"Editing" (also "processing") means any handling of personal data, e.g. obtaining, storing, using, disclosing and deleting.
We would be happy to help you if you have any questions (section 2).
For each data processing operation, there are one or more bodies who bear primary responsibility for ensuring that the data processing complies with the requirements of data privacy law. This body is referred to as the "data controller". It is responsible, among other things, for responding to requests for information (section 10) or for ensuring that personal data is secure and not used in a way that deviates from what we tell you or from what is permitted by law. Details of third parties with whom we cooperate and who are responsible for their own processing can be found in section 3 and under section 6.
If you wish to contact us in this regard, please write to the following address:
Zurich Insurance Company Ltd
CH 8085 Zurich
3.1. When do we process personal online data?
As a rule, you can also use our online service offer without disclosing any personal data such as your name or e-mail address to us (subject to certain functions or content, e.g. when communicating with us). In this case, we can clearly assign the data collected in connection with the use of our online service offer (you will find further information on this below; e.g. an IP address and information on accessed content; together "online data") to specific visitors, but not to persons known by name. In this sense, online data is not personal in any way.
However, if you provide us with your name, an e-mail address or other personal data via an online service offer (see below), we will process this data. In addition to this processing, it also allows us to link you to online data that would otherwise be non-personal. In this case, we may collect online data in connection with your continued use of the online service offer on a personal basis, and we will merge online data with other data about you in our systems and process it on a personal basis for additional purposes. Further information on this can be found in this section 3 and under section 4.
3.2. Log data
Every time you use the online service offer, certain data is generated, so-called log data. This data is stored automatically for technical reasons.
This includes, in particular, the following data:
Log data, including IP addresses, are not in themselves usually personal.
3.3. Other behavioral data
Other technologies can also record behavior within the online service offering in a similar way to cookies.
With "pixels", invisible image files are loaded in a web page or an e-mail via a coded link from a server that records the corresponding access and the data transmitted with the link. This can also be used to record behavior within the online service offer.
Please note that when visiting our online service offer from outside Switzerland, we only collect the online data that is needed to ensure the online service offer functions correctly. We do not collect further online data using cookies or other technologies, as long as we can recognize the geographical origin of the access. To enable us to make this distinction, we also collect data about your approximate location.
3.4. Disclosed personal data
As a rule, you can use our online service offer without providing any personal information. However, if you provide us with personal data via an online service offer (e.g. via a contact form, an offer inquiry, a quote, a premium calculator, as part of an online conclusion process, a notification of claim, or in a chat), we process the data provided during the process.
Above all, we process online data for the following purposes. Further information on specific purposes can be found under figure 5 ff. Please note that when you visit our online service offer from outside Switzerland, we generally refrain from using online data insofar as this is not necessary for essential purposes, such as the operation of the online service offer, for security and purely statistical purposes, and insofar as we can identify the geographical origin of the access.
Operation of the online service offer: Log data is recorded automatically when using the online service offer, which is why it is necessary for the operation of the online offer. We also require other online data, in particular data collected via cookies, in order to be able to provide certain functions of the online service offer.
For example, we may store information about your settings (e.g. language selection) in cookies and read it out on your next visit, and we may cache data you enter (e.g. information in a premium calculator or as part of an online purchase) for the duration of your visit so that it is not lost when you use different parts of the online service offer. We do not require any personal data for the purpose of operating the online service offer.
Provision of certain contents and functions: If you use the content and functions of our online service offer and provide us with data in the process, e.g. if you use a premium calculator, submit an insurance application via a website or register for a newsletter, we process the online data you provide in the process in accordance with the respective purpose of the function or content, e.g. to accept an application or a notification of claim or to communicate with you.
Security and stability: We use online data to improve the security and stability of our online service offer (e.g. to recognize whether data is entered by a human or a bot in a contact form). As a rule, we do not require any personal data for this purpose (see section 3.1). To the extent that we can personally match the online data to you, we may use it for security and stability purposes to the extent necessary, but also on a personal basis.
Statistics: We use non-personal and personal online data for statistical purposes, i.e. for evaluations with the aim of obtaining certain information, for example information on variations in the use of our online service offer. This information is aggregated, which means it is no longer personalized. You will find further details on this under section 5.
Improving offers: We use online data to continuously improve our online service offers, as well as other offers (e.g. by reacting to different types of usage or adapting or developing new content). We use performance cookies for this purpose, among other things (section 3.3). However, we only use online data for this purpose in aggregated form.
Market research and marketing: We also use online data for market research and marketing purposes, e.g. to send newsletters or to display advertisements within our online service offering and on third-party sites. We can also personalize the relevant content. We use marketing cookies for this purpose, among other things, but only use the online data in aggregated form. You will find further details on this under section 6.
