Privacy and Cookie Policy

INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA

INTRODUCTION

The present document describes our data-processing policy in relation to use of the www.lapis.finance website and associated resources, including social media (hereinafter the “Site”).

The present document is to inform users, pursuant to and for the purposes of Article 4 par. 5 of the Federal Act on Data Protection (FADP) and, where applicable, Articles 13 and 14 of European Regulation (EU) 679/2016 (“GDPR”), that personal data submitted or otherwise acquired in relation to activity on the Site will be processed in compliance with the principles of the legislation referred to above.
Please note that the GDPR, as stipulated in Art. 3, applies only in the case of the processing of personal data in connection with:
a) the offering of goods or services to natural persons in the EU;
b) monitoring of the behaviour of natural persons in the EU.

Paragraphs A and B specify the ownership of the Site and contact details, and describe the mechanism for accepting and revising the present document. Paragraphs C and D describe our policy on the processing of the personal data of users of the Site; Finally, Paragraph E sets forth the legal provisions applicable to the relationship between the parties and establishes the competent jurisdiction in the event of any disputes arising therefrom.
The terms and conditions for use of the Site are described in a separate document, which can be accessed by clicking on this link. The document is reproduced and included in full here.
Access to the Site is conditional on reading and agreeing to a specific disclaimer in relation to financial matters, the text of which can be viewed by clicking on this link.

A. OWNER OF THE SITE (DATA CONTROLLER) AND CONTACT DETAILS

The Site is owned by Lapis Asset Management Ltd (“LAPIS”), Lugano (CH).
All communications must be addressed in writing and shall be deemed to have been validly and effectively performed on receipt, if conveyed through the ordinary post or, in the case of e-mail, on transmission of a read receipt.

Contacts:
■ Lapis Asset Management Ltd, Via Collina 9, CH-6962 Lugano, Switzerland
■ Tel. +41 (0)91 971 16 93
■ E-mail: info@lapis.finance

B. ACCEPTANCE OF AND CHANGES TO THIS POLICY

By using the site, users agree to the terms and conditions, as well as the data-processing operations described in this policy, in the version current at the time of access. The current version may be viewed by clicking on the link at the foot of the page. The user is responsible for carefully checking the terms and conditions, and other information, before accessing the Site, the Data Controller having the right to update the present document at any time as it sees fit, in particular when there are changes to the applicable legislation, the functions of the Site, and the products and services made available to the user.

C. DATA PROTECTION POLICY

Data Controller

The Data Controller is Lapis, contact details as above, represented by its constituent bodies, as listed in the Canton Ticino Commercial Register (link).
The Data Controller may be contacted by using the contact details specified in par. A above.

Data Protection Officer

The Data Protection Officer may be contacted in writing by ordinary post at the following address: c/o Lapis Asset Management Ltd, Via Collina 9, CH-6962 Lugano, Switzerland.
Any communication relating to data protection may also be sent to the following e-mail address: info@lapis.finance.

Legal regime applicable to data processing

The Data Controller, in its capacity as a legal person under Swiss law, based in Switzerland and active in the private sphere, processes users’ data in conformity with the Federal Act on Data Protection (“FADP”, RS 235.1).
Although in principle LAPIS does not process data that falls within the scope of the GDPR (cf. par. A above), in exceptional cases where the Regulation is applicable, LAPIS accords to those concerned the protection afforded by the GDPR itself (in particular the rights provided for by Arts. 12 – 23). The text of the GDPR may be consulted by clicking on this link.

Notions and categories of personal data

Personal data is understood to be any information concerning an identified or identifiable natural person (“Personal Data”). Sensitive information is regarded as personal data deserving of special protection, such as information relating to the private sphere, social security measures, racial and ethnic origin, political opinions, religious or philosophical convictions, trade-union membership, biometric or health-related data, mental or physical health, as well as information relating to criminal convictions or related security measures.
The Data Controller neither needs nor requests the transfer of any personal data requiring special protection. We would therefore warn users not to spontaneously transmit information of this kind via the Site and the related resources (e-mail, contact form, social media etc.).

