Privacy policy - occupational pensions

The pension providers (hereinafter also referred to as "we"; see sub-paragraph 2") process personal data relating to you or other individuals (referred to as "third parties"). Further information can be found in sub-paragraph 2.

"Personal data" is data relating to an identified or identifiable person; in other words, the data or corresponding additional data can be used to make inferences about their identity. “Sensitive personal data” is a category of personal data to which the applicable data protection law provides special protection. Sensitive personal data may include data from which ethnic or racial origin can be discerned, data relating to health; additionally data concerning health, religious or philosophical belief or data concerning trade union membership.

In sub-paragraph 3, you will find details of the data that we process within the scope of this Privacy Policy.

“Processing” refers to any handling of personal data, e.g. collection, storage, use disclosure and deletion.

We are active in the area of compulsory and voluntary occupational pensions. In the area of compulsory occupational pensions we process your personal data based on applicable legal provisions. Here were are exempt from the obligation to inform you specifically about how we process data. We shall, however, inform you in the following privacy policy about our entire field of activity, notices in this privacy policy apply both for the compulsory and voluntary areas unless otherwise stated.

In this Privacy Policy, you will find information about our data processing (we use the term "data" here synonymously with "personal data"). This concerns, for example, the following individuals (each referred to as "you"):

• Insured persons in the compulsory, non compulsory and voluntary pension provisions,
• previous, current and future employers or their contact persons, family members of the employer and the employer’s employees,
• Dependents of insured persons (e.g. current and former spouses and registered partnerships, life partners, parents and children) and other beneficiaries,
• Authorized representative (e.g. legal representative),
• Claimants, liable persons and other involved persons,
• Members of our bodies,
• Contact persons from social and private insurers, other pension providers and vested benefits institutions, reinsurers, suppliers and partners and from government authorities and offices.

This privacy policy explains how we handle personal data which relate to you. It relates to the processing both of personal data already stored and future personal data. It applies to all our services and contracts, unless we provide you with separate privacy policies for these.

For further details regarding our data processing, please refer to the following documents, if applicable:

• Foundation documents (e.g. the pension rules),
• separate forms (e.g. withdrawal forms, retirement form),
• our websites.

For some products and services you will also find further information on the corresponding data processing in additional privacy policies, which apply in addition to this Privacy Policy, e.g. in connection with your use of our websites.

We are available at any time should you have any questions (sub-paragraph 2).

Please note that we will use the masculine form for denoting persons in the privacy policy to ensure better readability. Female persons are of course equally included.

For the processing of personal data according to this privacy statement, one of the following pension providers (“we” or “us”) is legally responsible, i.e. is the primary competent authority according to data protection law unless communicated otherwise in individual cases (e.g. in further privacy policies, on forms or in contractual provisions):

• Vita Collective Foundation,
• Vita Select Joint Foundation of Zurich Life Insurance Company AG
• Vita Invest Joint Foundation of Zurich Life Insurance Company AG
• Vita Plus Joint Foundation of Zurich Life Insurance Company AG;

based at Hagenholzstrasse 60, 8050 Zurich respectively.

You can, for example, find your own pension provider on your pension insurance certificate.

For each data processing operation, there are one or more bodies who bear primary responsibility for ensuring that the data processing complies with the requirements of data protection law. This body is referred to as the "data controller" or “controller”. It is responsible, among other things, for responding to requests for information (sub-paragraph 10) or for ensuring that personal data is secure and not used in a way that deviates from what we tell you or from what is permitted by law. Details of third parties with whom we cooperate and who are responsible for their own processing can be found in sub-paragraph 3 and in sub-paragraph 6.

If you wish to contact us in this regard, please write to the following address:

Vita
c/o Zurich Insurance Company Ltd
Zurich Data Protection
P.O. Box
CH 8085 Zurich
datenschutz@zurich.ch 

Zurich Insurance Company Ltd processes your queries on our behalf. You can also contact the responsible pension provider in writing.

