Privacy and Data Protection Policy

Introduction

Banca del Sempione (Overseas) Ltd. (hereinafter also referred to as “the Bank“, “we” or “us“) issued this “Privacy and Data Protection Notice” (hereinafter the “Privacy Policy”) in the light of the Data Protection Act 2025 of the Bahamas (the “Act”). It applies to all clients, prospective clients, employees, service providers and any other individuals whose personal data we process. 
The purpose of this information is to inform you about the way in which your information is managed and collected within the contractual framework agreed with the Bank, on the reasons for the collection, the possible sharing and the time for which they will be kept. 
We therefore ask you to read this Privacy Policy which provides detailed information on the protection of your personal data and to bring it to the attention of any person whose information you provide us with. 
Detailed information on which data will be processed and which method will be used depends on the services requested or agreed. 
Regarding services provided by third party providers, please also read the relevant statutory provisions and the privacy policies of such third-party providers (e.g. providers of financial messaging services, stock exchanges, payment card schemes) that offer services independently from the Bank).

  1. Who is responsible for data processing and whom can I contact? 
    The responsible for the data processing is Banca del Sempione (Overseas) Ltd., Old Fort Bay Town Center, Nassau, The Bahamas.

    The responsible department is the Data Protecion Officer (DPO) of the Bank, which can be contacted at the address indicated below for any matter relating to the processing of personal data and for the exercise of data subject rights under the applicable law:
  2. Types of Personal Data Collected
    We collect and use your personal data to the extent necessary in the context of our activities, depending on the nature of the service we provide and to comply with applicable laws and regulations. 

    We may collect various types of personal data about you, including:
    • identification information (e.g., full name and surname, ID card and passport and relative number present on the identification document, nationality, place and date of birth, gender, photograph, IP address);
    • contact information (e.g., address and email address, phone number);
    • family situation (e.g., marital status, number of children);
    • tax statute (e.g., tax ID or other identification code for tax purposes);
    • education and employment information (e.g., level of education, remuneration);
    • banking, financial and transactional data (e.g., bank account details, credit card number transfer of assets, activities, declared investor profile, credit history, debt, source of wealth and expenses);
    • data about our products and services, including banks, financial and transactional data; 
    • data from your interactions with us through our Bank, our website, emails, phone conversations; 
    • background checks to evaluate solvency / over-indebtedness;
    • any recordings of telephone conversations between you and the Bank and video recordings during your visits to the Bank;
    • data that our servers automatically record when you visit the Bank’s website or our social media, your activity in relation to our products and services, the data transmitted by your browser or the device that you used and automatically recorded by our server (i.e. IP address, the type of device used, the type of browser used, the pages of the Bank’s website you visit, the date and duration of access and other technical information).  

      These data are used for reasons of computer security and to improve the ease of use of the site. We also use cookies, tracking scripts and other means such as, for example, pixel, tag, unique identifiers, to collect and process the above information and to keep track of your preferences and improve the quality of the products and services offered. For the use of cookies and other tracking scripts used by the Bank, please also refer to the “Cookies and Other Tracking Tools” available here

      We never ask for, collect or actively store particularly sensitive personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning your sexual orientation or data relating to criminal convictions and offences, unless it is required by law. However, if necessary, the Bank may collect, use and otherwise process sensitive personal data in accordance with the Data Protection Act 2025 of The Bahamas and any applicable regulatory requirements to which the Bank is subject.   

