Data protection information under the Swiss

Federal Act on Data Protection and EU General

Data Protection Regulation
The following information provides an overview of how we process your personal data and your rights under data
protection law. Which specific data is processed and how it is used depends largely on the services requested or agreed
in each case.
Please also forward this information to your current and future authorised representatives, any beneficial owners or holders
of any right on the account(s) (e. g., power of attorney, information right) as well as any co-obligors under a loan.

1. Who is responsible for the data processing and who can you contact in this regard?

Controller: Our internal data protection officer

may be contacted at:
Deutsche Bank (Switzerland) Ltd Deutsche Bank (Switzerland) Ltd
Place des Bergues 3 Data protection officer
Case Postale Hardstrasse 201, Prime Tower
1211 Genève 1 8005 Zürich
Tel: +41 22 739 0111 Tel: +41 58 111 0111
Fax: +41 22 739 0700 E-mail: [email protected]

2. What sources and data do we use?

General Remarks
We process personal data which we receive from prospective clients and our existing clients in the context of the opening
of an account relationship and of our business relationship. Personal data is also received from other persons such as
persons who have received a power of attorney from a client, credit card holders, co-obligors under a loan (e. g.,
guarantor). To the extent necessary in order to provide our services, we also process personal data which we lawfully
(e. g., for executing orders, performing contracts or on the basis of your consent) receive from other entities within the
Deutsche Bank Group or other third parties (e. g., external asset manager). We also process personal data from publicly
available sources (e. g., debtor directories, land registers, commercial registers and registers of associations, press,
media, internet) which we lawfully obtain and are permitted to process.
Relevant personal data may be, for example:
Name, address / other contact information (e. g., telephone, e-mail address), date / place of birth, gender, nationality,
marital status, legal capacity, occupation / partner type (employed / self-employed), identification data (e. g., identification
document data), authentication data (e. g., specimen signature), tax information (e. g., tax-ID, FATCA status, tax
residency status), and other KYC data (Know your customer data).
Client contact information
In the business origination and development phase and over the course of the business relationship, particularly as a
result of personal, telephone or written contact initiated by you or the bank, additional personal data is collected, e. g.,
information about the contact channel, date, occasion and result, (electronic) copies of correspondence and information
on participation in direct marketing activities.
Product and services
When we provide products / services from the categories listed below to you additional personal data may be collected,
processed and stored in addition to the aforementioned data (incl. telephone conversations). These products / services
primarily include:
Account and payment transactions (incl. online banking)
Order data (e. g., payment orders), data stemming from the performance of our contractual obligations (e. g., payment
transaction data).
Securities, Derivatives, Foreign Exchange, Interest Rate, Fiduciary Deposits and other investments
Information on knowledge of and / or experience with various types of investments, investment behaviour / strategy
(scope, frequency, risk appetite), occupation, financial situation (assets, liabilities, income from (self-)employment / trade,
expenses), foreseeable changes in financial circumstances (e. g., age of retirement), specific objectives / major concerns
in the future (e. g., planned acquisitions, redemption of liabilities), tax information, documentation data (e. g., suitability
statement, consultation records).

CH 809 E 05.2018 1
 Life insurance
Policy number, product data (e. g., rate, benefit, premium), documentation data (e. g., consultation records). Where the
premiums are invested in securities, the personal data listed under ”Securities, Derivatives, Foreign Exchange, Interest
Rate, Fiduciary Deposits and other investments” may be used.
Credit cards
Occupation, income, rental costs or construction financing rate, dependent children, residence / work permit.
Loans and structured financing
Credit records (income statements, cash flow accounts and balance sheets, tax documentation, information / proof of
assets and liabilities, guarantees assumed, third-party account statements, expenses), employer, nature and term of the
employment relationship, nature and term of self-employment, number of dependent children, marital property, residence
/ work permit, scoring / rating data, information / proof of intended purpose, own and external collateral: property
documentation (e. g., land register extracts, property appraisals), documentation data (e. g., consultation records).
In the case of personal guarantees by third parties (external collateral), the bank may impose comparable requirements
on the respective guarantors to disclose the economic and financial circumstances.
Digital services
With respect to data processed when using digital service products, please refer to further information on data protection
in connection with the respective digital service product (for instance, processing data with e-banking).

