General privacy statement of the Swiss National Bank
Introduction
The Swiss National Bank ('SNB') is subject to the Swiss Federal Act on Data Protection ('FADP'). The FADP regulates how personal data may be processed. Personal data are all information which can, either on its own or together with other information, be attributed to an identified or identifiable natural person.
When may you provide data to the SNB that do not relate to you?
If you disclose personal data to us that relate to other persons rather than to you yourself (hereinafter 'personal data of third parties'), we assume that you are entitled to do so and that the data are correct. By transmitting these personal data of third parties, you confirm that this is the case and that you have notified the third parties concerned of the information in this privacy statement. If this is not the case, you may not disclose personal data of third parties to us.
Where personal data are mentioned below, if applicable this always also includes personal data that have not been collected from the data subject.
Which categories of personal data does the SNB collect?
The SNB processes personal data in particular in the following contexts:
- the fulfilment of its statutory tasks and oversight duties;
- enquiries, notifications, surveys, questionnaires, statistics and research;
- your visit as well as the organisation and hosting of conferences, training courses, seminars and other events (including audio and visual recordings);
- compliance with statutory duties in Switzerland and abroad;
- the rights and obligations of the SNB as a joint-stock company, in particular with respect to its shareholders and their representatives;
- the protection of buildings and assets (among other things by means of electronic surveillance, including audio and video surveillance of public and non-public areas);
- contractual and other business relationships and their initiation and handling;
- services provided by or for the SNB;
- the operation of websites, applications and similar electronic offerings;
- the reporting of regulation violations;
- activities similar to the processing mentioned above.
The SNB also collects and processes personal data that it receives from third parties rather than from you directly. This may apply in the above-mentioned situations and to the resulting categories of personal data, for example if your employer or other third parties disclose your personal data to the SNB as a contact person or in connection with the initiation or performance of a contract. This also applies in cases where your personal data are disclosed to the SNB by a third party rather than by you for the purpose of registering to participate in a conference or event or take a training course. The SNB also processes personal data it receives from third parties in connection with the fulfilment of its statutory mandate and tasks and associated statutory provisions (e.g. combating money laundering).
The SNB may also collect the following categories of personal data, which it collects from you or, in certain cases, from third parties in Switzerland or abroad rather than from you directly:
- personal data from publicly available sources (registers such as debt collection registers and commercial registers, land registers, the media, the internet) as well as personal data available from public authorities or other third parties (e.g. credit reports, credit information, etc.);
- personal data in connection with judicial, administrative or other official proceedings or in connection with a report of regulation violations;
- personal data relating to professional activities, affiliations, publications, academic titles, memberships and functions, geographical and socio-geographical personal data (e.g. travel data), as well as information about your preferences and habits, hobbies, contact details, age, audio and visual recordings, information on means of identification such as passport or identity card (e.g. in connection with conferences, training courses, seminars, research, surveys, questionnaires, etc.);
- contact, customer and transaction data as well as data on creditworthiness (e.g. in connection with business relationships, surveys, questionnaires, events, etc.);
- personal data received by the SNB in the course of correspondence or other exchanges with third parties;
- personal data that the SNB receives from people you know (such as family, circle of friends, employer, service providers commissioned by you such as consultants, lawyers, etc.), for example in connection with withholding tax, child, education and family allowances, or with a designation as a beneficiary, co-insured, contact person, authorised person, reference or person involved in a report or enquiry, etc.;
- personal data in connection with contracts in which you are a party or beneficiary or are otherwise involved (e.g. with regard to insurance, pension funds, banks, service providers, etc.);
- personal data which the SNB receives in connection with the use of the internet, other electronic means (mobile applications, telephones, etc.) or IT-supported services (e.g. MAC or IP address, cookies, online behaviour such as time of page visits, automatically generated data concerning a malfunction of a website or service, information on the IT means you use to visit or use SNB websites or other IT means or IT-supported services accessible via the internet, your location, information in forms, login data, etc.);
- personal data, in certain cases, are also processed when the SNB records telephone calls from users, either to fulfil its statutory duties or for evidential, training or quality control purposes.
For what purpose does the SNB process personal data?
The SNB processes personal data primarily in order to fulfil its statutory tasks. Furthermore, it processes personal data in connection with contracts it concludes, with other business relationships or the performance of contracts (e.g. if you are a beneficiary or co-insured, or are party to a contract), with the organisation and hosting of training courses, seminars, events, with its rights and obligations as a joint-stock company, in particular towards its shareholders and their representatives, and with other legal obligations in Switzerland and abroad.
The SNB also processes personal data for the following reasons:
- communication, for example, with former, current or future customers, interested parties, employees and people you know (e.g. an emergency contact, beneficiary), or persons otherwise connected with the SNB (e.g. walk-in customers, the general public, assistants, authorities, media, academics, researchers, persons submitting reports or enquiries, persons involved in surveys or statistics, etc.);
- statements, publications, processing of enquiries, notifications, surveys, questionnaires, statistics and research;
- development and refinement of offers, services, presence on the internet and in other electronic or other media;
- recruitment (in particular applications) and personnel administration, provision of fringe benefits, settlement of withholding tax, child, education and family allowances, contact after end of employment relationship;
- performance of statutory duties in Switzerland and abroad;
- audit, administration, optimisation of processes, fulfilment of tasks and the operation of the SNB and its infrastructure (in particular, internal or external IT infrastructure and presence in electronic media);
- promotion of products and services, organisation of training courses and events, optimisation of the aforementioned, and related communications;
- training in connection with artificial intelligence (AI training);
- surveying public opinion, monitoring reports, the press and other media;
- enforcing rights and obligations in judicial, administrative or other official proceedings in Switzerland and abroad;
- handling of reports of regulation violations;
- protecting buildings, people, assets and infrastructure, including video and other electronic surveillance (logs, access controls, visitor lists, IT filter data, recordings, etc.) and ensuring security, in particular IT security, to prevent theft, fraud and misuse and for evidential purposes. Personal data sent, stored or otherwise processed by employees or third parties via or on the SNB's electronic infrastructure are also processed in the context of attacks simulated by the SNB or SNB service providers;
- clarification (including internal investigations) and prevention of violations of statutory provisions, SNB regulations and agreements, of criminal offences or other violations of regulations;
- in accordance with the purpose(s) arising from forms, declarations of consent, or otherwise.