Communication: We use online data to communicate with you through electronic channels. To do this, we process the content of the communication process, but also log data regarding the type and time of the communication.
Compliance with legal and regulatory requirements: We may process online data to comply with laws, directives and recommendations from authorities and internal regulations. This includes the prevention, detection and investigation of criminal offenses and other violations, internal and external investigations and the disclosure of online data to public authorities.
Defense and enforcement of claims: We may use online data for civil and criminal legal action or defense in such proceedings. Within the scope of such procedures, your IP address may also be used for identification by the competent authorities, even if this initially has no personal reference for us.
Two of the most important service providers are Google and Hotjar. You will find further details below. Other service providers usually process online data in a similar way:
We and our advertising partners have an interest in targeting specific groups with our advertising, i.e. only displaying the advertising to people we want to address, if possible.
This means advertising can be displayed that is tailored to you - in our online offers and on third-party sites.
We operate our own sites on social networks and other platforms (e.g. on Facebook, Instagram, LinkedIn, TikTok, Snapchat, Pinterest and YouTube). If you communicate with us there or comment on or disseminate content, we collect information for this purpose, which we use primarily for communication with you, for marketing purposes and for statistical evaluations (see section 3). The platforms may collect further online data, e.g. log data (section 3.2) and other details. Based on this, these platforms can evaluate how you use our online service offers (e.g. what content you view, what you comment on, "like" or share, etc.), and they can combine this behavioral data with other information about you (e.g. information about age or gender), and thereby create profiles about you, as well as statistics on usage of the site. The platforms use this information to personalize advertising and content, for market and user research, and to provide us and third parties with statistical user information. The respective providers also collect and use online data for their own purposes, possibly together with other data known to them, e.g. for marketing purposes or to personalize content. Insofar as we are jointly responsible with the provider, we enter into a corresponding agreement, about which you can obtain information from the respective provider (see below for Facebook).
We process the data we receive from the platforms for the purposes described under section 4, in particular for communication, marketing purposes and market research. Content published by you (e.g. comments on public profiles and posts) may be redistributed by us (e.g. in our advertising on the platform or elsewhere), and we and the provider may delete content in accordance with the usage policy.
You can find further information on the processing activities of the platform operators (e.g. to which countries data is disclosed or which data subject rights you have) in the privacy policies of the providers:
We send electronic newsletters to our customers in Switzerland, which also contain advertising for our offers and offers from group companies in Switzerland, but also for offers from other companies with which we cooperate. We ask for your consent beforehand, except when we promote certain offers to existing customers.
In this regard, in addition to your name and e-mail address, we also process online data and other information about you so that we can personalize the content of our newsletters, including, for example, information about whether and when you open a newsletter, and which links you click on and when. For this purpose, our e-mail service provider provides a function that essentially works with invisible image data, which is loaded from a server via an encoded link and thereby transmits the relevant information. This is a common method that helps us to assess the effect of newsletters and to optimize our newsletters. You can avoid this by configuring your e-mail program accordingly (e.g. by switching off the automatic loading of image files).
We may also offer applications for installation on mobile devices ("apps") as part of the online service offer. During installation, the operator of the respective app store (e.g. Apple or Google) processes certain data for itself and according to its own data protection rules.
When you use the app, we process data that you provide to us in the process (including, as the case may be, direct personal data such as name or e-mail address) and other online data, such as a unique mobile device identification number, your IP address, device information such as operating system information, and behavioral data (e.g. search queries, pages viewed and session duration) for the purposes set out under section 4.
Our processing of online data generally corresponds with the information above (cf. section 3 on the data processed, section 4 on the processing purposes, and section 5 on evaluations and statistics), even if the technologies used differ to a certain extent. For example, we use Google Analytics for Firebase, an analysis service from Google, which essentially works like Google Analytics described in section 5.
Our online services are provided and handled in cooperation with third parties and service providers who may consequently receive data about you. Below you will find an overview of the categories of recipients to whom we may disclose personal data, and in section 9 you will find details of the service providers we use for our online service offering.
Companies of the Zurich Group: If necessary, we may pass on the online data to other companies belonging to the Zurich Group.
Public authorities and agencies: Within the scope of exercising rights, defending against claims and fulfilling legal requirements, we may disclose online data to public authorities, agencies, courts and other public bodies, for example, in relation to official, legal and pre- and extra-judicial proceedings, and within the scope of legal obligations to provide information and to cooperate. Public authorities are responsible for processing data about you that they receive from us.
Service providers: We work with service providers at home and abroad who process data about you on our behalf or in joint responsibility with us, or receive data about you from us within their own sphere of responsibility. For example, we procure IT services such as hosting, support and maintenance, shipping services and testing from service providers. Our service providers are each subject to contractual and/or statutory confidentiality and data protection obligations. They may use such data for their own purposes in justified, exceptional cases, for example, information on outstanding debts and your payment history in the case of credit agencies or anonymized information for the purpose of improving services. For further information on service providers in the area of evaluations and statistics, please see section 8.
