Information on Data Protection under the Swiss Federal Act on Data Protection (FADP/DSG)

In the course of its activities, Abrias Investment Management AG (hereinafter also referred to as “ABRIAS”) processes data relating to natural and legal persons (hereinafter referred to as “personal data”). Such personal data includes information about customers (current and former), prospective customers, business partners and their employees, as well as any other person who interacts with ABRIAS.

ABRIAS complies with the applicable laws and regulations to ensure the protection and confidentiality of personal data. This document provides you with an overview of how your personal data is processed and of your personal rights.

1. Types of data processed

ABRIAS primarily processes the personal data it receives, in the context of its business relationships, from its customers, other business partners and other persons involved:

  • Personal data such as first and last name, date and place of birth, nationality, residence, gender, telephone number, postal and email address, as well as data about family members or related persons such as the name of the spouse/partner and/or children;
  • Financial information, such as payment and transaction records, information on assets, balance sheets, liabilities, taxes, income, earnings and investments;
  • Tax residence and other tax documents and information such as the tax identification number;
  • Professional information about the customer, such as location and professional experience;
  • Investment knowledge and experience;
  • Details on customer contacts and the products and services requested, as well as details of any mandates granted;
  • Where applicable, recordings of telephone calls between the customer and ABRIAS;
  • In certain cases (where permitted by law) special categories of personal data, such as biometric data and data relating to criminal convictions or offences.

In some cases, ABRIAS may also collect the above information by consulting public registers, public authorities or other third-party sources such as the custodian bank. Where relevant for the services we provide to our customers, we also collect information about joint cardholders or bank accounts, members (including other shareholders or beneficiaries), relatives or family members, representatives and agents.

When a customer visits ABRIAS’s website (www.abrias.ch), the data transmitted by the customer’s browser is automatically recorded by our server (including date and time of access, name of the retrieved file, amount of data transferred and access status, the customer’s browser, language and domain, IP address). Further data is collected only if the customer provides voluntary consent, e.g. in the context of a registration or enquiry via ABRIAS’s website.

ABRIAS may use cookies, tracking technologies and other means (e.g. web beacons, pixels, gifs, tags, unique identifiers) to collect and process the above information from a variety of channels, including email and the devices you use to interact with us via our website.

2. Purpose of data processing and legal bases

ABRIAS processes the above personal data in accordance with the provisions of the Swiss Federal Act on Data Protection. Your personal data is always processed for a specific purpose and only to the extent necessary to achieve that purpose. The main purposes of this processing are as follows:

2.1. Fulfilment of contractual obligations

Data is processed in order to provide financial services in connection with the performance of contracts concluded with customers or to carry out pre-contractual measures prior to entering into such contracts. The purposes of the processing depend primarily on the specific service requested by the customer and may include a needs assessment.

2.2. Compliance with legal obligations

The company is subject to various legal obligations (e.g. the Financial Institutions Act, the Anti-Money Laundering Act, the Financial Services Act) and to provisions issued by the supervisory body to which the company is affiliated, OSFINcontrol Suisse AG, and by FINMA, which may require the processing of personal data.

2.3. Pursuit of legitimate interests

Where necessary, we process data beyond what is strictly required for the effective fulfilment of our contractual obligations in order to pursue legitimate interests of ours or of third parties, provided these are not outweighed by the interests or fundamental rights and freedoms of our customers. In addition to the examples below, we also obtain personal data from publicly accessible sources for customer acquisition purposes:

  • to assert legitimate claims and develop a defence position in the event of disputes;
  • to ensure the IT security and operation of ABRIAS’s IT systems;
  • prevention and detection of criminal offences;
  • video surveillance to prevent unauthorised access, gather evidence in the event of theft or fraud, or determine availability and collateral;
  • measures to ensure the security of buildings and premises (e.g. access control);
  • measures to manage activities and further develop services and products.

When ABRIAS processes personal data pursuant to sections 2.1, 2.2 and 2.3, it is not necessary to obtain the data subject’s prior express consent.

2.4. Specific purposes

Where the data subject has consented to the processing of personal data for specific purposes (e.g. analysis of trading activity for marketing purposes, etc.), the lawfulness of such processing is based on consent. You may withdraw your consent at any time.

3. Access to and protection of personal data

Within ABRIAS, access to data is granted to employees who require it to fulfil contractual, legal and regulatory obligations. Service providers and agents (generally providers of banking, IT, logistics, printing, telecommunications, debt collection, consulting, sales and marketing services) engaged by ABRIAS may also receive data for these purposes, provided they comply with the applicable regulations for processing personal data.

