Information on data protection for clients

The following information provides you, as a client (incl. authorised agent, beneficial owner), with an overview of the processing of your personal data by St.Galler Kantonalbank AG (SGKB) and your rights under data protection law.

The data protection information is based on the relevant provisions of the European General Data Protection Regulation (GDPR) and the current as well as future Swiss Data Protection Act (DSG). The type of data that is processed and the manner in which it is used is based primarily on the products and services used by you.

1. Who is responsible for data processing and whom can you contact?

Responsibility for data processing lies with:

St.Galler Kantonalbank AG
St. Leonhardstrasse 25
9001 St. Gallen
Telefon: 071 231 31 31
UID (enterprise identification number): CHE-105.845.146

If you have any questions relating to the subject of data protection at SGKB, please contact our data protection officer:

St.Galler Kantonalbank AG
Data protection officer
St. Leonhardstrasse 25
9001 St. Gallen

Individuals in the European Union (EU) or the European Economic Area (EEA) can also contact our representative based in Germany:

Swiss Infosec (Deutschland) GmbH
Unter den Linden 24
10117 Berlin / Deutschland

2. What types of data do we process and where does this data come from?

The personal data processed by SGKB comes from the following sources:

  • data provided to us by our clients themselves within the context of the business relationship.
  • data provided to us by third parties for the execution of orders, the fulfilment of contracts or with your consent, for instance from third-party banks, operators of processing systems, pension funds, pension and vested benefit foundations, insurance companies, land registries, debt enforcement and bankruptcy offices, the Zentralstelle für Kreditinformationen (ZEK: Central Credit Information Bureau), the Informationsstelle für Konsumkredit (IKO: Information Office for Consumer Credit), principals, heir representatives, card issuers, pension foundations, Swiss Post, cashgate.
  • data provided to us by official bodies and authorities based on their activity, for instance, by courts, child and adult protection authorities, public prosecutors offices.
  • data that we obtain from publicly accessible sources directly or via specialist service providers, for instance from the media, the Internet, commercial registers as well as sanction and embargo lists.

The personal data and the categories of personal data processed depend primarily on the products and services used by you. Below you will find an overview of the categories of personal data processed by us for the most common product and service categories:

Processing purpose (products and Services) Categories of personal data
Opening and management of the business relationship Identification data (e.g. name, date of birth, nationality), contact data (e.g. address, telephone number), family circumstances (e.g. marital status, matrimonial regime), asset circumstances (e.g. total assets), occupation and education, information on the business relationship (e.g. signatures, powers of attorney, contracts), health data (e.g. information on your capacity to act)
Cultivation of the client relationship Interests and hobbies (e.g. for invitations to Events)
Account management and payment transactions Transaction data (e.g. incomings and outgoings, payment orders, payment transaction data), account balance
Maestro and credit cards Data on card administration (e.g. card limits), transaction data (e.g. on card use)
E-banking and mobile banking Data regarding use of the service (e.g. login Information)
Financing (loans) Asset circumstances (incl. information about debt enforcement, ZEK/IKO entries and tax data), occupation and education, data about loan use and securities, information about the item to be financed
Investments Asset circumstances (incl. information about debt enforcement, ZEK/IKO entries and tax data), occupation and education, data about loan use and securities, information about the item to be financed
Inheritance, pension and tax planning Asset circumstances, family circumstances, religion (where necessary for contract fulfilment)

3. For what purpose and on what basis is your data used?

The processing of personal data occurs primarily for the provision of banking business and financial services in the context of the fulfilment of our contractual obligations. The purpose of data processing is based primarily on the specific product and may include advice, asset management and the conducting of transactions as well as invoicing.

SGKB is also obliged to process personal data for the following purposes due to various legal and regulatory provisions: combatting money laundering and the financing of terrorism, identity checks, investment advisory services, the exchange of information with foreign tax authorities, credit checks, the handling of dormant assets.

Finally, SGKB processes personal data for the protection of its own justified interests and those of third parties, particularly for the following purposes: guaranteeing IT security, preventing criminal acts, enforcement of legal claims and defence in the event of legal disputes, client segmentation, further development of products and services, provision of service and product offers tailored to you, Marketing.

4. To whom will your data be known?

Within SGKB, access to your data will be granted to people who require it for the fulfilment of our contractual obligations and the provision of our products and services. Alongside our employees, these people include service providers recruited by us (e.g. IT providers, lettershops, lawyers) who have undertaken in writing to observe bank client secrecy.

