Baseline Wealth Management Ltd (“Baseline”) has issued this Data Privacy Statement in light of the Swiss Federal Act on Data Protection (“DPA”) and its upcoming revision. Swiss data protection legislation is historically closely tied to EU regulations and its future amendment will be substantially influenced by EU General Data Protection Regulation (“GDPR”). Furthermore, although GDPR is an EU-regulation, under certain circumstances it may apply to companies outside the EU such as Baseline (extraterritorial effect).
In this Data Privacy Statement Baseline would like to outline how it collects, processes and protects personal data about the following persons: (i) prospective clients, (ii) persons that have or are in the process of applying for an account with Baseline (“ Clients”) and (iii) individuals or entities whose information is provided by a Client to Baseline or comes otherwise to Baseline’s knowledge in connection with services provided by Baseline to a Client (“Connected Individuals”). A Connected Individual may include, but is not limited to, (i) any director, officer, authorized signatory or employee of a company, (ii) a trustee, settlor or protector of a trust, (iii) any beneficial owner of Client’s assets, (iv) a controlling person, (v) a payee of a designated payment, (vi) representative(s) or agent(s) of a Client, (vii) a co-obligor under a loan (e. g. guarantor of a credit) or (viii) any other individual or entity having a relationship with a Client that is relevant to this Client’s business relationship with Baseline. Furthermore, this Data Privacy Statement shall also inform Clients, Connected Individuals and prospective clients of their rights in relation to personal data collected and processed by Baseline. Please note: Which specific personal data are processed and how they are used depends largely on the products and services requested or agreed in each case.
Wherever Baseline uses “you” or “your” in this Data Privacy Statement, this is meant as a reference to a prospective client, a Client and any Connected Individual as defined herein.
If Baseline provides separate or further information about how it collects and uses Clients’ or Connected Individuals’ personal data for a particular product or service, those terms will also apply. Furthermore, this Data Privacy Statement continues to apply even if Client’s agreements for portfolio management or other products and services with Baseline end.
Please familiarize yourself with this Data Privacy Statement and also forward it to any Connected Individuals before Baseline is provided with personal data of such Connected Individual.
1. Who is responsible for Data Processing and who can you contact in this regard?
The controller for data processing purposes can be reached at:
Baseline Wealth Management Ltd
Chief Compliance Officer
Rue du Rhône 67
CH-1207 Geneva Switzerland
E-Mail Address: firstname.lastname@example.org
2. What sources and data does Baseline use?
The personal data Baseline collects or has about Clients, Connected Individuals and prospective clients come from different sources. This includes personal data relating to the business relationship or a prospective business relationship with Baseline or any of Baseline’s products or services that the Client or a Connected Individual or prospective client has applied for or held previously.
Some of the personal data will come directly from the Client, the Connected Individual or the prospective client. Some might be obtained from a bank, another independent asset manager, another advisor, a business introducer or from other third parties. Personal data might also come from other entities or Baseline might obtain such personal data lawfully by accessing publicly available sources or combining different sets of information.
Personal data collected may include, in particular:
a) Information that a Client, a Connected Person or a prospective client provides to Baseline such as:
b) Information that Baseline collects or generates about the Client, a Connected Person or a prospective client, such as:
c) Information about the Client, a Connected Person or a prospective client that Baseline collects from other sources, for example:
Baseline may also collect and process additional personal data about which Baseline will inform you from time to time.
3. What does Baseline process personal data for (purpose of the processing) and on what legal basis?
Baseline processes personal data of Clients, Connected Individuals and prospective clients for various purposes in accordance with the provisions of the Swiss DPA and only uses such personal data where Baseline has a lawful basis for using it. The lawful basis and purposes include processing:
a) For the fulfillment of contractual obligations
The processing of personal data is carried out in order to perform banking transactions and financial services pursuant to contracts with Baseline’s Clients and their Connected Individuals or to take steps prior to entering into a contract (e.g. with prospective clients).