Like every provider of complex products and services, we process various data from various sources. Information regarding this data can be found here in sub-paragraph 3, and information regarding the purpose of the processing in sub-paragraph 4.

We frequently gather data from the employers of insured persons, e.g. when the employer registers you as a new employee with us, when the employer registers a resignation, a change to remuneration or informs us of another change or registers a claim event. However, we also gather data directly from you, e.g. when you register with us as a self-employed person, provide us with health information, register a beneficiary or a civil partnership, buy into a pension fund or wish to draw on your termination benefits, or if you change your job, wish to transfer your vested termination benefit to another pension or vested benefits institution or if you communicate with us about another matter. We can also collect data from other sources. You will find further details in this sub-paragraph 3.

We primarily process the categories of data described below, although this list is not exhaustive. If data changes over time (for example, if an address changes or in the event of another modification), we may, as circumstances dictate, process the previously provided data in addition to the current data. Beneficiary data in connection with compulsory pension provisions is only processed within the framework of the BVG.

Master data: We use the term "master data" to refer to the basic data that we require, in addition to the contractual data (see below), to process our contractual and other business relationships. We process your master data for example if you are an insured person, a dependent or beneficiary of an insured person, if you are a contact person from an employer, another pension provider or a supplier for such an organization or if we need to otherwise contact you for our own purposes or for the purposes of a contractual partner.

The master data consists first and foremost of name, address and contact details and, if applicable, date and place of birth, age and gender.

Furthermore, both private and professional contact data for insured persons likewise belong to the master data e.g. email address and telephone number, marital status and, if applicable, the date of marriage or divorce, or the date of entry or dissolution of a partnership, date and place of birth, age, gender, nationality and hometown, details of identification data (e.g. from your passport, your ID or other identification documents), OASI number (to the extent required by law), your contract, policy and insured-person numbers, details regarding previous pension or vested benefit institutions, the date you started or ended employment with an employer, personnel category, degree of fitness to work, level of employment, whether or not you are working in a fixed term contract, the registered and insured annual salary and the BVG annual salary.

Details regarding relationships to third persons, who are also affected by the data processing also fall under this data, e.g. about dependents and beneficiaries.

In the case of employers and other contractual partners who are companies, we process data concerning our contact persons, this may include name and address, details of titles, position in the company, qualifications and, where applicable, details of supervisors and employees. Depending on the area of activity, we are also required to check the company in question and its employees more closely, for example, by carrying out a security audit. In this case, we collect and process additional data, if necessary also from third party providers.

We frequently receive master data from your employer and from you but also incorporate further third party data. Third parties from whom we obtain data may include other Zurich Group companies and credit reporting agencies, media monitoring companies, financial service suppliers and banks from which you transfer assets to us or make transfers to us, address dealers, internet analysis services, public authorities, other insurers, parties to proceedings and publicly available sources such as the commercial register, media and sources on the Internet, public registers, media, etc.

Contract, claim and benefits data: This is information arising in connection with a possible or actual subsequent contract or its dissolution, the processing of a contract and the incorporation of insured persons into the occupational pension plan, but may also include information relating to the receipt of reports and the processing of pension claims (i.e. retirement, disablement or death) and relating to other services such as, for examples, a transfer, payout or termination benefit. Health related data and information about third parties also all under this category, e.g. if a person is declared unfit for work or upon the death of an involved person. We may also obtain this kind of data from third parties such as public authorities and agencies (e.g. social insurers or social offices), employers, other insurers, medical benefits providers and experts, from law courts or external lawyers.

Data relating to the conclusion of a subsequent contract with the employer, type and completion date and its processing and administration (e.g. information in connection with billing, consultation and customer service) also form part of this data. Contract data also includes information relating to complaints about and adjustments to a contract, as well as information about customer satisfaction which we may collect, for example, by means of surveys.

Furthermore, we also process data regarding termination benefits during the benefits relationship, e.g. their amount and about possible and completed buy-in. We receive this information from the insured person, from their employers and from other pension or vested benefits institutions.