Due to our contractual agreements and legal provisions, SGKB is obliged to observe bank client secrecy. For that reason, your personal data will only be forwarded to recipients outside SGKB due to a legal obligation, based on your consent or if this is required to execute your transaction. Subject to these conditions, your data may be provided to the following categories of recipients:

  • Public bodies and institutions due to a legal obligation: e.g. Swiss Financial Market Supervisory Authority (FINMA), Swiss National Bank, money laundering report office, courts, public prosecutors offices, child and adult protection authorities, tax authorities, the Zentralstelle für Kreditinformationen (ZEK: Central Credit Information Bureau), the Informationsstelle für Konsumkredit (IKO: Information Office for Consumer Credit), bank ombudsman, auditing companies.
  • The service providers recruited to carry out your orders: service providers for the processing of the payment transaction and securities transactions, exchanges and trading platforms, brokers and counterparties, depositaries, pension funds, insurance companies, real estate appraisers, service providers in the area of the management and keeping of securities (central mortgage bond institution), land registry and debt enforcement offices.
  • With your consent, the following categories of people may be data recipients: authorised agents, external asset managers, payment card issuers (Viseca, Swiss Bankers), loan providers (cashgate), vested benefit foundations (Swisscanto), pension funds, share register of third-party companies, insurance companies (Swisscanto, Mobiliar).

Clients domiciled in Germany acknowledge that SGKB will inform the Swiss Money Laundering Reporting Office Switzerland (MROS) in the case of any suspected money laundering or terrorist financing by clients domiciled in Germany, even if there is only a predicate felony to money laundering under German law.

5. Is your data transferred abroad or to an international Organisation?

SGKB processes personal data belonging to its clients exclusively in Switzerland. The transfer of your data to another country only takes place where required for the execution of your orders (e.g. processing of payments and securities transactions), where legally prescribed (e.g. automatic exchange of information for tax matters, official and legal help with respect to foreign authorities) or where you consent to this (e.g. information requests from foreign financial market supervisory authorities and securities issuers).

In connection with the transfer of data in international payment transactions and for investments in foreign securities, we refer you to the corresponding information letter of the Swiss Bankers Association (SBVg) from February 2016.

6. How long is your data stored?

SGKB processes and stores your personal data for as long as it is required for the fulfilment of our contractual and legal obligations. In general, the statutory retention obligations are ten years from the conclusion of a transaction or the end of a business relationship.

If your personal data is no longer required for the fulfilment of contractual or legal obligations, it will be – where technically possible – regularly deleted, unless the further processing of the data is required for the following purposes:

  • Fulfilment of legal and regulatory bookkeeping and retention periods in commercial and tax law
  • Retention of evidence during limitation periods
  • Retention of business documents on dormant assets

7. How is your data protected?

SGKB uses current technical and organisational measures to protect your personal data against loss, misuse, unauthorised access, forwarding and amendment. Our security measures include firewalls, data encryption, physical and technical access restrictions as well as period backups.

8. What are your data protection rights?

Based on and in the scope of applicable data protection law (Swiss Data Protection Act (DSG) or European General Data Protection Regulation (GDPR)), as an affected person you have the following rights: the right to information according to Art. 8 DSG (Art. 15 GDPR), the right to rectification according to Art. 5 DSG (Art. 16 GDPR), the right to deletion according to Art. 5 DSG (Art. 17 GDPR), the right to the restriction of processing according to Art. 12 and 15 DSG (Art. 18 GDPR), the right to oppose processing according to Art. 4 DSG (Art. 21 GDPR) as well as the right to data portability according to Art. 20 GDPR (for data subjects in the EU). Every data subject also has a right to complain to a data protection supervisory authority (Art. 77 GDPR).

As a data subject, you can also revoke any granted consent to the processing of personal data by us at any time, with the revocation applying only to the future.

You can contact your client advisor, the data protection officer at SGKB or our data protection representative to assert your data protection rights. The relevant contact details can be found in Section 1 of this information or on your account Statements.

9. Is there an obligation to provide data?

Within the context of your business relationship with SGKB, you must provide us with the personal data that is required for the commencement and implementation of the business relationship and for the execution and fulfilment of contractual obligations or that SGKB is legally obliged to collect (see Section 3 above). Without this data we will generally have to refuse to conclude a contract or to execute an order or will no longer be able to carry out an existing contract and may possibly have to end this.

10. Does automated decision-making or profiling take place?

SGKB does not generally use fully automated decision-making with legal effect to establish or implement the business relationship. Should we utilise this process in individual cases, we will provide you with separate information.

SGKB uses some automated data processing to evaluate certain personal aspects of your data. Such processing is, for instance, employed as follows:

  • To combat money laundering and fraud, data evaluations are carried out in areas such as payment transactions.
  • During credit checks, creditworthiness is assessed and economic viability is calculated.
  • For targeted communication and advertising as well as for the offering of products and services.
  • Should you use the finance assistant (PFM), your transactions will be assigned to certain expenditure and income categories automatically or based on criteria specified by you.

Version 1.3 (as of: 16 of October 2022)


St.Galler Kantonalbank AG
Data protection officer
St. Leonhardstrasse 25
9001 St. Gallen