Skyline Digital AG Privacy Notice

Information regarding data processing pursuant to the EU General Data Protection Regulation (“GDPR”) and the Swiss Federal Act on Data Protection (“FADP”)

This information applies to current and potential clients (hereinafter referred to as “Client” or “you”) of Skyline Digital AG (hereinafter referred to as “Skyline” or “we”). The products and services of Skyline are not directed to people under the age of 18 years.

Only persons of legal age are permitted to use the services of Skyline and register for an account. Therefore, we are not knowingly collecting personal data from minors. So, if you are under the age of 18 years, please do not use Skyline’s platform and do not provide us with any personal data. With this information we are informing you about how we process your personal data and about your rights derived from the EU-GDPR and the FADP.

A. About this Privacy Policy

Privacy and the security of transactions are core elements of cryptocurrencies, blockchain technology and its whole global movement. Skyline really appreciates the trust Clients have in us when trading cryptocurrencies and other digital assets on our platform. For this reason, privacy and data security have an enormously high priority for Skyline. It is very important to us that you feel safe during your visit to our website and while using our services as well as over the course of all other business transactions with us. As soon as you make use of products and/or services of Skyline, you entrust us with the processing of your personal data. Skyline wants to give you the best possible experience with our platform to ensure that you enjoy the usage of our products and services now and in the future. 

Therefore, in this Privacy Policy, we want to transparently inform you which personal data we collect from you, how we process it and to whom we might forward it in detail. Furthermore, we would like to inform you which precautions we take to protect your personal data, which rights you have in this context and to whom you can turn for data protection concerns.

1. Controller

Who is responsible for the processing of your personal data and whom can you contact in case of necessity?

Skyline is aware that both the protection and the careful handling of your personal data are very important. Skyline will solely use the personal data provided by you in compliance with the applicable data protection requirements, this Privacy Policy and your consent.

If you have any questions in connection with the processing of your personal data and the exercising of your rights under GDPR or FADP, you can contact our privacy team: Please note that for certain requests, we require further identification data from you (e.g. Passport, ID card, etc), in order to ensure that your personal data is only shared with you.

2. Data categories and sources

From which sources does the data originate?

We process first and foremost personal data which we have received from you.

Insofar as we receive personal data from third parties, this concerns the following persons / organizations in particular:

  • Financial institutes and intermediaries;
  • Business partners, in association with the provision of contractual services;
  • Business introducers, based on your interaction with such introducers.

In some cases, we collect personal data from public registers (such as Zefix), public administration or other third-party sources, such as fraud prevention agencies, services and providers specialized in collecting and providing data related to money laundering and terrorist financing, the media and the Internet.

What personal data and special categories of personal data do we process? 

Subject to the products or services we provide to you, we collect and process personal data received from you within the scope of the business relationship. The following personal data might be processed:

  • Contact data: personal details such as your name, address, date of birth, phone number, e-mail-address.
  • Verification data: when an account is verified, and depending on the level of verification, we might process Know Your Client (“KYC”) documents, for example, screenshots of national identity documents such as a passport, driving license or ID card, identification data from these documents, utility bill details for residence verification, data about the status of politically exposed persons, video data from the video authentication process, biometric data for verification, among others.
  • Financial information: over the course of the products or services provided, we might process payment and transaction records, information relating to your source of wealth and funds such as about your assets, financial statements, liabilities, bank information, transaction-ID, among others, specially including information related to your fiat and digital asset transactions.
  • Company information: we might process, for example, commercial register reports, data of or concerning beneficial owners, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company, client or account number, tax-related documents and information, among others.
  • Information of funds: if proof of funds is necessary, we might process for example: banking statements or any other details provided by banks or financial institutions, contracts of sales or contracts in general, or any other suitable data to prove or determine the origin of funds, among others.
  • Communications: we might process records of phone calls, emails and the content of instant messages between you and us and consultation protocols if required, including support requests and other data that you may provide to us directly through any means of communication.
  • Where permitted by law, special categories of personal data (Art. 9 GDPR; Art. 3 lit. c FADP), such as your political opinions, religious beliefs, health data, or information relating to criminal convictions or offenses.

Where relevant for the products or services we provide to you, we may also collect and further process personal data about third parties, such as beneficial owners, representatives, dependents or family members. Please send a copy of this Privacy Notice to these third parties, before providing us with this information.

3. Purpose and legal basis for using personal data

For which purposes and based on which legal basis do we process your personal data? 

All processing is performed in accordance with the GDPR and the FADP on the basis of your consent (Art. 6 (1) lit. a EU-GDPR; Art. 13 (1) FADP). Processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing. Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.

All processing is performed on at least one of the following legal bases:

  • For the performance of contractual obligations (Art. 6 (1) lit. b EU-GDPR; Art. 13 (2) (a) FADP). Processing of personal data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract.
  • For compliance with legal and regulatory obligations (Art. 6 (1) lit. c EU-GDPR; Art. 13 (1) FADP). Processing of personal data might be necessary to comply with various legal obligations, including KYC and monitoring for prevention of fraud, among others.
  • For the purposes of the legitimate interests pursued by us or by a third party (Art. 6 (1) lit. f EU-GDPR; Art. 13 (1) FADP). Processing of personal data might be necessary to maintain the legitimate interests of Skyline or a third party, and this might take place beyond the performance of the contract.

