Master data is not collected on a general basis for each contact. Rather, the collection of master data is based on the individual case and the purpose of the processing. In general, it may include:
With this Privacy Policy, we, PensExpert AG (hereinafter “PensExpert” or “we”), wish to inform you (hereinafter “Data Subject”) how we process personal data on behalf of or together with the PensFlex, PensUnit, PensFree, Independent and Pens3a foundations (hereinafter “Foundations”) and notify you of your rights. We are aware of the significance that the processing of personal data has for you as a Data Subject and the protection of your privacy is extremely important to us.
I. Name and address of the data controller
The data controller within the meaning of the applicable data protection legislation who decides on the purposes for and means of processing personal data is:
PensExpert AG
The data controller’s data protection officer/data protection coordinator can be contacted using the following contact details:
PensExpert AG, Kauffmannweg 17, 6003 Lucerne (Switzerland).
Telephone number: +41 41 226 15 15
E-mail address: datenschutz@pens-expert.ch
If you have any questions in regard with this Privacy Policy or if you wish to exercise the rights listed in section XIII (Your rights) or section XIV (Right of objection), please contact us using the contact details provided unless otherwise stated or agreed. Please note that we have to identify you in order to prevent misuse, e.g. by providing a copy of your ID card or passport, unless identification is possible by other means.
II. General information about data processing
PensExpert AG takes the protection of personal data (hereinafter “Personal Data”) very seriously. Personal Data is any information relating to an identified or identifiable natural person. This includes, e.g. name, address, telephone/fax number and e-mail address, as well as IP address and the date and time at which our website was accessed.
1. Scope of processing
In principle, we process your Personal Data only to the extent necessary to provide a functional website as well as our content, products and services. The processing of our users’ Personal Data takes place on the basis of the agreed purposes or a legal basis. We only collect Personal Data that is necessary for the performance and execution of our tasks and services or that you provide to us voluntarily. The processing of your Personal Data is carried out with your consent or, if it is permitted by law or legal obligations, when we or third parties have an overriding private or public interest in processing or we are processing it for the performance of a contract.
2. Legal basis for the processing of Personal Data
If and to the extent that data processing operations take place under the GDPR, we therefore also rely on the following legal bases:
If we obtain the consent of the Data Subject for the processing of Personal Data, art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
If we ask for your consent for certain processing operations (e.g. for receiving newsletters and for personalised content or advertising based on your usage behaviour or for processing sensitive data), we process your data on the basis of this consent. You may withdraw your consent at any time with effect for the future by written notification (e-mail is sufficient) – please see our contact details in section I. The withdrawal of your consent does not affect the lawfulness of the processing that we carried out prior to your withdrawal, nor the processing of your data on the basis of other reasons.
If we have not asked for your consent, we process your data for other legal reasons:
Art. 6 (1) (b) GDPR serves as the legal basis for the processing of Personal Data that is necessary for the performance of a contract with the Data Subject. This also applies to processing operations that are necessary to carry out pre-contractual measures.
If the processing of Personal Data is necessary in order to fulfil a legal obligation to which our company is subject, art. 6 (1) (c) GDPR serves as the legal basis.
If the vital interests of the Data Subject or another natural person necessitate the processing of Personal Data, art. 6 (1) (d) GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and if the interests and fundamental rights and freedoms of the Data Subject do not outweigh the former interest, art. 6 (1) (f) GDPR serves as the legal basis for the processing. We rely on this legal basis, in particular (but without limitation) when we process data for marketing purposes and client management, security reasons and in relation to our corporate governance and business development (incl. risk management).
3. Data deletion and retention period
In general, we process your data only for as long as it is necessary to fulfil the purposes for which we have collected it, including compliance with statutory retention obligations and, insofar as this is necessary for the assertion of or defence against legal claims, until the end of the respective retention period or until the relevant claims have been settled. At the end of the respective retention period, we will securely destroy your data in accordance with the applicable laws and regulations.
III. Products and services
1. Description and scope of data processing
a) By PensExpert and the Foundations
We primarily process Personal Data that we receive directly as part of our contractual relationship with our insured members. We may also receive or collect data from business partners or other involved persons. This means that if you make use of a service provided by PensExpert AG and/or the Foundations, we will store and process your data, in particular personal, pension and financial data.
We process data when we provide you with advisory services (such as pension and tax advice in the context of occupational pension provision, advice on the investment of pension capital, mortgage advice, investment advice, financial planning), develop pension concepts, perform general support tasks (e.g. drawing up pension plans for new business and plan amendments, staff information events, etc.) and perform various coordination tasks. We also process data for custody account and asset management purposes, in connection with transaction costs (such as purchase/sale) and for the provision of investment advice by PensExpert and external business partners (banks), etc.
In addition, we process data when we perform risk assessments and when we provide our pension benefits, make notifications, register you as a new client/insured person, assist you in the context of the promotion of home ownership, carry out credit checks, etc., and receive data from you through third parties for the purposes set out in this Privacy Policy.
