Information on data protection

Legal basis for the processing of personal data

The following privacy statement is geared to the requirements of the Swiss Federal Act on Data Protection (FADP), the European Union’s General Data Protection Regulation (GDPR) and the United Kingdom’s General Data Protection Regulation (UK GDPR). Whether and to what extent these laws are applicable depends on the specific individual case. In terms of compulsory occupational benefit schemes, the special data protection provisions of the Federal Law on the Occupational Old-Age, Survivors’ and Disability Benefit Plans (LOB) apply.

All persons involved in providing as well as monitoring or supervising the provision of occupational benefits are subject to the duty of confidentiality in accordance with Art. 86 LOB in respect of third parties.

Servisa may process personal data in accordance with applicable data protection law.

Data processing entails all handling of personal data regardless of the tools and procedures used, particularly the procurement, sav-ing, storage, use, modification (including pseudonymization and anonymization), disclosure, archiving, deletion/erasure or destruc-tion of data. The processing must not unlawfully infringe the personality rights of data subjects, and any processing may be based on the following principles under data protection law:

• Existence of a contract with Servisa
• Legitimate interests of Servisa
• Law
• Consent

Purpose of data processing

Servisa processes personal data for the purpose of operating obligatory and supplementary occupational benefit schemes and in or-der to maintain benefit coverage in line with the tasks entrusted to it.

Categories of personal data

The personal data processed by Servisa includes data that has been provided by data subjects, collected from them, or is publicly accessible. Data categories include:

• Communication data
• Contract details
• Master data
• Beneficiary data (e.g. first name, last name, address, place of residence, Old Age and Survivors’ Insurance (OASI) num-ber, payroll amount, start and leave dates, working hours, interruption of employment and cause, purchase (voluntary payment) calculations, advance withdrawals, e.g. to finance residential property or in connection with a divorce, infor-mation about capacity to work)
• Banking, financial and asset-related data
• Claims data
• Health data
• Registration data
• Technical data
• Data regarding behaviour and preferences
• Security, warranty and compliance data
• Other data (e.g. powers of attorney, official certifications, etc.)

Data provision

The policyholder or beneficiary is obliged to provide the data required to assess the risk, manage the contract and handle claims. If this obligation is not met, Servisa may refuse to conclude the contract or parts thereof or to pay all or part of the claim.

Data exchange

Servisa or parties it engages may, to the extent required, obtain relevant personal data from third parties to ensure optimum handling of business processes, the conclusion of contracts or contract management, and to provide services. On the basis of the insurance application forwarded or the claim (for benefits) notified, these third parties are released from their duty of confidentiality toward Servisa and the parties it engages.

Concluding the contract or providing services may require Servisa not only to obtain relevant information from third parties, but also to disclose personal data to third parties involved in the contract (such as reinsurers, commissioned parties, service providers, au-thorities, etc.). For this reason, Servisa is not subject to any duty of confidentiality in this regard under the FADP. In addition, Servisa obliges third parties to handle the data appropriately, in accordance with its sensitivity and with other circumstances. The data may be passed on to recipients in Switzerland and abroad if the circumstances of the data processing so require. For further details, please refer to the “List of recipients and countries”.

Profiling and automated individual decision-making

Profiling refers to any kind of automated processing of personal data comprising the analysis of specific personal aspects, such as economic situation, health, interests, reliability, behaviour, or relocation. Servisa may use profiling to analyse certain personal char-acteristics (interests and preferences) of data subjects, so that it can send them personalized advertising or offers, but also in order to identify fraud and security risks. The use of data analysis processes also enables Servisa to compile statistical information. If an in-dividual decision is made in a fully automated manner and that decision has negative legal consequences for the data subject or re-sults in a considerable impairment for them, Servisa will inform them accordingly and the data subject may contact Servisa to have the corresponding decision reviewed by a human being. However, any fully automated decisions are always based on Servisa’s pre-determined rules for the weighting the information.

Data security

Servisa takes adequate technical and organizational measures when processing personal data to prevent unauthorized access and other unauthorized processing. These measures are based on the international standards in this area and are checked regularly and adjusted if necessary.

Storage period

Servisa processes personal data for as long as is necessary to fulfil the processing purposes, to comply with the statutory retention periods, to meet legitimate interests, such as for the purposes of documentation or evidence, or for as long as claims may be brought against Servisa or storage is required for technical reasons, as is the case, for example, with backup copies.

Further information on respective storage periods can be found in the sections under “ Data processing in connection with websites and online services”. If there are no legal or contractual obligations to the contrary, we will delete or anonymize your data after the storage period has expired as part of our usual procedures.

Business partners and services

The following categories of personal data are processed by Servisa in the context of its relationships with business partners, which may comprise groups of persons such as instructing parties, cooperation partners, contractors, service providers, suppliers, or their repre-sentatives.

• Communication data
• Contract details
• Master data
• Registration data
• Technical data
• Security, warranty and compliance data
• Additional data

Servisa processes the above-mentioned personal data for the following purposes:

• Initiation, management and execution of contractual relationships such as supply or advisory contracts
• Compliance with laws, directives and recommendations of authorities in Switzerland and abroad as well as internal regulations
• Risk management as part of prudent corporate governance, including operational organization and corporate development
• Business partner management and contact maintenance
• Collaboration with business partners
• Exchange of information between group companies
• Other purposes

To ensure optimum handling of business processes, the conclusion of contracts or contract management, and to provide services, Servisa or parties it engages may obtain relevant personal data from third parties (e.g. information centres, data providers, address brokers, reference providers) to the extent required. The following categories of data may be collected:

• Bank and financial data
• Security, warranty and compliance data

The data may be passed on to recipients both within Switzerland and abroad. Details can be found in the “List of recipients and coun-tries”.