3. Why do we process your data (purpose of the processing) and on what legal basis?
We process the aforementioned personal data in compliance with the provisions of the Swiss Federal Act on Data
Protection (FADP) and if applicable the EU General Data Protection Regulation (GDPR).
a. for the performance of contractual obligations
The processing of personal data is carried out in order to perform banking transactions and financial services pursuant
to contracts with our clients or to take steps at your request prior to entering into a contract.
The purposes of the data processing are primarily dependent on the specific product (see no. 2) and may include, among
other things, requirements analysis, advice, asset management and transactional services. For further details on the
purpose of the data processing, please refer to the respective contractual documentation and general business
conditions.
b. for the purposes of safeguarding legitimate interests
Where necessary, we process your data above and beyond the actual performance of our contractual obligations in order
to safeguard the legitimate interests pursued by us or by a third party. Examples include:
— Reviewing and optimizing procedures for needs assessment for the purpose of direct client discussions
— Advertising or market and opinion research, to the extent that you have not objected to having your data used
— Asserting legal claims and mounting a defence in the event of litigation
— Ensuring the bank’s IT security and IT operations
— Preventing crimes
— Video surveillance to
safeguard against trespassers, to gather evidence in the event of robbery or fraud or to document
disposals and deposits
— Measures for building and systems security (e. g., admittance control)
— Measures to ensure against trespassing
— Measures to manage business and further develop services and products
— Group risk management
c. on the basis of your consent
Insofar as you have granted us consent to the processing of personal data for specific purposes (e. g., analysis of trading
activities for marketing purposes), the lawfulness of such processing is based on your consent. Any consent granted may
be revoked at any time. This also applies to the revocation of declarations of consent that are granted to us prior to the
entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018 or any entry into force of the
revised Swiss Federal Act on Data Protection. Please be advised that the revocation shall only have effect for the future.
Any processing that was carried out prior to the revocation shall not be affected thereby. You can request a status
overview of the consents you have granted from us at any time or view some of them when banking online.

CH 809 E 05.2018 2
 d. for compliance with a legal obligation or in the public interest
As a bank, we are also subject to various legal obligations, e. g., statutory requirements (e. g., Swiss Code of obligations
(Obligationenrecht), Banking Act (Bankengesetz), Collective Investment Schemes Act (Kollektivanlagengesetz),
Intermediated Securities Act (Bucheffektengesetz)), tax laws as well as laws regarding financial services and the
supervision of financial institutions (Financial Market Infrastructure Act (Finanzmarktinfrastrukturgesetz), Financial
Market Supervision Act (Finanzmarktaufsichtsgesetz), Anti-Money Laundering Act (Geldwäschereigesetz)). Other
purposes of processing include credit checks, identity and age verification, anti-fraud and anti-money laundering
measures, the satisfaction of tax law control and reporting obligations as well as the assessment and management of
risks in the bank and the Group.

4. Who receives your data?

Within the bank, those offices given access to your data require them in order to perform our contractual and statutory
obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they
observe banking secrecy and our written instructions under data protection law. These are mainly companies from the
categories listed below.
With regard to the transfer of data to recipients outside the bank, it must first of all be noted that as a bank we are under
a duty to maintain secrecy about any customer-related facts and evaluations of which we may have knowledge (please
see our general business conditions). We may only disclose information about you if we are legally required to do so, if
you have given your consent, if we are authorised to provide bank information and / or if processors commissioned by
us guarantee compliance with banking secrecy and the provisions of the FADP and, if applicable, GDPR.
Under these conditions, recipients of personal data may be, for example:
— Public authorities and institutions (e. g., Swiss Financial Market Supervisory Authority (Finanzmarktaufsicht), Federal
Tax Administration (Eidgenössische Steuerverwaltung), Money Laundering Reporting Office Switzerland (Meldestelle
für Geldwäscherei) or the German Bundesbank) insofar as a statutory or official obligation exists.
— Other credit and financial services institutions, comparable institutions and processors to whom we transfer personal
data in order to perform the business relationship with you such as real estate appraisals, credit card processing, risk
controlling, investment services, share register, fund management, auditing services, IT services, payment
transactions.
Other recipients of data may be those offices to which you have given your consent to the transfer of data or with respect
to which you have exempted us from banking secrecy by means of a declaration of consent.

5. Will data be transferred to a third country or to an international organisation?

Data may be transferred to countries outside Switzerland (so-called third countries) if this is required for the execution of
your orders (e. g., payment and securities orders), prescribed by law (e. g., reporting obligations under tax law), if you
have given us your consent or in the context of outsourcing. If service providers in a third country are used, they are
obligated to comply with same level of data protection as in Switzerland.