We process data when you contact us.
We process data that we receive from third parties (e.g. employers) or business partners in order to fulfil our contractual duties and obligations towards you or to comply with legal requirements.
In the case of advisory services (e.g. tax advice), we also receive data from tax offices, fiduciary companies, etc., typically on the basis of powers of attorney granted by you.
We process data to the extent that we are legally obliged or entitled to do so, e.g. for verification in the context of deposits and withdrawals, account opening processes and the settlement, calculation and/or refusal of benefits.
2. Purpose of data processing
We process your data for the purposes described below:
Fulfilment of a contract
We process your data in order to conclude, execute and manage a contract with you. For this purpose, we may process communication data, master data and contract data in particular. This may also include data about third parties, e.g. if you order products or services in favour of a third party. In this context, we may receive information about you as an employee of your employer from third parties, e.g. insurance brokers who are commissioned by your employer to interact directly with us as a (potential) insurer or provider of various pension solutions in the area of occupational pensions as part of an existing mandate with your employer. We also receive data about potential customers that we obtain from communication with you, at a trade fair or other business event (for further information on the disclosure of data, please refer to Section III.3 (Disclosure to third parties, Section X ]). We also process data for the provision of services, clarification of insurance risks, beneficiary regulation, risk minimisation, early detection, customer care, notifications to authorities (e.g. IV offices, unemployment insurance funds), etc.
We process data for the provision of services, clarification of insurance risks, beneficiary arrangements, risk minimisation, early detection, client care, notifications to authorities (e.g. disability insurance (IV) agencies, unemployment funds), etc.
As part of the contract with you, we use this data to check your creditworthiness and to enter into a business relationship with you. For the purpose of managing and performing the contract with you, we may engage third parties, such as logistics companies, advertising service providers, banks, insurance companies or credit information providers, to offer you our products and services.
Communication
We process your data for the purpose of communicating with you, in particular to answer enquiries and assert your rights (see section XIV) and to contact you in the event of queries. In particular, we use communication data and master data for this purpose. We keep this data to document our communication with you, for training purposes, for quality assurance and for enquiries.
Marketing and relationship management
We process your data for marketing and relationship management purposes. For example, we send out personalised newsletters for products and services from us and, if applicable, from selected third parties (e.g. advertising partners). Marketing and relationship management may include contacting you by e-mail, telephone or other channels for which we have contact information from you. We and, if applicable, selected third parties will only show you content or advertising tailored to your usage behaviour or send e-mails for marketing purposes (e.g. newsletters) if and to the extent that you give us your consent, insofar as this is required by the applicable law. You may object to such marketing activities at any time or withdraw your consent (see sections XIV and XV).
With respect to relationship management, we may use a customer relationship management («CRM») system to store and process your data as described in this Privacy Policy (e.g. about contact persons, products and services offered to you, interactions, interests, marketing activities, newsletters, invitations to events and other information).
Newsletter
For sending our newsletters, we use the "NetMailer" platform, which is operated by PAWECO GmbH. PAWECO is a provider based in Switzerland and is subject to Swiss data protection law. The e-mail addresses of our newsletter recipients and other relevant data are stored on PAWECO's servers in Switzerland and used exclusively for the evaluation and dispatch of our newsletters. We have concluded an agreement with PAWECO on commissioned data processing, in which PAWECO undertakes to protect the data of our users in accordance with the provisions of data protection law and to process it on our behalf.
We trust that PAWECO will treat our users' data securely and confidentially and will not use it for its own purposes or pass it on to third parties. If you do not want NetMailer to analyze your data, you can unsubscribe from the newsletter at any time. We will provide you with a corresponding link in each newsletter message.
NetMailer is also used to analyze our newsletter campaigns. For this purpose, technical information such as the time of retrieval, IP address, browser type and operating system is recorded. When you open an e-mail sent via NetMailer, a file contained in the e-mail (known as a "web beacon") connects to PAWECO's servers. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on.
The data processing is based on your consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO. You can revoke this consent at any time by unsubscribing from the newsletter. The revocation does not affect the lawfulness of the data processing that has already taken place.
Product/service improvement and innovation
We also process your data for market research, to improve our services and operations, and for product development.
Security-related reasons
We process your data to protect our IT and other infrastructure (e.g. buildings). For example, we process data for monitoring, analysing and testing our networks and IT infrastructures, including access control. We may also use surveillance systems, such as cameras, for security purposes. In such a case, we will inform you separately at the appropriate junctures.
Compliance with the law
We process your data in order to comply with legal requirements, such as health security concepts, anti-money laundering and anti-terrorist financing measures, tax obligations, etc., to make reports to authorities (e.g. disability insurance (IV) agencies, compensation funds, etc.), and we may need to request further information from you in order to comply with such requirements («Know Your Customer (KYC)») or as otherwise required by law and the authorities.