We gather data in the course of processing pension claims such as, for example, reporting the occurrence of a claim event, claim number, details about the reason for the insurance event (if inability to work has been determined then the cause, e.g. illness or accident) and the date of the occurrence, details in connection with assessing the pension claim, details about other insurances and insurers, details about third parties, if applicable, such as persons involved, also especially sensitive personal data such as health data. We obtain this information from the insured person, from the insured person’s employer, and also work with third parties, e.g. with other insurers such as disability insurers, experts and doctors and all service providers from whom we receive data – including health data, if applicable with a separate release agreement.

For other claim events we process the data related to them, e.g. for the payment of termination benefits, data relating to the reasons for payment of the termination benefit (e.g. if the insured has become self-employed, completed a buy-in into the second pillar, left Switzerland permanently or if the termination benefit is negligible), details regarding your private account or that of a vested benefits institution and, if applicable, spousal agreement or agreement from registered life partner and the attestation of your signature. In the case of divorce or dissolution of a registered partnership we process information relating to the settlement of pension benefits (e.g. date of divorce or dissolution of registered partnership, any termination benefits obtained, advance withdrawals or drawn disability pension payments and court order in this context). We obtain this information from insured persons, their spouses or registered partners and from public authorities and courts.

Depending on the product we also process other data.

Financial Data: This is data relating to financial circumstances, payments and the securing of claims.

Financial data is, for example, information relating to payments and bank account details. This includes data in connection with premium payments from the employer and the securing of claims. For insured persons this also includes information about salary, buying into occupational retirement provisions and about the payment of termination benefits and pensions. We process financial data about beneficiaries, e.g. in connection with pensions to surviving spouses and registered partners, to children and other beneficiaries. We receive this data from insured persons, e.g. in the course of buying in or from the payment of termination benefits but also from banks, credit reporting agencies and from publicly available sources.

Communication Data: This is data relating to our communication with you and information regarding your use of our website. If you contact us via the contact form, email, telephone or chat, by letter or by any other means of communication, we record the data that is exchanged between you and us, including your contact details and other marginal data. If we record telephone conversations, we will draw your attention to this fact. If we want or need to establish your identity, for example, in the context of a request for information, application for media access, etc., we collect data to identify you (such as a copy of an identity document).

Communication data includes your name and contact details, the manner, place and time of the communication and normally its content, such as details in emails or letters from you or to you or from third parties or to third parties, if the latter also relate to you. This also includes direct and indirect contacts with us, e.g. customer service and your customer consultant (e.g. via a website or an app, in a chatbot in the internet or an app).

Other Data: We also collect data from you in other situations. This also would include data relating to you which accrues in connection with official or judicial proceedings (e.g. files, evidence etc.). We may also collect data for health protection reasons (for example, in the context of protection concepts). We may obtain or produce photographs, videos and audio recordings in which you may be identifiable (for example, at events, via security cameras etc.). We may also collect data about who enters certain buildings and when (including in the case of access controls, on the basis of registration data or visitor lists, etc.), who participates in events or campaigns (such as competitions) and when or who uses our infrastructure and systems.

The data we process in accordance with this Privacy Policy relates not only to our customers, but often also to third parties (you will find information on this in sub-paragraph 1 and in this sub-paragraph 3). We receive some data regarding third parties from employers (e.g. reporting a death) and from third party sources, but or the main part from the insured person. If you provide us with information about third parties, we shall assume that you are authorized to do so and that the information is accurate. By transmitting data about third parties, you confirm this fact. Therefore, please inform these third parties about our processing of their data and provide them with a copy of this Privacy Policy or the Customer Information Sheet on Data Protection. If we refer you to a new version of these documents, please also hand over these new versions in each case.