Purposes and lawfulness of data processing

The Data Controller will process Personal Data for the purposes summarized in the following table:

PurposesLegal basisPeriod for which data is kept
Navigating in the present websiteLegitimate interest
Fulfilment of contractual obligations
1 year maximum
See information about cookies (link)
Request for contact, request for information or job applicationLegitimate interest
Request from person concerned
1 year
Organizational, administrative, financial or accounting activities
or client/user management, regardless of the kind of data processed.
Mainly the concern of internal organizational activities.
Legal Obligation
Legitimate interest
Fulfilment of contractual obligations
Generally: 10 years

The Data Controller gathers and processes Personal Data to facilitate and optimize use of the Site. Such data includes information concerning the use of the Site, for instance the IP address of the user’s device, the user’s location, the unique identifier of the user’s mobile device, time spent on the Site, the links activated, the characteristics of the browser (type, language, plug-ins installed, etc.), cookies, etc. This data is processed automatically in order solely to permit navigation on the Site, assess the introduction of new functions, improve the quality of the services provided, measure use of the site and optimize its user-friendliness.

The Site processes Personal Data transmitted by the user, in particular via online form or e-mail, for the purposes of communication or to make available the information requested by the user.

The Site does not produce or transmit advertising content or messages devised on the basis of online behaviour, nor does it profile users or monitor use of web-based resources or e-mail. The Site does not sell, hire out, market and/or lend Personal Data to third parties.

We would warn you not to transmit information and/or documents containing personal and/or confidential information by e-mail, as this is an unsafe method of communication and does not guarantee privacy. At users’ request, LAPIS is able to provide secure channels for electronic communication if sensitive data needs to be transmitted (e.g. VPN or encrypted e-mail).

Obligation to provide data

Apart from data to facilitate navigation, as described above, users are free to provide or not to provide Personal Data.

The provision of data may be optional or necessary, depending on the specific purposes for which an item of data is processed. A decision not to provide necessary data will make it impossible to obtain what was requested or make use of the Data Controller’s services.

Transfer of data to a third country and/or international organization

Personal Data may be transmitted abroad (i.e. outside Switzerland), though only to the European Union or to countries that guarantee adequate protection of personal data (as provided for in Swiss law) as per the list drawn up by the federal authorities (link) or by the European authority responsible for the processing of data subject to the GDPR. Interested parties are entitled to obtain copies of such data.

In the case of transfer to non-European countries, in particular the United States, whose level of data protection is not considered adequate, personal data may be transferred only to natural persons, organizations and companies that have adhered to specific agreements and/or international instruments concerned with the protection of personal data (e.g. Swiss/EU–US Privacy Shield). Those concerned may obtain information about the protection measures adopted for the transfer of Personal Data by addressing a request to the Data Controller via e-mail.

Period during which personal data is kept

The Site retains Personal Data for as long as such retention is necessary, considering the purposes for which it was gathered and the extent to which there is a legal obligation to keep it (normally 10 years). Once the purpose of gathering Personal Data has ceased to exist and the legal obligation to retain it has expired, the Data Controller arranges for the final and secure erasure of the data or, alternatively, for its anonymization.

Access to our detailed policy on the keeping of personal data may be requested from the Data Controller by e-mail.

Newsletter

The Data Controller provides a free update service concerning its activities via Newsletter.

The Newsletter is sent exclusively to those who have registered for this purpose by providing their e-mail address. You can be removed from the list of recipients at any time and with immediate effect by clicking on the “unsubscribe” link at the foot of every e-mail.

Deciding not to register for the Newsletter or unsubscribing from the list of recipients does not prejudice or reduce in any way your ability to use the Site and/or the associated resources.

The Data Controller does not monitor the behaviour of recipients of the Newsletter or profile them in any way. The Data Controller does not transfer the e-mail addresses of users to third parties, except for the Newsletter service provider, which receives the recipients’ e-mail addresses as part of its management of the Newsletter. The said service provider must be based in Switzerland, in the EU or in the USA (but in the latter case only if it has adhered to the US–CH/EU Privacy Shield).

Data relating to minors

Processing with the consent of the person concerned is lawful if the minor thus granting consent is at least 16 years old. If the minor is under 16 years of age, processing of his/her data is lawful only when consent is given or authorized by his/her legal representative. The Data Controller will in any case take reasonable steps, considering the technologies available, to check that the consent granted by the legal representative is effective. However, the Data Controller shall not be in any way liable for misleading statements provided by the minor and, in any case, should it become aware that a false declaration has been made, shall immediately erase all personal data and any material acquired. The Data Controller will facilitate requests relating to the personal data of minors originating from a legal representative.

Data Processors, recipients or categories of recipients, access to data

The Personal Data provided by users may be communicated to recipients who will process the data as Data Processors and/or as natural persons acting under the authority of the Data Controller or Data Protection Officer. Where they are acting independently, such persons assume the status of separate Data Controllers.

