Privacy policies:
Mortgage Privacy Policy
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
What is this Privacy Policy about?
To the chapterWho is responsible for processing your data?
To the chapterWhich data do we process?
To the chapterFor what purposes do we process data?
To the chapterWhat applies in the case of profiling and automated individual decisions?
To the chapterTo whom do we disclose your data?
To the chapterDo we disclose personal data abroad?
To the chapterFor how long will we process your data?
To the chapterHow do we protect your data?
To the chapterWhat are your rights?
To the chapterCan this Privacy Policy be amended?
To the chapter
1.
What is this Privacy Policy about?
"Personal data" is data relating to an identified or identifiable person; in other words, the data or corre-sponding additional data can be used to make inferences about their identity. "Processing" refers to any handling of personal data, e.g. collection, storage, use, disclosure and deletion. "Particularly sensitive personal data" includes data about the person's intimate sphere, health data and other data subject to special protection under data protection law.
In connection with the application for obtaining a Zurich mortgage, Zurich Invest Ltd, Hagenholzstrasse 60, 8050 Zurich, Switzerland, (hereinafter referred to as "ZIAG" or "we") has informed you that a Zurich mortgage is offered in two ways: In the "agency model," you take out the mortgage from a financier as lender, usually a Zurich Group company or an affiliate. In this case, ZIAG acts as agent. In the "risk carrier" model, however, you take out the mortgage from ZIAG as the lender; upon conclusion, however, ZIAG promptly sells your mortgage loan to a financier. For further information, please refer to the "Mortgage application" form.
In both cases, we serve as your point of contact for all topics concerning your Zurich mortgage, either because the financier has requested us to do so (in the agency model) or because we are your contracting partner (in the risk carrier model).
In particular we process your personal data for the purpose of initiating, concluding, fulfilling and performing the mortgage relationship. In this context, certain personal data (including the contract documents and an identification document or similar details) are disclosed especially to the financier (see section 6 for further details in this regard).
In this Privacy Policy, you will find information on how we and the financier handle data (here, we use the term "data" as a synonym for "personal data"). Depending on its purpose and sub-ject matter, this data processing concerns, for example, the following persons (hereinafter referred to as "you"):
- applicants,
- debtors,
- beneficial owners with respect to equity, interest and repayments,
- guarantors,
- authorized representatives (e.g. legal representatives),
- advisors,
- sellers and buyers of the property pledged as collateral, the administration of a condo-minium owners' association, property management, current mortgage lender, main con-tractor and architect or their contacts,
- tenants of a property pledged as collateral,
- employers or their contacts,
- persons involved in the sales organization of Zurich Insurance Company Ltd ("ZIC"), such as contacts and employees of ZIC and of general agents and intermediaries,
- contacts of suppliers, partners, authorities and government agencies.
Where this Privacy Policy makes use of the masculine form for the sake of improved legibility, this of course refers to people of all genders.
As mentioned at the outset, this Privacy Policy pertains to the processing of personal data in connection with the Zurich mortgage. Information on the processing of data in connection with our other products and services is provided in a separate Privacy Policy at https://www.zurichinvest.ch/en/legal/privacy-policy-zurich-invest-ltd.
When you send us data about another person (e.g. information about a beneficial owner by the applicant), we assume that you are authorized to do so. In this case, please inform the respective third parties about the processing of data by us and provide them with a copy of this Privacy Policy. If we draw your attention to a new version of these documents, please also hand over these new versions in each case.
Please do not hesitate to contact us if you have any questions (section 2).
2.
Who is responsible for processing your data?
In the mortgage business, we conclude a mortgage loan agreement (e.g. framework agree-ment for mortgage loan with general terms and provisions on mortgage loans and product confirmations) with the applicant or borrower. In this context, we operate either as the agent of a financier or in our own name. In the latter case, we assign the loan claim along with pref-erential and ancillary rights and securities to a financier. In both cases, however, we remain your point of contact and continue to administer the mortgage. Under data protection law, we are thus responsible for our processing of your personal data, subject to the further provisions of this Privacy Policy.
