Legal Notes Singapore Personal Data Protection Information
The following data protection information gives an overview of our collection and processing of your data.
Duties of disclosure upon collection of personal data in accordance with the Singapore Personal Data Protection Act (PDPA)
Data privacy is important – please read this document.
The Credit Suisse entities and establishments listed in section 12 of this statement have issued this Privacy Statement in light of the enactment of the PDPA.
This Privacy Statement supplements but does not supersede any consents you have previously given us or other terms and conditions in our agreement with you that govern the collection, use, and disclosure (referred to in this Privacy Statement as “processing”) of your Personal Data by us.
With the following information, we would like to give you an overview of how we will process your personal data and of your rights according to the PDPA. The details on what data will be processed and which method will be used depend significantly on the nature of your business relationship with us and (if you are a client) the services applied for or agreed upon.
“We”, “us” and “our” as used in this statement refers to each and any of the Credit Suisse entities and establishments listed (as the context requires) as responsible for data processing in section 12 of this statement.
“You” and “your” as used in this statement refers to individuals:
- with whom we come into contact, or in respect of whom we obtain personal data, in the usual course of dealings with our clients, our service providers, and our other business counterparties or transaction participants, which may include, without limitation, employees, directors, shareholders, officers, trustees, power of attorney holder, security provider, beneficial owners, authorized signatory, and other personnel of such clients, service providers, business counterparties or transaction participants (each a “Connected Individual”) in all cases outside the Credit Suisse group (as applicable to you, “Your Organisation”); or
- who themselves are our clients.
1. What Sources and Data Do We Use?
Data from you: We process personal data about you that we obtain from you in the context of our business relationship with you and / or Your Organisation (as applicable). We do this in order to facilitate, enable and / or maintain that relationship and / or to provide services to our clients or for other reasons specified below. In addition, in carrying on our business relationship with you or Your Organisation, information may be collected about you indirectly from monitoring or other means (e.g. recording of telephone calls and monitoring e-mails). In these circumstances, the information is not accessed by us on a continuous or routine basis, but it may be used for compliance purposes.
Data from other sources: We also process personal data about you that we obtain from publicly accessible sources (such as online registers or directories ) or that is legitimately transferred to us by other companies in the Credit Suisse group or from other third parties. These may include Your Organisation as well as third parties not related to you or Your Organisation, such as settlement service providers, central securities depositaries, exchanges, central clearing counterparties and other similar entities, databases, and third party service providers such as professional advisers, insurers and risk consulting firms.
Personal data relating to a third party: If you provide us with personal data relating to a third party, for example, your spouse, children, parents or a Connected Individual, you represent and warrant that you have obtained the consent of such third party to you providing us with such personal data. You must ensure that you make such third parties and your Connected Individuals aware of the scope of and purposes for which we will collect and process their personal data and how it will be processed as set out in this Privacy Statement.
Types of personal data: The types of personal data we process may include:
- personal details relating to you (name, date and place of birth, nationality, gender, domicile)
- contact details, including private and / or business phone numbers, postal/residential and email addresses
- identification data such as passports, National Insurance or Social Security numbers, driving licence, ID cards, property register identification, social network user names, customer identifiers (CIF, IBAN / BIC), relationship identifiers (e.g. client segment and account currency), photographs
- authentication data such as sample signatures
- marital status, name of spouse, number of children (if applicable)
- tax status (e.g. tax ID)
- order data (e.g. payment data and account information)
- data from the fulfilment of our contractual obligations
- information about your financial situation (e.g. source of wealth, incomes, benefits, mortgage information, shareholdings)
- video surveillance and telephone / audio recordings
- data relating to criminal convictions and offences (including excerpts of criminal register)
- data related to designation of your status as a politically exposed person (PEP) and related information
- marketing and sales data (e.g. customer relationship documentation)
- data relating to your habits and preferences
- dietary and access requirements (e.g. for event organisation purposes)
- data from your interactions with us, our branches, our internet websites, our apps, our social media pages, meetings, calls, chats, emails, interviews and phone conversations
- documentation data (e.g. file notes or meeting minutes from a consultation, client needs and product usage)
- data relating to your current and past professional roles and employment, and education (e.g. corporate title, membership of professional associations or bodies, career histories or biographies, job function, knowledge and experience in investment matters, qualifications and skills)
- health data
- other data similar to the broad categories mentioned above.