Certain data must be disclosed to us in connection with compulsory pension provisions due to a legal obligation i.e. as part of the employer’s cooperation obligations, e.g. affiliation with the pension scheme, and by insured persons in the event of pension claims and in connection with the legal obligations of other insurers. You are not usually obliged to disclose data to us, with the exception of certain individual cases, such as in the context of binding protection concepts. However, in the case of voluntary processes, such as buying into voluntary pension schemes or drawing upon termination benefits, we must process data for legal and operational reasons. If you do not wish to made this data available to us, we would therefore be unable to complete the applicable processes. When using our website, the processing of specific technical data is unavoidable (it is not usually personal data).

There are certain services which we can only make available to you if you provide us with certain registration data because we or our contractual partners wish to know who, for example, has responded to an invitation to take an action, because it is either technically necessary or because we wish to communicate with you. If you or someone you represent (such as your employer) wish to enter into or perform a contract with us, we need to collect relevant master, contract and communication data from you, and we process technical data when you wish to use our website or other electronic offers. Likewise, we can only send you a response to a request you have made if we process the relevant communication data and - if you communicate with us online - any applicable technical data. It is not possible to use our website without us receiving technical data.

Our activities and services are complicated. We therefore process your personal data (especially the data categories specified in sub-paragraph 3) for different purposes. These include in particular the following agreed purposes:

We initially process data for processing occupational pensions, e.g. for follow-up contracts with employers and self-employed persons, for registering insured persons and for assessing and processing pension claims including coordination with other insurers e.g. disability insurers and for the assertion of recourse claims. We can also carry out profiling in this context (see sub-paragraph 5). In the area of compulsory pension provisions, this activity is regulated by legislation for occupational pensions, especially through the Occupational Pensions Act (BVG) and the Swiss Federal Law on Vesting in Pension Funds (FZG) together with the associated regulations. As a federal organ we process your personal data in this area as part of our legal processing authorization (e.g. Art. 85a et seq. BVG). In the area of non compulsory pension provision, our data processing is not subject to the data protection provisions of the BVG but is subject to those of the Data Protection Law (DSG).

The preparation and completion of a affiliation contract with the employer or self-employed person who is joining us is required for the provision of occupational pension arrangements. For this purpose we process personal data – especially master data, contract data, financial data and communication data – from employers or from their contact persons and, if required, from brokers. Our customer service and advising our clients also falls under this, as does the assertion of legal claims from contracts (payment defaults, legal proceedings etc.), accounting, the termination of contracts and public communication.

Furthermore, the receipt and processing the registrations of new insured persons is also part of providing occupational pensions arrangements. For this purpose we primarily process your master data. We then run a pension capital account for every insured person for which we process information regarding contributions, buy-ins, retirement assets and payouts.

The assessment and processing of pension claims also falls under the provision of occupational pension arrangements. If a pension claim event occurs or if one is reported to us, we will process primarily contract, case and benefits data pertaining to the insured person and from dependents and beneficiaries for assessing the entitlement to a claim (you can find further information about this in the following sections) and, where required, for the provision of payments. We can also process any related health data, including data which we obtain from third parties e.g. from external experts and doctors (you can find further information in sub-paragraph 3), and further information which falls under the remit of these purposes or which are necessary for them. If inability to work is determined, the necessary data may be processed and forwarded in the event of recourse to a liable third party (or the liable third party’s liability insurer).

We may draw upon third parties e.g. IT and logistics companies, advertising service providers, banks, other insurers or credit reporting agencies who can make data available to us for the purpose of concluding contracts and setting up contractual relationships.

When cooperating with companies and business partners, such as partners in projects or cooperating with parties in legal disputes, we also process data to process and initiate contracts, for planning, for accounting purposes and other purposes related to the contract.

We process personal data for the fulfillment of additional legal and regulatory requirements and for adhering to instructions and recommendations from public authorities and internal regulations (“compliance”).

This includes, for example, the fulfillment of disclosure, information or reporting obligations, e.g. in connection with obligations to supervisory bodies, the fulfillment of archival obligations and support in preventing, exposing and clarifying criminal acts and other infringements. This includes the receipt and processing of complaints and other reports, the surveillance of communication, internal or external checks or the disclosure of documents to a public authority if we have a material reason for so doing or are required to by legal obligations. For these purposes we process primarily master data, contractual data, financial data, communication data and, if required, also behavioral data from employers and their contact persons, from self-employed persons and again, if necessary, from insured persons (e.g. if insurance fraud is suspected).