For each data processing operation, there are one or more bodies who bear primary responsibility for ensuring that the data processing complies with the requirements of data protection law. This body is referred to as the "controller." It is responsible, among other things, for responding to requests for in-formation (section 10) and for ensuring that personal data is secure and is not used in a way that devi-ates from what we tell you or from what is permitted by law. Details of third parties with whom we co-operate and who are responsible for their own processing can be found in sections 1, 4 and 6.
Please do not hesitate to contact us in connection with our data processing. For your request to be processed as fast as possible, please contact the following address:
Zurich Insurance Company Ltd
Data Privacy
P.O. Box
CH 8085 Zurich
Switzerland
datenschutz@zurich.ch
If we forward personal data to the financier (see section 6), the financier is the controller of their processing. They are only designated by us upon conclusion of the loan agreement and mentioned in the framework agreement for mortgage loans.
We may disclose data to other third parties who are also separate controllers, e.g. to interme-diary partners, Zurich Group companies, authorities and other bodies. Banks and other entities involved are also responsible for their processing of data.
3.
Which data do we process?
We process different data from different sources. Information on this data is available in sec-tion 3, and information on the purposes of its processing is available in section 4. We primarily collect this data directly from you, e.g. when submitting an application, during communication, during contact (directly or from other bodies such as distributors or third-party brokers) and when fulfilling the loan relationship. Further information on the data we process is provided in this section 3 and in the loan documents.
We primarily process the categories of data described below, although this list is not exhaus-tive. If data changes over time, we may retain earlier versions of information in addition to the current one.
Master data: We use the term "master data" to describe the basic data that we need in addi-tion to the contract data (see below) in order to fulfill the loan relationship or for marketing and advertising purposes. We process master data, for example, of applicants, of advisors, of beneficial owners or of third-party pledgors, of authorized persons, of contacts (e.g. of banks) and of recipients of notifications (e.g. marketing and advertising messages). We receive this data from you, but possibly also from third parties.
The master data primarily includes the information from the application form and the respective ap-pendices, such as name and contact details, date and place of birth, citizenship, marital status and chil-dren, information on the relationship between multiple applicants, information on the employment situation, on property pledged as collateral and associated legal circumstances, on financing and on securities, as well as other information from application documents, information from identification data (e.g. from your passport, your ID card or other identification documents) and, where applicable, data in connection with risk assessments. For information on financial and tax circumstances, see below under "Financial data."
Master data also includes details regarding relationships with third parties that are affected by the data processing, e.g. advisors, authorized representatives and beneficial owners of equity, interest and re-payments.
We receive master data from the applicants (directly or via general agents and intermediaries), but we may also use data from third parties. These may include other Zurich Group companies and credit bu-reaus, media monitoring companies, participating financial service providers and banks, address dealers, Internet analysis services, authorities, parties to proceedings and publicly available sources such as the commercial register, media and sources on the Internet, public and other registers, etc.
Contract and benefits data: This is information that accrues in connection with the prepara-tion, conclusion, fulfillment and dissolution of a contractual relationship, e.g. information in connection with property pledged as collateral, such as insurances or third-party pledges, and the loan or court orders. This may also include information about third parties. We may also collect data from other bodies in this context. When you send us an application for a mort-gage, you release these bodies from any professional secrecy obligations.
This data includes information in connection with the initiation, conclusion, fulfillment and manage-ment of the loan relationship (e.g. information in connection with the consultation and customer ser-vice). Contract data also includes information in connection with the property pledged as collateral (e.g. its value, its condition and any tenancy), insurances (fire and natural hazards insurance), insurance claims, complaints and contractual amendments, as well as information about customer satisfaction, which we may collect, for example, by means of surveys. We receive this information from the appli-cants, but possibly also from third parties, e.g. from general agents, intermediaries, authorities, govern-ment agencies, courts and lawyers, and external bodies from which we obtain creditworthiness and financial information.
