information).

BARYON AG may also collect and process additional personal data about which BARYON AG will inform you from time to time.

3. What does BARYON AG process personal data for (purpose of the processing) and on what legal basis?

BARYON AG processes personal data of Clients, Connected Individuals and prospective clients for various purposes in accordance with the provisions of the European GDPR and the Swiss DPA and only uses such personal data where BARYON AG has a lawful basis for using it. The lawful basis and purposes include processing:

a) On the basis of your consent (article 6 para. 1 a) of the GDPR)

Insofar as you have granted BARYON AG consent to process your personal data for specific purposes, this processing is lawful on the basis of your consent. A consent given may be revoked at any time. This also applies to withdrawal of declarations of consent that were given to BARYON AG before the GDPR came into force, i.e. prior to May 25, 2018. Please be advised that a withdrawal of consent does not affect the lawfulness of the processing of data prior to revocation of such consent. Note however that BARYON AG may still be entitled to process your personal data if it has another legitimate reason for doing so.

b) For the fulfilment of contractual obligations (article 6 para. 1 b) of the GDPR)

The processing of personal data is carried out in order to perform transactions and financial services pursuant to contracts with BARYON AG’s Clients and their Connected Individuals or to take steps prior to entering into a contract (e.g. with prospective clients).
The purposes of data processing are primarily dependent on the specific product (i.e. discretionary portfolio management agreement, investment advisory agreement, advisory and consulting agreement, tax consulting, legal counselling) and can include needs assessments, advisory, asset management and other financial or support services, as well as the carrying out of transactions. Additional details about the purposes of data processing may also be included in the applicable contractual or product documentation, contained in the correspondence with BARYON AG or in the brochure “Client Information Asset Management” of BARYON AG.

c) Due to legal obligations (article 6 para. 1 c) of the GDPR) or in the public interest (article 6 para. 1 e) of the GDPR)

Furthermore, BARYON AG is subject to various legal obligations, i.e. statutory requirements (e.g. Financial Services Act, Collective Investment Schemes Act, Financial Market Infrastructure Act, Anti-Money Laundering Act, ordinances of FINMA (Swiss Financial Market Supervisory Authority), ordinances and circulars of regulatory authorities and tax laws). Purposes of processing include for example assessment of identity, fraud and money laundering prevention measures, fulfilment of control and reporting obligations under fiscal and other laws, and measuring and managing risks within BARYON AG.

d) In the context of balancing interests and the purposes of safeguarding legitimate interests respectively (article 6 para. 1 f) of the GDPR)

Where required, BARYON AG processes personal data beyond the actual fulfilment of the contract for the purposes of safeguarding the legitimate interests pursued by BARYON AG or a third party. For example:

Keep track of BARYON AG’s conversations with Clients, Connected Individuals and prospective clients (by phone, in person, by email, by postal mail or by any other kind of communication);
Asserting legal claims and mounting a defense in the event of legal disputes;
Correspond with legal advisers, third party intermediaries and custodian banks;
Manage BARYON AG’s internal operational requirements for audit and administrative purposes;
Prevention and solving of crimes;
Risk control of BARYON AG;
Marketing, to the extent that Clients, Connected Individuals and prospective clients have not objected to having their personal data used;
Complying with applicable Swiss and other legal statutory and regulatory requirements.

4. Who receives personal data?

Within BARYON AG those units are given access to personal data of Clients, Connected Individuals and prospective clients which require them in order to perform the agreed services as well as BARYON AG’s contractual and statutory obligations or as further described in this Data Privacy Statement. Service providers and auxiliary persons appointed by BARYON AG may also receive data for these purposes if they observe customer secrecy rules. These are in first line the custodian banks of the Client and (on a very closely held basis) companies in the categories of IT services, logistics, printing services, telecommunications, advice and consulting, as well as sales and marketing.

