SIX BBS General Privacy Statement

This Privacy Statement applies to instances where SIX BBS Ltd processes personal data as a controller, thus deciding purposes and means of the processing of personal data alone or jointly with other controllers. Whenever SIX BBS Ltd acts in relation to a processing activity as a Data Processor on behalf of another entity such as its customers, this Privacy Statement does not apply, but rather the provisions of the relevant Data Processing Agreement.

Further, this Privacy Statement is general and subsidiary. This means that it covers all processing of personal data effected by SIX BBS Ltd as a controller, but that the specific Privacy Statements of SIX BBS Ltd take precedence over this general Privacy Statement. Where a specific Privacy Statement does not provide information on certain aspects of personal data processing by SIX BBS Ltd as a controller, this indicates that relevant provisions of this Privacy Statement are in effect also for the processes covered by the respective specific Privacy Statement.

The following specific Privacy Statements of SIX BBS Ltd are in effect:

• Debix Privacy Statement
• eBill Privacy Statement for network partners and invoice issuers
• eBill.ch Privacy Statement for websites

It applies to all natural persons with whom we come into contact (referred to as “you” in this document). This includes employees, company officers and directors, financial stakeholders and all personnel of our customers, service providers, supervisory authorities, and other business partners.

Data protection is a top priority for SIX BBS Ltd; this applies in particular to the processing of personal data.

Our services are offered to institutions authorized or supervised by FINMA, the Swiss National Bank (SNB) or a comparable foreign authority or other reputable institutions. Delivery of services by SIX BBS Ltd requires a contract with SIX BBS Ltd.

Personal data may be included in the data and information we process as agreed with customers.

In order to fulfill our business purposes, we require contact information about the employees or customers of our customers.

SIX BBS Ltd is responsible for the processing of personal data.

SIX BBS Ltd
Hardturmstrasse 201
8005 Zurich
Switzerland

We Process Personal Data:

• For the purpose of concluding a contract with customers
• To fulfill a contractual obligation
• To comply with legal requirements
• To pursue legitimate business interests, e.g., for compliance with the security provisions for our premises and IT infrastructure
• Where provided for, on the basis of consent

We Process Personal Data for the Following Reasons:

• To provide services and products to customers including any communications required to deliver them
• To receive requests and to improve our service and product quality
• To receive, investigate and respond to customer complaints
• To inform customers, suppliers and service providers
• To inform supervisory authorities (especially the SNB and FINMA)
• To manage relationships with participants, suppliers and service providers
• To carry out analyses with the intention of strengthening our relationships and improving our services and product offerings
• For testing and support purposes
• To operate and maintain our information technology platform
• To establish, exercise and/or defend legal claims and rights
• To protect, exercise and enforce our rights, property and security, or to assist participants, suppliers, service providers and other third parties to do so
• To undertake corporate marketing
• For other purposes as disclosed at each opportunity

In most cases, the personal data processed by SIX BBS Ltd is limited to basic information on individuals. Exemplary, this includes name, job title, business function, work address, telephone number and e-mail address.

Other categories depend on the respective services and processing activities, e.g., login credentials, banking relationship data, system generated identification numbers, photos identifying you in the context of ATM services. Please contact us, should you need more detailed information.

We Collect Data From:

• Our participants, when they
  – Provide us with contact details for relationship management, sales, or other purposes
  – Send us data in either electronic or printed forms via e-mail or physical mail
  – Provide us with information for client on-boarding
  – Provide us with data for a contract or a service agreement (including invoicing)
  – Provide us with data to address operational problems, for customer satisfaction and other market-related surveys, for service improvements, and similar legitimate reasons
  – Instruct us to process transactions for settlement
• Our service providers when such data is required to
  – Establish and maintain a contact
  – Enter into and maintain contracts, service level agreements and other types of service descriptions
  – Facilitate billing and payment
  – Monitor and control service delivery to ensure and enhance quality
  
• You directly, when you as an individual provide us with your information when you use the services we make publicly available
• From other sources, such as
  – Background information from third party providers
  – Information from regulatory authorities
  – Information from publicly available sources

Personal data may be disclosed to and/or transferred to

• Our partners within and outside SIX Group Ltd if the data is included in business transactions to be processed by the partners or in the context of issue and problem resolution, contract management, service and invoicing requests, requests of your compliance office, and general participant support
• FINMA, law enforcement agency or tax authorities
• Our auditors and legal advisors
• Our technology suppliers that provide support for incident handling
• Other persons where disclosure is required by law or contractual obligations

Personal data can be transferred to other legal entities within SIX Group Ltd as well as the relevant supervisory authorities, law enforcement and tax authorities, courts, service providers involved and other partners within and outside Switzerland and the European Economic Area (EEA). This includes countries whose data protection standards deviate from that of the EEA standard. When we transfer your personal data to service providers, other SIX Group Ltd entities or partners in these countries, we will ensure that they protect your personal data in accordance with EEA-approved standard data transfer agreements or other appropriate safeguards.

Data transfer can take place to the following countries: Germany, France, Italy, Austria, Liechtenstein, Poland and UK.

As a general rule, we keep personal data as long as we have a client relationship. After a contractual relationship ends, we are usually required to maintain that data for a period of 10 years. In cases where the relevant customer or counterparty informs us that employment of or a customer relationship with a certain person has ceased, the retention period starts from that point in time.

You can ask us to: (i) provide you with a copy of your personal data; (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You may also opt out of the processing of your personal data for direct marketing purposes or object to our other processing of your personal data. These rights will be limited in some situations; for example, where we are required by law to process your personal data.

To exercise these rights or if you have questions about how we process your personal data, please contact us using the contact details on the last page. You may also raise objections to the relevant data protection authorities where you live or work or where the alleged infringement of data protection law occurred.

This Privacy Statement was last updated on 31 October 2023. Future updates may be required in response to changing legal, technical or business developments.

To exercise your rights with regards to data protection please use this link.

You can also direct your queries to: SIX Group Services Ltd, Data Protection Officer, Hardturmstrasse 201, 8005 Zurich, Switzerland, e-mail: dataprotection@six-group.com