PRIVACY POLICY

DATA PRIVACY POLICY OF SPX ENHANCE SA V.01.09.2023

Introduction

We are strongly committed to protecting and safeguarding your personal data. The present Privacy Policy of SPX ENHANCE SA (hereinafter "the Company") has been implemented in light of the General Data Protection Regulation (GDPR).
This Privacy Policy provides information on the processing and protection by the Company of personal data of natural persons.
Clients accessing the Company's websites and applying for using its services shall preliminarily read and accept the present Privacy Policy. By continuing to access and use this website or services you expressly confirm your acceptance of our Privacy Policy.

Definitions

Client (as a Data subject) – any natural person, who has been using or has expressed willingness to use services and other online resources (e.g. contests, online community, etc.) provided by the Company;
The Company (as a Data Controller) – SPX ENHANCE SA, and its representative offices, branches.
GDPR – Regulation of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

nFADP

Data is defined as information stored electronically, either on a computer or in certain paper-based systems, or by other means.
Data controllers are individuals or organizations that determine the purpose and manner in which personal data is processed. They hold the responsibility to establish practices and policies in accordance with the Data privacy Rules. The Company is the Data Controller for all Personal Data used in its business.
Data Protection by design entails incorporating privacy and security measures right from the inception of designing and developing products, services or systems. The Data Controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, which are designed to implement data-protection principles, such as Data minimization (for instance replacing names and details relating to clients by codes).

Data protection by default refers to the principle whereby the settings, security measures, and privacy options of a system, application, or services are designed to safeguard client’s personal information from the start, without requiring them to make any changes. The Data Controller shall implement appropriate technical and organizational measures to ensure that, by default, only Personal Data which is necessary for each specific purpose of the processing is processed.

Personal Data – any information related to an identified or identifiable natural person (Data subject). For further information please see Section 3;
Processing – any actions and operations performed on Personal Data such as, but not limited to, collection, recording, storage, transfer, erasure, etc.;
Services – any services offered by the Company;

Website – www.spxenhance.com

Privacy Policy – the present Privacy Policy of SPX ENHANCE SA;
Categories of Personal Data That the Company Process The Company processes certain Personal Data for the purposes specified under Section 4. Please note that the below list is not exhaustive and upon necessity the Company may process other Personal Data, according to its Privacy Policy and other relevant legal enactments.

Personal Data received from the Client:
Natural person’s identification data – including, but not limited to name, surname, national identity number, gender, nationality, tax identification number, date of birth, details of identification document (e.g., passport or ID number or copies);
Contact information – address, telephone number, e-mail address and other if relevant;
Financial information – account number, account balance, income, wealth, transactions and other similar information;
Background and source of funds – information regarding the education, the place and area of work, origin of funds and assets, occupation, business activities if any, employer if any; Information relating to the use of services and their relation to Clients’ preferences, habits etc. – such as information on services used, personal settings, surveys, contests and campaigns in which the Client has participated;
Marital status and relevant third parties – individuals and legal entities associated to the Client account (e.g., POA holders, authorized users, etc.), originators or beneficiaries of the Client's transactions, whether persons closely related to the Client may be classified as politically exposed persons (PEPs) etc.;
Audio/video data – video surveillance cameras’ footage, phone conversation recordings, video and audio recordings made during the video identification (VI) process;

Sensitive Personal Data received from the Client: Data related to criminal convictions and offences – data on the criminal record related to criminal offences of Clients, Potential clients, beneficial owners and representatives thereof;
Biometric and Document Verification data – facial recognition scans, scans of the ID document’s chip, security features and Machine-Readable Zone (MRZ) data used for identity cross-verification.
Data related to regulatory compliance: Status of politically exposed person (PEP), tax residency status, etc.
Other sensitive personal information – data specific to the physical, physiological, mental, economic, cultural or social identity including data related to religious, philosophical, political or trade union activities, health, privacy sphere or ethnic origin.
Information collected automatically while using the Website, mobile or online applications operated or owned by the Company:
Technical information and unique identifiers – Internet protocol (IP) addresses, login information, information about browser, time zone, etc.;
Cookies and profiling tools used by the Company’s websites and its mobile applications. For more detailed information on the types of cookies and unique identifiers the Company uses and for which purposes, please refer to the Company’s Cookie Policy.
It is the duty of the Client of informing third parties of this Privacy Policy in case he provides to the Company with Personal Data related to such third parties.

Grounds and Purposes for the Processing of Personal Data
The Company processes Personal Data if one of the following circumstances applies:
the processing of Personal Data is necessary to enter into and execute a contract;
to comply with the Company’s legal obligations;
to protect the legitimate interests of the Company or of third parties;
if the Bank obtains the consent from Client.
The Company primarily processes Personal Data for the following purposes:
to provide Services and free of charge online and mobile resources;
to send administrative information, including updates of policies and changes to contractual terms;
to provide the Client with information about Services, products, educational materials, upcoming events and other related information that may be useful to the Client in relation to SPX ENHANCE Group offers and other resources;
to assess and mitigate risks related to anti-money laundering and terrorism financing as well as transaction related risks;
to comply with legal obligations and/ or government authorities’ requests;
in relation to the Company’s legitimate interests.