Risk management, corporate governance and business development
We process your data as part of our risk management and corporate governance processes in order to protect ourselves from criminal or improper activities. As part of our business development, we may sell or acquire businesses, parts of businesses or companies to others or enter into partnerships, which may result in the exchange and processing of data based on your consent.
3. Disclosure to third parties
As part of our business activities, we may disclose your Personal Data to third parties for the purposes stated and where appropriate:
Banks, employers, insurers (including reinsurers), brokers/agents, trustees, asset managers, pension funds/social security funds and third parties commissioned by you
Based on your authorisation/consent, we may pass on data to reinsurers and pension funds to review the risk and benefit entitlement and to process contracts.
If indicated or based on your consent/authorisation, we may also pass on data (e.g. pension information) to the custodian bank/depositary bank, asset manager and the responsible broker (agent) or intermediary. We pass on your personal data to brokers if they are commissioned by your employer as brokers within the scope of their mandate to interact directly with us as a (potential) insurer or provider of various pension solutions in an area of occupational pensions.
We also receive data from employers and other partners or third parties concerning you, which we pass on to banks, insurance companies, social security funds, pension funds, brokers, agents and other third parties for processing in order to fulfil the purposes stated in this Privacy Policy.
We may also pass on data that we have collected to fiduciary and consulting companies or other third parties in the context of contractual fulfilment or client care.
Authorities, social security organisations/funds, pension funds
In addition, based on your consent, we may obtain information from authorities, social security organisations and third parties in order to assess the risk and entitlement to benefits, in particular from the previous pension scheme about any benefits provided, and process this data if and to the extent that you have released the persons, their auxiliaries and organisations from their duty of confidentiality.
Other third parties
Please refer to the information in section X below.
4. Retention period
The Personal Data we collect is only processed or saved for as long as it is necessary to manage the contractual relationship between you and the Foundations (from the initiation to the termination of a contract) or for the other purposes for which the data is being processed and/or for as long as a statutory retention and documentation obligation applies or there is an overriding private or public interest in the data processing or the data processing is necessary for the purpose of asserting or defending against legal claims, until the expiry of the retention period in question or until the claims in question have been dealt with. As soon as the Personal Data we collect is no longer required for the above purpose(s) respectively the applicable retention period has expired, the data will be deleted or anonymised as far as possible.
5. Categories of data
Master data
The term “master data” refers to the basic data that we need in addition to the contract data (see below) for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as your name, contact data and information like your role and function, details of your bank account(s), your date of birth, client history, powers of attorney, signature authorisations and declarations of consent. We process your master data if you are a client or other business contact or are working for one (e.g. as a contact person for the business partner), or because we want to contact you for our own purposes or those of a contractual partner (e.g. in the context of marketing and advertising, with newsletters, etc.). We receive master data from you (e.g. in the context of a purchase or within the scope of a registration), from your employer and from bodies for which you work, or from third parties such as our contractual partners, associations and address traders, and from publicly accessible sources such as public registers or the Internet (websites, social media, etc.). We generally retain this data for 10 years from the last contact with you, but from no earlier than the end of the contract. This period may be longer if this is necessary for evidence purposes, to comply with statutory or contractual requirements or for technical reasons. For pure marketing and advertising contacts, the retention period is normally much shorter, usually no more than 2 years since the last contact.
Master data is not collected on a general basis for each contact. Rather, the collection of master data is based on the individual case and the purpose of the processing. In general, it may include:
Surname, first name
Address (address, postcode, town/city, country)
E-mail address
Telephone number and other contact details
Gender
Date of birth
Nationality
Language
OASI (AHV) number
Marital status, date of marriage, date of divorce
Relocation to Switzerland from abroad
Health data, such as height, weight, disability insurance (IV) examinations, medical treatments, medical examinations, medication enquiries, medical tests, benefits (e.g. disability insurance (IV), accident insurance (UV), military insurance (MV)), existence of a medical restriction, etc.
Pension and insured member data (e.g. contributions, contribution benefits, data on purchases, termination benefits, pledging, registration forms, etc.)
Details of the residential property, ownership structure, details of mortgages, mortgage certificates, land register extract, copy of loan agreement, copy of pledge notice, etc.
Status of capacity to work, degree of employment, employment relationship (e.g. self-employment)
Salary data, such as annual salary and bonus, as well as insured salaries
Bank account information and other bank details (e.g. pension assets, amount of assets, custody account number, portfolio positions, account number, bank, fee rate, advisory fees, etc.)
Other financial data
Other data in connection with the employment relationship (e.g. starting date, leaving date, incapacity for work, unpaid leave, retirement, position, etc.)
Data about employers, banks, partners, suppliers, including all related accounting documents
Data on related persons
Websites
Social media profiles
Photos and videos
Copies of ID cards
Information about your relationship with us (e.g. client, supplier, visitor, service provider or service recipient, etc.)
