Data Protection Declaration for Services of Zurich Insurance Company Ltd

Woman at the computer

Data Protection Declaration for Services of Zurich Insurance Company Ltd

Zurich collects, stores and processes personal data of its customers and third parties to the extent necessary (e.g., for consultation purposes). Our Privacy Policy Services explains in detail what data is collected by Zurich, why it is collected and how you can influence the use of your data.


What does this Data Protection Declaration concern?

Zurich (hereinafter also referred to as "we"; see sub-paragraph 2) processes personal data re-lating to you or other individuals (referred to as "third parties"). For more information about Zurich, please refer to sub-paragraph 2.


"Personal data" is data relating to an identified or identifiable person, in other words, the data or cor-responding additional data can be used to make inferences about their identity. "Sensitive data" (also "special categories of personal data") is a category of personal data whose processing may be subject to special requirements. Sensitive personal data may include data from which ethnic origin can be discerned, data relating to health, data concerning religious or philosophical beliefs, biometric data for identification purposes and data concerning trade union membership. In sub-paragraph 3, you will find details of the data that we process within the scope of this Data Protection Declaration. 
"Processing" (also "handling") means any handling of personal data, e.g. obtaining, storing, using, dis-closing and deleting. 

In this Data Protection Declaration, you will find information about our data processing in con-nection with our services (we use the term "data" synonymously with "personal data" here).

Our processing concerns, for example, interested parties and contractual partners in contracts for our services and contact persons of corporate customers, suppliers and partners, persons involved in Zurich's sales organization such as contact persons and employees of Zurich and of sales partners, as well as authorities and offices.

Further information on our handling of personal data can be found in particular in the notes on, the details of the respective service and the corresponding contractual provisions.

For some products, services and offers, you will find further information on the corresponding data processing, such as in additional privacy policies and  information, which apply in addition to this Data Protection Declaration. 

In this Data Protection Declaration, we use the masculine form to make it easier to read, but this of course refers to people of all genders (in the English version, the neutral form is used where applicable).

We are happy to help should you have any questions (sub-para.2). 


Who is responsible for processing your data?

Zurich Insurance Company Ltd ("ZIC") is responsible for processing data pursuant to this Data Protection Declaration, unless otherwise communicated in individual cases, for example, in additional data protection declarations, on forms or in contractual terms. ZIC is an incorpo-rated company under Swiss law.


For each data processing operation, there are one or more bodies who bear primary responsibility for ensuring that the data processing complies with the requirements of data protection law. This body is referred to as the "data controller". It is responsible, among other things, for responding to requests for information (sub-para. 10) or for ensuring that personal data is secure and not used in a way that devi-ates from what we tell you or from what is permitted by law. Details of third parties with whom we cooperate and who are responsible for their own processing can be found in sub-paragraph 3 and in sub-paragraph 6.

If you wish to contact us in this regard, please write to the following address:

Zurich Insurance Company Ltd
Data Protection
P.O. Box
CH 8085 Zurich

We may disclose data to third parties who are separate data controllers, e.g. to certain sales partners, companies of the Zurich Group, authorities and other bodies. You will find details of this in this Data Protection Declaration under sub-paragraph 4 and sub-paragraph 6.


Which data do we process?

Depending on the occasion and purpose, we process various data from various sources. Infor-mation on the purposes of this processing can be found in sub-paragraph 4. 

We primarily collect this data directly from you, for example, when you submit a contract ap-plication to us, when you communicate with us or when you contact us through an intermedi-ary. However, we may also obtain data from other sources (referred to as "third parties"). You will find further details below.

We primarily process the categories of data described below, although this list is not exhaus-tive. If data changes over time (for example, if an address changes or in the event of another modification), we may retain the previous status in addition to the current status.

Master data: We use the term "master data" to refer to the basic data that we require, in addi-tion to the contractual data (see below), to process our contractual and other business rela-tionships or for marketing and advertising purposes. We process your master data if, for exam-ple, you are a contractual partner or a contact person of a contractual partner or an employee of a supplier, or because we want to address you for our own purposes or the purposes of a contractual partner (such as in marketing and advertising, with invitations to events, with vouchers, with newsletters, etc.; you will find further details on this in sub-paragraph 4).


