The protection and the lawful collection, processing and use of the personal data of our Customers is an important concern for us. As such, Helvetia Finance & Trust AG is committed to complying with the GDPR and the national data protection laws. Data protection is a matter of high priority and we only work with partners who can also demonstrate an appropriate level of data protection. We only process your data if you have given us your express consent, if this is based on a contract or pre-contractual measures on a service basis or if the relevant laws permit or require data processing. Our procedures cover both the currently applicable national legal framework and the requirements of the General Data Protection Regulation (GDPR) valid throughout Europe from 25 May 2018. Under no circumstances will we sell our Customer data or pass them on to unauthorised third parties. We understand that our Customers own their own data. It is not ours. Accordingly, Identifikaciniai Projektai adheres to these guidelines as well on our behalf.
Lawful basis and transparency
- Conduct a regular (at least monthly) audit to determine what information we process and who has access to it. Since Helvetia Finance & Trust AG conducts higher-risk data processing, we keep an up-to-date and detailed list of processing activities (Schedule A-DP) and remain prepared to show that list to regulators upon request. To demonstrate GDPR compliance, we utilise a data protection impact assessment (Schedule B-DP). We include: the purposes of the processing, what kind of data we process, who has access to it within the Helvetia Finance & Trust AG organisation, any third parties (and where they are located) that have access, what we’re doing to protect the data (e.g. encryption), and when we plan to erase it (if possible).
- Helvetia Finance & Trust AG must have a legal justification for our data processing
Helvetia Finance & Trust AG is aware that the processing of data is illegal under the GDPR unless it can be justified according to one of six conditions listed in Article 6. There are other provisions related to children and special categories of personal data in Articles 7-11. Helvetia Finance & Trust AG processes data on the basis of the consent of the data subject concerned or some other legitimate basis”, as follows:
- Consent – must meet all 5 requirements (see 5 key elements to lawful consent, below)
- Contract – Processing is necessary to satisfy a contract to which the data subject is a
- Legal obligation – You need to process the data to comply with a legal
- Life saving – You need to process the data to save somebody’s
- Public interest – Processing is necessary to perform a task in the public interest or to carry out some official function.
- Legitimate interest – you have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.
5 Key elements to lawful consent:
In short, lawful consent requires 5 key elements (If you’re missing any one of these five elements, you do not have consent under the GDPR):
- Freely given – the person must not be pressured into giving consent or suffer any detriment if they refuse.
- Specific – the person must be asked to consent to individual types of data
- Informed – the person must be told what they’re consenting
- Unambiguous – language must be clear and simple. That is, there should be no question about whether the data subject has consented. “Silence, pre-ticked boxes or inactivity should not therefore constitute consent,” according to GDPR Recital 32.
- Clear affirmative action – the person must expressly consent by doing or saying something, and it must be simple for consent to be revoked.
Helvetia Finance & Trust AG provides clear information about our data processing and legal justification in our privacy
We explain to our Customers and site visitors in our privacy and cookies policies that that we are collecting their data, and why (Article 12). We also explain in our privacy policy how the data is processed, who has access to it, and how we keep it safe.
Data Security
- We take data protection into account at all times from the moment each time we process data. See “Schedule D-DP”.
- Encrypt, pseudonymize, or anonymise personal data wherever
At Helvetia Finance & Trust AG we follow the principles of ‘data protection by design and by default,’ including implementing ‘appropriate technical and organisational measures’ to protect data. We also ensure that any processing of personal data adheres to the data protection principles outlined in Article 5. Technical measures we employ include but are not limited to encryption, and organisational measures such as limiting the amount of personal data we collect or deleting data we no longer need. A
- Create an internal security policy for our team members and build awareness about data
At Helvetia Finance & Trust AG we are aware that even though our technical security is very strong, operational security can still be a weak link. As such, we have created a security policy that ensures the Helvetia Finance & Trust AG team members are knowledgeable about data security. It includes guidance about email security, passwords, two-factor authentication, device encryption, and VPNs. Helvetia Finance & Trust AG employees who have access to personal data and non-technical employees receive extra training in the requirements of the GDPR.
