Data protection and data security are a priority for Crédit Agricole next bank (Suisse) SA (hereinafter "CANB") and its partners. In this data protection policy, clients are informed of the processing and flow of data when they pay merchants or private individuals and use the value added services through the CA next bank TWINT application (hereinafter the "CA next bank TWINT app").
In the context of the CA next bank TWINT application, CANB cooperates in particular with the company TWINT AG headquartered in Zurich (hereinafter TWINT AG), Swisscom SA (hereinafter Swisscom) whose headquarters are in Ittingen, and SIX Payment Services SA (hereinafter SIX) with headquarters in Zurich.
TWINT AG, as an operator of the TWINT system, is responsible for processing the payments made via CA next bank TWINT and for providing the value added services (physical card, coupons, etc.).
Swisscom develops and makes available to CANB the CA next bank TWINT application as well as the interfaces with TWINT AG and SIX required for the effective operation of the CA next bank TWINT application.
For this purpose, CANB has entered into various contracts with TWINT AG, Swisscom and SIX for the provision and operation of the CA next bank TWINT application, the provisions of which are also imposed on any duly appointed subcontractors.
With respect to the collection, processing, communication and use of its clients' personal data, CANB, its agents and any subcontractors are subject to compliance with the Swiss federal law on banks and Swiss data protection laws (in particular the Federal Data Protection Act, FADP, and its implementing ordinance, OPDo).
CANB and TWINT AG (hereinafter "We") are independently responsible for the processing of the data under this policy, or maintain subcontracting relationships for the processing of the data concerned.
This Data Protection Policy concerns you for one or more of the following reasons:
This Policy complements the CANB data protection policy and specifies the information set out in the contracts you have signed with CANB. If there is any contradiction between the provisions of this Policy and the provisions stated in these contracts or other media, the provisions of the latter shall prevail. When we collect your data through one of our Clients and process them, it is the responsibility of that Client or its representative to inform you of this, including by means of this data protection Policy.
In general, we collect personal data directly from you, for example when the CA next bank TWINT app is installed and used, and in different ways:
When the CA next bank TWINT app is installed and used, we process the following personal data:
These personal data must be processed to be able to deliver the services provided in the CA next bank TWINT app, including the processing of payments, the verification of solvency, the provision of information regarding availability, the fight against fraud and the processing of claims and reimbursements, as well as to comply with regulatory requirements. If you do not give us this information, you will not be able to use the CA next bank TWINT app.
In order to provide you with information and personalised offers from TWINT or in relation to TWINT in the CA next bank TWINT app (TWINT campaigns), your payment data are analysed in order to customize their distribution. The following information and data are used for personalisation purposes:
Moreover, you can allow third-party service providers' campaigns to be displayed to you, and, for personalisation purposes, supplementary data about you to be analysed at the same time as the payment data. You can revoke your consent at any time in the CA next bank TWINT app. The following personal data about you are processed for this purpose:
You can register customer loyalty programmes and other preferential offers from third-party service providers (physical cards) in the CA next bank TWINT app. The following data are processed to enable the display or transmission of the physical card:
The personal data that are processed for the display or transmission of the physical card are deleted if you erase the physical card in the CA next bank TWINT app.
In the CA next bank TWINT app, you can directly purchase merchandise and services (e.g. super deals or digital coupons) or other offers (for example, parking or cash withdrawal). These offers are governed by the provisions and confidentiality policies indicated in the offer in question.
We may automatically evaluate some of your specific personal information ("profiling") to determine your preference data, to identify security and abuse risks, to conduct statistical evaluations, or for operational planning purposes. By using the app, you accept that your transaction data will be analysed so that we can present personalized TWINT offers to you.
In cases where we take decisions that rely exclusively on automated processing and which have a legal impact for you or which could significantly affect you, we will inform you accordingly and will take the necessary measures in accordance with applicable laws.
Your personal data are saved on secure servers in Switzerland or the European Union.
We keep and process your personal data as long as needed to achieve the intended purpose. The data will be deleted as soon as they are no longer needed to provide the service.