      In the case of corporate clients or institutional investors, we may collect information on directors, representatives, employees, shareholders or beneficiaries. Before providing such information to the Bank, please provide a copy of this Policy to such persons. 
  3. Purposes of Processing 
    We process personal data only where a lawful basis under the Data Protection Act 2025 applies and only to the extent necessary to achieve that purpose. The main purposes of such data processing are as follows:
    • a) to comply with our contractual obligations. Personal data are processed for the purpose of entering into or performing a contract to which you are a contractual party, for the products and services or to fulfil obligations, in the following ways: 
      • Provide information related to our products and services; 
      • Provide products and services and ensure their correct fulfilment, in accordance with your instructions and the terms of the product subscribed to; 
      • Assist you and answer your questions; 
      • Assess whether we are able to offer you a product or service and under what conditions. 
    • b) to comply with legal and regulatory requirements, including: 
      • banking and financial regulations; 
      • prevention of money laundering and terrorist financing; 
      • compliance with legislation on sanctions and embargoes; 
      • fight against tax fraud and the fulfilment of tax inspection and notification obligations; 
      • monitor transactions to identify those that deviate from the normal routine;
      • define the credit risk score and the repayment capacity;
      • record, when necessary, telephone calls, chats, e-mails, etc.;
      • collect your information to establish your risk profile in the context of providing financial services; 
      • respond to an official request from a public authority duly authorized by law.
    • c) for legitimate interest, including, but not limited to, the improvement of our products and services, quality assurance and administrative purposes, the assessment of legal claims and defense in legal disputes, for your interests and only when your fundamental rights do not prevail over these interests.
    • d) as a result of your consent. We process some particularly sensitive personal data (e.g. data concerning health, the intimate sphere, data concerning administrative and criminal prosecutions and sanctions, data concerning social welfare measures) on the basis of your explicit consent. You may revoke your consent at any time in the manner set out in point 10. The revocation of consent does not affect the lawfulness of data processing in the period prior to it. In any case, it may result in the interruption of the service provision.

as well as for other purposes of which you will be informed on a case-by-case basis.
Much of the aforementioned processing is performed to fulfil contractual obligations or for pre-contractual measures at your request.
Other processing is performed when required by law or in the public interest. For instance, such legal obligations may arise from Central and Securities Commission of The Bahamas.
Finally, some forms of data processing are intended to protect our legitimate interests or those of third parties in the context of a weighing of interests. If you would like further details about the weighing of interests, please contact us (contact details in section 1).
In specific cases, we will ask for your consent for personal data processing for certain purposes (e.g., transfer to third parties for their own marketing purposes). Such consent must be given separately and can be revoked at any time.

  1. Data sharing and Transfers
    Every bank office that needs your personal data to comply with our contractual and legal obligations will have access to such data.
    Service providers outside the Bank may receive data for these purposes if they comply with data protection regulations. These are banking services companies, IT services, logistics.
    Regarding the transfer of data to recipients outside our Bank, it should first be noted that, as a credit institution, we are required to maintain confidentiality for all matters and assessments relating to the customers we come to know (Banking Secrecy under our general conditions). We may transmit information that concerns you only if the legal provisions require it or if you have given your consent (e.g. to process a financial transaction you ordered) and / or if the Bank is authorized to provide information. Based on these requirements, the recipients of personal data may be, by way of example, but not limited to:
    • bodies governed by public law and financial institutions (e.g. Central Bank of The Bahamas, Securities Commission of The Bahamas, financial authorities, criminal prosecution authorities) based on an obligation imposed by law or authority;
    • credit institutions and other financial or similar institutions to which we transfer your personal data for business purposes (depending on the contract, e.g. correspondent banks, custodian banks, stockbrokers, fund management companies, stock exchanges values, information centres).
  2. Transfers of personal data to third countries or to an international organisation
    The recipients mentioned in the previous section may reside outside The Bahamas. In that case, the Bank will require such recipients to enter into a legally binding agreement to take appropriate measures to protect personal data, unless the receiving country is recognized as ensuring an appropriate level of data protection. Your data may also be transmitted to or within third countries to the extent necessary to carry out your orders (e.g., in the case of payment orders and securities trading orders), if such data transmission is required by law (e.g., tax reporting obligations) or if you have expressed your consent to that purpose. In such cases, transfers or personal data shall take place only where:
    • the receiving country ensures an adequate level of protection; or
    • appropriate safeguards are implemented, including contractual clauses or other legally recognised transfer mechanisms; or
    • the transfer in otherwise permitted under the Data Protection Act 2025.

Please contact us if you would like to examine the data transmission guarantees that have been agreed upon.