2. What Do We Process Your Data for (Purpose of Processing) and On What Legal Basis?
We process your personal data for one of the following reasons.
a. Due to legal obligations
We are subject to various legal and regulatory obligations, including without limitation prudential and conduct regulation of banks and investment firms, as applicable, regulation of financial markets, compliance with any court orders, investor protection regulations, securities regulations, laws relating to money laundering, terrorism finance, sanctions and any tax laws. The purposes of processing may include:
- identity checks, fraud and financial crime and market abuse prevention or detection. If fraud is detected, Your Organisation, or individuals connected to it or you could be refused certain services, finance
- fulfilling control and reporting obligations under applicable financial regulations including securities regulations
- fulfilling requirements related to our licences and regulatory permissions
- complying with investor protection or conduct of business regulation (such as carrying out suitability or appropriateness assessments)
- complying with regulatory record keeping obligations
- complying with regulatory obligations in relation to measuring and managing risks within the Credit Suisse group.
b. For purposes of legitimate interests
We may process your personal data, for the purposes of the legitimate business and other interests pursued by us or a third party, in:
- developing, deploying and supporting our products and services
- developing and furthering our business and business relationships, and keeping our clients and other stakeholders satisfied
- protecting our businesses and the integrity of the financial markets
- managing risk and securing our systems, assets, infrastructure and premises
- exercising and defending our legal rights and position anywhere in the world
- complying with legal and regulatory obligations and cooperating with regulatory, judicial and other authorities and bodies around the world
- supporting other Credit Suisse companies in pursuing the above interests.
The purposes for which we may process your personal data (and such processing may involve sharing data between members of Credit Suisse group and/or external parties) in connection with the above interests include the following:
- carrying on business relationships with clients and other parties
- providing services to clients
- due diligence in relation to transactions members of Credit Suisse group are involved in
- performing obligations and exercising rights under and otherwise carrying out contracts, or taking pre-contractual measures with Your Organisation or a third party
- management of the businesses and further development of the services and products of the Credit Suisse group
- reviewing and optimizing procedures for needs assessment for the purpose of direct client discussions
- marketing or market and opinion research
- obtaining personal data from publicly available sources for client acquisition purposes
- compliance with licencing, permission and / or licencing exemption requirements and regulatory requests or guidance related to such licences, permissions or exemptions
- compliance with applicable laws, regulations and judicial orders outside Singapore
- compliance with regulatory guidance, policy statements, best practice and associated policy requirements and controls in connection with the carrying on business
- facilitation of and responding to, regulatory requests and supervisory visits, and otherwise acting in open and collaborative manner with competent regulatory authorities
- prevention of and investigations related to financial crime, including fraud, financing of terrorism and money laundering, and compliance with sanctions, including know your customer (KYC) and regular politically exposed persons (PEP) screening
- asserting legal claims and defences in legal disputes
- carrying out conflict checks
- handling client complaints
- warehousing appropriate information within a single jurisdiction in order to co-ordinate the services and business activities of the Credit Suisse group and satisfying other administrative needs across Credit Suisse group
- facilitating operational actions in connection with our business relationships (e.g. processing of payments, billing)
- validating the authority of signatories (e.g. when concluding agreements and transactions)
- risk control across Credit Suisse group
- consulting with credit rating agencies to investigate creditworthiness and credit risks where we may have an exposure to you
- securing and operating Credit Suisse group’s IT systems
- video surveillance and measures to protect the rights of an owner of premises to keep out trespassers and to provide site security (e.g. access controls)
- improving, enhancing or developing new goods or services
- improving, enhancing or developing new methods or processes for business operations in relation to Credit Suisse goods and services
- learning, analysing or understanding behavior, demographics and preferences of existing or prospective clients (including groups of individuals segmented by profile)
- identifying goods or services that may be suitable for existing or prospective clients (including groups of individuals segmented by profile) or personalising or customising any such goods or services for individuals
- carrying out market research.