Disclosure of Clients’ Personal Data

The Company is entitled to disclose Client’s Personal Data to selected third parties insofar as such data is necessary for the performance of their delegated functions and there is an adequate legal basis for a lawful disclosure of Personal data, including:
within SPX ENHANCE Group, including all offices and affiliates of the Company, irrespective of their geographical location;
to selected third parties, including providers that deliver services to SPX ENHANCE Group under written agreements ensuring proper safeguards and limitations with regards to Personal Data processing. This may include companies providing IT, payment services, audit services, identity verification, due diligence services, data analysis, marketing support, cloud services and others;
to competent governmental, regulatory or other law enforcement agencies/ authorities.

Personal Data Transfers

Personal data transfer is required under the laws and regulations;
Personal data transfer is necessary for significant reasons of public interest;
Personal data transfer is necessary to enter into or to perform the agreements with Clients for the provision of Services;
The Client has expressly given consent to the processing of his data.

Retention Period and Record Maintenance

Record Period The period of retention of Personal Data depends on the purposes specified by the Company. Nevertheless, Personal data must not be retained beyond the period required to fulfill its intended purpose. This implies that Data shall be destroyed or erased from the Company’s systems when it ceases to be necessary. In determining the retention period of Personal Data, the Company takes into account contractual obligations, the legitimate interest of the Company and relevant legal enactments (such as the regulation concerning anti-money laundering and terrorism financing).
As a standard procedure, The Company stores the Client’s Personal data for a period of 10 (ten) years following the termination of the business relationship, unless specified otherwise by relevant laws and regulations.
Record Maintenance
The Data Privacy Rules requires the Company maintains records for all its data Processing activities. These records should include, at a minimum, the name and contact details of the identity of the Data Controller, the processing purpose, a description of the categories of data subjects and categories of personal data or if possible, standards employed to determine the retention period, a general description of the security measures in place to safeguard the data. Moreover, in situation involving the international transfer or personal data, the name of the relevant safeguarding state should be also be documented.

Client’s Obligation

The Client acknowledges and accepts that he will not to hold SPX ENHANCE Group or any of their officers, directors, employees and affiliates liable responsible for any types of losses, including financial losses, suffered by the Client in case of use by a third party of Client’s confidential information, for example the login and password either communicated to this third party by the Client or obtained by the third party from the Client by an abusive/fraudulent manner. The Client shall be solely liable for any such personal data disclosure to unauthorized third parties.

Client’s Rights

Upon written request, the Client is entitled to receive a copy of his Personal Data from the Company. However, if such request is excessive or repetitive, the Company reserves the right to refuse to provide the Client with copy of his Personal Data and the Company may request a reasonable fee taking into account the necessary resources for preparing such copy;
The Client may request the Company to correct his Personal Data;
The Client may request the Company to erase his Personal Data to the extent permitted by law and other regulation applicable to the Company;
The Client may restrict the processing of his Personal Data by the Company to the extent permitted by law and other regulation applicable to the Company;
The Client has the right to receive his Personal Data in structured, commonly used and electronic format, as well as to transmit it to another controller;
The Client may withdraw consent for Processing for direct marketing purposes at any time;
The Client has the right to be informed about automated individual decision-making, including profiling;
All aforementioned rights should be exercised in good faith and on a written request basis;
If your request or concern is not satisfactorily resolved by the Company and its Data Protection Officer through the contact details indicated in Section 11 upon your written demand, you have the right to lodge a complaint with the personal data protection authority of the Swiss Confederation.
The Data Controller may refuse, restrict, or defer the communication of information in cases where a formal law provides for it, in the presence of overriding interests, a third party enquire it or when the request for access is obviously unfounded.

Data Security

The Company will ensure that appropriate security measures are taken against unlawful or unauthorized processing of Personal data and against the accidental loss of, or damage to, Personal data.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of Personal data.

Cookies

The Company uses monitoring technologies such as cookies to provide efficient operation of the Website to its visitors;
Cookie is technology based on small system files placed on browser during visit of the Website;
The Company collects information about visitor’s device and uses cookies to:
customize Company’s Website features;
avoid re-entry of visitor’s data;
store visitor’s preferences;
gather information about usage of the Website.
The Company uses third party cookies, provided by third party web analytic services such as Google Analytics;
Clients and Website visitors can configure their browser preferences and not to accept cookies, however this may affect functionality of the Website;
For detailed information on cookies, their management and deletion please see the SPXE’s: Cookie Policy

Contact Details

Should the Client have any questions or inquiries regarding the processing of his Personal Data by the Company, he shall send an e-mail to: support@spxenhance.com

Final Provisions

The Client acknowledges and accepts that the Company has the right to change its Privacy Policy at any time without prior notice to the Client. The Company may freely use its websites to inform the Client about any changes in the Privacy Policy. The publishing of an updated version of the Privacy Policy on the Company’s website(s) shall be deemed a valid notification of changes to the Client. The Client undertakes to regularly review the Company’s Website(s) and updates to the Privacy Policy.
The amendments to the Privacy Policy shall become effective on the date specified in the Privacy Policy;
This Privacy Policy was last updated on the date indicated at the top. It supersedes all previous versions.