Privacy Statement Securities & Exchanges

What’s the purpose of this Privacy Statement?

This Privacy Statement explains how and why Securities & Exchanges of SIX processes personal data. It applies to all natural persons with whom we come into contact (referred to as “you” in this document). This includes employees, officers, directors, beneficial owners and other personnel of our customers as well as service providers, authorities, and other business counterparties.

Why privacy?

Securities & Exchanges aims at strong protection of natural persons in regards to processing of their personal data. Our services are offered to institutional customers only,  nonetheless the processing of transactions might include personal data where this is necessary to ascertain  the business purpose. In addition, we process personal data in the context of business contact information.

Who is responsible?

The legal entities of Securities & Exchanges listed below are the controllers of your personal data. They are responsible for processing your data.  

• SIX Exfeed AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
  
• SIX Repo AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
  
• SIX Securities Services AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
  
• SIX SIS AG
  Baslerstrasse 100
  4601 Olten
  Switzerland
  
  
• SIX Swiss Exchange AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
  
• SIX Trade Repository AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
  
• SIX x-clear AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  

Why do we process personal data?

We process personal data about you where:

• It is necessary to enter into a contract or carry out a contract with our customer
• It is necessary to comply with our legal obligations, or
• It is in our legitimate business interests, e.g. for security compliance if you visit our office, or to protect our IT infrastructure.

We process your personal data for the following reasons:

• To undertake corporate marketing
• To enter into contract
• To provide services and products to our customers including any communication required to render them
• To ensure fair and orderly markets
• To receive customer requests and improved services/products accordingly
• To receive, investigate and respond to customer complaints
• To  inform customers, suppliers and authorities about incidents and their impacts and resolution
• To manage relationships with our business partners, customers and service providers
• To carry out analyses with the intention to strengthen our relationships and improve the quality of our services and products
• For testing and support purposes
• To operate and maintain our information technology
• To establish, exercise and/or defend legal claims and rights
• To protect, exercise and enforce our rights, property or safety, or to assist our customers or others to do so
• For other purpose

What categories of personal data do we have?

Personal data processed by Securities & Exchanges is limited to basic contact information for individuals. In general this includes name, job title, position, work address, telephone number, email address. Other categories depend on the respective business product or service, e.g. beneficial owner identifiers in transaction reports.

Where do we get personal data from?

We collect data from the following sources:

• Personal data obtained from customers when you
  -  Give us contact data for relationship management, sales or any other purpose
  -  Send us your data on forms, e-forms, e-mail or by post
  -  Send us information for client on-boarding or admission
  -  Provide us data to enter into a contract or service level agreement including billing
  -  Provide us with data during the performance of our services for issue management, collection of customer experience,  service improvement and other legitimate reasons
  
• Personal data obtained from service providers required to
  -  Establish and maintain a contact
  -  Enter into and maintain contracts, service level agreements and other types of service descriptions
  -  Facilitate billing and payment
  -  Monitor and control service delivery to ensure and enhance quality
  -  Collaborate on solution design and delivery
  
• Personal data we receive from other sources
  -  Background information from third party providers
  -  Information from authorities
  -  Information from publicly available sources

To whom do we disclose your personal data?

Your personal data may be disclosed to and / or transferred to

• Our business partners (e.g. custodians, correspondent banks) if your data is included in business transactions which need to be processed by them
• Your own organization in connection with issue and problem resolution, contract management, service and billing requests, requests of your compliance office, client relationship management concerns
• The Swiss National Bank (SNB)
• Competent regulatory (e.g. FINMA), prosecuting or tax authorities
• Our auditors and legal advisors involved in or contemplating legal proceedings
• Our technology suppliers that provide support for incident handling
• Other persons where disclosure is required by law

Where do we transfer your personal data to?

We may transfer your personal data to SIX entities, regulatory, prosecuting, tax and governmental authorities, courts and other tribunals, service providers and other business counterparties located in countries inside or outside the European Economic Area (EEA), including countries which have different data protection standards to those which apply in the EEA. When we transfer your personal data to service providers or other business counterparties in these countries, we will ensure that they protect your personal data in accordance with EEA-approved standard data transfer agreements or other appropriate safeguards.

In the international custody business data may be transferred in the countries in which the sub-custodian is located. For other services, data may be transferred to the following countries if necessary for the provision of the service: Austria, Belgium, Colombia, Cyprus, France, Germany, Greece, Hungary, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Poland, Singapore, Spain, Sweden, United Arab Emirates, United Kingdom, United States.

How long to we keep personal data?

As a general rule, we keep personal data as long as we have a client relationship. After a client relationship ends, we usually must keep it for a period of 10 years.  In cases where the relevant client or counterparty informs us that employment of a certain persons has ceased, the retention period starts from that point in time.

What rights do you have in relation to personal data?

You can ask us to: (i) provide you with a copy of your personal data; (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You can also opt out of the processing of your personal data for direct marketing purposes or object to our other processing of your personal data. These rights will be limited in some situations; for example, where we are required to process your personal data by law.

To exercise these rights or if you have questions about how we process your personal data, please contact us using the contact details on the last page. You can also complain to the relevant data protection authorities where you live or work or where the alleged infringement of data protection law occurred.

Updates to this Privacy Statement

This Privacy Statement was last updated on 9/1/2023. Future updates may be required in response to changing legal, technical or business developments.

How to contact us

To exercise your rights with regards to data protection please use this link. You can also direct your queries to: SIX Group Services Ltd., Data Protection Officer, Hardturmstrasse 201, 8005 Zurich, Switzerland, E-Mail: dataprotection@six-group.com