With regard to transferring data to other recipients outside BARYON AG, to begin with, it is to be noted that, as a regulated independent asset manager, BARYON AG is generally obliged to maintain secrecy about any customer-related facts and evaluations which BARYON AG may acquire or have knowledge of. BARYON AG may pass on information about you only if legal provisions demand it, if you have given your consent, and/or if BARYON AG is authorized to provide information. Under these requirements, recipients of personal data can be, for example:

Public authorities and institutions (e.g. Swiss Financial Market Authority (FINMA), other financial authorities, tax authorities, criminal prosecution authorities, courts) insofar as a statutory or official obligation exists;
Other financial service institutions, comparable institutions and data processors to which BARYON AG transfers a data subject’s personal data in order to perform the business relationship with such data subject (e.g. custodian banks, clearing houses, clearing or settlement systems, brokers, stock exchanges, information offices, service providers, companies that a data subject holds securities in);
Joint account holders, trustees, beneficiaries, power of attorney holders, members of foundation councils, directors as far as connected with a business relation between you and BARYON AG;
Power of attorney holders entitles them to give instructions to BARYON AG or executors of the will;
Any custodian bank where BARYON AG is entitled to give orders for you in line with the services agreed between you and BARYON AG;
Auditors or dispute resolution bodies.

Additional recipients of personal data may be those for which you have given your consent to transfer your personal data or with respect to which you have exempted your custodian bank form the banking secrecy by agreement or consent.

5. Is data transferred to a third country or to an international organisation?

In certain circumstances personal data may be transferred to, and stored at, a destination outside Switzerland, including locations which may not have the same level of protection for personal data as Switzerland. BARYON AG will always do this in a way that is permissible under data protection rules. BARYON AG may need to transfer your information in this way for example:

To perform its contract with you (e.g. in the case of a custodian bank outside Switzerland to forward orders in line with the services agreed with BARYON AG).

Transfer of personal data to recipients in countries outside Switzerland, the EEA and the EU (so-called third countries) will take place if

It is necessary for the execution of orders or a contract (e.g. payments and securities orders);
It is required by law (e.g. reporting obligations under fiscal law);
It is in the context of commissioned data processing; or
You have given your consent to BARYON AG.

Where your personal data is to be disclosed to third parties domiciled in countries which do not have an appropriate level of data protection, BARYON AG ensures that where necessary it takes appropriate measures (e.g. contractual arrangements – such as the EU Standard Contractual Clauses / see Article 46 para. 2 (c) of the GDPR- or other precautions or justifications) so that personal data continues to receive appropriate protection.

You can obtain more details of the protection given to your information when it is transferred outside Switzerland by contacting BARYON AG in accordance with the information provided in section 1 above.

6. How long will personal data be stored?

BARYON AG will process and store personal data of Clients, Connected Individuals or prospective clients for as long as it is necessary in order to fulfil BARYON AG’s contractual and statutory obligations. It should be noted here that the business relationship with BARYON AG is a continuing and long-term relation, intended to last for several years. If the personal data are no longer required in order to fulfil contractual or statutory obligations, they are regularly deleted, unless their further processing – generally for a limited time – is required for the following purposes:

Compliance with records retention periods under commercial and tax law: this includes for example the Swiss Code of Obligations (CO) and its related relevant ordinances, the Federal Act on Value Added Tax (VATA), the Federal Act on Direct Taxation (DTA), the Federal Act on Harmonization of Direct Taxes of Cantons and Municipalities (THA), the Federal Act on Stamp Duties (SDA) the Federal Act on Withholding Tax (WTA), the Swiss Association of Asset Managers ‘s Guidelines on the treatment of assets without contact and dormant assets.
Preservation of evidence in accordance with statutes of limitations.
Compliance with special retention constellations, such as «legal holds», i.e. processes put into effect by BARYON AG in order to preserve all forms of relevant information when litigation is reasonably anticipated or ongoing. In such cases BARYON AG might be required to keep the information for an undefined period of time.
For the comprehensive documentation of related and still ongoing business relationship with BARYON AG (i.e. source of wealth, circumstances regarding the establishment of the business relationship, performance development).

7. What data protection rights do you have?

Under the applicable data protection laws you may have the following rights: the right of access (as defined in article 8 DPA and 15 GDPR), the right to rectification (as defined in article 5 DPA and 16 GDPR), the right to erasure (as defined in article 5 DPA and 17 GDPR), the right to restriction of processing (as defined in articles 12, 13, 15 DPA and 18 GDPR), the right to object to the data processing (as defined in article 4 DPA and 21 GDPR) and, if applicable, the right to data portability (as defined in article 20 GDPR). The right of access and the right to erasure are subject to certain restrictions (under articles 9, 10 and 13 DPA and, in particular, 23 GDPR). Furthermore, if applicable on a person, there is also a right to lodge a complaint with an appropriate data privacy supervisory authority (article 77 GDPR).