As explained above, third parties and service providers also process online data in addition to us. For example, your data may be transferred abroad if personal data is transmitted to other companies within the Zurich Group or to service providers. Your data may therefore be processed worldwide, including outside the EU or the European Economic Area (i.e. also in third countries such as the US). Many third countries do not currently have laws that guarantee a level of data protection equivalent to that provided by Swiss law. We therefore take contractual precautions to compensate for the weaker statutory protection.
For this purpose, we generally use the standard contractual clauses issued or recognized by the European Commission and the Swiss Data Protection and Information Commissioner (FDPIC) (for further details and a copy of these clauses, please see www.edoeb.admin.ch), unless the recipient is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exemption clause. An exception may apply, in particular, in the case of legal proceedings abroad, but also in cases of overriding public interests or if the processing of a contract requires such disclosure, if you have granted your consent or if it is a matter of data that you have made generally accessible and whose processing you have not objected to.
The contractual provisions mentioned above can partially compensate for this weaker or missing legal protection, but they cannot eliminate all risks (namely of state access abroad). You should be aware of these residual risks, even though the risk may be low in individual cases and we have taken measures, such as pseudonymization or anonymization to minimize it.
Please also note that data exchanged over the Internet is often routed via third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country.
We process online data for the purposes stated in section 4 and evaluate it automatically for this purpose. This also includes so-called "profiling", i.e. the automated processing of data for analysis and forecasting purposes. Profiling is primarily used for marketing and security purposes. We may also create profiles, i.e. combine online data and possibly other data already known to us (see section 3.1) to better understand you as a person with your different interests and personal needs. In both cases, we pay attention to the appropriateness and reliability of the results and take measures against misuse of these profiles or profiling.
In order to ensure the efficiency and uniformity of our decision-making processes, we can also automate decisions with the aid of a computer according to certain rules and without review by an employee.
In each individual case, we will inform you if an automated decision creates negative legal consequences or a comparable significant impairment. In this case, you shall have the rights set out in section 10 if you do not agree with the outcome of the decision.
We store your data for as long as our processing purposes, any retention periods and our legitimate interests in processing for documentation and evidence purposes require, or for as long as the storage is technically necessary. Therefore, the period for which we retain data depends on legal and internal regulations and on the purposes of processing (see section 4), which also include the protection of our interests, for example, to enforce or defend claims, or for documentation and evidence purposes. For more information on the lifetime of cookies, see section 3.2.
We handle online data confidentially and take appropriate technical and organizational security measures to protect the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to protect it against the risk of loss, accidental alteration, unauthorized disclosure or access. We utilize recognized security standards such as ISO 27001. However, security risks cannot generally be ruled out completely; certain residual risks are unavoidable.
When your data is transmitted via our web pages or apps, we protect it during transmission using suitable encryption mechanisms. However, we can only secure areas that are under our control. If you contact us by e-mail, you do so at your own risk and agree that we may respond to you at the sender's address via the same channel. If you send us e-mails via the Internet in unencrypted form, third parties may be able to access, view and manipulate them, and data can be lost or intercepted and/or manipulated by third parties. What's more, we take appropriate technical and organizational security measures to reduce the risk on our web pages and in our apps. However, your end device is outside the security area that lies within our control. You are therefore required to learn about the necessary safety precautions and to take appropriate measures in this regard.
Applicable data protection law grants you the right to object to the processing of your data in certain circumstances, in particular for direct marketing purposes, profiling used for direct marketing and other legitimate interests.
In order to make it easier for you to maintain control over the processing of your personal data, you have various rights in connection with our data processing under applicable law:
If we inform you about an automated decision (section 5), you have the right to express your position on this and request that the decision be reviewed by a natural person.
Please note that certain conditions must be met in order to exercise these rights and that exceptions or restrictions may apply (e.g. to protect third parties or trade secrets). We will inform you accordingly where necessary.
In particular, we may need to process and store your personal data in order to perform a contract with you, to protect our legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard sensitive interests, we may therefore also reject a data subject’s request in whole or in part (for example, by blacking out certain content relating to third parties or our trade secrets).
If you wish to exercise any rights against us, please contact us in writing (see section 2). To enable us to rule out abuse, we must identify you (for example, with a copy of an identity card, if not otherwise possible). You also have these rights in relation to other bodies who work with us under their own responsibility – please contact them directly if you wish to exercise any rights in relation to their processing.
If you do not agree with our handling of your rights or data protection, please let us know via the contact details listed under section 2. You can contact the Swiss supervisory authority here: www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html and the Liechtenstein Supervisory Authority at www.datenschutzstelle.li.