In light of the above-listed legal bases, processing of personal data might be intended for:

  • Client onboarding process, e.g., by analysis of your KYC documents and performance of client assessments.
  • Providing products and services to you, e.g., by analysis of your eligibility of specific products and services; or by executing payments to and from your accounts.
  • Managing our relationship with you, e.g., by documenting our interactions and collecting additional information from you related to specific transactions or the relationship in general; or by communicating with you on service-related questions and complaints.
  • Adhering to our legal, regulatory and compliance obligations, e.g., AML, counter terrorist financing and anti-fraud provisions, tax law control and reporting obligations, client segmentation, client interaction and other documentation requirements.
  • Assessment and optimization of the products and services you receive, e.g., by learning more about you as a customer and the products and services you use, including profiling, and contacting you for other products and services we think might be of interest to you.

4. Recipients of personal data

Who receives your personal data?

The protection and confidentiality of your personal data is important to Skyline. Therefore, we transfer your personal data only to the extent described below or within the scope of an instruction at the time the data is collected from you. In addition, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties.

4.1. Skyline Group

Within the Skyline Group, those offices or employees who need your personal data to fulfill the contractual and legal obligations and legitimate interests will receive it. We transfer personal data for the purpose of our daily business operations like account management and other operations requested by you as well as to conduct internal administrative activities efficiently in a shared way and to maintain as well as improve our products and services.

4.2. Third parties

Skyline might transfer your personal data to any third parties acting on your behalf or involved in a transaction, such as payment recipients, correspondent banks, clearing houses, stock exchanges, fund managers, brokers, Virtual Asset Service Providers (VASP). Also, Skyline might transfer your personal data to any other person with your consent to the disclosure or the purpose of performing a contract or in order to take steps at the request of the data subject prior to entering into a contract.

4.3. Processors

To a limited extent, where deemed appropriate by us, we also transmit personal information to processors who perform services for us including Group companies, such as IT providers, marketing providers, debt recovery, fraud prevention, credit reference agencies and advisors/contractors bound by legal and contractual confidentiality obligations. We also use cloud services for the purpose of office automation (e.g. for the purpose of communication, data storage, document filing and collaboration) and customer relationship management automation (e.g. to systematically organize the relationship and interactions with existing and potential clients). The cloud services may be partially or fully managed by the cloud service providers and made available to us on demand via the Internet from the servers of the cloud service providers. The data centers of the cloud service providers for the services rendered to us, i.e. where the data is being locally processed and stored, will be located in Switzerland and/or the EU. When using cloud services for office automation and customer relationship management automation, we will also process bank client identifying data and data relating to the client relationship with Skyline. Skyline client identifying data is all information relating to an identified or identifiable person as a bank client, such as name, contact details, account number etc.

4.4. Public bodies and institutions and auditors

We might also transfer your personal data to public bodies and institutions and external regulatory/statutory auditors, including regulatory/supervisory authorities, such as the Swiss Financial Market Supervisory Authority FINMA or Criminal Prosecution Authorities (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.

5. International data transfer

Is your data transferred to third countries or international organizations?

As a matter of principle, your data will be stored in Switzerland and in the EU. We will only transfer or grant access to your personal data to recipients outside of Switzerland or the EU, if it is necessary for the execution of your orders (e.g., for fiat or digital asset transactions), prescribed by law or regulations (e.g., the exchange of sender/recipient transaction data or for regulatory purposes), or if you have provided us with your consent. 

In such cases, subject to legal or contractual authorizations, we process or have personal data processed in a third country only where the conditions of Art. 44 et seq. of the GDPR are met. For example, the processing and the transfer shall be carried out based on special safeguards, such as the adherence to a code of conduct or certification mechanism together with binding and enforceable commitments from the recipient in the third country to apply the appropriate safeguards to protect the data, or compliance with officially recognised special contractual obligations published by the European Commission.

6. Retention and deletion periods

For how long is my personal data stored and when will it be deleted?

We process and store (retain) your personal data as long as it is necessary for the fulfillment of our contractual, legal and regulatory obligations. 

Unless expressly stated in this Privacy Policy, personal data processed by us shall be erased as soon as they are no longer required for their intended purpose and the erasure does not conflict with any statutory retention obligations, including the ones resulting from Commercial and Tax Laws, the Swiss Federal Act on Banks and Savings Banks, Swiss Federal Act on Combating Money Laundering and Terrorist Financing and related ordinances as well as other applicable laws and regulations. The prescribed periods for such further retention range in general between two and ten years. Furthermore we may retain your personal data if this is necessary for the preservation of evidence in the event of an anticipated or occurring litigation.

7. Data subject rights

What data protection rights do you have?