Master data primarily includes information such as your name, address, email address, telephone number and other contact details, date and   place of birth, age, gender, nationality and hometown, details from identification documents (such as from your passport or ID card), your customer number and other details such as your tax number or tax country.

Information on relationships with third parties who are affected by the data processing is also part of this data, e.g. on beneficial owners of assets, recipients of correspondence and other persons involved in the contract and, if applicable, on family members.

In the case of customers and other contractual partners who are companies, we process data concern-ing our contact persons, this may include name and address, details of titles, position in the company, qualifications and, where applicable, details of supervisors and employees. Depending on the area of activity, we are also required to check the company in question and its employees more closely, for example, by carrying out a security audit. In this case, we collect and process additional data, if neces-sary also from third-party providers. 

We often obtain master data from you, for example in application documents, but we may also obtain data from third parties such as providers of address updates or the commercial register. 

Contract details: These are disclosures that arise in connection with the conclusion of the con-tract (including, for example, consultation) or the execution of the contract. This may also in-clude information about third parties. We may also obtain such data from third parties such as sales partners, public authorities and offices, employers, insurers or banks, if necessary on the basis of a corresponding power of attorney.


This data includes information about contract conclusion, about contracts, for example, the type and date of contract conclusion, and information from the application process and other information about the contract in question, as well as information from the administration, processing and enforcement of contracts (e.g., information related to invoicing, consulting and customer service as well as pay-ments, reminders, debt collection and enforcement). Contract data also includes information on com-plaints about and adjustments to a contract, as well as information about customer satisfaction, which we may collect, for example, by means of surveys.

Depending on the product or service, we process further data in connection with the contract:

  • in financial and retirement provision planning, we process data relating to financial circumstances. This data may include information on income and assets and expens-es, e.g. for taxes, including the religious denomination; your risk and investment pro-file; your risk tolerance and your knowledge and experience in relation to financial products. It also includes information on determination of creditworthiness and on the origin of assets. We receive this data from you, for example, in relation to a con-sultation or payments that you make, as well as from credit agencies and from public-ly accessible sources;
  • Behavioral and preference data: Despite our large number of customers, we strive to get to know you better and to tailor our advice and offers to you in the best possible way. We may therefore process certain data about you and your behavior. By ‘behavioral data', we mean data about your behavior in the context of your interactions with us. We may combine this information with other information – including information from third parties – to determine whether you may have an interest in or need for certain Zurich products or services (preference data).

Behavioral data is information about certain actions, for example, payments, your use of electronic communications (such as whether and when you opened an email), your use of our websites (such as your location and other information when you use a website of ours; please see the relevant separate data protection policies), your purchases of products and services from us, your interaction with our social media profiles, contacts with intermediaries and your participation in events, competitions, con-tests and similar events.

Preference data tells us, for example, what your likely needs are, what products or services might be of interest to you, or when and how you are likely to respond to messages from us; this helps us to get to know you better, tailor our advice and offers more accurately to you and generally improve our offers. We obtain this information from the analysis of existing data such as behavioral data. In order to improve the quality of our analyses, we may combine this data with other data that we also obtain from third parties, such as address data providers, websites and government offices; this may include information on your household size, income class and purchasing power, shopping behavior, contact details of relatives and anonymous information from statistical offices.

Communication data: This is data relating to our communications with you and information concerning your use of our website (for further details of this, please see the separate Data Protection Declaration at If you contact us via the contact form, email, telephone or chat, by letter or by any other means of communication, we record the data that is exchanged between you and us, your contact details and other information about the communication (metadata). If we record telephone conversations, we will draw your atten-tion to this fact. If we want or need to establish your identity, for example, in the context of a request for information, application for media access, etc., we collect data to identify you (such as a copy of an identity document). 


Communication data includes your name and contact details, the manner, place and time of the com-munication and its content, such as details in emails or letters from you or to you or from third parties or to third parties, if the latter also relate to you. We collect communication data, for example, when you contact us via our Customer Service or a Customer Consultant or via a website or app, or chatbot on the internet.

Other data: We also collect data from you in other situations, which we cannot exhaustively list in this Data Protection Declaration. 