c. For fulfilment of contractual obligations
We may process your personal data in order to maintain our business relationship with you in accordance with our legal agreement(s) with you. Such processing may take place in order to carry out obligations or exercise rights we may have pursuant to the legal agreement(s) with you, to take steps necessary in order to conclude a legal agreement with you or to take other steps at your or your representative’s request prior to entering into a legal agreement with you. If you are our client, the level and nature of processing of your personal data that we may carry out pursuant to this paragraph will likely depend on the specific product or service to be provided to you (and can include needs assessments and other assessments to provide advice and support to you, as well as to carry out transactions contemplated in, or necessary to fulfil, such legal agreement).
d. As a result of your consent
There may be circumstances where we ask for your consent to process your personal data. As long as you have granted us this consent, this processing is legal on the basis of that consent. You can withdraw your consent at any time by contacting the Data Protection Office (see section 12 below). Withdrawal of consent does not affect the legality of data processing carried out prior to withdrawal. However, this may affect our ability to provide you with our services, or maintain our business relationship with you.
3. Who Receives My Data?
The following paragraphs set out details of the recipients or categories of recipients to which we transfer your personal data.
a. The Credit Suisse group
We will share or otherwise process your personal data with entities in the Credit Suisse group and in accordance with section 4 of this statement as applicable, for example:
- in connection with any services offered or provided by us or any other member of the Credit Suisse group
- to facilitate carrying on the business of the Credit Suisse group and providing services to clients on a global basis
- for risk control including internal approvals processes
- to warehouse appropriate information within a single jurisdiction in order to co-ordinate the services and business activities of the Credit Suisse group
- to pass on information about you to any members of the Credit Suisse group in connection with any services which we think you or Your Organisation may be interested in
- in connection with financial or regulatory reporting purposes.
b. External recipients of data
We may transfer personal data about you:
- to public entities and institutions (e.g. regulatory, quasi-regulatory, tax or other authorities, law enforcement agencies, courts, arbitrational bodies, fraud prevention agencies)
- to other credit and financial service institutions or comparable institutions in order to carry on a business relationship with you or Your Organisation (depending on the contract, e.g. correspondent banks, custodian banks, brokers, securities exchanges, credit rating agencies)
- to third parties in connection with transactions that members of Credit Suisse group are involved in (e.g. correspondent banks, brokers, exchanges, central clearing counterparties, depositaries, trustees, trade repositories, processing units and third-party custodians, issuers, investors, prospective buyers and other transaction participants and their representatives)
- to prospective buyers as part of a sale, merger or other disposal of any of our business or assets to a natural or legal person, public authority, regulatory agency or body for which you have given us your consent to transfer personal data to
- to professional advisors including law firms, accountants, auditors and tax advisors
- to insurers
- to suppliers (service providers and sub-contractors) and agents appointed by us for the purposes given. These are companies in the categories of IT services, logistics, printing services, telecommunications, advice and consulting, and sales and marketing and translation services, located in any jurisdiction.
4. Will My Personal Data Be Transferred outside of Singapore?
In certain circumstances, we may transfer your personal data to another country outside of Singapore. You understand that the data protection legislation outside Singapore may not give you as much protection as the data protection legislation in Singapore.
For transfers to countries outside Singapore where the level of protection has not been recognised as adequate under the Singapore PDPA, we will rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or your consent or implement contractual clauses to ensure the protection of your personal data to a standard that is at least comparable to that provided under the PDPA.
Please contact our Data Protection Office if you would like to request to see a copy of the specific safeguards applied to the export of your information. Contact details are provided in Section 12 below.
5. How Will My Personal Data Be Protected?
We protect personal data in our possession or under our control by making reasonable physical, technical, administrative and procedural security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
6. For How Long Will My Data Be Stored?
- We will process and store your personal data, at least, for the period equal to a term of our agreement(s) with you (if applicable). We may need to process and store your personal data after the expiration of such time in order to comply with our legal obligations, initiate, defend or take any other action in relation to the legal proceedings or as long as it is lawful for us to do so. It should be noted here that our business relationships are often long-term relationships, which are set up with you or Your Organisation on the basis of periods of years.