To comply with our legal and regulatory obligations, in particular legislation regarding money laundering or accounting or tax requirements, contractual documents and certain data (e.g. payment data) must be retained for a maximum period of ten (10) years after the end of the commercial relationship.
Personal data can be stored in archives (i.e. with restricted access), for the purposes of evidence management, for a maximum period corresponding to the duration of the contractual relationship or business relationship, plus any additional time required for the assessment and consolidation of rights, the duration of statutory limitation periods and the exhaustion of remedies.
Users can also transmit their location data to us. Their consent will be requested before the data is transmitted, depending on the configuration of their smartphones. Location data are only recorded imprecisely (radius of 16 km), and are deleted after six months at the latest.
In the context of the use of the CA next bank TWINT app, we communicate your personal data to the following categories of recipients:
We take great care to ensure that your personal data are processed and stored in Switzerland or in a country whose data protection legislation is recognized as "adequate" by the Swiss Federal Data Protection and Information Commissioner, which is the case for nearly all of the processing operations performed.
As mentioned in section 9, we also communicate data to third parties. They are not all located exclusively in Switzerland. Your data may therefore be processed in Europe or the United States (e.g. when using Google Analytics), or – in exceptional cases – in any other country in the world. Some of the service providers mentioned in this Data Protection Policy are based in the United States, which does not have adequate data protection legislation. In this case we contractually oblige this recipient to comply with the applicable data protection law (for this purpose, we use the revised standard contractual clauses of the European Commission, available here), unless the recipient is already subject to a data protection regulatory framework that is recognized by law and we cannot rely on an exemption. An exception may apply in the case of legal proceedings abroad, but also in case of overriding public interests or if the performance of a contract requires such disclosure, if you have given your consent or if it concerns data that you have made accessible to everyone and you are not opposed to their processing.
In the CA next bank TWINT app we use Google Analytics for Firebase, an analytics tool by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google). Google Analytics uses methods such as cookies to analyse client behaviour in the CA next bank TWINT application in order to continually optimize the application. The data collected about your use of the application include:
As a general rule, these data are transferred to a Google server in the United States, where they are saved. In this context, the IP address is truncated by activating IP anonymization ("anonymizeIP") before being transmitted within member States of the European Union, in the other States party to the agreement on the European Economic Area, or in Switzerland. The masked IP address transmitted for the purposes of Google Analytics will not, according to Google, be combined with other Google data. In exceptional cases, the full IP address may be transmitted to a Google server located in the United States and be truncated there. In such cases, you will be asked to give your prior consent to the processing of the data.
This information is used to analyse the use of the application, report on application activity and provide other services related to the use of the application for market research purposes and to design our websites as needed. These data may be transmitted to third parties if required by law or if such third parties are mandated to process the data.
The use of Google Firebase for application optimization can be disabled in the CA next bank TWINT application.
In the CA next bank TWINT application, TWINT uses the Microsoft Corporation ("Microsoft") Software Development Kit (SDK) App Center to transmit crash reports with the aim of continuously improving the CA next bank TWINT application. Information on CA next bank TWINT application crashes collected by the SDK App Center is transmitted to Microsoft's server in the United States and stored there. These data are evaluated by Microsoft to provide crash reports and other services related to error message analysis of the CA next bank TWINT application. Detailed information on the type of data and their use is included in Microsoft's privacy policy at the following link: https://privacy.microsoft.com/de-de/privacystatement.
You may, at any time, under the conditions set by law:
Please note that the exercise of some of these rights may prevent the provision of certain products or services.
If you wish to exercise any of your rights, you may write to the address mentioned in the section "Your Contact Points", indicating the right(s) you wish to exercise as well as all elements enabling your identification (identity document, contract number, etc.).
If you have any questions or claims, or wish to exercise your rights mentioned above, you can contact the department responsible for personal data protection:
CANB has appointed a Data Protection Officer (DPO) who can be contacted at the following addresses: Crédit Agricole next bank (Suisse) SA – Data Protection Officer – Esplanade de Pont Rouge 4-6 - CP 1250, 1211 Geneva 26 or by email: dpo@ca-nextbank.ch.