We also process data for our risk management, for preventing insurance fraud, for legal processes and in the context of prudent company administration, including the business organization and corporate development.

For these purpose we process, in particular, master data, contractual data, claims and benefits data and financial data, but also behavioral and communications data. We can, for example, carry out risk assessments prior to the contract being signed. Like all insurers, we must likewise take measures to prevent insurance fraud. This also includes clarification in the event of a claim with third parties, including doctors, experts and in public sources.

In the area of non-compulsory pension provisions we can also process your data for market research to improve our services and operation, and for product development purposes.

We strive to continuously improve our products and services and to be able to react quickly to changing needs. We therefore analyze how, for example, offers in the non-compulsory area are used and how new products and services can be created. This gives us an indication of the market acceptance for existing products and services and the market potential of new ones. For this purpose we process your master data but also communications data and information from customer surveys, questionnaires and studies and further details e.g. from the media, from social media, from the internet and from other public sources. As far as possible, however, we use pseudonymized or anonymized data for these purposes. We may also use media monitoring services or perform media monitoring ourselves, whereby we process personal data in order to carry out media work or to understand and respond to current developments and trends.

We also process data for marketing purposes, to contact employers and their contact persons and to send them information about products and services from us and from third parties, and to maintain relationships. Some of the information we send out is personalized. We only market to beneficiaries after separate permission has been obtained. You may object to processing for marketing purposes at any time by notifying us. Further information on your rights can be found in sub-paragraph 10.

We can provide employers and/or their contact persons with information, advertising or product offerings from us or from third parties (e.g. from other companies in the Zurich Group), in the form of newsletters, printed material or via telephone, regularly or as part of an individual campaign (e.g. for events, competitions etc.). We may also personalize notifications so that our information and offers better meet the needs and expectations of the recipient. We can also send marketing information to beneficiaries provided that permission to do so has been obtained. To do this, we link data that we process about you as the basis for personalization (see sub-paragraph 3).

We may also process your data for security purposes and for access control purposes.

We continuously review and improve the appropriate security of facilities and buildings and our IT. In doing so, we process data, among other reasons, in connection with the surveillance of buildings and publicly accessible premises. We are not able to rule out data breaches with absolute certainty but we do use our very best endeavors to reduce the risk. We therefore process data, for purposes such as monitoring, control, analysis and testing of our networks and IT infrastructures, to carry out system and error checks, for documentation purposes and in the context of security copies.

We may process your data for other purposes such as our internal processes and administration.

These other purposes may include training and educational purposes, administrative purposes (such as the administration of master data, accounting and data archiving or the administration of real estate and the testing, administration and ongoing improvement of IT infrastructure), the protection of our rights (for example, to enforce claims in or out of court and before authorities in Switzerland and abroad or to defend ourselves against claims, for example by preserving evidence, through legal clarifications and by participating in judicial or official proceedings), the evaluation and improvement of internal processes. In the course of developing our business, we may also sell or acquire businesses, operations or companies to or from other companies or enter into partnerships, which may also result in the exchange and processing of data (including from you, for example, as a customer or supplier or as a supplier representative). This also includes the protection of other legitimate interests, which cannot be named exhaustively.

If we ask for your consent for certain processing, we will inform you separately about the corresponding purposes of the processing. You may withdraw your consent at any time with effect for the future by notifying us in writing; you will find our contact details in sub-paragraph 2. Once we have received the revocation of your consent we will no longer process your data for the relevant purposes unless we have another legal basis for doing so. The legality of processing which has taken place up until the point of time at which consent was revoked shall remain unaffected.

For the purposes stated in sub-paragraph 4, we may process and evaluate your data (sub-paragraph 3) automatically, i.e. in a manner supported by computer, as well as to determine the security and reputational risks, the risk of abuse, to carry out statistical analyses or for operational planning purposes. These processing operations also include profiling.