Financial data: This is data relating to financial circumstances, payments and the enforcement of claims.
Financial data is information in connection with the financial circumstances of the applicants (e.g. in-come, liabilities, assets, creditworthiness, third-party financing, securities as well as any property pledged as collateral and tax data) and possibly third parties such as beneficial owners, as well as dis-bursements, interest payments and repayments, claims in the event of early dissolution of the loan relationship, payment default and enforcement of claims. We receive this data from the applicants, but also from third parties such as government agencies (e.g. land register, tax offices and offices for bank-ruptcy proceedings), notary's offices, banks, credit bureaus and publicly accessible sources; this list is not exhaustive.
Behavioral and preference data: We process certain data about the behavior of people we interact with, in the context of their interactions with us, e.g. about the behavior of our con-tracting partners. We may combine this information with other information – also from third parties – and derive from it, for example, the statistical probability that borrowers will have an affinity for certain products and services or will behave in a certain way (preference data).
Behavioral data refers to details about certain actions, e.g. payments, the use of electronic communica-tions (e.g. whether and when an email was opened), the location (e.g. when a website of ours is used; concerning this subject, please refer to the separate privacy policy), the purchase of products and ser-vices from us, interaction with our social media profiles, contact with general agents and intermediaries, and participation in events, prize draws, competitions and similar events.
Preference data tells us, for example, about needs, about interest in products or services, or when and how our messages are responded to. We obtain this information from analyzing existing data such as behavioral data in order to get to know borrowers better, to tailor our consultation services and offers more precisely to borrowers and to improve our offerings in general. To improve the quality of our anal-yses, we may combine this data with other data that we also obtain from third parties such as address dealers, websites and government agencies, e.g. information on the household size, income class and purchasing power, shopping behavior, contact details of relatives and anonymous information from statistical offices.
Communication data: This is data relating to our communication and information regarding the use of our website. If you contact us via the contact form, email, phone, letter or by any other means of communication, we record the data that is exchanged between you and us, including your contact details and other marginal data. We may also record phone conversa-tions. When we establish your identity, we collect data to identify you (e.g. copy of an identifi-cation document).
Communication data includes name and contact details, the manner, place and time of the communica-tion and usually its content, e.g. details in emails or letters from you or to you or from third parties or to third parties, if the latter also relate to you. This also includes direct and indirect contact with us, e.g. customer service and your customer consultant (e.g. via a website or an app, in a chatbot on the Inter-net or an app).
Other data: We also collect data in other situations. For example, data (such as files or evi-dence) accrues in connection with official or judicial proceedings. We may also collect data for health protection reasons (for example, in the context of protection concepts). We may obtain or produce photographs, videos and audio recordings in which you may be identifiable (for example, at events, via security cameras, etc.). We may also collect data about who enters buildings or has access rights (including in the case of access controls, on the basis of registra-tion data or visitor lists, etc.) or who participates in events or campaigns (e.g. competitions) or who uses our infrastructure and systems.
Except in individual cases, you are under no obligation to disclose data to us. However, we need to process data for legal and operational reasons even in connection with voluntary pro-cesses, e.g. interest payments and repayments. Without this data, we are unable to handle these processes. When using our website, technical data processing is unavoidable. Moreover, we need to process registration data for access to certain systems and buildings.
There are certain services that we can only make available to you if we are provided with registration data, e.g. because we or our contracting partners wish to know who, for example, has responded to an invitation to an event, because this is technically necessary or because we wish to communicate with you. If you or someone you represent (e.g. a company as your employer) wishes to enter into or realize a contract with us, we need to collect relevant master, contract and communication data from you, and we process technical data when you use our website or other electronic offerings.
4.
For what purposes do we process data?