  1. Data Retention
    Personal data shall be retained only for as long as necessary for the purposes for which they were collected, in accordance with the principles of data minimization and storage limitation under the Data Protection Act, 2025 and in line with the Bank’s documented retention schedule.
    Upon expiry of such periods, we delete or anonymize your personal data. Deletion or anonymization is carried out securely and in accordance with internal data destruction procedures.
  2. Rights of Data Subjects
    Every data subject has the right to be informed about his or her personal data. Under the Data Protection Act 2025, you have the right to access your personal data, request the rectification of inaccurate data, request the erasure of personal data where applicable, request the restriction of processing, object to processing based on legitimate interests or for direct marketing purposes, request data portability where applicable, and not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, subject to applicable safeguards. You also have the right to lodge a complaint with the Data Protection Commissioner of The Bahamas. The requests may be submitted in writing to the Bank or to the Data Protection Officer.
    You may revoke your consent to personal data processing at any time. Please note that any such revocation will only be applicable to the future. Any processing performed before the revocation will not be affected. If you submit such an objection, we shall no longer process your personal data unless we have compelling legally protected reasons for such processing that outweigh your own interests, rights and freedoms, or unless the processing is used for the enforcement, exercise or defense of legal claims. Please note that if you make such objections, we will no longer be able to provide you with services or to maintain a business relationship with you.
    To exercise your rights, please use the following contact details:
    Banca del Sempione (Overseas) Ltd., Data Protection Officer, Old Fort Bay Town Center, Nassau, The Bahamas.
    If you make use of more than one Bank’s product or service, please specify, in exercising your right to object, which types of processing you object to. If there are uncertainties concerning the scope of your objection, we shall take the liberty of contacting you to clarify the matter.
  3. Is there an obligation to provide data?
    In the course of our business relationship, you must supply such of your personal information as we need to initiate and conduct our business relationship and to perform the related contractual obligations and such information as we are required to collect by law. Without such data, we will not generally be able to enter into or perform the contract (in which case, we will inform you of that fact).
    In particular, before we can start a business relationship with you, the anti-money laundering laws require us to check your identity by means of your identification documents and to collect and record your first and last names, place and date of birth, nationality, address and the identification document data. To enable us to meet that legal obligation, you need to provide us with the information and documents required by the Anti-Money Laundering Act, and to promptly report any relevant changes over the course of our business relationship. If you fail to provide us with the necessary information and documents we will be unable to initiate or continue our business relationship.
  4. To what extent is the decision-making process automated?
    We do not generally use any fully automated decision-making system to initiate and to continue the business relationship. If we use such methods in specific cases, we shall inform you of it separately, to the extent required by law. Where automated decision-making is used and produces legal or similarly significant effects, you have the right to request human intervention, to express your point of view, and to contest the decision, in accordance with the Data Protection Act, 2025.
  5. Is profiling done?
    The Bank does not perform any automated profiling activity nor any automated decision-making process.
  6. Data security
    We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In the event of a personal data breach, the Bank will assess the risk and, where required under the Data Protection Act 2025, notify the Office of the Data Protection Commissioner and, where applicable, the affected data subjects within the timeframe prescribed by law (e.g., encryption, pseudonymization, logging, access control, data backups, etc.) and organizational measures (e.g., instructions to our employees, confidentiality agreements, reviews, etc.) to ensure the security of the information collected and processed against unauthorized access, misuse, loss, falsification and destruction. Access to your personal data is allowed on a strictly need-to-know basis.
    Nevertheless, it is generally impossible to rule out security risks completely: certain residual risks are mostly unavoidable. In particular, since perfect data security cannot be guaranteed for communications by e-mail, Instant Messaging or similar means of communication, we advise you to send confidential information by especially secure means (e.g., send it by post).
  7. Change to Privacy Policy
    We invite you to review the latest version of this notice online and we will inform you of any substantial changes throughout website or through our usual communication channels.

Disclaimer – The website, all pages thereof and the material contained therein are not intended for natural or legal persons who, by virtue of their nationality, place of business, residence or for other reasons are subject to a legal system that prohibits or limits access thereto, consultation, availability or publication thereof, the presentation of financial services or the marketing of certain financial products. Access to the Banca del Sempione (Overseas) Ltd. website is prohibited to all persons to whom such restrictions apply. Please also read the legal notes.
Banca del Sempione (Overseas) Ltd. – All rights reserved

Back top