6. How long will your data be stored?

We process and store your personal data as long as it is necessary for the performance of our contractual and statutory
obligations. In this regard, it should be noted that our business relationship is a continuing obligation designed to last for
several years.
If the data is no longer required for the performance of our contractual and statutory obligations, it is regularly deleted or
anonymized, unless the further processing (for a limited time) is necessary for the following purposes:
— Compliance with records retention periods under commercial and tax law, such as the Swiss Code of obligations
(Obligationenrecht); the Money Laundering Act (Geldwäschereigesetz); the Federal Act on Archiving
(Archivierungsgesetz), the Federal Act on Accounts Ordinance (Geschäftsbücherverordnung) and the Federal Act on
Value Added Tax (Mehrwertsteuergesetz). The records retention periods prescribed therein range in general from two
to 10 years. In exceptional cases a longer retention period is required;
— Preservation of all forms of relevant information when litigation is ongoing or reasonably anticipated

CH 809 E 05.2018 3
 7. What data protection rights do you have?
Under GDPR every data subject has a right of access, a right to rectification, a right to erasure, a right to restriction of
processing, a right to object and a right to data portability. If applicable, data subjects also have a right to lodge a complaint
with an appropriate data privacy regulatory authority. In general, but subject to certain differences or exceptions, similar
rights are also granted by the Swiss Federal Act on Data Protection.
You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of
declarations of consent that are granted prior to the entry into force of the EU General Data Protection Regulation, i. e.,
prior to 25 May 2018 or any entry into force of the revised Swiss Federal Act on Data Protection. Please be advised that
the revocation will only take effect in the future. Any processing that was carried out prior to the revocation shall not be
affected thereby.

8. Are you under any obligation to provide data?

Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and
execution of a business relationship and the performance of the associated contractual obligations or which we are legally
obligated to collect. As a rule, we would not be able to enter into any contract or execute the order without these data or
we may no longer be able to carry out an existing contract and would have to terminate it.
In particular, provisions of money laundering law require that we verify your identity before entering into the business
relationship, for example, by means of your identity card and that we record your name, place of birth, date of birth,
nationality and your residential address. In order for us to be able to comply with this statutory obligation, you must
provide us with the necessary information and documents in accordance with the Anti-Money Laundering Act
(Geldwäschereigesetz) and notify us without undue delay of any changes that may arise during the course of the business
relationship. If you do not provide us with the necessary information and documents, we will not be allowed to enter into
or continue your requested business relationship. Moreover, provisions of tax law regarding in particular the Foreign
Account Tax Compliance Act (FATCA) and the automatic exchange of information require us to receive the relevant tax
data from you.

9. To what extent is automated decision making (including profiling) carried out?

As a rule, we do not make decisions based solely on automated processing to establish and implement the business
relationship. If we use these procedures in individual cases, we will inform you of this separately, provided that this is
prescribed by law.

10. Is “profiling” used?

In some cases, we process your data automatically with the aim of evaluating certain personal aspects (profiling). For
instance, we use profiling in the following cases:
— We are required by law to take anti-money laundering and anti-fraud measures. Data evaluations are also carried out
(in payment transactions, among other things) in this context. These measures also serve to protect you.
— Inorder to provide you with targeted information and advice on products, we use evaluation tools. These enable
demand-oriented communication and advertising, including market and opinion research.
— We use scoring to assess your creditworthiness. Where applicable we calculate the likelihood that a given client will
meet their contractual payment obligations. The calculation may include, for example, income levels, expenses,
existing liabilities, occupation, experiences from the previous business relationship, repayment of prior loans in
accordance with the contract. Scoring is based on a mathematically and statistically recognised and proven procedure.
The calculated score values assist us in our decision-making and are incorporated into ongoing risk management.

Information on your right to object under the EU General Data Protection Regulation (GDPR)
1. Ad hoc right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal
data concerning you which is based on processing in the public interest and processing for the purposes of
safeguarding legitimate interests; this includes any profiling based on GDPR provisions.
If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling
legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is
for the establishment, exercise or defence of legal claims.
2. Right to object to the processing of data for marketing purposes
In certain cases, we process your personal data for direct marketing purposes. You have the right to object at any
time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that
it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for such
purposes. There are no formal requirements for lodging an objection; where possible it should be made by telephone
to: + 41 22 739 0111.

CH 809 E 05.2018 4