We process personal data in particular for the following purposes and related matters:
We process data for the initiation, conclusion, management, fulfillment and enforcement of the loan relationship. This purpose also includes the allocation of the mortgage claim to a fi-nancier and possibly the assignment to them (see section 2), consultation, customer care, the monitoring and management of the mortgage, the receipt and enforcement of interest pay-ments and repayments, and the compensation of general agents and intermediaries. In this context, we may also carry out profiling (see section 5).
To conclude mortgage agreements, we especially process master data, contract data, financial data and communication data of the applicants and of general agents and intermediaries or their contacts.
Our customer service and our advisory service may also fall under this purpose, as may the assertion of legal claims from contracts (debt collection, legal proceedings, etc.), accounting, the termination of con-tracts and public communication. We also process data for the purpose of assessing and documenting compensation paid to general agents and intermediaries (see also section 6).
We may draw upon other bodies, e.g. IT and logistics companies, advertising service providers, banks or credit bureaus, which may make data available to us for the initiation and conclusion of contracts and the fulfillment and enforcement of contractual relationships. We also collect data via ZIC and via distrib-utors and third-party brokers that work for ZIC. For further information on this, please see section 6.
When cooperating with companies and business partners, e.g. with partners in projects or with parties in legal disputes, we also process data to initiate and fulfill contracts, for planning purposes, for ac-counting purposes and for other purposes related to the contract.
We process personal data to fulfill legal and regulatory requirements and to comply with di-rectives and recommendations imposed by authorities and internal regulations ("compliance").
For example, this includes the legally regulated combating of money laundering and terrorism financing. As a result, we may be under the obligation to make certain inquiries about legal and reputational risks such as political connections ("know your customer"), e.g. by means of relevant third-party directories, or to file reports under certain conditions. Moreover, compliance with disclosure, information or report-ing obligations, e.g. in connection with regulatory obligations, compliance with archiving obligations and support in preventing, exposing and clarifying crimes and other infringements may necessitate or involve the processing of personal data. This includes the receipt and processing of complaints and other re-ports, the surveillance of communication, internal or external checks or the disclosure of documents to a public authority if we have a material reason for so doing or are required to by legal obligations. For these purposes, we especially process master data, contract and financial data, communication data and, under certain circumstances, behavioral data of applicants and customers. Legal obligations may arise from statutory provisions, but also from self-regulation, industry standards, the company's own corporate governance and official instructions and requests.
We also process data to prevent fraud and for legal processes, for our risk management and in the context of prudent corporate governance, including the business organization and company development.
For these purposes, we especially process master data, contract data, claims and benefits data, financial data as well as behavioral and communication data. For example, we are required to take measures against fraudulent claims. We may also carry out profiling and create and process a profile (see section 5) for the above purposes and in order to protect you and us from tort and abuse.
We also process your data for market research purposes, to improve our services and our operations, and for product development.
We strive to continuously improve our products and services and to be able to react quickly to changing needs. We therefore analyze how, for example, offers are used and how new products and services can be created. This gives us an indication of the acceptance of existing products and services in the market and the market potential of new ones. To this end, we process, in particular, your master data, behav-ioral data, preference data as well as communication data and information from customer surveys, polls and studies and other information, e.g. from the media, from social media, from the Internet and from other public sources. As far as possible, however, we use pseudonymized or anonymized data for these purposes. We may also use media monitoring services or perform media monitoring ourselves, whereby we process personal data in order to carry out media work or to understand and respond to current developments and trends.
We may also disclose data to other Zurich Group companies for market research purposes (section 6).
We also process data for marketing purposes, e.g. for the personalization and transmission of information on products and services from us and from third parties and for relationship management. You can refuse such contact at any time (see the end of this section 4). Furthermore, we want to enable our contracting partners to address our and other contracting partners for advertising purposes (see section 7).