The purposes of data processing are primarily dependent on the specific product (e.g. portfolio management mandate, credit, securities, deposits, payments) and can include needs assessments, advisory, portfolio management and other financial or support services, as well as the carrying out of transactions. Additional details about the purposes of data processing may also be included in the applicable contractual or product documentation.
b) In the context of balancing interests and the purposes of safeguarding legitimate interests respectively
Where required, Baseline processes personal data beyond the actual fulfilment of the contract for the purposes of safeguarding the legitimate interests pursued by Baseline or a third party. For Example:
c) On the basis of your consent (article 17 of the DPA)
Insofar as you have granted Baseline consent to process your personal data for specific purposes (e.g. analysis of transactional activities for marketing purposes), this processing is lawful on the basis of your consent. A consent given may be revoked at any time. Please be advised that a withdrawal of consent does not affect the lawfulness of the processing of data prior to revocation of such consent. Note however that Baseline may still be entitled to process your personal data if it has another legitimate reason for doing so.
d) Due to legal obligations
Furthermore, Baseline is subject to various legal obligations, i.e. statutory requirements (e.g. FINIa, FINsa, the Banking Act, Collective Investment Schemes Act, Anti-Money Laundering Act, Mortgage Bond Act, ordinances and circulars of regulatory authorities and tax laws) as well as portfolio management regulatory requirements. Purposes of processing include for example assessment of risk profile, identity and age verification, fraud and money laundering prevention measures, fulfilment of control and reporting obligations under fiscal and other laws, and measuring and managing risks within Baseline (including for consolidated supervision purposes).
Baseline may also collect and process additional personal data for other purposes about which Baseline will inform you from time to time.
4. Who receives personal data?
Within Baseline those units are given access to personal data of Clients, Connected Individuals and prospective clients which require them in order to perform Baseline’s contractual and statutory obligations or as further described in this Data Privacy Statement. Service providers and auxiliary persons appointed by Baseline may also receive data for these purposes if they observe banking secrecy. These could mainly be companies in the categories of banking services, IT services, logistics, printing services, telecommunications, debt collection, advice and consulting, as well as sales and marketing.
With regard to transferring data to other recipients outside Baseline, to begin with, it is to be noted that, as a Swiss Financial Market Authority (“FINMA”) authorized portfolio manager, Baseline is generally obliged to maintain secrecy about any customer-related facts and evaluations which Baseline may acquire or have knowledge of (banking secrecy). Baseline may pass on information about you only if legal provisions demand it, if you have given your consent (e.g. to process a financial transaction a Client or Connected Individual has ordered Baseline to perform), and/or if Baseline is authorized to provide information. Under these requirements, recipients of personal data can be, for example:
Additional recipients of personal data may be those for which you have given your consent to transfer your personal data or with respect to which you have exempted Baseline from banking secrecy by agreement or consent.
5. Is data transferred to a third country or to an international organisation?
In certain circumstances personal data may be transferred to, and stored at, a destination outside Switzerland, including locations which may not have the same level of protection for personal data as Switzerland. Baseline will always do this in a way that is permissible under data protection rules. Baseline may need to transfer your information in this way for example:
Transfer of personal data to recipients in countries outside Switzerland, the EEA and the EU (so-called third countries) will take place if:
Where your personal data is to be disclosed to third parties domiciled in countries which do not have an appropriate level of data protection, Baseline ensures that where necessary it takes appropriate measures (e.g. contractual arrangements - such as the EU Standard Contractual Clauses / see Article 46 para. 2 (c) of the GDPR- or other precautions or justifications) so that personal data continues to receive appropriate protection.
You can obtain more details of the protection given to your information when it is transferred outside Switzerland by contacting Baseline in accordance with the information provided in section 1 above.
6. How long will personal data be stored?
Baseline will process and store personal data of Clients, Connected Individuals or prospective clients for as long as it is necessary in order to fulfil Baseline’s contractual and statutory obligations. It should be noted here that the business relationship with Baseline is a continuing and long-term obligation, intended to last for several years.