Information about your status, your assignments, classifications and mailing lists
Details of interactions with you
Reports
Official documents (e.g. commercial register extracts, permits)
Payment information (e.g. bank details, account number and credit card details)
Declarations of consent
For clients, suppliers and partners, master data also includes information about the role or function in the company, qualifications and information about line managers, employees and information about interactions with these people.
Data on previous pension solutions/relationships (domestic/international)
Contract data
We collect contract data in connection with the conclusion or performance of a contract, (e.g. information about the products and services provided or to be provided, as well as data from the period prior to the conclusion of the contract, information required or used for the performance of a contract, and information about feedback (e.g. complaints, satisfaction feedback, etc.). We generally collect this data from you, contractual partners and third parties involved in the performance of the contract (such as employers), but also from third-party sources and from publicly accessible sources. We generally retain this data for [10] years from the last contract activity, but from no earlier than the end of the contract. This period may be longer if this is necessary for evidence purposes, to comply with statutory or contractual requirements or for technical reasons.
The contract data includes, among other things:
Information about the conclusion of the contract and about your contracts, e.g. contract type, date of conclusion and its duration
The performance and administration of the contracts (e.g. information in connection with billing, client service, technical support and the assertion of contractual claims)
Information about defects, complaints and contract amendments, as well as information about client satisfaction that we may collect through surveys, for example.
Financial data, such as information on creditworthiness (i.e. information that allows conclusions to be drawn about the likelihood that amounts owed will be paid), dunning and payment collection information
We receive some of this data from you (e.g. when you make payments), but also from credit agencies and payment collection companies and from public sources (e.g. commercial registers).
Communication data
If you contact us via the contact form, e-mail, telephone, chat, letter or other communication channels, we will collect the data exchanged between you and us, including your contact details and the peripheral data on the communication. If we record telephone conversations or video conferences, we will draw your attention to this separately. If we want or need to ascertain your identity, e.g. when you make a request for information, we collect data to identify you (e.g. a copy of your ID). We generally store this data for 12 months from the last contact with you. This period may be longer if we process your communication data in connection with the performance of a contract, or if this is necessary for evidence purposes, to comply with legal or contractual requirements or for technical reasons. E-mails in personal mailboxes and written correspondence are generally kept for at least 10 years. Chats are usually stored for 2 years.
Communication data includes, among other things:
Your name, contact details, e-mail address, telephone number, home address
Other data
We also collect your data in other situations. In connection with official or court proceedings, for example, data (such as files, evidence, etc.) is generated that may also relate to you. We may also collect data for reasons of health protection (e.g. as part of protection concepts). We may receive or produce photos, videos and sound recordings in which you may be recognisable (e.g. at events, security camera footage, etc.). We may also collect data about who enters certain buildings and when they do so, or has corresponding access rights (including access controls, based on registration data or visitor lists, etc.), who participates in events or campaigns and when they do so, and who uses our infrastructure and systems and whey they do so. The retention period for this data depends on the purpose and is limited to what is necessary. This ranges from a few days for many of the security cameras and typically a few weeks for contact tracing data, to visitor data which is usually kept for 3 months, to several years or more for event reports with images.
You disclose much of the aforementioned data to us yourself (e.g. via forms, in the context of communication with us, in connection with contracts, when using the website, etc.). Except in individual cases, e.g. within the framework of binding protection concepts (statutory obligations), you are not obliged to do so. If you wish to conclude contracts with us or make use of services, you must also provide us with data as part of your contractual obligation in accordance with the relevant contract, in particular master, contract and guest access or registration data. The processing of technical data is unavoidable during the use of our website. If you wish to gain access to certain systems or buildings, you must provide us with registration data. In the case of behavioural and preference data, however, you have the option of objecting or refusing to give your consent.
We will only provide certain services to you if you provide us with registration data because we or our contractors want to know who is using our services, because it is technically necessary or because we want to communicate with you.
If you or a person you represent (e.g. your employer) wishes to enter into or fulfil a contract with us, we must collect relevant master, contract and communication data from you, and we process technical data if you use our website or other electronic services for this purpose. If you do not provide us with the data required to enter into and perform the contract, it is likely that we will refuse to enter into the contract, that you will be in breach of the contract, or that we will not fulfil the contract. Similarly, we can only reply to your enquiries by processing the corresponding communication and – if you communicate with us online – possibly also technical data. In addition, it is not possible to use our website without us receiving technical data.
Insofar as it is not prohibited, we may also obtain data from publicly available sources (e.g. debt enforcement registers, land registers, commercial registers, media or the Internet including social media) or obtain data from other companies within our group, authorities and other third parties (such as credit agencies, address traders, associations, contractual partners, Internet analytics services, etc.).
