Data protection policy for the "CA next bank TWINT" mobile application

1. PREAMBLE

Data protection and data security are a priority for Crédit Agricole next bank (Suisse) SA (hereinafter "CANB") and its partners. In this data protection policy, clients are informed of the processing and flow of data when they pay merchants or private individuals and use the value added services through the CA next bank TWINT application (hereinafter the "CA next bank TWINT app").

In the context of the CA next bank TWINT application, CANB cooperates in particular with the company TWINT AG headquartered in Zurich (hereinafter TWINT AG), Swisscom SA (hereinafter Swisscom) whose headquarters are in Ittingen, and SIX Payment Services SA (hereinafter SIX) with headquarters in Zurich.

TWINT AG, as an operator of the TWINT system, is responsible for processing the payments made via CA next bank TWINT and for providing the value added services (physical card, coupons, etc.).

Swisscom develops and makes available to CANB the CA next bank TWINT application as well as the interfaces with TWINT AG and SIX required for the effective operation of the CA next bank TWINT application.

For this purpose, CANB has entered into various contracts with TWINT AG, Swisscom and SIX for the provision and operation of the CA next bank TWINT application, the provisions of which are also imposed on any duly appointed subcontractors.

2. DATA CONTROLLER

With respect to the collection, processing, communication and use of its clients' personal data, CANB, its agents and any subcontractors are subject to compliance with the Swiss federal law on banks and Swiss data protection laws (in particular the Federal Data Protection Act, FADP, and its implementing ordinance, OPDo).

CANB and TWINT AG (hereinafter "We") are independently responsible for the processing of the data under this policy, or maintain subcontracting relationships for the processing of the data concerned.

3. WHO IS THIS DATA PROTECTION POLICY INTENDED FOR?

This Data Protection Policy concerns you for one or more of the following reasons:

  • You are a "Client": we are or have been in a direct contractual relationship with you as a CANB client.
  • You are an "Intermediary": we process your data when you interact with our institution through one of our Clients. You may be the beneficial owner, the beneficiary of transactions, etc.

This Policy complements the CANB data protection policy and specifies the information set out in the contracts you have signed with CANB. If there is any contradiction between the provisions of this Policy and the provisions stated in these contracts or other media, the provisions of the latter shall prevail. When we collect your data through one of our Clients and process them, it is the responsibility of that Client or its representative to inform you of this, including by means of this data protection Policy.

4. WHAT ARE THE SOURCES FROM WHICH WE COLLECT PERSONAL DATA?

In general, we collect personal data directly from you, for example when the CA next bank TWINT app is installed and used, and in different ways:

  • Directly from you when you sign a contract with us and use the services of the CA next bank TWINT app (registration and use).
  • Indirectly through our Clients when you are in a relationship with them.
  • Indirectly through public or private external sources that allow us, in compliance with your rights and applicable laws, to know you better (databases and publications made available by official authorities, etc.)

5. WHAT PERSONAL DATA DO WE COLLECT AND FOR WHAT PURPOSE?

a. Installation and use of the application

When the CA next bank TWINT app is installed and used, we process the following personal data:

  • Surname, first name
  • Address
  • Date of birth
  • Telephone number
  • Bank details
  • Identity document
  • Email address
  • Location data (after agreement)

These personal data must be processed to be able to deliver the services provided in the CA next bank TWINT app, including the processing of payments, the verification of solvency, the provision of information regarding availability, the fight against fraud and the processing of claims and reimbursements, as well as to comply with regulatory requirements. If you do not give us this information, you will not be able to use the CA next bank TWINT app.

b. Marketing Purposes

In order to provide you with information and personalised offers from TWINT or in relation to TWINT in the CA next bank TWINT app (TWINT campaigns), your payment data are analysed in order to customize their distribution. The following information and data are used for personalisation purposes:

  • Name, business sector and location of the payment recipient
  • Date and time of payment
  • Amount involved
  • Type of payment (for example, in the online shop or in a store).

We also collect and analyse the offers you view, activate or use in the CA next bank TWINT app. However, TWINT and CANB are not able to view the contents of your cart, and therefore do not analyse this data.