Where BARYON AG processes personal data based on your granted consent, you may revoke your consent specifically granted to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were granted to BARYON AG prior to the entry into force of the GDPR, i.e. before May 25, 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby. Please note however that BARYON AG may still be entitled to process your personal data if it has another legitimate reason for doing so.

8. How is personal data kept secure?

BARYON AG implements internal technical and organisational measures to keep personal data of Clients, Connected Individuals and prospective clients safe and secure which may include encryption, anonymization, access limitations and physical security measures. BARYON AG requires its employees and any third parties who carry out any work on BARYON AG’s behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of personal data.

Important: Please note, due to organisational and technical issues BARYON AG’s e-mails are sent un-encoded. Specifically, un-encoded e-mails we receive will be answered in un-encoded form. This is also the case for e-mail addresses we have used before the release of the Data Privacy Statement. You are responsible for protecting your e-mail accounts. BARYON AG cannot be held responsible for any damages or follow-on damages concerning manipulation, deletion, forgery, dissemination, etc. due to insufficient security measures being applied to your e-mail accounts. You may, indeed you must advise us if you no longer wish to receive communications by e-mail.

9. Is there an obligation to provide data?

In the context of a business relationship with BARYON AG a Client or a Connected Individual, must provide all personal data which is necessary for the establishment and maintenance of such business relationship and the performance of the associated contractual obligations or which BARYON AG is legally obliged to collect. In the case of asset management services, this data includes, for example, also information regarding knowledge and experience with financial instruments, personal financial situation as well as the structure and risk profile of total wealth, education and professional activities, investment goals, intended in- and outflows of assets and any other information suitable to enable BARYON AG to set up a comprehensive risk profile i.e. the assessment of the individual risk capacity. As a rule, BARYON AG would not be able to enter into or perform any contract or – consequently – accept and execute any order without collecting and processing personal data. Data subjects are responsible to make sure the information provided to BARYON AG is accurate and up to date.

In particular, provisions of anti-money laundering law require that BARYON AG verifies a data subject’s identity before entering into the business relationship by means of a document of evidentiary value (e.g. identity card) and that BARYON AG collects and records a data subject’s name, place of birth, date of birth, nationality, residential address and other data for that purpose. In order for BARYON AG to be able to comply with this statutory obligation, a data subject must provide BARYON AG with the necessary information and documents in accordance with the Anti-Money Laundering Act and notify BARYON AG without undue delay of any changes that may arise during the course of the business relationship. If a data subject does not provide BARYON AG with the necessary information and documents, BARYON AG will not be allowed to enter into or continue the requested business relationship.

If you give BARYON AG any information about another person connected to your business relationship with BARYON AG (such as a Connected Individual), you must inform such person about what personal data you have given to BARYON AG, and make sure they are informed of the content of this Data Privacy Statement.

10. Is “profiling” or “automated decision-making” used?

BARYON AG is not processing personal data of Clients, Connected Individuals or prospective clients automatically with the aim of evaluating certain personal aspects (profiling).

Our internet website (www.baryon.com) uses cookies. Cookies are small text messages which are stored by your browser when you visit our website. We use cookies to make our website user-friendly. You can de-activate the use of cookies in your browser, but this may result in cookie management or the website no longer working correctly. Most cookies will be deleted after you left our website. However, some cookies may remain active for 24 hours before complete deletion.

11. Changes to the Data Privacy Statement

You may request a copy of this Data Privacy Statement from BARYON AG using the contact details set out in section 1 above. BARYON AG may modify or update this Data Privacy Statement from time to time by providing a revised version to its Clients or making such a revised version available on the BARYON AG’s website at www.baryon.com.

Information on your right to object under article 21 of the EU General Data Protection Regulation (GDPR)

1. Ad hoc right to object

In case GDPR is applicable to you, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 para 1 e) GDPR (processing in the public interest) and article 6 para.1 f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of article 4 para. 4 GDPR. If you lodge such an objection, BARYON AG will no longer process your personal data, unless BARYON AG can demonstrate mandatory legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defense of legal claims. Please note, that in such cases BARYON AG will not be able to provide services and maintain a business relationship with you either.

2. Right to object to the processing of data for direct marketing purposes

In individual cases BARYON AG processes your personal data for direct marketing purposes or to invite you to events. If GDPR is applicable to you, you have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, BARYON AG will no longer process your personal data for such purposes. There are no formal requirements for lodging an objection. It should ideally be in writing and addressed to: