GDPR Data Privacy Notice
1. Data protection
MOONCHAIN CAPITAL SA (« hereafter « MOONCHAIN » or “we”) takes your privacy seriously.
In the light of the enactment of the General Data Protection Regulation (Regulation (EU) 2016/679) (hereinafter referred to as “GDPR”), we would like to give you, should you be considered as a natural person in the European Union (EU), with the following information, an overview of how we will process your data and of your rights according to data privacy laws.
If you have any questions or comments, please contact us at the address set out in section 2.
‘Personal data’ is any information that relates to an identified or identifiable natural person.
The details on what personal data will be processed and which method will be used depend significantly on the services applied for or agreed upon.
Should you be considered as a natural person in Switzerland, please read our “FADP Data Privacy Notice”, based on the Swiss Federal Act on Data Protection accessible here.
2. Who is responsible for data processing and how can I contact them?
You may exercise any of your rights in relation to your personal data by writing to us at the following addresses. To avoid delay in dealing with your request, please enclose with your signed letter a copy of your passport or identity card:
MOONCHAIN CAPITAL SA, att. to Mr Christopher MANESSIS, Data Protection Officer, Rue des Epinettes 19, 1227 Les Acacias, Switzerland.
If you are not satisfied with MOONCHAIN’s response, you have the right to make a complaint to the data protection authority in the jurisdiction where you live or work, or in the place where you think an issue in relation to your data has arisen.
3. What sources and data do we use?
MOONCHAIN processes personal data that we obtain from our clients in the context of our business relationship. MOONCHAIN will, depending on the service we provide to you (if any), collect and process personal data about you including:
- Personal details such as your name, identification number, date of birth, KYC and AML documents (including a copy of your national identity card or passport), phone number physical and electronic address, and family details such as the name of your spouse, partner, or children;
- Information, including payment and transaction records and information relating to your assets, liabilities, revenues, earnings and investments (including your investment objectives);
- Tax domicile and other tax-related documents and information;
- Where applicable, professional information about you, such as your job title and work experience;
- Your knowledge of and experience in investment matters;
- Details of our interactions with you and the services you use;
- Any records of phone calls and emails between you and MOONCHAIN;
- Where applicable, details of your nomination of a mandate;
- Identifiers we assign to you, such as your client number;
- When you access our Website, data transmitted by your browser and automatically recorded by our server, including date and time of the access, name of the accessed file as well as the transmitted data volume and the performance of the access, your web browser, browser language and requesting domain, and IP address (additional data will only be recorded via our Website if their disclosure is made voluntarily, e.g. in the course of a registration or request), and;
- In some cases (where permitted by law), special categories of personal data, such as your biometric information, political opinions or affiliations, health information, racial or ethnic origin, religious or philosophical beliefs, and, to the extent legally possible, information relating to criminal convictions or offences.
In addition, in some cases, we might collect this information from public registers (which, depending on the service you receive, may include beneficial ownership and other registers), public administration or other third-party sources, such as wealth screening services, credit reference agencies, fraud prevention agencies.
If relevant to the services we provide to you, we will also collect information about business partners (including other shareholders or beneficial owners), dependants or family members, representatives, and agents. Additionally, where you are an institutional or corporate client or investor, we will also collect information about your directors, employees or shareholders. Before providing MOONCHAIN with this information, you should provide a copy of this notice to those individuals.
4. What do we process your data for (purpose of processing) and on which legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) :
For fulfilment of contractual obligations (Art. 6 para. 1b of the GDPR)
Personal data is processed in order to provide consulting services on investments in the field of cryptocurrencies and blockchain technology, as well as in the context of carrying out our contracts with our clients or to carry out pre-contractual measures that occur as part of a request. The purposes of personal data processing are primarily in compliance with the specific product (e.g. consulting services on investments, client referral, etc.) and can include needs assessments, advice as well as analytical back-up. You can find other details about the purposes of data processing in the relevant contract documents and terms and conditions.
For the purposes of the legitimate interests pursued by MOONCHAIN (Art. 6 para. 1f of the GDPR)
Where required, we process your data beyond the actual fulfilment of the contract for the purposes of the legitimate interests pursued by us or a third party. Examples:
- Reviewing and optimizing procedures for needs assessment for the purpose of direct client discussions;
- Marketing or market and opinion research, unless you have objected to the use of your data
- Asserting legal claims and defence in legal disputes
- Guarantee of MOONCHAIN’s IT security and IT operation
- Prevention and clarification of crimes
- Video surveillance to protect the right of owner of premises to keep out trespassers, for collecting evidence in hold-ups or fraud
- Measures for business management and further development of services and products
- Risk control in MOONCHAIN
In addition we obtain personal data from publicly available sources for client acquisition purposes.
As a result of your consent (Art. 6 para. 1a of the GDPR)
As long as you have granted us consent to process your personal data for certain purposes (e.g. analysis of trading activities for marketing purposes), this processing is legal on the basis of your consent. Consent given can be withdrawn at any time.
Withdrawal of consent does not affect the legality of data processed prior to withdrawal.
Due to statutory provisions (Art. 6 para. 1c of the GDPR) or in the public interest (Art. 6 para. 1e of the GDPR)
Furthermore, we are subject to various legal obligations, meaning statutory requirements (e.g. the Swiss Banking Act, Collective Investment Schemes Act, Anti-Money Laundering Act, the Swiss Financial Market Supervisory Authority ("FINMA") ordinances and circulars, tax laws).
Purposes of processing include assessment of creditworthiness, identity and age checks, fraud and money laundering prevention, fulfilling control and reporting obligations under fiscal laws, and measuring and managing risks within MOONCHAIN.
5. Who receives my data?
We might share personal data to MOONCHAIN employees or with other MOONCHAIN Group companies (if any) in order to ensure a consistently high service standard across our group, and to provide services to you.
MOONCHAIN will disclose personal data only to those of its employees and affiliated corporate entities of its group (if any) that (i) need to know that information in order to process it on MOONCHAIN’s behalf or to provide services, and (ii) that have agreed not to disclose it to others.
Personal data may be disclosed to third parties in connection with the services we are providing to you. The recipients of any such information will depend on the services that are being provided. In order to fulfil the aforementioned purposes and subject to any confidentiality restriction we may have expressly agreed with you or any transaction parties, we may disclose your personal data to:
- Service providers which perform services on our behalf, such as payment, crypto-currency platforms exchange, third party storage providers and trade data repositories, third party IT and hosting providers, third party distribution platforms and courier services;
- To other deal/transaction participants, counterparties, vendors and beneficiaries;
- Financial, taxation, regulatory or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;
- Certain professionals such as lawyers, notaries or auditors; and
- To any other persons as agreed with you.
When we do so we take steps to ensure they meet our data security standards, so that your personal data remains secure.
We reserve the right to make personal data accessible to other recipients, as disclosed to you from time to time or if required by applicable laws or requested by a competent authority.
The provision of personal data may be mandatory, e.g., in relation to our compliance with legal and regulatory obligations to which we are subject. Please be aware that not providing such information may preclude us from pursuing a business relationship with, and/or from rendering our services to you.
Public or regulatory authorities
If required from time to time, we disclose personal data to public authorities, regulators or governmental bodies (e.g. Swiss National Bank, FINMA, financial authorities, criminal prosecution authorities), including when required by law or regulation, under a code of practice or conduct, or when these authorities or bodies require us to do so.
- If our business is sold to another organisation or if it is re-organised, personal data will be shared so that you can continue to receive services. We will usually also share personal data with prospective purchasers when we consider selling or transferring part or all of a business. We take steps to ensure such potential purchasers keep the data secure.
- We may need to disclose personal data to exercise or protect legal rights, including ours and those of our employees or other stakeholders, or in response to requests from individuals or their representatives who seek to protect their legal rights or such rights of others.
6. Will my personal data be transferred to a third country?
Data transfer to units in states outside Switzerland and the EU (known as third countries) takes place so long as:
- It is necessary for the purpose of the services we are providing to you;
- It is required by law (e.g. reporting obligations under fiscal law), or;
- You have granted us your consent.
Please contact us if you would like to request to see a copy of the specific safeguards applied to the export of your information (Article 13 para 1f of the GDPR).
7. For how long and where will my personal data be stored?
We will process and store your personal data for as long as it is necessary in order to fulfill our contractual and statutory obligations. It should be noted here that our business relationship is a long term obligation, which is set up on the basis of periods of years.
If the data is no longer required in order to fulfill contractual or statutory obligations, it is deleted, unless its further processing is required – for a limited time – for the following purposes:
- In general, MOONCHAIN will retain personal data for the period of your relationship or contract with MOONCHAIN plus 10 years, reflecting the length of time for which legal claims may be made following termination of such relationship or contract.
- An ongoing or anticipated legal or regulatory proceeding may lead to retention beyond this period.
- Due to requirements potentially laid down by FINMA, MOONCHAIN might also have to store all electronic correspondence (e-mails, etc.) and evidence of the calls made on business telephones by its employees for a period of two years.
All personal data will be stored in a server physically located in Switzerland.
8. What data privacy rights do I have?
Every data subject has the right to access his or her data (Article 15 GDPR), the right to request the rectification of inaccurate personal data concerning him or her (Article 16 GDPR), the right to obtain from the controller the erasure of personal data concerning him or her (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR) and to object processing of personal data concerning him or her (Article 21 GDPR), and if applicable – the right to data to Article 20 GDPR.
Unless this proves impossible or involves disproportionate effort, we shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom your personal data have been disclosed. We shall inform you about those recipients if you request it (Article 19 GDPR).
Furthermore, if applicable on you, there is also a right to lodge a complaint with an appropriate data privacy regulatory authority (Article 77 GDPR).
You can withdraw consent granted to us for the processing of personal data at any time. Please note that the withdrawal only applies to the future. Processing that was carried out before the withdrawal is not affected by it.
9. Am I Obliged to Provide Data?
In the context of our business relationship, you must provide all personal data that is required for accepting and carrying out a business relationship and fulfilling the accompanying contractual obligations or that we are legally obliged to collect.
Without this data, we are, in principle, not in a position to close or execute any contract with you.
In particular, anti-money laundering regulations require us to identify you on the basis of your identification documents before establishing a business relationship and to collect and put on record name, place and date of birth, nationality, address and identification details for this purpose. In order for us to be able to comply with these statutory obligations, you must provide us with the necessary information and documents in accordance with the Anti-Money Laundering Act, and to immediately disclose any changes over the course of the business relationship. If you do not provide us with the necessary information and documents, we cannot enter into or continue the business relationship you desire.
10. To what extent is there automated decision-making?
In establishing and carrying out a business relationship, we generally do not use any automated decision-making pursuant to Article 22 of the GDPR. If we use this procedure in individual cases, we will inform you of this separately, as long as this is a legal requirement.
11. Will profiling take place?
We process some of your data automatically, with the goal of assessing certain personal aspects (profiling). We use profiling for the following cases, for instance:
- Due to legal and regulatory requirements, we are obligated to combat money laundering, terrorism financing, and offenses that pose a danger to assets. Data assessments (including on payment transactions) are also carried out for this purpose. At the same time, these measures also serve to protect you.
- We use assessment tools in order to be able to specifically notify you and advise you regarding our services. These allow communications and marketing to be tailored as needed including market and opinion research.