With regard to the transfer of data to recipients outside ABRIAS, it should first be noted that the asset manager’s employees are obliged to maintain confidentiality regarding all facts and assessments relating to the customer of which they may become aware.

Under certain conditions, ABRIAS is permitted to disclose information to third parties, such as:

  • authorities and institutions (e.g. FINMA, supervisory authorities, audit firms, tax authorities, law enforcement authorities), where legal obligations exist;
  • other financial service providers, similar institutions and processors to whom we transfer personal data in order to perform our mandate (e.g. support/maintenance of data processing/IT applications, archiving, document processing, compliance and risk management services).

Appropriate technical and organisational measures have been implemented to prevent unauthorised or unlawful access to personal data provided by customers.

4. Transfer to a third country

Data may be transferred to countries outside Switzerland only if this is necessary for the provision of the agreed services (e.g. stock exchange orders), is required by law (e.g. tax reporting obligations), or the customer has given consent. Where service providers are used in a third country, they are obliged to comply with the level of data protection applicable in Switzerland.

5. Retention period

ABRIAS stores personal data only for as long as necessary to achieve the purpose for which it was collected or to meet requirements of laws, regulations or internal policies. For this purpose, specific criteria apply to determine appropriate retention periods depending on the purpose, such as proper accounting, facilitating the customer relationship, defence in the event of legal claims, or responding to requests from supervisory authorities. In general, ABRIAS retains personal data for the duration of the relationship or contract plus a further ten years, corresponding to the period during which legal action may be brought after termination of such relationship or contract. Pending or threatened legal or administrative proceedings may lead to retention beyond this period.

6. Data protection rights

6.1. General

Each data subject has the right to information about their data, the right to rectification or deletion and to restriction of processing and/or to object, as well as to data portability where applicable. Furthermore, within the applicable limits, each data subject has the right to lodge a complaint with a competent data protection supervisory authority.

You may withdraw your consent to the processing of your personal data at any time. The withdrawal applies only for the future; processing carried out before withdrawal is not affected.

The rights of access, withdrawal or objection are not absolute, as they may not apply in certain circumstances or may be subject to exceptions (e.g. to fulfil legal obligations). We will handle requests we receive in accordance with applicable data protection laws. In addition, if a data subject exercises their rights, we may first request proof of identity. We may also ask for additional information if your request is unclear. If we are unable to comply with your request, we will provide you with an explanation.

To exercise your rights, please use the contact details set out in section 11.

6.2. Right to object to processing for marketing purposes

In some cases, we process personal data for direct marketing purposes. The data subject has the right to object at any time to the processing of personal data for such purposes, including profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes. To object, please use the contact details set out in section 11.

7. Obligation to provide data

In the context of providing our services, the data subject is obliged to provide the personal data required to establish and perform the mandate and to fulfil the relevant contractual and legal obligations. Without this data, we are generally unable to enter into or perform a contract with our customers. In particular, the provisions of the Anti-Money Laundering Act require us to verify your identity before entering into a business relationship. In order to comply with this legal obligation, data subjects are required to provide us with the necessary information and documents and to notify us promptly of any changes that may occur during the term of the mandate. In the absence of the required information and documents, we are not permitted to provide our services.

8. Use of automated decision-making procedures

ABRIAS generally does not make decisions solely on the basis of automated procedures for establishing and conducting the business relationship. Where the company uses such procedures in individual cases, it will provide separate information where required by law. A right to object is guaranteed under certain conditions.

9. Profiling

In some cases, we process customer data automatically for the purpose of evaluating certain personal aspects (profiling). Examples include:

  • The law requires us to take measures to combat money laundering, fraud and terrorist financing, as well as criminal offences that pose a threat to assets. Data analyses (e.g. in payment transactions) may also be carried out in this context;
  • We may carry out customer profiling in order to meet regulatory and contractual requirements (e.g. determining the customer’s investment profile).

10. Data security

ABRIAS implements appropriate technical (e.g. encryption, pseudonymisation, logging, access control, data backup, etc.) and organisational (e.g. instructions to our employees, confidentiality agreements, audits, etc.) measures to ensure the security of the information collected and processed and to protect it against unauthorised access, misuse, loss, falsification and destruction. Access to your personal data is permitted only where it is genuinely necessary.

However, security risks generally cannot be completely ruled out: certain residual risks are usually unavoidable. In particular, as flawless data security cannot be guaranteed when communicating by email, instant messaging or similar means, we recommend that you send confidential information via especially secure channels.

11. Contact details

The responsible body is ABRIAS’s data protection officer, who can be contacted at the following address:

Abrias Investment Management AG
Bahnhofplatz
CH-6300 Zug
Telephone: +41 41 662 40 40
Email: operations@abrias.ch