We may send you information, advertising and product offers from us and from selected third parties, such as as newsletters, via apps and messenger services, as printed matter or by phone, on a regular basis or as part of individual promotions (such as for events, competitions, etc.). We may also personalize notifications so that our information and offers better meet your needs and expectations. To do this, we link data that we process about you, determine preference data and use this data as the basis for personalization (see section 3). We may also carry out profiling for marketing purposes (see section 5). We also process data in connection with contests, prize draws and similar events. Customer care also includes addressing existing customers – in a manner that may be personalized on the basis of behavioral and preference data or data from customer surveys – and organizing customer events (e.g. sponsoring, sports, cultural and promotional events). In the case of customer events, we process personal data to carry out the events, as well as to inform the participants and to provide them with information and advertising before, during and after the event.
All of this processing is not only important to enable us to promote our offers in the most effective way possible, but also to make relationships with customers and other third parties more personal and positive, to concentrate on our most important relationships and to use our resources as efficiently as possible.
We may also disclose data to other Zurich Group companies for marketing purposes (section 6).
You may object to processing for marketing purposes at any time by notifying us. For further information on your rights, please refer to section 9.
We may also process your data for security purposes and for access control purposes.
We continuously review and improve the appropriate security of facilities and buildings and our IT. For this purpose, we process data, for example, in connection with the surveillance of buildings and publicly accessible premises. We are not able to rule out data breaches with absolute certainty, but we do our best to reduce the risk. Thus, we process data, for example, to monitor, control, analyze and test our networks and IT infrastructures, to carry out system and error checks, for documentation purposes and in the context of security copies.
We may process your data for other purposes, such as our internal processes and administration.
These other purposes may include training and educational purposes, administrative purposes (such as the management of master data, accounting and data archiving or the management of real estate and the testing, management and ongoing improvement of IT infrastructure), the protection of our rights (e.g. for the enforcement of claims in court, out of court or prior to going to court, before authorities in Switzerland and abroad or to defend ourselves against claims, e.g. by securing evidence, through legal clarifications and by participating in judicial or official proceedings) and the evaluation and improvement of internal processes. In the course of developing our business, we may also sell or acquire businesses, operations or companies to or from other companies or enter into partnerships, which may also result in the exchange and processing of data (including from you, e.g. as a customer or supplier or as a supplier representative). This also includes the protection of other legitimate interests, which cannot be named exhaustively.
If we ask for your consent for certain processing, we will inform you separately about the respective purposes of the processing. You may revoke your consent at any time with effect for the future by notifying us in writing; you will find our contact details in section 2. Once we have received the revocation of your consent, we will no longer process your data for the relevant purposes unless we have another legal basis for doing so. The legality of the processing that has taken place until the point of time at which the consent was revoked will remain unaffected.
5.
What applies in the case of profiling and automated individual decisions?
For the purposes stated in section 4, we may process and evaluate your data (section 3) automatically, i.e. in a manner aided by a computer; we may also do so to determine preference data, as well as to identify abuse and security risks, to carry out statistical evaluations or for operational planning purposes. These processing operations also include profiling.
Profiling is the automated processing of data for analysis and forecasting purposes. The most important examples are profiling to combat money laundering and terrorist financing in investment products, to combat fraud, for customer care and for marketing purposes (as described in more detail in section 4). For the same purposes, we may also create profiles, i.e. we may combine behavioral and preference data, as well as master data, contract data and technical data assigned to you, in order to better understand you as a person and your different interests and various characteristics.
In every case, we pay attention to the appropriateness and reliability of the results and take measures against the misuse of this profile or profiling.
To ensure the efficiency and uniformity of our decision-making processes, we may also automate certain decisions, i.e. make these with the aid of a computer according to certain rules and without review by an employee. For example, this may include the allocation of a mortgage to a financier.
We will inform you in each individual case or mark the decision accordingly if it takes place automatically and results in negative legal consequences or a similar significant impairment for you. In this case, you shall have the rights set out in section 9 if you do not agree with the outcome of the decision.
6.
To whom do we disclose your data?