Moreover, you can allow third-party service providers' campaigns to be displayed to you, and, for personalisation purposes, supplementary data about you to be analysed at the same time as the payment data. You can revoke your consent at any time in the CA next bank TWINT app. The following personal data about you are processed for this purpose:

  • Date of birth
  • Postcode

c. Physical cards

You can register customer loyalty programmes and other preferential offers from third-party service providers (physical cards) in the CA next bank TWINT app. The following data are processed to enable the display or transmission of the physical card:

  • Type and name of the physical cards
  • Number of physical cards

The personal data that are processed for the display or transmission of physical data are deleted if you erase the physical card in the CA next bank TWINT app.

d. Partner functions

In the CA next bank TWINT app, you can directly purchase merchandise and services (e.g. super deals or digital coupons) or other offers (for example, parking or cash withdrawal). These offers are governed by the provisions and confidentiality policies indicated in the offer in question.

6. SPECIFIC PROCESSING OF YOUR PERSONAL DATA

We may automatically evaluate some of your specific personal information ("profiling") to determine your preference data, to identify security and abuse risks, to conduct statistical evaluations, or for operational planning purposes. By using the app, you accept that your transaction data will be analysed so that we can present personalized TWINT offers to you.

In cases where we take decisions that rely exclusively on automated processing and which have a legal impact for you or which could significantly affect you, we will inform you accordingly and will take the necessary measures in accordance with applicable laws.

7. WHERE DO WE STORE YOUR PERSONAL DATA?

Your personal data are saved on secure servers in Switzerland or the European Union.

8. FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We keep and process your personal data as long as needed to achieve the intended purpose. The data will be deleted as soon as they are no longer needed to provide the service.

To comply with our legal and regulatory obligations, in particular legislation regarding money laundering or accounting or tax requirements, contractual documents and certain data (e.g. payment data) must be retained for a maximum period of ten (10) years after the end of the commercial relationship.

Personal data can be stored in archives (i.e. with restricted access), for the purposes of evidence management, for a maximum period corresponding to the duration of the contractual relationship or business relationship, plus any additional time required for the assessment and consolidation of rights, the duration of statutory limitation periods and the exhaustion of remedies.

Users can also transmit their location data to us. Their consent will be requested before the data is transmitted, depending on the configuration of their smartphones. Location data are only recorded imprecisely (radius of 16 km), and are deleted after six months at the latest.

9. TO WHOM DO WE COMMUNICATE PERSONAL DATA?

In the context of the use of the CA next bank TWINT app, we communicate your personal data to the following categories of recipients:

  • TWINT SA / TWINT Acquiring SA: as part of their business activity, your personal data can be communicated within the group to TWINT SA or to TWINT Acquiring SA.
  • Service providers: we collaborate with service providers which process your personal data on our behalf and according to our instructions to perform the subcontracted operations, and, where applicable, as independent data controllers pursuing their own legitimate interests. We enter into contracts with these service providers which include provisions concerning the protection of your personal data.
  • Authorities: we may disclose personal data to government authorities, courts and other regulatory authorities or agencies in Switzerland or abroad if we are legally required or permitted or if it is deemed necessary to protect our interests. The authorities process the data concerning you that they receive from us under their own responsibility.
  • Parent company and/or Crédit Agricole Group: we may also communicate your personal data to the parent company and/or to the Crédit Agricole Group in the context of (i) our regulatory obligations with respect to fighting financial crime and (ii) the safeguarding of our legitimate interests, in particular in the fight against fraud.

10. HOW DO WE PROCESS YOUR PERSONAL DATA IF IT IS TRANSFERRED OUTSIDE SWITZERLAND?

We take great care to ensure that your personal data are processed and stored in Switzerland or in a country whose data protection legislation is recognized as "adequate" by the Swiss Federal Data Protection and Information Commissioner, which is the case for nearly all of the processing operations performed.

As mentioned in section 9, we also communicate data to third parties. They are not all located exclusively in Switzerland. Your data may therefore be processed in Europe or the United States (e.g. when using Google Analytics), or – in exceptional cases – in any other country in the world.
Some of the service providers mentioned in this Data Protection Policy are based in the United States, which does not have adequate data protection legislation. In this case we contractually oblige this recipient to comply with the applicable data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, available here), unless the recipient is already subject to a data protection regulatory framework that is recognized by law and we cannot rely on an exemption. An exception may apply in the case of legal proceedings abroad, but also in case of overriding public interests or if the performance of a contract requires such disclosure, if you have given your consent or if it concerns data that you have made accessible to everyone and you are not opposed to their processing.