- We conduct data protection impact assessments and we have a process in place to carry it
A data protection impact assessment (aka privacy impact assessment) is a way to help us understand how our product or service could jeopardize our Customers’ data, as well as how to minimise those risks. The GDPR requires us to carry out this kind of analysis whenever we plan to use people’s data in such a way that it’s ‘likely to result in a high risk to their rights and freedoms.’ As per the ICO’s recommendations, Helvetia Finance & Trust AG , does it anytime we’re about to process personal data, in a new way.
- We have a process in place to notify the authorities and our data subjects in the event of a data
If there’s a data breach and personal data of our Customers is exposed, we notify the supervisory authority in our jurisdiction of Switzerland within 72 hours. We also quickly communicate data breaches to our Customers/ data subjects unless the breach is unlikely to put them at risk (for instance, if the stolen data is encrypted).
Accountability and governance
- Jonathan Curci is the responsible person at Helvetia Finance & Trust AG for ensuring GDPR
As part of ‘data protection by design and by default‘, Jonathan Curci is empowered to evaluate data protection policies and the implementation of those policies.
- Helvetia Finance & Trust AG signs a data processing agreement with all third parties that process personal data on our behalf, including any third-party services that handle the personal data of our data subjects, such as analytics software, email services, cloud servers, etc. We only use third parties that are reliable and can make sufficient data protection guarantees.
- Since we are located outside the EU, we plan to appoint a representative within Switzerland or, if required, one of the EU member states.
Since we anticipate having Customers across multiple member states, and since it is recommended to have a representative in all countries where we have Customers, we will wait until this requirement is interpreted, and in the meantime, we plan to designate a representative in a member state that uses our language, such as the United Kingdom.
- Appoint a qualified Data Protection Officer (DPO). While it is not required to appoint a DPO in Switzerland, we plan to appoint one asap.
Privacy rights
- Helvetia Finance & Trust AG ensures that it is easy for our Customers to request and receive all the information we have about them.
Our Customers have the right to see what personal data we have about them and how we’re using it. They also have a right to know how long we plan to store their information and the reason for keeping it that length of time. We stand prepared to send our Customers the first copy of this information upon request, free of charge, within a month, after we have identified the person requesting the data.
- We make it easy for our Customers to correct or update inaccurate or incomplete
We do our best to keep our Customer data up-to-date by and we make it easy for our Customers to view (Article 15) and request an update their personal information promptly for accuracy and completeness.
- We make it easy for our Customers to request to have their personal data
Subject to the five grounds on which we can deny the request, our Customers have the right to ask us to delete all the personal data we have about them, and we have to honor their request within about a month. Reasons to deny include compliance with our legal obligation under AML.
- We make it easy for our Customers to ask us to stop processing their
Our Customers/data subjects can request to restrict or stop processing of their data if certain grounds apply, mainly if there’s some dispute about the lawfulness of the processing or the accuracy of the data. We honor such requests within one month. In such cases, processing shall be restricted, but we will still be allowed to keep storing their data. If we plan to begin processing their data again, we will first notify the data subject.
- We make it easy for our Customers to receive a copy of their personal data in a format that can be easily transferred to another company.
Upon request, we send the personal data of our Customers in a commonly readable format (e.g. a spreadsheet) either to them or to a third party they designate.
- We make it easy for our Customers to object to our processing their
If we process our Customer or site visitors’ data for the purposes of direct marketing, we stop processing it immediately for that purpose, upon request.
- Since Helvetia Finance & Trust AG makes some decisions about people based on automated processes, we have a procedure to protect their rights.
Some types of organisations use automated processes to help them make decisions about people that have legal or ‘similarly significant’ effects. If you think that applies to you, you’ll need to set up a procedure to ensure you
are protecting their rights, freedoms, and legitimate interests. You need to make it easy for people to request
human intervention, to weigh in on decisions, and to challenge decisions you’ve already made.