For example, data (such as files or evidence) accrues in connection with official or judicial proceedings, and some of this data may also relate to you. We may also collect data for health protection reasons (for example, in the context of protection concepts). We may obtain or produce photographs, videos and audio recordings in which you may be identifiable (for example, at events, via security cameras etc.). We may also collect data about who enters certain buildings and when (including in the case of access controls, on the basis of registration data or visitor lists, etc.), who participates in events or campaigns (such as contests) and when or who uses our infrastructure and systems.

We obtain the above information from you, but may also obtain it from other areas.


These areas may include other Zurich Group companies and intermediaries, credit reporting agencies, media monitoring companies, financial service suppliers and banks from which you transfer assets to us or make transfers to us, address data providers, internet analysis services, public authorities, other insurers, parties to proceedings and publicly available sources such as the commercial register, media and sources on the Internet, public registers, media, etc.

The data we process in accordance with this Data Protection Declaration relates not only to our customers, but also in part to third parties (you will find information on this in sub-paragraph 1). If you provide us with information about third parties, we will assume that you are author-ized to do so and that the information is accurate. By transmitting data about third parties, you confirm this fact. Therefore, please inform these third parties about our processing of their data and provide them with a copy of this Data Protection Declaration. If we direct you to a new version of these documents, please also provide these new versions to the respective third parties in each case. 

With the exception of certain individual cases, such as in the context of binding protection con-cepts (legal obligations), you are not obliged to disclose data to us. However, for legal and op-erational reasons, we must process data to establish and process the contractual relationship. Therefore, if you do not wish to provide us with this data (in particular master data, contract and general behavioral data), we will therefore be unable to review, enter into or continue a contractual relationship. When using our website, technical data processing is unavoidable. If you wish to gain access to certain systems or buildings, you will need to provide us with regis-tration details.


We only make certain offers available to you – such as the use of a Zurich online portal or that of one of our partners, or participation in a virtual event – when you provide us with registration data, be-cause we or our contractual partners want to know who is using our services or has accepted an invita-tion to an event, because it is technically necessary or because we want to communicate with you. If you or someone you represent (such as your employer) wish to enter into or perform a contract with us, we need to collect relevant master, contract  and communication data from you, and we process technical data when you use our website or other electronic offers. If you do not provide us with the data required to conclude and perform the contract, you must expect that we will refuse to conclude the contract, that you will be in breach of contract or that we will be unable to perform a contract. Likewise, we can only send you a response to a request you have made if we process the relevant communication data and, if you communicate with us online, technical data as well. Using our website without providing us with technical data is not possible. And when you interact with us or we interact with you, behavioral data is generated.


For what purposes do we process data?


In particular, we process your personal data for the following purposes, which must be agreed upon:

We process personal data to fulfill legal and regulatory requirements and to comply with laws, directives and recommendations imposed by authorities, as well as internal regula-tions (Compliance).

This may include the legally regulated combating of money laundering and terrorism financing. In cer-tain cases, this may oblige us to make inquiries (Know Your Customer) or to file reports. The fulfillment of disclosure, information or reporting obligations – such as in connection with supervisory and tax obligations – also presupposes or entails data processing, for example, in the context of automatic information exchange, fulfillment of archiving obligations and to support the prevention, detection and clarification of criminal offenses and other violations. This includes receiving and processing complaints and other reports, monitoring communications, conducting internal investigations or disclosing records to a government agency when we have a material reason or are legally required to do so. Your person-al data may also be processed in the course of external investigations, for example by a regulatory authority. For these purposes, we process in particular master data, contract data, communication data and, under certain circumstances, behavioral data. The legal obligations can stem from Swiss law as well as foreign provisions to which we are subject, as well as self-regulation, industry standards, our own corporate governance and official directives and requests.


We also process data for the purpose of concluding the contract, including risk clarification, as well as for processing the contract and  administration. We can also carry out profiling in this context (see sub-paragraph 5).


In the course of contract initiation and contract conclusion, personal data – in particular master data, contract data and communication data – are collected about potential customers for the purposes of consulting and risk assessment (e.g. in an application form and generally via our sales organization). Our sales partners include independent general agencies, intermediaries and brokers. The information received during contract initiation and contract conclusion is reviewed for compliance with legal re-quirements (such as compliance with anti-money laundering and anti-fraud regulations). When initiat-ing and concluding a contract, under certain circumstances we also process particularly sensitive data, such as health data for consultation, risk assessment and premium calculation. 