In connection with the processing of contracts, we exchange data between ourselves, i.e. between ZIAG and the financier (see sections 1 and 2) as well as with Group companies and other third parties and service suppliers, including but not limited to the distributors and third-party brokers involved. Below you will find an overview of the categories of recipients to whom we may disclose personal data. This section 6 explains the most important data disclosures with references to the respective data. For further information, please refer to sections 3 and 4 and to the documents of the mortgage loan agreement.
Disclosures in the course of the initiation, conclusion, fulfillment and enforcement of contracts: In connection with the conclusion of a mortgage agreement, we may exchange data with other bodies such as authorities and banks.
In the context of the initiation, conclusion, fulfillment and possibly enforcement of the loan relationship and the respective clarifications, we may collect data from third parties (section 3), but also forward data to these, e.g. to authorities (e.g. land register and tax offices and offices for bankruptcy proceedings), notary's offices, courts, respondents and lawyers, and jointly and severally liable debtors. Particularly in the case of divorce or the dissolution of a registered partnership, inheritance disputes or other disputes, we will provide personal data to courts and other retirement provision or vested benefits institutions. When receiving payments, we exchange data with banks.
Financiers: We conclude the mortgage agreement either as an agent on behalf of a financier or act in our own name but then subsequently assign the mortgage claim to the financier (see section 2). In this context, we may disclose the required data to the financier and provide information on receivables and other details relevant to the enforcement of claims. The financier processes this data under their own responsibility. They may in turn disclose this data to other recipients, including but not limited to service suppliers (e.g. IT service suppliers), their group companies and, in the context of statutory obligations, to authorities. These recipients may not only be based in Switzerland. Your data may therefore be processed worldwide, including outside the EU or the European Economic Area. Section 7 applies analogously.
Sales: The information required to provide you with guidance and advice and for the sale of our products is transmitted by us to ZIC and to the distributors and third-party brokers who operate for ZIC.
In addition to master data, this includes, for example, information for the marketing of our products, also in personalized form. General agencies and intermediaries are required by law and contract to comply with the provisions of the Swiss Data Protection Act.
Enforcement of claims: We may involve third parties for the enforcement of claims.
We may involve third parties, e.g. advisors and lawyers, for the enforcement of any claims and disclose data to them in the process, e.g. on a mortgage agreement, on outstanding claims and on communication between you and us.
Zurich Group companies: We may transfer personal data to other Zurich Group companies in Switzerland and abroad to support our risk management and for their own marketing and market research purposes.
To the extent necessary, we may share your data with other companies of the Zurich Group, including pensions plans of Zurich Life Insurance Company Ltd, especially for risk measurement and assessment. We may also engage companies of the Zurich Group as service suppliers (see below). We may also disclose your data – especially your master data, contract data and registration data as well as behavioral and preference data – to other companies belonging to the Zurich Group for the purpose of offering their products and services tailored to your individual needs and for their own market research purposes.
Authorities and government agencies: We may disclose personal data to public authorities, agencies, courts and other public bodies if we are legally obliged or entitled to do so, or if this is necessary to protect our interests.
In connection with the exercising of rights, the defense against claims and the fulfillment of legal requirements, we may forward personal data to authorities, government agencies (e.g. bankruptcy offices), courts and other public bodies, e.g. in the context of official, judicial, pre-judicial and extra-judicial proceedings and in the context of statutory information and cooperation obligations. For example, recipients may include offices for bankruptcy proceedings, criminal courts and criminal investigation authorities and tax offices. Data will also be disclosed if we receive information from public bodies, e.g. from tax offices (see above). The authorities process data about you, which they receive from us, under their own responsibility.
Buyers in the case of sales: We may assign the claims resulting from the loan relationship together with their collateral securities to third parties in Switzerland and transfer data to third parties in this context. In the case of debt enforcement, data may be disclosed to the buyer of property pledged as collateral.
The loan relationship and the resulting claims may be transferred by way of assignment or other processes, e.g. for refinancing and other purposes according to the contractual agreements. In this context and for the preparation of such transactions, the required personal data may be sent to potential and actual acquirers and other bodies, e.g. to rating agencies.