Profiling is the automated processing of data for analysis and forecasting purposes. The most important examples are profiling for combatting abuse, for determining security and operational risks, for servicing customers and for marketing purposes (as described in more detail in sub-paragraph 4).

In every case we pay attention to the appropriateness and reliability of the results and take measures against the misuse of profiling. In the compulsory area this data processing is subject not only to the Data Protection Act but also legislation concerning occupational pensions.

In order to ensure the efficiency and uniformity of our decision-making processes, we can also automate certain decisions, i.e. make these with the aid of a computer according to certain rules and without review by an employee. These may, for example, include decisions about concluding a contract, terminating a contract or risk exclusions.

In each individual case, we will inform you or indicate the decision accordingly if an automated decision has been made which creates negative legal consequences or a comparable significant impairment for you. In this case, you shall have the rights set out in sub-paragraph 10 if you do not agree with the outcome of the decision.

Occupational pension provision is a collaborative process. There are not only pensions institutions involved but several other additional organizations – employers, vested benefits institutions, other insurers, medical service providers etc. Your data is therefore not only processed by us but also by third parties. Below you will find an overview of the categories of recipients to whom we may disclose personal data.

This sub-paragraph 6 explains the most important data disclosures with references to the corresponding data. For further information please refer to sub-paragraphs 3 and 4.

Employer: We do not disclose any data to your employer about your health or other processes such as buy-ins, advance withdrawals. The employer is only informed that a change has been made but receives no further information.

Declarations in the event of pension claims: In connection with the reporting of an occurrence of a pension claim (e.g. retirement, disablement or death) and in connection with other services, such as a transfer or payout of a termination benefit, we may exchange data with vested benefits institutions, other insurers, public authorities and offices (e.g. social insurers, particularly disability insurers or government social offices), other insurers, medical service providers and experts, banks and credit providers, courts and external lawyers.

In the context of processing pension claims and the relevant clarifications we may gather data from third parties (sub-paragraph 3), but also pass data to them, for example to doctors and other service providers, to experts, to public authorities, government offices, courts, respondents and lawyers. For example, we inform other social and private insurers about specific pension claims for the coordination of benefit obligations and for clarifying and implementing recourse claims. Particularly in the case of divorce or the dissolution of a registered partnership or inheritance disputes we will provide personal data to courts and other pension or vested benefits institutions.

Address verification, credit check and debt collection: We may involve third parties to carry out credit checks and debt collection.

We may involve third parties to carry out credit checks and for debt collection purposes and may disclose data, such as that concerning outstanding debts and your payment history, to them in the process.

Companies of the Zurich Group: We may transfer personal data to companies in the Zurich Group.

Where necessary, we may share your information with other companies belonging to the Zurich Group, in particular for the purpose of risk measurement and assessment and for providing further support services. In order to offer you as an employer the best possible insurance coverage and individualized financial solutions, we may disclose your data – in particular your master data, contract data and registration data – to other companies belonging to the Zurich Group for the purpose of offering products and services tailored to your individual needs (this data is not especially worthy of protection).

Public authorities and agencies: We may disclose personal data to public authorities, agencies, courts and other public bodies if we are legally obliged or entitled to do so, or if this is necessary to protect our interests.

In the context of exercising of rights, defense of claims and fulfillment of legal requirements, we may disclose personal data to public authorities, agencies, courts and other public bodies, for example in the context of official, judicial and pre- and extra-judicial proceedings and in the context of legal obligations to provide information and to cooperate. Recipients are, for example, debt enforcement offices, criminal courts and prosecution authorities, tax offices or social insurance authorities. Data is also disclosed if we obtain information from public bodies, for example, in connection with the processing of pension claims (see above). Public authorities are responsible for processing data about you that they receive from us.

Additional Individuals: If third parties are involved for the purposes outlined in sub-paragraph 4, data can also be disclosed to other recipients.