When processing contractual relationships, we process data for the provision and receipt of services, for the administration of the customer relationship and for customer support (including for the as-sessment and documentation of compensation of sales partners). The enforcement of legal claims stemming from contracts (debt collection, court proceedings, etc.) also forms part of the processing, as do accounting, termination of contracts and public communication.

In order to conclude contracts and process contractual relationships, we involve third parties, such as IT and logistics companies, advertising service suppliers, banks, insurance companies or credit refer-ence agencies, who may in turn provide us with data.

When cooperating with companies and business partners, such as partners in projects or parties in legal disputes, we also process data to initiate and execute contracts, for planning, for accounting pur-poses and other purposes related to the contract.

We also process data to prevent and identify fraud and for legal proceedings, for our risk management and in the context of prudent company administration, including business or-ganization and development.


For these purposes, we process, in particular, master and contract data, but also behavioral and com-munication data. We may also create and process profiles (see sub-paragraph 5) for the above purpos-es and in order to protect you and us from illicit or abusive activities.

We also process your data for market research purposes, to improve our services and our operations and for product development.


We strive to continuously improve our products and services and to be able to react quickly to changing needs. We therefore analyze, for example, which products are used by which groups of people in what way and possible designs for new products and services. This gives us an indication of the acceptance of existing products and services in the market and the market potential of new ones. To this end, we process, in particular, your master data, behavioral data and preference data, as well as communication data and information from customer surveys, polls and studies and other information, such as from the media, from social media, from the Internet and from other public sources. As far as possible, however, we use pseudonymized or anonymized data for these purposes. We may also use media monitoring services or perform media monitoring ourselves, whereby we process personal data in order to carry out media work or to understand and respond to current developments and trends.


Like all competitive businesses, we may also process data such as master data, contract data, behavioral data, preference data and communications data for marketing purposes, such as for personalization and transmitting information on products and services provided by us and third parties and for relationship management. You can decline such contacts at any time (see the end of this sub-paragraph 4).


For example, we may send you information, advertising and product offers provided by us and third parties in the insurance and other sectors as well as newsletters and other periodic communications, in print or by telephone. Such communications are also made as part of individual marketing campaigns (e.g. events, contests, etc.). We personalize some of these communications in order to provide you with customized information and offers that meet your needs and interests. To do this, we link data that we process about you, determine preference data and use this data as the basis for personalization (see sub-paragraph 3). We may also carry out profiling for marketing purposes (see sub-paragraph 5). We also process data in connection with contests, prize drawings and similar events. Customer care also includes addressing existing customers – in a manner that may be personalized on the basis of behavioral and preference data or data from customer surveys – and organizing customer events (such as sponsoring , sports and cultural events and promotional events). In the case of customer events, we process personal data to carry out the events, as well as to inform the participants and to provide them with information and advertising before, during and after the event.

All of this processing is important to allow us to promote our offers in a way that is most relevant to your needs, to personalize our relationships with customers and other third parties and to use our resources efficiently.

You may object to processing for marketing purposes at any time by notifying us. Automatically generated messages that cannot be customized, such as invoice texts, are excluded from this. Further information on your rights can be found in sub-paragraph 10.

We may also process your data for security purposes and for access control purposes. 


We continuously review and improve the appropriate security of facilities and buildings and our IT. In doing so, we process data, among other reasons, in connection with the surveillance of buildings and publicly accessible premises. Ensuring adequate security is also very important, especially for digitized products. Like all companies, we cannot rule out data breaches with absolute certainty, but we do our best to reduce the risks. We therefore process data, for purposes such as monitoring, control, analysis and testing of our networks and IT infrastructures, to carry out system and error checks, for documentation purposes and in the context of security copies.

We may process your data for other purposes, such as our internal processes and administration.