Other persons: If third parties are involved for the purposes pursuant to section 4, data may also be disclosed to other recipients.
We may disclose data, for example, to persons involved in proceedings before courts or authorities, but also to potential buyers of assets and other third parties about whom we will inform you separately where possible, e.g. in declarations of consent or special privacy policies. Other persons include, but are not limited to, authorized representatives, advisors, correspondent banks, other financial institutions and other bodies involved in a legal transaction.
Service suppliers: We work with service suppliers in and outside the Zurich Group in Switzerland and abroad who process data about you on our behalf or in joint responsibility with us or who receive data about you from us under their own responsibility.
We procure services from providers to ensure that we can deliver our products and services securely and cost-effectively and can concentrate on our core competencies. For example, these services include sales (see section 4), IT services, the dispatch of information, marketing, sales, communication or printing services, facility management, security and cleaning, the organization and holding of events and receptions, debt collection, credit bureaus, anti-fraud measures and services provided by trustees, consultancies and auditing firms. In each case, we provide service suppliers with the data necessary for their services. For example, hosting service suppliers store electronic data on our behalf, which may include sensitive data such as health data. Our service suppliers are each subject to contractual and/or statutory confidentiality and data protection obligations. In exceptional justified cases, they may use such data for their own purposes, e.g. information on outstanding debts and your payment history in the case of credit bureaus or anonymized information for the purpose of improving services.
To the extent provided by law, these categories of recipients may in turn engage third parties, which may also gain access to your data.
Unless special professional secrecy applies in the individual case, we are not subject to any professional secrecy in connection with these disclosures.
In many cases, the disclosure is necessary in order to process contracts or provide other services. Even non-disclosure agreements usually do not rule out such types of data disclosure or disclosure to service suppliers. However, given the sensitivity of the data and other circumstances, we take care to ensure that these third parties handle the data in an appropriate manner.
We also allow certain third parties to collect personal data from you on our website and at events organized by us (such as media photographers, providers of tools that we have embedded on our website, etc.). Where we do not play a key role in these cases of data collection, these third parties are solely responsible for them. If you have any concerns or wish to exercise your data privacy rights, please contact these third parties directly.
The aforementioned disclosures within Switzerland and abroad (see section 7) are required for legal or operational reasons. Therefore, such disclosures do not conflict with legal and contractual confidentiality obligations.
7.
Do we disclose personal data abroad?
As explained in section 6, your personal data is not only processed by us, but also by other bodies. For example, when transferring personal data to banks and other bodies in connection with assets located abroad or to service suppliers, your data may also end up abroad. These recipients are not only based in Switzerland. Your data may therefore be processed worldwide, including outside the EU or the European Economic Area (in so-called third countries such as the USA). Many third countries do not currently have laws that guarantee a level of data privacy equivalent to that provided by Swiss law. We therefore take contractual precautions in order to compensate for the weaker legal protection, unless data protection law allows disclosure for other reasons in individual cases. For this purpose, we generally use the standard contractual clauses issued or recognized by the European Commission and the Federal Data Protection and Information Commissioner (FDPIC) (for further details and a copy of these clauses, see www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html), unless the recipient is already subject to a legally recognized set of rules to ensure data protection and we can rely on an exception clause. An exception may apply especially in the case of legal proceedings abroad, but also in cases of overriding public interests or if the processing of the contract requires such disclosure, if you have granted your consent or if the data concerned has been made generally accessible by you and you have not objected to its processing.
Many countries outside Switzerland or the EU and EEA currently do not have any laws that guarantee an adequate level of data protection from the perspective of the Swiss Data Protection Act or the GDPR. The contractual arrangements mentioned above may partially compensate for this weaker or missing statutory protection. However, contractual precautions cannot eliminate all risks (in particular with regard to state intervention abroad). You should be aware of these residual risks, even though the risk may be low in individual cases and we take additional measures to minimize it (e.g. pseudonymization or anonymization).
