General Data Protection Regulation (GDPR)

A new regulation from the European Union (EU) already came into force two years ago with the new General Data Protection Regulation (GDPR), which simplifies the rules on personal data processing by private companies and public bodies across Europe. With the GDPR, personal data protection should be ensured on the one hand, and free movement of data should be guaranteed on the other hand. The new regulation must be applied as of 25th May 2018 – this is also the case for Switzerland.
 

SIX processes data that is provided by customers to handle the contractual relationship – this affects data in relation to contacts in particular, such as their names, email addresses or business telephone numbers. By disclosing the data mentioned above, the customer confirms that he/she has notified the affected natural persons (employees, officer, etc.) that the data has been passed on.
 

As part of its duty of care to prevent fraud and terrorism financing, SIX is obligated to obtain and store specific documents and information upon commencement of the business relationship. Documents that must be stored are, in particular, copies of documents and information that are required to meet its duty of care and transaction receipts/records that are required to investigate transactions.
 

SIX only processes data for the purpose of handling the contract with the customer. Under no circumstances does SIX process data outside of contractual relationships with customers.
 

All SIX companies are direct or indirect subsidiaries of the SIX Group. SIX companies may outsource data processing and other services in whole or in part to the SIX Group or other SIX Group companies, as well as external third parties domestically or overseas. If data is transmitted to third parties as part of such outsourcing, SIX obligates the recipient in advance to ensure their existing confidentiality and data protection obligations in full.
 

As part of handling the contract for the customer, SIX may collaborate with third parties (e.g. suppliers) who also deliver services or manufacture products outside of Switzerland. SIX concludes contracts that ensure an appropriate level of data protection insofar as such contractual partners may be able to view customer data as part of handling the contract.
 

Data is normally stored for ten years, beyond the conclusion of the contractual relationship with the customer. Data that must be deleted beforehand in accordance with local legislation are excluded from this.
 

Data subjects have the right,

• to receive information as to if and what data is stored by SIX and how it is stored (categories of data, recipients or categories of recipients, the storage period of data or criteria for determining the storage period);
• to receive a copy of the data;
• to request the rectification of data if it is incorrect;
• to request erasure of data;
• to request restrictions on the processing of data;
• to receive data in a structured, common and machine-readable format;
• to lodge a complaint to the processing of data, in particular for the purpose of direct marketing.

The above-mentioned rights can be refused or restricted if the interests, rights and freedoms of third parties prevail or data processing is used to assert, exercise or defend legal claims.

Yes. All questions in relation to data protection and the rights of affected persons must be sent to the following address:

If you have any queries, please contact the respective competent authority in your country.

• SIX Payment Services (Europe) SA: Dataprotection.europe@six-payment-services.com 
• SIX Payment Services (Austria) GmbH: Dataprotection.austria@six-payment-services.com
• SIX Payment Services (Germany) GmbH: Dataprotection.germany@six-payment-services.com
• SIX Payment Services AG & SIX Payment AG (ex. Aduno): Dataprotection.switzerland@six-payment-services.com

If you have any questions on the new guidelines, please consult[D1]  the attached customer information.