We may disclose data, for example, to individuals involved in proceedings before courts or authorities (for example, in the case of recourse to the liable third party or its liability insurer), as well as reinsurers, potential purchasers of companies, receivables and other assets where necessary and, in the case of securitizations, to financing companies and to other third parties, about whom we will inform you separately where possible, for example, in declarations of consent or special privacy policies. Other individuals include, in particular, payment recipients, authorized representatives, correspondent banks, other financial institutions and other bodies involved in a legal transaction.

Service Providers: We work with service suppliers at home and abroad who process data about you on our behalf or in joint responsibility with us, or receive data about you from us within their own sphere of responsibility. This may also include health data.

We procure services from third parties to ensure that we can deliver our products and services securely and cost-effectively and that we can concentrate on our core competencies. These services include, for example, IT services, the dispatch of information, marketing, sales, communication or printing services, facility management, security and cleaning, the organization and holding of events and receptions, debt collection, credit agencies, anti-fraud measures and services provided by consulting firms, auditing firms and claims service suppliers. In each case, we provide service suppliers with the data necessary for their services. One example is hosting service suppliers who store electronic data on our behalf, which may include sensitive data such as health data. These service suppliers are each subject to contractual and/or statutory confidentiality and data protection obligations. They may exceptionally use such data for their own purposes in justified cases, for example, information on outstanding debts and your payment history in the case of credit agencies or anonymized information for the purpose of improving services.

To the extent provided by law, these categories of recipients may in turn involve third parties, meaning that your data may also become accessible to them.

We also reserve the right to make these data disclosures if they affect confidential data subject to statutory duties of secrecy.

In many cases, it is also necessary to disclose confidential data in order to process contracts or provide other services. Even non-disclosure agreements neither generally exclude this type of data disclosure, nor disclosure to service suppliers. However, given the sensitivity of the data and other circumstances, we take care to ensure that these third parties handle the data in an appropriate manner.

Brokers: We provide insurance intermediaries (such as general agencies and other bound and unbound intermediaries) with the information they need to serve you, advise you and market our products.

Information which we provide to insurance brokers includes in particular master data, contract, claim and services data. Intermediaries are required by law and contract to comply with the provisions of the Swiss Data Protection Act.

We also allow certain third parties to collect personal data from you on our website and at events organized by us (such as media photographers, providers of tools that we have embedded on our website, etc.). Where we are not decisively involved in these cases of data collection, these third parties are solely responsible for them.

The aforementioned disclosures to within and outside Switzerland (see sub-paragraph 7) are required for legal or operational reasons. Therefore, legal and contractual confidentiality obligations do not prevent these disclosures. Beneficiary data in connection with compulsory pension provisions is only disclosed within the framework of the BVG.

As explained in sub-paragraph 6, other organizations also process your personal data in addition to us. For example, your data may be transferred abroad if personal data is transmitted to other companies in the Zurich Group or to service providers. These recipients are not only based in Switzerland. Your data may therefore be processed worldwide, including outside the EU or the European Economic Area (in so-called third countries such as the USA). Many third countries do not currently have laws that guarantee a level of data protection equivalent to that provided by Swiss law. We therefore take contractual preventative measures in order to balance out the weaker legal protection, provided the data protection legislation does not allow disclosure in individual cases for other reasons. For this purpose, we generally use the standard contractual clauses issued or recognized by the European Commission and the Swiss Data Protection and Information Commissioner (FDPIC) (for further details and a copy of these clauses, please see www.edoeb.admin.ch), unless the recipient is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exemption clause. An exception may apply, in particular, in the case of legal proceedings abroad, but also in cases of overriding public interests or if the processing of a contract requires such disclosure, if you have granted your consent or if the data concerned is that which you have made generally accessible and whose processing you have not objected to.