The categories of Personal Data that we receive about you from third parties include, in particular, information from public registers, information that we obtain in connection with official and legal proceedings,
information relating to your professional functions and activities (to enable us, for example, to conclude and execute transactions with your employer with your assistance), information about you in correspondence and discussions with third parties, credit information (insofar as we conduct personal transactions with you), information about you provided to us by people close to you (family, advisors, legal representatives, etc.) so that we can enter into contracts with you or be able to conclude or perform contracts with your involvement (e.g. references, your address for deliveries, powers of attorney, information on compliance with legal requirements such as fraud, money laundering and terrorism prevention and export restrictions), information from banks, insurance companies and sales and other contractual partners of ours regarding the use or provision of services by you (e.g. payments, purchases, etc.), information from the media and the Internet about you (where appropriate in the specific case). Your address and, if applicable, interests and other sociodemographic data (in particular for marketing and research) and data in connection with the use of third-party websites and online offerings, where such use can be attributed to you.
As part of the optimisation of our marketing measures, the following data may be collected and processed via HubSpot:
Geographic location
Browser type
Navigation information
Reference URL
Performance data
Information about how often the application is used
Mobile app data
Login information for the HubSpot subscription service
Files that are displayed locally
Domain name
Pages viewed
Aggregated use
Operating system version
Internet service provider
IP address
Device identifier
Duration of the visit
Where the application was downloaded from
Operating system
Events occurring within the application
Access times
Clickstream data
Device model and version
Technical data
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer (see section IV below).
6. Possibility of objection and deletion
As part of our business relationship, you must provide all Personal Data that is necessary for the commencement and performance of our service and the fulfilment of the associated contractual obligations. Without this data, we will generally not be able to conclude or perform a contract with you (or the insured person who is employed by you).
You have the option to revoke your consent to the processing of your Personal Data at any time.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
As already mentioned above, we also process technical data. This is the case, for example, each time our website is accessed, whereby our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:
Information about the browser type and version used
The user’s operating system
The user’s Internet service provider
The user’s IP address
Date and time of access
Websites from which the user’s system accesses our website
Websites accessed by the user’s system via our website
Data volumes transferred.
2. Purpose of data processing
The temporary saving of the user’s IP address by the system is necessary to enable the website to be delivered to the user’s computer. To this end, the IP address has to be saved for the duration of the session. The data is also stored in the log files of our system.
The log files contain IP addresses or other data that can be assigned to a user. This could be the case, for example, if the link to the website from which the user accesses our website or the link to the website to which the user switches contains Personal Data.
The data is stored in log files in order to ensure that the website functions correctly. In addition, the data enables us to optimise the website and ensure the security of our IT systems. However, no data is evaluated for marketing purposes in connection with this.
3. Retention period
The data is deleted as soon as it is no longer required for the purpose it was originally collected for. In the case of data collected for the purpose of providing the website, this is the case when the respective session has ended.
If the data is stored in log files, this is the case after 7 days at the latest. The data may be retained beyond this period. In this case, the users’ IP addresses are deleted or altered in such a way that attribution to the accessing client is no longer possible. However, this data is not stored together with other Personal Data of the user.
4. Possibility of objection and deletion
The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. Consequently, there is no possibility of objetion to this kind of data processing.
V. Use of cookies
1. Description and extend of data processing
Our website uses cookies. Cookies are text files that are stored in respectively by the Internet browser on the user’s computer system. If you access a website, a cookie may be stored on your operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is accessed again.
We only store necessary cookies, i.e. cookies that are necessary for the functioning of the website as such or for certain functions. For example, some cookies ensure that you can switch between pages without losing the information entered in a form. They also make sure that you will remain logged in. These cookies only exist temporarily (“session cookies”). Session cookies are deleted automatically when you leave our website. If you block them, the site may not work properly. Other cookies are necessary for the server to store options or information (that you have entered) beyond the end of a session (i.e. a visit to the site) when you use this function (e.g. language settings, consent, automatic log-in functions, etc.).
2. Duration of storage, possibility of objection and deletion
Technically necessary cookies have an expiry time of up to 12 months.
VI. Simulation calculator
1. Description and scope of data processing
On our website you will find simulation calculators, such as purchase and withholding tax and other calculators, which allow you to simulate the effects of certain actions on assets, capital, savings and the like. In particular, we collect the following data from you for the simulation calculators:
Year of birth
Gender
Marital status
Confession
Postcode and place of residence
Net income per year/income
Purchase amount
Lump-sum payment amount
Number of children/children in initial education
Registered office of your pension fund
2. Purpose of data processing
The data is processed for the purpose of performing the simulation/simulation calculation requested by you. Based on the information you provide in the input screen, we calculate respectively simulate (possible) scenarios (such as tax savings, additional retirement capital, savings opportunities, etc.).
3. Retention period
The data is processed temporarily for the execution of the simulation. The data is not stored and is deleted automatically when you leave the website.