These other purposes may include training and educational purposes, administrative purposes (such as the administration of master data, accounting and data archiving or the administration of real estate and the testing, administration and ongoing improvement of IT infrastructure), the protection of our rights (for example, to enforce claims in or out of court and before authorities in Switzerland and abroad or to defend ourselves against claims, for example by preserving evidence, through legal clarifications and by participating in judicial or official proceedings), the evaluation and improvement of internal processes and the general preparation of anonymous statistics and evaluations. In the course of developing our business, we may also sell or acquire businesses, operations or companies to or from other companies or enter into partnerships, which may also result in the exchange and processing of data (including from you, for example, as a customer or supplier or as a supplier representative). This also includes the protection of other legitimate interests, which cannot be named exhaustively.

If we ask for your consent for certain processing, we will inform you separately about the corresponding purposes of the processing. You may withdraw your consent at any time by notifying us in writing; you will find our contact details in sub-paragraph 2. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the respective purposes unless we have another legal basis for doing so. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to the revocation.

Insofar as we are subject to the GDPR when processing your personal data, we base this processing on the fact that it is necessary for the preparation and execution of the contract with you or the entity you represent (e.g., the processing of master and contract data for application verification, fraud prevention, credit rating and creditworthiness checks, transaction processing, etc.; Art. 6 para. 1 b and Art. 9 para. 2 g and h GDPR and Art. with 21 para. 1 fig. 2 DSG-FL), that it is required or permitted by law (Art. 6 para. 1 c GDPR), that it is necessary for legitimate interests of us or third parties (e.g. processing for administrative and security purposes, for credit assessment and purposes of market research, marketing, improvement of our services and product development; Art. 6 para. 1 f GDPR) or that you have consented, e.g. to the processing of health data in view of a possible conclusion of a contract (Art. 6 para. 1 a and Art. 9 para. 2 a GDPR).

If we receive data that is particularly sensitive (such as health data), we may also process this data – where necessary – on the basis of other legal grounds, for example, in the event of disputes arising from the necessity to process the data for a possible lawsuit or the enforcement or defense of legal claims (Art. 9 para. 2 f GDPR). In individual cases, other legal grounds may apply; we will communicate these to you separately where necessary.


What applies in the case of profiling and automated individual decisions?

For the purposes stated in sub-paragraph 4, we may process and evaluate your data (sub-paragraph 3) automatically, i.e. in a manner aided by a computer and, because of this, may also determine preference data, as well as to identify compliance, misuse and security risks, to carry out statistical evaluations or for operational planning purposes. These processing operations also include profiling.


Profiling is the automated processing of data for analysis and forecasting purposes. The most important examples are profiling to combat money laundering and terrorist financing, to combat misuse, to check creditworthiness, for customer care and for marketing purposes. For the same purposes, we may also create profiles, i.e. we may combine behavioral and preference data, as well as master, contract data and technical data assigned to you, in order to better understand you as a person and your different interests and personal needs. In both cases, we pay attention to the appropriateness and reliability of the results and take measures against misuse of these profiles or profiling.


In order to ensure the efficiency and uniformity of our decision-making processes, we can also automate certain decisions, i.e. make these with the aid of a computer according to certain rules and without review by an employee.


In each individual case, we will inform you if an automated decision creates negative legal consequences or a comparable significant impairment. In this case, you shall have the rights set out in sub-paragraph 10 if you do not agree with the outcome of the decision.


To whom do we disclose your information?

Our products and services are provided and handled in cooperation with third parties and service suppliers who may consequently receive data about you. Below you will find an overview of the categories of recipients to whom we may disclose personal data. For further information please refer to sub-paragraphs 3 and 4. 

Referral: We provide our sales partners with the information they need for their support and advice, for the sale and distribution of our products and for the calculation of their compensation.


In addition to master data, this may include information on the period of insurance, the performance and  termination of the contract, information on the assessment and documentation of compensation and information for the marketing of our products, which may include personalized marketing. Contractual partners are required by law and contract to comply with the provisions of the Swiss Data Protection Act.

Address verification, credit check and debt collection: We may involve third parties to carry out address and credit checks and debt collection.


We may involve third parties to carry out address verification, credit checks and for debt collection purposes, and in the process disclose data to them, such as that concerning outstanding debts and your payment history.

Companies of the Zurich Group: We may transmit personal data to other companies in the Zurich Group.


If necessary, we may pass on your data to other companies belonging to the Zurich Group. In order to offer you individualized financial solutions, we may disclose your data – in particular your master data, contract data and registration data as well as behavioral and preference data – to other companies belonging to the Zurich Group for the purpose of offering products and services tailored to your individual needs.