Further processing purposes also arise from the categories of personal data collected by the SNB and mentioned in the section Which categories of personal data does the SNB collect? of the present 'General privacy statement of the SNB'.
Under which circumstances does the SNB disclose personal data and to whom?
The SNB discloses personal data if there is a legal basis for doing so or a law so provides, pursuant to a decision or by order of a court or authority in Switzerland or abroad, or if you as the data subject have given your consent. In addition, in connection with the aforementioned purposes, the SNB may disclose personal data to service providers, contractual partners, other business partners, event organisers, beneficiaries, customers, the media and the public, institutions, associations, clubs and similar organisations, participants in current or potential legal proceedings, parties involved in a report of regulation violations, authorities and administrative bodies, provided that appropriate agreements regarding data protection have been concluded for the corresponding disclosure or that the recipients of the personal data have otherwise undertaken or are obliged to provide adequate data protection.
To which countries does the SNB disclose personal data?
The SNB only discloses personal data in exceptional cases and, as a rule, at most to countries with adequate data protection from Switzerland's perspective (specifically the EU and EEA states). However in some cases, and subject to specific requirements, certain personal data may by way of exception also be transferred to other countries (worldwide).
How is an adequate level of data protection ensured if this is not already guaranteed by the applicable legislation in the country concerned?
If personal data are disclosed to a country with inadequate data protection from Switzerland's perspective, and if the disclosure is not based on an exemption provision, the SNB will otherwise ensure adequate data protection, unless the recipient of the personal data has already undertaken to comply with recognised rules guaranteeing adequate data protection.
The SNB ensures adequate data protection by concluding standard contractual clauses. These standard contractual clauses are recognised by the Federal Data Protection and Information Commissioner (FDPIC), provided adaptations are made to comply with Swiss legislation. Standard contractual clauses adapted to comply with Swiss law can be obtained from the SNB. On the following website https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914 you can find the standard contractual clauses without adaptions in line with Swiss law. The adaptations of the standard contractual clauses required by the FDPIC for use under Swiss law can be found on the FDPIC website.
An exemption may apply, for example in the event of legal proceedings abroad, in cases of overriding public interests, in connection with the performance of a contract, if you have given your consent, or if data are involved that you have made available to the general public and to whose processing you have not objected.
Data security
The SNB takes appropriate technical and organisational security precautions to protect your personal data from unauthorised access and other unauthorised processing as well as from misuse. When selecting and instructing external service providers, the SNB ensures that the recipients of personal data comply with the relevant data protection requirements by taking appropriate technical and organisational measures.
However, although regular checks are performed, it is impossible to protect against all risks posed by the internet as a universally accessible medium.
Duration of storage of personal data
The SNB stores personal data for as long as necessary to fulfil contractual as well as national and international legal obligations, to pursue legitimate interests, or for the purposes for which processing is used.
It is possible that personal data may be retained, including for reasons of proof, for as long as claims can be asserted against the SNB or insofar as the SNB is otherwise legally obliged to do so or justified interests require such retention. As soon as stored personal data are no longer required, they are erased or anonymised as far as is possible.
Rights of data subjects
Data subjects, i.e. persons whose personal data are processed, may - free of charge - request information on whether their personal data are being processed by the SNB.
In principle, data subjects have the right to object to data processing, the right to have their personal data corrected or erased, the right to restrict data processing and the right to data portability. In cases where the SNB processes personal data on the basis of a declaration of consent, such consent can be revoked at any time; however, this has no effect on data processing already carried out. Incorrect personal data can be corrected upon request.
These rights may be restricted by legal or regulatory provisions (e.g. the SNB's reporting, archiving or retention obligations).
Relationship to other privacy statements or agreements
The present 'General privacy statement of the SNB' provides information on how the SNB processes personal data. In some cases, this information is regulated or supplemented in other documents. For example, for certain processing of personal data, further information is provided in specific privacy statements, in contracts or general terms and conditions (such as conditions of participation or terms of business), and in forms and declarations of consent, etc. For example, for the use of the SNB's websites or with regard to contractual relations with the SNB, for certain SNB surveys and questionnaires, or with regard to certain employment relationships with the SNB, etc., the information in the corresponding specific privacy statements must also be observed. In the event of any conflicts between the 'General privacy statement of the SNB' and its specific privacy statements, the latter take precedence. Any information that is not contradictory, however, is to be understood as supplementary information and applies in addition to the information contained in the present 'General privacy statement of the SNB'.
Who is responsible for the processing of personal data?
The SNB is responsible for the processing of your personal data as described in the 'General privacy statement of the SNB' or other SNB privacy statements.
If you have any questions about the processing of your personal data, you can contact the SNB using the details below:
By post:
Swiss National Bank
Data Protection Office
Börsenstrasse 15
P.O. Box
8022 Zurich
How can the SNB's Data Protection Officer be contacted?
The SNB's Data Protection Officer can be contacted using the details provided in the section Who is responsible for the processing of personal data?.
Changes
The SNB may amend the present privacy statement at any time and without prior notice.
Date
September 2023