VII. Contact form and e-mail contact
1. Description and scope of data processing
On our website there is a contact form which can be used to contact us electronically. If a user makes use of this option, the data entered in the input mask is transmitted to us and stored. This data consists of:
The following data is also processed and stored when the message is sent:
The user’s IP address
Date and time of the enquiry
Whether you are already a client
First name and surname
Postcode
E-mail address/telephone number
Contract number
Subject area selected
Comments made
Name of the company.
Your consent to the processing of the data is obtained as part of the sending process and reference is made to this Privacy Policy. Alternatively, you can contact us using the e-mail address provided. In this case, the user’s Personal Data transmitted with the e-mail will be stored.
Data will not be passed on to third parties in this context. The data is used exclusively for processing the conversation.
2. Legal basis for data processing
If the user has given his or her consent, the legal basis for processing the data is Art. 6 (1) (a) GDPR.
The legal basis for processing data transmitted via e-mail is Art. 6 (1) (f) GDPR. If the purpose of the e-mail contact is to conclude a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.
3. Purpose of data processing
We process the Personal Data from the input screen solely for the purpose of processing the contact. If you contact us by e-mail, this also constitutes the necessary legitimate interest in processing the data. The other Personal Data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our IT systems.
4. Retention period
This data is deleted as soon as it is no longer required for the purpose it was originally collected for. For the Personal Data from the input screen of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation ends when it can be inferred from the circumstances that the matter in question has been conclusively clarified.
The additional Personal Data collected during the sending process will be deleted after a period of 7 days at the latest.
5. Possibility of objection and deletion
You have the option of withdrawing your consent to the processing of your Personal Data at any time (see contact details in section I). If you contact us by e-mail, you can object to the storage of your Personal Data at any time. In such a case, the conversation cannot be continued.
In this case, all Personal Data stored during the contact with you will be deleted.
VIII. Web analysis by Google Analytics
On the basis of your consent, we use tracking tools to ensure that our website and other electronic services (e.g. app) are designed in a needs-based manner and continuously optimised. We also employ tracking tools to statistically record the use of our website and to evaluate it for the purpose of optimising the content we show you.
We use Google Analytics on the basis of your consent.
Google Analytics: Google Ireland (which has its registered office in Ireland) is the provider of the Google Analytics service and acts as our data processor. For this purpose, Google Ireland relies on Google LLC (which has its registered office in the US) as its data processor (both referred to as “Google”). Google uses performance cookies (see above) to track the behaviour of visitors to our website (duration, frequency of page views, geographical origin of access, etc.) and on this basis compiles reports on the use of our website. We have configured the service in such a way that the IP addresses of visitors are truncated by Google in Europe before being forwarded to the US and thus cannot be traced. We have disabled the «Data transfer» and «Signals» settings. Although we may assume that the information we share with Google is not Personal Data for Google, it is possible that Google may use that information to infer the identity of visitors, create personal profiles and link that information to these individuals’ Google accounts for its own purposes. If you consent to the use of Google Analytics, you explicitly consent to such processing, which also includes the transfer of Personal Data (in particular usage data for the website and app, device information and individual IDs) to the US and other countries. Information on Google Analytics privacy is provided here https://support.google.com/analytics/answer/6004245 and, if you have a Google account, you can find further details about how Google processes it here https://policies.google.com/technologies/partner-sites?hl=en.
IX. Profiling and automated decision-making
We may perform automated evaluations of certain personal characteristics of yours for the purposes named in this Privacy Policy on the basis of your data («profiling») in order to ascertain preference data, assess fraud and security risks, perform statistical evaluations or for operational planning purposes. We may also draw up profiles for the same purposes, i.e. we may combine behavioural and preference, master, contract and technical data attributed to you in order to understand you better as a person with your different interests and other characteristics. We may also use profiling to assess your creditworthiness. We do not do any profiling that could have legal implications or a similar negative impact for you without human verification.
For reasons of efficiency and consistency in decision-making processes, it may be necessary in certain situations for us to automate discretionary decisions related to you with legal implications or potentially significant disadvantages («automated individual decisions»). We will inform you accordingly if this is the case and take the measures necessary under the applicable law.
X. Forwarding of data to third parties
In connection with our contracts, the website, our services and products, our legal obligations or otherwise to protect our legitimate interests and the other purposes listed in this privacy policy, we also transfer your personal data to third parties (see also Section III.3 above), in particular to the following categories of recipients:
Foundations
We may disclose data to our Foundations, which may use the data for the same purposes as set out in this Privacy Policy, including advertising their own products and services.
Service providers
We work with service providers in Switzerland and abroad who process data about you on our behalf or under joint responsibility with us or who receive data about you from us on their own responsibility (e.g. IT providers, shipping companies, advertising service providers, login service providers, cleaning companies, security firms, banks, insurers, telecommunications companies, credit agencies, address verification providers, lawyers) or whom we commission to process Personal Data on our behalf for one of the above purposes and only in accordance with our instructions.