11. DO WE USE ONLINE TRACKING TECHNIQUES?

a. Google Analytics for Firebase

In the CA next bank TWINT app we use Google Analytics for Firebase, an analytics tool by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google). Google Analytics uses methods such as cookies to analyse client behaviour in the CA next bank TWINT application in order to continually optimize the application. The data collected about your use of the application include:

  • information about the device,
  • approximate location information (country and city),
  • click path,
  • application updates,
  • date and time of the visit,
  • downloads,
  • Flash version,
  • IP address,
  • JavaScript support,
  • pages visited,
  • purchasing activity,
  • use data,
  • interactions with widgets,
  • length of visits to websites and web pages,
  • page from which the visitor left the website,
  • country, region or city from which access was made,
  • the terminal (type, version, colour depth, resolution, width and height of browser window),
  • whether it is a new or repeat visitor,
  • the operating system used,
  • the time of the server request.

As a general rule, these data are transferred to a Google server in the United States, where they are saved. In this context, the IP address is truncated by activating IP anonymization ("anonymizeIP") before being transmitted within member States of the European Union, in the other States party to the agreement on the European Economic Area, or in Switzerland. The masked IP address transmitted for the purposes of Google Analytics will not, according to Google, be combined with other Google data. In exceptional cases, the full IP address may be transmitted to a Google server located in the United States and be truncated there. In such cases, you will be asked to give your prior consent to the processing of the data.

This information is used to analyse the use of the application, report on application activity and provide other services related to the use of the application for market research purposes and to design our websites as needed. These data may be transmitted to third parties if required by law or if such third parties are mandated to process the data.

The use of Google Firebase for application optimization can be disabled in the CA next bank TWINT application.

b. Microsoft App Center

In the CA next bank TWINT application, TWINT uses the Microsoft Corporation ("Microsoft") Software Development Kit (SDK) App Center to transmit crash reports with the aim of continuously improving the CA next bank TWINT application. Information on CA next bank TWINT application crashes collected by the SDK App Center is transmitted to Microsoft's server in the United States and stored there. These data are evaluated by Microsoft to provide crash reports and other services related to error message analysis of the CA next bank TWINT application. Detailed information on the type of data and their use is included in Microsoft's privacy policy at the following link: https://privacy.microsoft.com/de-de/privacystatement.

12. WHAT ARE YOUR RIGHTS?

You may, at any time, under the conditions set by law:

  • access your personal data: you can obtain information about the processing and disclosure of your personal data;
  • have them rectified: you can request the rectification of your personal data if they are inaccurate or incomplete;
  • object to their processing on grounds relating to your particular situation, where the legal basis for the processing is the legitimate interest of the Bank or third parties (unless the Bank can prove the existence of legitimate and compelling grounds for such processing which take precedence over your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims), and object, at any time and without justification, to their processing for purposes of commercial prospecting;
  • request their deletion: you can request the deletion of your personal data, in particular when they are no longer necessary for the purposes for which they were collected, with the exception of processing required for compliance with a legal obligation or for the establishment, exercise or defence of legal claims;
  • request the restriction of their processing: you can request the suspension or restriction of the processing of your data;
  • request their portability: when the processing is automated and is based on consent or the performance of the contract or pre-contractual measures, you may request the return of the personal data that you have provided to us and/or their transfer to a third party;
  • Lastly, you can, when the legal basis for the processing is consent, withdraw your consent for the future and thus put an end to the processing of your data, it being specified that the withdrawal of consent does not call into question the lawfulness of the processing carried out until then.

Please note that the exercise of some of these rights may prevent the provision of certain products or services.

If you wish to exercise any of your rights, you may write to the address mentioned in the section "Your Contact Points", indicating the right(s) you wish to exercise as well as all elements enabling your identification (identity document, contract number, etc.).

YOUR CONTACT POINTS

If you have any questions or claims, or wish to exercise your rights mentioned above, you can contact the department responsible for personal data protection:

  • By post: Crédit Agricole next bank (Suisse) SA – Service Marketing Relation Client – Esplanade de Pont Rouge 4-6 - CP 1250, 1211 Geneva 26
  • By email: dpo@ca-nextbank.ch.

CANB has appointed a Data Protection Officer (DPO) who can be contacted at the following addresses: Crédit Agricole next bank (Suisse) SA – Data Protection Officer – Esplanade de Pont Rouge 4-6 - CP 1250, 1211 Geneva 26 or by email: dpo@ca-nextbank.ch.