Public authorities and agencies: We may disclose personal data to public authorities, agencies, courts and other public bodies if we are legally obliged or entitled to do so, or if this is necessary to protect our interests.


In the context of exercising rights, defending against claims and fulfilling legal requirements, we may disclose personal data to public authorities, agencies, courts and other public bodies, for example in the context of official, judicial and pre- and extra-judicial proceedings and in the context of legal obligations to provide information and to cooperate. Data is also disclosed if we obtain information from public authorities. Public authorities are responsible for processing data about you that they receive from us.

Additional individuals: Where third parties become involved within the framework of the processing purposes pursuant to sub-paragraph 4, data may also be disclosed to other recipients on the basis of your separate consent or due to legal or regulatory requirements, directives and recommendations made by authorities or internal regulations.


We may disclose data, for example, to individuals involved in proceedings before courts or authorities, as well as potential purchasers of companies, receivables and other assets and, in the case of securitizations, to financing companies and to other third parties, about whom we will inform you separately where possible, for example, in declarations of consent or special data protection policies. Other individuals include, in particular, payment recipients, authorized representatives, correspondent banks, other financial institutions and other bodies involved in a legal transaction.

Service suppliers: We work with service suppliers at home and abroad who process data about you on our behalf or in joint responsibility with us, or receive data about you from us within their own sphere of responsibility. This may also include health data.


We procure services from third parties to ensure that we can deliver our products and services securely and cost-effectively and that we can concentrate on our core competencies. These services include, for example, sales via other sales partners (see sub-paragraph 4) IT services, the dispatch of information, marketing, sales, communication or printing services, facility management, security and cleaning, the organization and holding of events and receptions, debt collection, credit agencies, anti-fraud measures and services provided by consulting firms and auditing firms. In each case, we provide service suppliers with the data necessary for their services. One example is hosting service suppliers who store electronic data on our behalf, which may include sensitive data such as health data. Our service suppliers are each subject to contractual and/or statutory confidentiality and data protection obligations. They may use such data for their own purposes in justified, exceptional cases, for example, information on outstanding debts and your payment history in the case of credit agencies or anonymized information for the purpose of improving services.

To the extent provided by law, these categories of recipients may in turn involve third parties, meaning that your data may also become accessible to them. 

We reserve the right to make these disclosures even if they concern confidential data.


In many cases, it is also necessary to disclose confidential data in order to process contracts or provide other services. Even non-disclosure agreements generally exclude neither this type of data disclosure, nor disclosure to service suppliers. However, given the sensitivity of the data and other circumstances, we take care to ensure that these third parties handle the data in an appropriate manner.

We also allow certain third parties to collect personal data from you on our website and at events organized by us (such as media photographers or providers of tools that we have embedded on our website). Where we are not decisively involved in these cases of data collection, these third parties are solely responsible for them. If you have any concerns or wish to exercise your data protection rights, please contact these third parties directly.
The aforementioned disclosures within and outside Switzerland (see sub-paragraph 7) are required for legal or operational reasons. Therefore, legal and contractual confidentiality obligations do not prevent these disclosures.


Do we disclose personal data abroad?

As explained in sub-paragraph 6, third parties and service suppliers also process your personal data in addition to us. Your data may also be transferred abroad, such as when personal data is transferred to other companies of the Zurich Group or to service suppliers, and possibly also when it is disclosed to third parties involved in the processing of the contract, to authorities and courts and to other bodies. Your data may therefore be processed worldwide, including outside the EU or the European Economic Area (i.e. also in third countries such as the US). Many third countries do not currently have laws that guarantee a level of data protection equivalent to that provided by Swiss law. We therefore take contractual precautions to contractually compensate for the weaker statutory protection. For this purpose, we generally use the standard contractual clauses issued or recognized by the European Commission and the Swiss Data Protection and Information Commissioner (FDPIC) (for further details and a copy of these clauses, please see, unless the recipient is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exemption clause. An exception may apply, in particular, in the case of legal proceedings abroad, but also in cases of overriding public interests or if the processing of a contract requires such disclosure, if you have granted your consent or if it is a matter of data that you have made generally accessible and whose processing you have not objected to.