Contractual partners including clients
If the respective contract requires it, we will pass on your data to other contractual partners. If we sell or buy a business or assets, we may pass on your data to the potential seller or buyer of such business or assets, to whom we assign or transfer our rights and obligations.
We may pass on data to banks, asset managers, brokers, intermediaries, pension funds, social insurance schemes, reinsurers, employers, etc. in order to fulfil contractual or legal obligations towards you or your employer, if applicable, also based on your consent, explicit instructions from your employer or if there is a legitimate interest in doing so.
Authorities
We may pass on Personal Data to administrative bodies, courts and other authorities (e.g. disability insurance (IV) offices, OASI (AHV) offices, etc.) in Switzerland or abroad, if we are legally obliged or entitled to do so or it appears necessary to protect our interests. The authorities process your data that they receive from us on their own responsibility.
Social plug-ins
Our website uses social plug-ins from social media sites such as LinkedIn and Twitter and integrates them as follows:
When you visit our website, the social plug-ins are deactivated, i.e. no data is transmitted to the operators of these networks. If you wish to use one of the networks, you must establish a direct connection to the network’s server by clicking on the respective social plug-in, i.e. the integration only takes place with your consent.
The social media provider stores the data collected about you as usage profiles and uses it for the purposes of advertising, market research and/or needs-based design of its website. Such an evaluation is carried out in particular (including for users who are not logged in) to show needs-based advertising and to inform other users of the social network about your activities on our website. Your connection to a social network, the data transfers between the network and your system and your interactions on this platform are subject exclusively to the privacy policy of the respective social media provider. Further information on the purpose and scope of data collection and processing by the social media provider can be found in the privacy policies of these providers, which are provided below. There you will also find further information about your rights in this regard and settings options to protect your privacy.
Data is passed on regardless of whether you have an account with the social media provider and are logged in there. If you are logged in to the social media provider, your data collected from us is assigned directly to your account with the social media provider. If you click the activated button and, for example, link to the page, the social media provider also stores this information in your user account and publicly shares it with your contacts.
We recommend that you regularly log out after using a social network, but especially to deactivate social media buttons , as this will prevent data from being as-signed to your profile with the social media provider.
If you activate a social plug-in, Personal Data may reach providers in countries outside the European Economic Area that, from the point of view of Switzerland or the European Economic Area (EEA), may not guarantee an adequate level of protection for the processing of Personal Data in accordance with Swiss/EU standards. Accordingly, if you activate a social plug-in, you also consent to such transmission.
You may withdraw your consent at any time, without this affecting the lawfulness of the data processing up to the time of withdrawal. The easiest way to revoke your consent is to use the functions of the social media providers.
Integration of YouTube videos
Our online offering includes integrated YouTube videos, which are stored on YouTube.com and can be played directly from our website. These are all integrated in «extended data protection mode», i.e. no data about you as a user is transmitted to YouTube if you do not play the videos. The following data is only transmitted when you play the videos. We have no control over this data transmission. The legal basis for viewing the videos is your consent, i.e. the integration only takes place with your consent.
When you visit the website, YouTube is informed that you have accessed the corresponding subpage of our website. In addition, the above-mentioned basic data such as IP address and time stamp is transmitted. This is done regardless of whether YouTube provides a user account through which you are logged in or whether there is no user account. If you do not want the data to be assigned to your YouTube profile, you must log out before activating the button. YouTube stores your data as user profiles and uses it for the purposes of advertising, market research and/or needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right of objection to the creation of these user profiles; you must contact YouTube to exercise this right.
The information collected is stored on Google servers, including in the US. In such cases, the provider states that it has imposed on itself a standard which corresponds to the former EU-US Privacy Shield and has undertaken to comply with applicable data protection laws when transmitting data internationally.
Further information on the purpose and extend of data collection and processing by YouTube can be found in its privacy policy. There you will also find further information about your rights and settings options to protect your privacy.
Our social media presence
We have various presence on social media platforms. We operate these pages with the following providers: LinkedIn, YouTube.
We receive this data from you and the platforms when you contact us via our websites (e.g. when you communicate with us, comment on our content or visit our page). At the same time, the platforms evaluate your use of our online presence and link this data with other data about you that is known to the platforms (e.g. about your behaviour and preferences). They also process this data for their own purposes on their own responsibility, in particular for marketing and market research purposes (e.g. to personalise advertising) and to manage their platforms (e.g. what content they display to you).
Please note that when you use our pages on social media platforms and their functions, you do so at your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating).
The individual data processing operations and their scope vary depending on the operator of the social network in question. For details about the collection and storage of your Personal Data as well as the nature, scope and purpose of its use by the operator of the respective social media platform, please refer to the privacy policy of the respective operator.
