CFG Trading Whistleblowing Line

CFG Whistleblowing Line by Ethicontrol

Privacy Statement

Data Protection

This whistleblowing line operates in compliance with the Swiss Federal Act on Data Protection (revFADP, RS 235.1) and, where applicable, the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). The process ensures confidentiality, integrity, and protection of personal data throughout the reporting workflow.

1. Categories of Personal Data and Their Sources

CFG Trading Switzerland SA, CHE‑273.441.944 may process the following personal data:

  • Identification & Contact Data: full name, job title, organization, phone number, email address (of whistleblowers, reported individuals, and witnesses)
  • Nature of Violation: details and description of alleged misconduct
  • Supporting Evidence: documents, correspondence, images, technical logs, or any business-related proof

Sources include the whistleblower, internal investigation processes, and publicly available or lawfully obtained information. Irrelevant or unlawfully obtained data will be excluded.

2. Purpose of Data Processing

Data is processed in order to:

  • Manage and resolve whistleblowing reports
  • Identify or prevent illegal activities or breaches of internal policy
  • Protect the legal and compliance interests of CFG Trading Switzerland SA
  • Cooperate with competent authorities as legally required

3. Legal Basis for Processing

The legal grounds include:

  • Consent (Article 6(1)(a) GDPR), if the whistleblower voluntarily discloses their identity
  • Legitimate Interest (Article 6(1)(f) GDPR) for internal investigations
  • Legal Obligation (Article 6(1)(c) GDPR) under Swiss or EU law
  • Public Interest (Article 6(1)(e) GDPR), when applicable under the EU Whistleblower Directive (2019/1937)

4. Data Recipients and International Transfers

Data may be disclosed to:

  • Internal teams responsible for ethics, compliance, or security
  • Legal advisors and auditors
  • Swiss or EU regulatory, judicial, or supervisory authorities

Cross‑border transfers (e.g., to Ethicontrol as a service provider) will include appropriate safeguards under the revFADP (Articles 16–18) and GDPR (Chapter V), such as Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules.

5. Data Retention

  • During investigation: data is kept until the case is closed
  • Post-closure: data is retained for 5 years after closure, unless longer retention is required by law
  • Extended retention: may apply if needed for legal defense or compliance with legal obligations

6. Technical and Organizational Safeguards

The Company ensures data protection through:

  • Controlled, role-based access and authentication
  • Encryption in transit and at rest
  • Pseudonymisation and data minimisation
  • Logging, audits, and secure infrastructure

These measures comply with Article 8 of revFADP and Article 32 of GDPR.

7. Withdrawal of Consent

If processing is based on your consent, you may withdraw it at any time by contacting [email protected]. Such withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.

8. Data Subject Rights

You have the following rights under revFADP and GDPR:

  • Access: check if your data is processed and access it
  • Rectification: correct or update inaccurate or incomplete data
  • Erasure: request deletion if no legal basis exists for further processing
  • Restriction: temporarily limit processing in specified situations
  • Objection: contest processing based on legitimate or public interest
  • Portability: receive your data in a structured format or request transfer to another controller
  • Human Intervention: request that profiling or automated decisions are subject to human review

Note: Some rights may be restricted if exercising them would compromise an investigation, infringe on others' rights, or conflict with legal obligations.

9. Whistleblower Protection

The identity of the whistleblower remains confidential and is only disclosed:

  • To individuals directly involved in handling or investigating the report
  • When required by Swiss or EU authorities
  • If necessary for legal defense or procedural fairness

Prior notification will be provided unless it would impede the investigation.

10. Data Controller

CFG Trading Switzerland SA
CHE‑273.441.944
Rue des Alpes 5
Genève, 1201
Switzerland

📧 Data Protection Officer: [email protected]