Many countries outside Switzerland or the EU and EEA currently do not have laws that guarantee an adequate level of data protection from the perspective of the Swiss Federal Act on Data Protection or the GDPR. The contractual arrangements mentioned above may partially compensate for this weaker or missing statutory protection. However, contractual precautions cannot eliminate all risks (with particular regard to state intervention abroad). You should be aware of these residual risks, even though the risk may be low in individual cases and we have taken additional measures (such as pseudonymization or anonymization) to minimize it.

Please also note that data exchanged over the Internet is often routed via third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country.


How long do we process your data for?

We store your data for as long as our processing purposes, the legal retention periods and our legitimate interests in processing for documentation and evidence purposes require, or for as long as the storage is technically necessary.


Therefore, the period for which we retain data depends on legal and internal regulations and on the purposes of processing (see sub-paragraph 4), which also include the protection of our interests (for example, to enforce or defend claims, for archiving purposes and to ensure IT security). 
Documentation and evidence purposes include our interests, processes, interactions and other facts in the event of legal claims and other discrepancies, for IT and infrastructure security purposes and to provide evidence of good corporate governance and compliance. Retention may be technically necessary if certain data cannot be separated from other data, and we therefore need to retain it with this other data (such as in the case of backups or document management systems).


How do we protect your data?

We handle your data confidentially and take appropriate technical and organizational security measures to protect the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to protect it against the risk of loss, accidental alteration, unauthorized disclosure or access. We use recognized security standards such as ISO 27001 as a guide.


Our security measures include measures such as encrypting and pseudonymizing data, logging, access restrictions, storage of backup copies, instructions to our employees, confidentiality agreements, audits, etc. We also require our contracted data processors to take appropriate security measures. In general, however, security risks cannot be completely ruled out; certain residual risks are unavoidable. 

When your data is transmitted via our web pages, we protect it during transport using suitable encryption mechanisms. However, we can only secure areas that are under our control. 
If you contact us by email, you do so at your own risk and agree that we may respond to you at the sender's address via the same channel. If you send us emails via the Internet in unencrypted form, third parties may be able to access, view and manipulate them. 

In addition, we take appropriate technical and organizational security measures to reduce the risk within our Internet pages. However, your end device is outside the security area that lies within our control. You are therefore required to learn about the necessary safety precautions and to take appropriate measures in this regard.


What are your rights?

Applicable data protection law grants you the right to object to the processing of your data in certain circumstances, in particular for direct marketing purposes, profiling used for direct marketing and other legitimate interests.

In order to make it easier for you to maintain control over the processing of your personal data, you have various rights in connection with our data processing under applicable law: 

  • the right to request information from us as to whether we are processing your data, and which data we are processing; 
  • the right to have data corrected by us if it is inaccurate;
  • the right to object to our processing for specific purposes and to request the restriction or deletion of data unless we are obliged or entitled to continue processing it;
  • the right to obtain from us the disclosure of certain personal data in a commonly used electronic format or to request that we transfer this to another controller;
  • the right to revoke consent, provided our processing is based on your consent. 

If we inform you about an automated decision (sub-paragraph 5), you have the right to express your position on this and request that the decision be reviewed by a natural person. 

Please note that certain conditions must be met in order to exercise these rights and that exceptions or restrictions may apply (e.g. to protect third parties or trade secrets). We will inform you accordingly where necessary.


In particular, we may need to process and store your personal data in order to perform a contract with you, to protect our legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard sensitive interests, we may therefore also reject a data subject’s request in whole or in part (for example, by blacking out certain content relating to third parties or our trade secrets).

If you wish to exercise any rights against us, please contact us in writing (see sub-paragraph 2). To enable us to rule out abuse, we must identify you (such as with a copy of an identity card, if not otherwise possible). You also have these rights in relation to other bodies who work with us under their own responsibility – please contact them directly if you wish to exercise any rights in relation to their processing. 

If you do not agree with our handling of your rights or data protection, please let us know via the contact details listed under sub-paragraph 2. You can contact the Swiss data protection authority here: and the Liechtenstein data protection authority at


Can this Data Protection Declaration be changed?

This Data Protection Declaration does not form part of any contract with you. We may amend this Data Protection Declaration at any time. The version published on this website is the current version.