Many countries outside Switzerland or the EU and EEA currently do not have laws that guarantee an adequate level of data protection from the perspective of the Swiss Federal Acton Data Protection or the GDPR. The contractual arrangements mentioned above may partially compensate for this weaker or missing statutory protection. However, contractual precautions cannot eliminate all risks (with particular regard to state intervention abroad). You should be aware of these residual risks, even though the risk may be low in individual cases and we have taken additional measures (such as pseudonymization or anonymization) to minimize it.

Please also note that data exchanged over the Internet is often routed via third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country.

We store your data for as long as our processing purposes, the legal retention periods and our legitimate interests in processing for documentation and evidence purposes require, or for as long as the storage is technically necessary. Other information regarding the respective storage and processing durations can be found in the individual data categories in sub-paragraph 3.

Therefore, the period for which we retain data depends on legal and internal regulations and on the purposes of processing (see sub-paragraph 4), which also include the protection of our interests (for example, to enforce or defend claims, for archiving purposes and to ensure IT security). If these purposes have been achieved or no longer apply, and if there is no longer a retention obligation, we shall delete or anonymize your data as part of our normal procedures.

Documentation and evidence purposes include our interest, processes, interactions and other facts in the event of legal claims and other discrepancies, for IT and infrastructure security purposes and to provide evidence of good corporate governance and compliance. Retention may be technically necessary if certain data cannot be separated from other data and we therefore need to retain it with this other data (such as in the case of backups or document management systems).

We handle your data confidentially and take appropriate technical and organizational security measures to protect the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to protect it against the risk of loss, accidental alteration, undesired disclosure or unauthorized access. We use recognized security standards such as ISO 27001 as a guide.

Our security measures may include measures such as encrypting and pseudonymizing data, logging, access restrictions, storage of backup copies, instructions to our employees, confidentiality agreements, audits, etc. We also oblige our contracted data processors to take appropriate security measures. In general, however, security risks cannot be completely ruled out; certain residual risks are unavoidable.

When your data is transmitted via our web pages, we protect it during transport using suitable encryption mechanisms. However, we can only secure areas that are under our control.

If you contact us by email, you do so at your own risk and agree that we may respond to you to the sender's address via the same channel. If you send us emails via the Internet in unencrypted form, third parties may be able to access, view and manipulate them.

In addition, we take appropriate technical and organizational security measures to reduce the risk within our Internet pages. However, your end device is outside the security area that lies within our control. You are therefore required to learn about the necessary safety precautions and to take appropriate measures in this regard.

Applicable data protection law grants you the right to object to the processing of your data in certain circumstances, in particular for direct marketing purposes, profiling used for direct marketing and other legitimate interests concerning the processing.

In order to give you more control over the processing of your personal data, you have various rights in connection with our data processing:

• The right to request information from us as to whether we are processing your data, and which data we are processing;
• the right to have data corrected by us if it is inaccurate;
• the right to object to our processing for specific purposes and to request the deletion of data unless we are obliged or entitled to continue processing it;
• the right to obtain from us the disclosure of certain personal data in a commonly used electronic format or to request that we transfer this to another controller;
• the right to revoke consent, provided our processing is based on your consent.

If we inform you about an automated decision (sub-paragraph 5), you have the right – with certain exceptions – to express your position on this and request that the decision be reviewed by a natural person.

Please note that certain conditions must be met in order to exercise these rights and that exceptions or restrictions may apply (e.g. to protect third parties or trade secrets). We will inform you accordingly where necessary.

In particular, we may need to process and store your personal data in order to perform a contract with you, to protect our legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard sensitive interests, we may therefore also reject a data subject’s request in whole or in part (for example, by blacking out certain content relating to third parties or our trade secrets).

If you wish to exercise any rights against us, please contact us in writing (see sub-paragraph 2). To enable us to rule out abuse, we must identify you (such as with a copy of an identity card, if not otherwise possible).

If you do not agree with our handling of your rights or data protection, please let us know via the contact details listed under sub-paragraph 2. You can contact the Swiss supervisory authority here: www.edoeb.admin.ch.

This Privacy Policy does not form part of any contract with you. We may amend this Privacy Policy at any time. The version published on this website is the current version.