Aside from legally permissible data transmissions, data may be communicated to recipients belonging to the following categories:
■ individuals who provide information and telecommunications system management services used by the Data Controller to make the Site available and for organizing, programming, creating and executing the activities connected with the Site;
■ companies and professionals who provide services to the Data Controller, for example in the legal, accounting, administrative and tax fields.

In managing the Site and associated resources (in particular, e-mail, marketing, back-up, web design, graphics, maintenance, translation, hosting and internet access), LAPIS uses external suppliers of goods and/or services based and active in Switzerland or in the European Union (EU).

These external suppliers have access to the data only as strictly necessary for the correct and efficient performance of their tasks, subject to their signing a confidentiality and non-use agreement in respect of the Personal Data concerned.

A full, up-to-date list of data processors many be viewed at our corporate offices. For reasons of data security, certain items of information may be anonymized or masked.

Communications via e-mail, risks

Users should be warned that (i) use of e-mail does not ensure the confidentiality or integrity of the data being transmitted, (ii) many e-mail service providers are located or store their data in countries which do not guarantee adequate data protection (e.g. the USA; see the official, up-to-date list, which can be downloaded by clicking here), (iii) use of an e-mail service of this kind means that data will be transferred via and stored in a country that does not guarantee adequate protection of such data.

The user authorizes the Data Controller (including its constituent bodies, auxiliaries, agents and representatives) to transmit via ordinary (i.e. not certified and/or encrypted) electronic mail documents and/or information, including documents containing personal and/or confidential information, using the e-mail address provided by the user in response to user requests received via telephone or e-mail. The user, fully aware of the risks mentioned above, exonerates the Data Controller from all liability in the event of unauthorized third-party access to the documents and/or personal and/or confidential information transmitted or received via e-mail by the Data Controller and/or its constituent bodies and agents.

Links to third-party resources

The Site contains links to third-party websites and other internet-based resources. The Data Controller is not in any way liable for the content, security or availability of such websites and resources. In particular, the Data Controller does not check the privacy or data protection policies of such third parties.

Security

The Site implements security measures that are reasonable in the circumstances and proportionate to the risks involved in respect of unauthorized access, use, transmission, damage, loss and destruction of Personal Data. Such measures include technical, physical and organizational arrangements. However, considering the “open network” nature of the Internet, the Data Controller cannot guarantee, and does not guarantee, that data will not be intercepted or acquired by unauthorized third parties.

Users’ rights

Within the limits set by the FADP, a data subject may:
■ obtain rectification of inaccurate personal data (Art. 5 par. 2 FADP);
■ request free of charge and receive a written reply as to whether data concerning him/her is being processed (Art. 8 par. 1 FADP);
■ suspend or withdraw consent to the processing of his/her personal data (Art. 12 par. 2b) FADP);
■ have unlawful processing of his/her personal data halted (Art. 12 par. 2a) FADP);
■ prevent, without having to provide justification, the communication to third parties of personality profiles or personal data worthy of special protection (Art. 12 par. 2c) FADP);
■ demand that the processing of data be blocked, its communication to third parties be prevented, or that personal data be rectified or destroyed (Art. 15 par. 1 FADP);
■ if the accuracy or inaccuracy of personal data cannot be demonstrated, ask that a note be added stating its disputed nature (Art. 15 par. 1 FADP);
■ demand that rectification, destruction, blocking (in particular the blocking of communication to third parties) or mention of the disputed character of personal data or a ruling thereon be communicated to third parties or published (Art. 15 par. 3 FADP);
■ order the destruction of personal data gathered, kept or used unlawfully;
■ have the unlawfulness of the processing of personal data recorded.

If data processing falls within the territorial scope of Art. 3 GDPR, a person may assert his/her rights as expressed in Arts. 15, 16, 17, 18, 19, 20, 21, 22 GDPR, by applying to the Data Controller or the Data Processor. The text of the GDPR may be consulted by clicking on this link. The user is entitled, at any time and within the limits and on the terms set out in the GDPR, to ask the Data Controller for access to his/her personal data, its rectification or erasure, to limit processing that concerns him/her or to oppose such processing, or to exercise his/her right of portability. If the processing is based on Art. 6 par. 1a) or Art. 9 par. 2a) GDPR, the user is entitled to withdraw his/her consent at any time without prejudice to the lawfulness of processing based on consent as given prior to such withdrawal. The user is entitled to appeal to the competent Supervisory Authority. If a user asks to exercise his/her right of portability, the Data Controller must provide him/her, in a commonly used format that can be read on a computer, with the personal data concerning him/her, without prejudice to par. 3 and 4 of Art. 20 GDPR.