You are entitled to the following rights associated with the processing of your personal data:

  • Right of access (Art. 15 GDPR; Art. 8 FADP): you have the right to request confirmation from us as to whether we are processing personal data concerning you. Where personal data concerning you is being processed, you have the right to receive information from us within a reasonable time regarding the personal data stored about you and to receive a copy of the personal data concerning you which is undergoing processing.
  • Right to rectification (Art. 16 GDPR; Art. 5 FADP): you shall have the right to request the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • Right to erasure (Art. 17 GDPR; Art. 5 FADP): You shall have the right to request from Skyline the erasure of personal data concerning you, where one of the following grounds applies and if no further processing is required: the personal data is no longer necessary in relation to the purposes for which they were collected; you withdraw your consent on which the processing was based and where there is no other legal basis or overriding legitimate interest for the processing; the personal data have been unlawfully processed; or erasure of the personal data is required for compliance with a legal obligation under European Union or Member State law to which the Controller is subject. Requests for the erasure of personal data must include the respective ground (Art 17 para 1 GDPR).
  • Right to restrict processing (Art. 18 GDPR; Art. 12, 13, 15 FADP): You shall have the right to request from us the restriction of processing where one of the following conditions applies: you contest the accuracy of the personal data (the restriction shall be put in place for a period which enables Skyline to verify the accuracy of the personal data); the processing of your personal data was unlawful, and you oppose the erasure of your personal data and request instead the restriction of their use; Skyline no longer requires your personal data for the purposes of the processing, but you require them for the assertion, exercise or defence of legal claims; or you have objected to processing of your personal data and it has not yet been determined whether the legitimate grounds of Skyline override your own.
  • Right to data portability (Art. 20 GDPR): You shall have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You shall also have the right to request that we transfer these data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either your consent or a (pre)contractual necessity, and where the processing is carried out by automated means. The right to data portability does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Right to object (Art. 21 GDPR; Art. 4 FADP), and in particular, the right to object at any time to the processing of your Personal Data for marketing purposes, which includes profiling to the extent that it is related to direct marketing. If you have objected to processing, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the assertion, exercise or defence of legal claims. The objection does not affect the lawfulness of processing your personal data based on legitimate interests before your withdrawal.
  • Rights in relation to automated decision making and profiling (Art. 22 GDPR)
  • Right to lodge a complaint with the supervisory authority (Art. 77 GDPR; Art. 27 and 29 FADP).
  • Right to withdraw a consent at any time with effect for the future. Any processing carried out prior to the withdrawal of your consent will not be affected (Art. 7 GDPR).

8. Obligation to provide personal data within the business relationship

Am I subject to an obligation to provide personal data?

Within the scope of our business relationship, you must provide the personal data that is required for the initiation, execution and termination of a business relationship, or that we are obligated by law or regulation to collect. In particular, provisions of money laundering laws and regulations require that we verify your identity before entering into a business relationship, for example, by means of your identity card or passport, and record your name, place and date of birth, nationality and your residential address. In order to comply with these regulatory and statutory obligations, you must provide us with this personal data and corresponding documents and notify us without undue delay of any changes that may arise in the course of the business relationship. As a rule, without this data we must reject the conclusion or performance of an order/a transaction, or are no longer able to carry out an existing order/transaction and therefore may be forced to terminate the business relationship.

9. Automated decision-making

As a rule, we do not perform decision-making based solely on automated processing pursuant to Art. 22 GDPR to establish or terminate a business relationship. Should we use such a process in individual cases, we will inform you separately, where this is legally prescribed. In such a case and under certain circumstances, you will have a right to object to such procedures.

10. Profiling

To what extent do we perform profiling?

Under certain circumstances we may process your personal data automatically with the aim of evaluating certain of your personal aspects (profiling), for example:

  • To comply with legal and regulatory provisions, such as anti-money laundering, anti-fraud and anti-terrorism financing measures and ongoing risk management.
  • To provide you with targeted information and individual offering of products and services.
  • To assess your creditworthiness (scoring).

11. Data Security

How do we protect your personal data?

The security of data is very important to Skyline and we are committed to protecting data we collect. We maintain comprehensive administrative, technical and physical measures designed to protect your personal data against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. These measures meet the highest international safety standards and are regularly reviewed regarding their effectiveness and suitability for achieving the intended safety objectives.

12. Updates of this Privacy Policy

We, Skyline, are committed to upholding the principles of data protection and keeping them up to date. For this reason, we regularly review and update our Privacy Policy. This is to ensure that it is correctly and clearly displayed on our website, contains appropriate information about your rights and our processing activities (also with regard to technical changes or business development) and is implemented in accordance with applicable law, thus complying with data protection requirements. We update this Privacy Policy from time to time when required, in order to take current circumstances into account. If we make significant changes to this Privacy Policy, we will notify you after you log in to your account and provide you with the updated version of the Privacy Policy. If it is required by applicable law, Skyline will obtain your express consent to significant changes. This Privacy Notice was last updated in October 2022.