The data collected about you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular the US. Many of the aforementioned providers state that they have an adequate level of data protection equivalent to that of the former EU-US Privacy Shield, and in addition, these platforms or we, where necessary, have concluded what are known as standard data protection clauses with the companies.
We are not aware of how the social media platforms use the data from your visit to our account and the interaction with our posts for their own purposes, how long this data is stored and whether data is passed on to third parties. Data processing may vary depending on whether you are registered and logged in to the social network or are visiting the site as a non-registered and/or non-logged-in user. When accessing a post or an account, the IP address assigned to your end device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your end device may be used to track your movements in the network. Using buttons integrated into websites, the platforms are able to record your visits to these websites and assign them to your respective profiles. This data can then be used to offer you tailored content or advertising. If you want to prevent this from happening, you should log out respectively disable the «stay logged in» function, delete the cookies stored on your device and restart your browser.
To exercise your rights as a Data Subject, you can contact both us and the provider of the social media platform.
The providers describe what information the social media platform receives and how it is used in their own privacy notices (see link in the overview above). There you will also find information about contact possibilities and setting options for advertisements.
Integration of Google Maps
This website uses the services of Google Maps. This allows us to show you interactive maps directly on the website and allows you to conveniently use the map function. The legal basis for the use of the maps is your consent, i.e. the integration only takes place with your consent.
When you visit the website, Google is informed that you have accessed the corresponding sub-page of our website. In addition, the above-mentioned basic data such as IP address and time stamp is transmitted. This is done regardless of whether Google provides a user account through which you are logged in or whether there is no user account. If you are logged in to Google, your data will be assigned directly to your account. If you do not want the data to be assigned to your Google profile, you must log out before activating the button. Google stores your data as user profiles and uses it for the purposes of advertising, market research and/or needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right of objection to the creation of these user profiles; you must contact Google to exercise this right.
The information collected is stored on Google servers, including in the US. For such cases, we have agreed standard data protection clauses with Google, the purpose of which is to maintain an appropriate level of data protection in the third country.
Further information on the purpose and extend of data collection and processing by the plug-in provider can be found in the privacy policies of the provider.
XI. Transfer of data outside Switzerland
As explained in sections III.3 and X, we also disclose data to other parties. These are not only located in Switzerland.
If we transfer data to countries without adequate statutory data protection, we will only do so if it is necessary to perform a contract or to assert or defend legal claims, or if such transfer is based on your express consent or is subject to safeguards to protect your data, such as the standard contractual clauses approved by the European Commission.
XII. Security of your Personal Data
We take suitable security measures to preserve the confidentiality, integrity and availability of your Personal Data in order to protect you against unjustified or illegal processing thereof and reduce the risks of loss, unintentional alteration, unwanted disclosure or unauthorised access.
Despite this, it is still possible that we and your Personal Data will fall victim to cyber attacks, cyber crime, brute force methods, hacking and other fraudulent and malicious activities, including but not limited to viruses, forgeries, malfunctioning and disruptions, which are out of our control and responsibility.
However, we have no control over how third-party providers store your Personal Data under their own responsibility. This information can also be found in their own privacy policies.
XIII. Your rights
Depending on the applicable data protection legislation, you have various rights in relation to our processing of your Personal Data:
Right of information
You have the right to request information from us about whether we process your data and if so, which data of yours it is.
Right ofrectification
We endeavour to keep your Personal Data correct, up-to-date and complete. Please contact us and inform us if your Personal Data is incorrect or changes so that we can keep it up-to-date.
Right of deletion
You have the right to request that we delete your Personal Data if that data is no longer required for the purpose for which it was collected or if your Personal Data has been processed unlawfully.
Right to restrict processing
You have the right to ask us to restrict the processing of your Personal Data under certain circumstances.
Right to data portability
You have the right to request that we return certain Personal Data to you in a common electronic format or pass it on to another data controller.
Right to withdraw consent
If we process data on the basis of your consent, you have the right to withdraw your consent. As soon as we receive the notification that you have withdrawn your consent, we will cease processing your data for the purpose(s) to which you originally agreed, unless there is another legal reason for us to continue processing it.
Right to revoke consent
If we process data on the basis of your consent, you have the right to revoke your consent. As soon as we receive the notification that you have revoked your consent, we will cease processing your data for the purpose(s) to which you originally agreed, unless there is another legal reason for us to continue processing it.
Complaint
If you believe that your data protection rights could have been breached, please notify us and contact the responsible supervisory authority.
XIV. Right to object
According to applicable data protection legislation, you have the right to object to the processing of Personal Data relating to you at any time under certain circumstances, particularly if your data is being processed in the public interest, on the basis of a balancing of interests or for direct marketing purposes.
XV. Validity of this Privacy Policy
Due to the continuous development of our website and its content, and in light of changes in the legislation or regulatory requirements, we may need to amend this Privacy Policy from time to time. The version published on this website is the latest version.
Last updated: February 2023