Please also note that data exchanged over the Internet is often routed via third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country.
8.
For how long will we process your data?
We store your data for as long as our processing purposes, the legal retention periods and our legitimate interests in processing for documentation and evidence purposes require, or for as long as the storage is technically necessary.
Therefore, the period for which we retain data depends on legal and internal regulations and on the purposes of processing (see section 4), which also include the protection of our interests (e.g. for the enforcement of claims, for the defense against claims, for archiving purposes and to ensure IT security). If these purposes have been achieved or no longer apply, and if there is no longer a retention obligation, we will delete or anonymize your data as part of our normal procedures.
Documentation and evidence purposes include our interest, processes, interactions and other facts in the event of legal claims and discrepancies, for IT and infrastructure security purposes and to provide evidence of good corporate governance and compliance. Retention may be technically necessary if certain data cannot be separated from other data and we therefore need to retain it with this other data (such as in the case of backups or document management systems).
9.
How do we protect your data?
We handle your data confidentially and take appropriate technical and organizational security precautions to protect the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to protect it against the risk of loss, accidental alteration, accidental disclosure and unauthorized access. We use recognized security standards such as ISO 27001 as a guide.
Our security precautions may include measures such as encrypting and pseudonymizing data, logging, access restrictions, storage of backup copies, instructions to our employees, confidentiality agreements, audits, etc. We also oblige our contracted data processors to take appropriate security precautions. In general, however, security risks cannot be completely ruled out; certain residual risks are unavoidable.
When your data is transmitted via our web pages, we protect it during transport using suitable encryption mechanisms. However, we can only secure areas that are under our control.
If you contact us by email, you do so at your own risk and acknowledge the respective information in the General Terms and Conditions.
In addition, we take appropriate technical and organizational security precautions to reduce the risk within our Internet pages. However, your end device is outside the security area that lies within our control. You are therefore required to learn about the necessary safety precautions and to take appropriate measures in this regard.
10.
What are your rights?
Applicable data protection law grants you the right to object to the processing of your data in certain circumstances, in particular for direct marketing purposes, profiling used for direct marketing and other legitimate interests concerning the processing.
To enable you to control how your personal data is processed, you have various rights in connection with our data processing:
- the right to ask us whether we process your personal data, and which data we process;
- the right to have data corrected by us if it is inaccurate;
- the right to object to our processing for specific purposes and to request the deletion of data unless we are obliged or entitled to continue processing it;
- the right to obtain from us the disclosure of certain personal data in a commonly used electronic format or to request that we transfer this to another controller;
- the right to revoke consent, provided our processing is based on your consent.
If we inform you about an automated decision (section 5), you have the right – with certain exceptions – to express your position on this and request that the decision be reviewed by a natural person.
Please note that certain conditions must be met in order to exercise these rights and that exceptions or restrictions may apply (e.g. to protect third parties or trade secrets). We will inform you accordingly where necessary.
In particular, we may need to process and store your personal data in order to fulfill a contract with you, to protect our legitimate interests, such as the assertion, exercising or defense of legal claims, or to comply with statutory obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard sensitive interests, we may therefore also reject a data subject's request in whole or in part (e.g. by blacking out certain content relating to third parties or our trade secrets).
If you wish to exercise any rights against us, please contact us in writing (see section 2). To enable us to rule out abuse, we must identify you (e.g. with a copy of an identity card, if not otherwise possible). You also have these rights in relation to other bodies who work with us under their own responsibility – please contact them directly if you wish to exercise any rights in relation to their processing.
If you do not agree with our handling of your rights or data privacy, please let us know, using the contact details in section 2. You can reach the supervisory authority at www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html.
11.
Can this Privacy Policy be amended?
This Privacy Policy is not part of a contract concluded with you. We may amend this Privacy Policy at any time. The version published on this website is the current version.