If the personal data are no longer required in order to fulfil contractual or statutory obligations, they are regularly deleted, unless their further processing – generally for a limited time - is required for the following purposes:
7. What data protection rights do you have?
Under the applicable data protection laws you may have the following rights: the right of access (as defined in article 8 DPA), the right to rectification (as defined in article 5 DPA), the right to erasure (as defined in article 5 DPA), the right to restriction of processing (as defined in articles 12, 13, 15 DPA), the right to object to the data processing (as defined in article 4 DPA) and, if applicable. The right of access and the right to erasure are subject to certain restrictions (under articles 9, 10 and 13 DPA). Furthermore, if applicable on a person, there is also a right to lodge a complaint with an appropriate data privacy supervisory authority.
Where Baseline processes personal data based on your granted consent, you may revoke your consent specifically granted to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were granted to Baseline prior to the entry into force of the GDPR, i.e. before May 25, 2018. Please be advised that the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be affected thereby. Please note however that Baseline may still be entitled to process your personal data if it has another legitimate reason for doing so.
8. How is personal data kept secure?
Baseline implements internal technical and organisational measures to keep personal data of Clients, Connected Individuals and prospective clients safe and secure which may include encryption, anonymization, access limitations and physical security measures. Baseline requires its employees and any third parties who carry out any work on Baseline’s behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of personal data.
9. Is there an obligation to provide data?
In the context of a business relationship with Baseline a Client or a Connected Individual, must provide all personal data which is necessary for the establishment and maintenance of such business relationship and the performance of the associated contractual obligations or which Baseline is legally obliged to collect. As a rule, Baseline would not be able to enter into or perform any contract or – consequently - accept and execute any order without collecting and processing personal data.
Data subjects are responsible to make sure the information provided to Baseline is accurate and up to date.
In particular, provisions of anti-money laundering law require that Baseline verifies a data subject’s identity before entering into the business relationship by means of a document of evidentiary value (e.g. identity card) and that Baseline collects and records a data subject’s name, place of birth, date of birth, nationality, residential address and other data for that purpose. In order for Baseline to be able to comply with this statutory obligation, a data subject must provide Baseline with the necessary information and documents in accordance with the Anti-Money Laundering Act and notify Baseline without undue delay of any changes that may arise during the course of the business relationship. If a data subject does not provide Baseline with the necessary information and documents, Baseline will not be allowed to enter into or continue the requested business relationship.
If you give Baseline any information about another person connected to your account (such as a Connected Individual), you must inform such person about what personal data you have given to Baseline, and make sure they are informed of the content of this Data Privacy Statement.
10. Is “profiling” or “automated decision-making” used?
In some cases, Baseline processes personal data of Clients, Connected Individuals or prospective clients automatically with the aim of evaluating certain personal aspects (profiling). For instance, Baseline uses profiling in the following cases:
Due to legal and regulatory requirements, Baseline is obliged to take anti-money laundering, anti-terrorist-financing, anti- fraud and anti-financial crime measures. Data evaluations (including on payment transactions) are also carried out in this context. At the same time, these measures also serve to protect you.
In order to provide you with targeted information and advice on products, Baseline may use evaluation tools. These enable demand-oriented communication and advertising, including market and opinion research.
Baseline reserves its right to further analyse and evaluate personal data in an automated manner in the future, so as to identify significant personal characteristics of yourself or to predict developments and to create client profiles. These may in particular be used for business-related checks, individual management, advisory or financial services and the provision of offers and information that Baseline may make available to you.
When providing you with services, Baseline may make decisions about you by automated means. Baseline will ensure that a suitable contact person is available if you wish to express a view on any automated individual decision where such an opportunity to express a view is required by law. In such event, please refer your request to the address contained in section 1 above.
11. Changes to the Data Privacy Statement
You may request a copy of this Data Privacy Statement from Baseline using the contact details set out in section 1 above. Baseline may modify or update this Data Privacy Statement from time to time by providing a revised version to its Clients or making such a revised version available on Baseline’s website at www.baselinewealth.com.