- We will normally retain your records for a minimum of ten years to comply with regulatory and contractual requirements unless there is a particular reason to hold the records for longer, including legal hold1 requirements (e.g. for the purpose of legal proceedings), which require us to keep records for an undefined period of time.
7. What Data Privacy Rights Do I Have?
In relation to your personal data, and to the extent permitted under the Singapore PDPA, you may have the right:
- to request access to your personal data
- to request the rectification of inaccurate or incomplete personal data
- to request the restriction of the processing of your personal data
- to data portability (i.e. to request to transmit your personal data to another data controller via automatic means).
To exercise any of the above rights you do not need to use a particular form but you should write to our Data Protection Office in accordance with section 12 of this statement. We will then assess and respond to your request to exercise your rights.
Please note that some of the above rights are subject to limitations in some situations, and that the exercise of the above rights may affect our ability to continue a business relationship with you or Your Organisation.
If applicable, you also have a right to make a complaint to the competent supervisory authority, which is the Personal Data Protection Commission in Singapore.
You may also withdraw consent granted to us for the processing of your personal data at any time by contacting the Data Protection Office (see Section 12 below). Please also see section 2.d of this privacy statement for further details on consent.
8. Am I Obliged to Provide Data?
In the context of our relationship, you may need to provide certain personal data that is required for accepting and carrying out a business relationship, fulfilling contractual obligations or that we are legally obliged to collect. Without this data, we may not be in a position to enter into a legal agreement, provide services, or initiate or maintain a business relationship.
For example, and where applicable to our business relationship, anti-money laundering regulations may require us to identify you on the basis of your identification documents before establishing a business relationship and to collect and put on record data including your name, place and date of birth, nationality, address and identification details for this purpose. In order for us to be able to comply with these statutory obligations, you must provide us with the necessary information and documents in accordance with such regulations, and to immediately disclose any changes over the course of our relationship. If you do not provide us with the necessary information and documents, we cannot enter into or continue the business relationship you require.
9. Will Automated Decisions and Profiling Take Place?
We process some of your data automatically, with the goal of assessing certain personal aspects (profiling) to assist us to personalize and improve the quality of our services provided to you and to help us meet legal and regulatory requirements. For example we may use profiling, including behavioural analysis in the following ways:
- to combat money laundering, terrorism financing, fraud and other financial crime, and assess risks and offences that pose a danger to assets. Data assessments (including on payment transactions) are also carried out for this purpose. At the same time, these measures also serve to protect you or Your Organisation.
- we use assessment tools in order to be able to specifically notify you and advise you or Your Organisation about our products and services, including market and opinion research. These tools allow our communications and marketing to be tailored to you as needed.
10. We May Collect Biometric Data and other Sensitive Personal Data From You
If we collect your biometric data or other sensitive personal identifiers, your explicit consent will be required in a separate process to use your Touch ID or other biometric identification to access certain applications.
11. Changes to this Privacy Statement
This Privacy Statement takes effect on 20 August 2021. We may need to make changes to it in the future. We will post updates to this Privacy Statement to our website.
12. Who Is Responsible For Data Processing and How Can I Contact Them?
The legal entities and establishments responsible for the processing of your personal data and their contact details are:
Credit Suisse (Singapore) Limited
Credit Suisse (Singapore) Nominees PTE Ltd.
Credit Suisse AG, Singapore Branch
Credit Suisse Securities (Singapore) Pte Limited
Credit Suisse Services AG, Singapore Branch
Credit Suisse Trust Limited (Singapore)
SYMASIA FOUNDATION LIMITED
One Raffles Link #03-01
You can reach our Singapore Data Protection Officer at:
The Data Protection Office
Credit Suisse AG, Singapore Branch
One Raffles Link #03-01
or by e-mail at: email@example.com
Important note: when contacting our Data Protection Office, please ensure that you specify the correct legal name of the Credit Suisse entity or establishment to which your query relates.