D. COOKIES AND SOCIAL MEDIA PLUG-INS

Introduction

This section describes the Site’s policy on the processing of users’ personal data where so-called “cookies” are concerned.

Technical notions

What are cookies?
Cookies are text files deposited in the user’s browser by websites / apps or servers when the user is surfing the web. Thanks to cookies, these websites or servers are able to recognize the browser during surfing and subsequently. Cookies help to improve users’ online experience, for example by recording the preferences expressed by the user or by saving the user the task of having to log on again at every change of page. Cookies can also be used to monitor the user’s online behaviour, thus having an impact on his/her privacy.

Types of cookies
Cookies can be subdivided into different types.
If the entity depositing the cookie in the user’s terminal is the Data Controller of the website being visited, the cookie is described as a “first-party” cookie; if it is deposited by a third-party website/server, it is known as a “third-party” cookie.
Where the duration of a cookie is concerned, “session” cookies are deposited when you access the site and eliminated when you close down your browser. “Persistent” cookies, on the other hand, remain stored on your device after the browser has closed down (until the cookie’s expiry date).
Where the purpose of a cookie is concerned, it is important to distinguish between “technical” cookies and “profiling” cookies. Technical cookies make web surfing, and therefore delivery of the service requested by the user, possible. They are not used for other purposes and are generally managed by the Data Controller of the site being visited. “Analytical” or “statistical” cookies are similar to technical cookies when they are used directly by the website’s Data Controller to gather information, in aggregate form, on the number of users and how they interact with the website. Tracking cookies are generally third-party cookies used to create a profile of the user based on his/her online behaviour and habits, so as to be able to send him/her personalized advertising messages.

Data Controller’s statement regarding cookies

In general
The Site may use, when so disclosed below, technical or analytical session cookies and, when strictly necessary to ensure greater user-friendliness, persistent technical or analytical cookies, in particular to customize the configuration of the Site, keep navigation moving, analyse the flow of traffic, and for the administrative needs of the system. The data gathered in this way is processed anonymously and is not communicated to third parties.
The Site may use, when so disclosed below, analytical tracking cookies, but not user profiling cookies.

List of active cookies, purposes and duration
The Site has implemented only the following cookie:
First-party technical / analytical cookie
■ Supplier: Google LLC
■ Name: Google Analytics
■ Type: Statistical
■ Purpose: to gather information on the user’s interaction with the Site
■ Duration: 26 months
■ IP masking: YES
■ Cross-referencing with other data on the part of the supplier: NO
■ De-activation plug-in: link
■ Necessary for using the Site: NO

■ Supplier’s privacy policy: link

Possibility of deactivating or deleting, technical consequences

Cookies
A user can set up his/her browser to inform him/her when a cookie is received or to block cookies (in general or for particular types of cookies, or for the website of origin). Generalized blocking of cookies, given that it also applies to technical cookies, would impose serious limitations on use of the Site. The user can delete cookies from the browser’s memory, or set up the browser to automatically delete cookies when the programme closes down (recommended choice).
By default, browsers automatically accept cookies. Instructions for deactivating or deleting cookies can be found on the browser developer’s website. Please refer to the following instructions for the most widely used browsers: Microsoft Internet Explorer and Edge; Google Chrome; Apple Safari; Mozilla Firefox e Opera.

There are further ways of reducing the risk of online tracking, for instance:
■ Activating the DoNotTrack option on the browser (if available);
■ Using the browser’s “private” or “anonymous” surfing function (if available), which prevents cookies from being stored on the device after surfing the web;
■ Install on your browser privacy plug-ins like Privacy Badger or Ghostery;
■ Opt-out from selected behavioral advertising schemes (for example: DAA Consumer Opt-Out Page, NAI Consumer Opt-Out Page).

E. APPLICABLE LAW AND PLACE OF JURISDICTION

The legal relationship between the user and LAPIS with reference to access to and use of the Site (and the associated resources) is governed by Swiss substantive law, excluding the rules of international private law.
The parties have chosen the Court of Lugano (Ticino) as the exclusively competent court in the event of any dispute arising from or connected with the use of the Site (and the associated resources). LAPIS reserves the right to bring suits at the competent court at the user’s registered office, branch office or place of domicile.

Date of entry into force: 12th April 2019