Building security

The categories of personal data processed by Servisa in connection with guaranteeing security are:

• Video recordings from CCTV cameras
• Technical information, e.g. location of the camera, time of the recording
• Recordings from access control systems
• Movement data of persons in connection with access controls
• Personal data of visitors and guests

Servisa processes the above-mentioned personal data for the following purposes:

• To guarantee protection of persons, employees, data, business secrets, assets, systems and buildings
• To clear up instances of theft and security-related incidents
• To use as evidence in court and out-of-court proceedings
• To exercise domiciliary and ownership rights
• To control access
• To comply with laws, directives and recommendations of authorities in Switzerland and abroad as well as internal regulations

The following are monitored by CCTV cameras:

• Waste disposal sites
• Underground car parks and entrances
• Certain secure areas such as server rooms, storage rooms containing valuable goods, or sensitive work areas
• Parking spaces
• Stairwells
• Inner courtyards
• Lifts
• Entrances and access routes (doors, gates)
• Other signposted areas

The data may be passed on to recipients both within Switzerland and abroad. Details can be found in the “List of recipients and coun-tries”.

Servisa processes personal data for as long as it is needed for the described purposes and usually deletes it after 30 days.

Right of information

The right to request information from Servisa on whether and, if so, what personal data it is processing and to receive a copy of that data.

Right to rectification

The right to have inaccurate data rectified.

Right to erasure

The right to request the erasure of personal data, to the extent that Servisa is no longer obliged or entitled under applicable laws or regulations to retain it.

+Right to restrict processing

The right to object at any time to the future processing of personal data, insofar as that processing is not absolutely essential for con-tract performance and/or Servisa is not obliged or entitled to process it under applicable laws or regulations.

Right to object to data processing and revoke consent

The right to object to the processing of personal data, in particular insofar as processing is based on legitimate interests or where data is processed for the purposes of direct marketing, and the right to revoke consent insofar as data processing is based on consent.

Right to data portability

The right to request that Servisa transfer certain personal data.

Rights in the case of automated individual decision-making

The right of the data subject to express their point of view in the case of exclusively automated decisions and to request that decisions be reviewed by a human being.

Right of complaint

Data subjects have the right to lodge a complaint with the competent data protection authority.

E-mail

Servisa would like to remind data subjects that the Internet is an open, global network that is accessible to everyone. Communication via e-mail is not usually encrypted and takes place only during regular office hours. It is possible that data may be lost or intercepted and/or manipulated by third parties, for example, to make it appear authentic. Servisa takes appropriate technical and organizational security measures to prevent this from happening within the Servisa system. Nevertheless, the confidentiality of data transmitted by e-mail cannot be guaranteed. This applies, in particular, to the transmission of sensitive personal data (such as health data). E-mails may be delayed, deleted, misrouted or shortened during transmission due to transmission errors, technical defects or other malfunc-tions. External access devices (Internet users’ PCs, smartphones, etc.) and parts of the infrastructure used for transmission between the sender and Servisa are located outside the secure area over which Servisa has control. It is the responsibility of each Internet user to find out about the necessary security precautions and to take appropriate measures (e.g. up-to-date anti-virus software, etc.). Servisa is not liable for any damage or consequences arising from the electronic exchange of information, particularly from the mis-use of the e-mail system, for which Servisa itself is not responsible. Servisa reserves the right to seek indemnification from the data subject for any intentional damage it suffers as a result of its business dealings with the data subject via the electronic exchange of information. Servisa reserves the right not to respond via e-mail in individual cases or to request that orders placed or information sent by e-mail be confirmed in another form (e.g. using a signed form).

Log files

• The providers of Servisa Collective Foundation's websites collect and store data in the form of log files when those websites are accessed. This includes the following data:
  • IP address of the website user
  • User name (user ID) when using the customer portal
  • User name (user ID) when using the customer portal
  • Designation of the websites accessed
  • Definition of the files accessed (downloads)
  • Notification of successful access
  • Previously visited sites
• This data is not stored together with other personal data of the user. Furthermore, this data is col-lected only for statistical purposes relating to website use, security and optimization of the offering and the website, and is not passed on to third-parties for any other purpose.
  • This data is deleted as soon as it is no longer needed to fulfil the purpose for which it was collect-ed, or if there is no legal basis for its storage.
  • As this access data is absolutely necessary for providing the website, it is not possible to object to this form of data processing.

insuree portal

Certain offerings may be used via the insured person portal. To complete the registration and log-on process and ensure operation of the portal, Servisa processes the following data: salutation, first name, last name, telephone number, e-mail address, password for portal access and IP address. Users of the Servisa insured person portal can change the customer data created in connection with the portal at any time. Behaviours on Servisa websites may be correlated with data from the Servisa insured person portal (e.g. age group, region the user lives in, and gender) in order to offer customer-specific products. Automated decisions are not taken in specific individual cases.

Online events

Servisa uses the technological services of third parties when organizing webinars, brown-bag sessions and other online events. When participating in online events, the names and e-mail addresses of the participants, as provided during registration, enrolment or upon joining, are usually communicated to third-party providers for the purposes of technical implementation of the event. As a rule, the data is hosted in Switzerland. It cannot be ruled out that this data will be stored outside Switzerland, is subject to other legal systems and/or will be passed on to other third parties by the third-party providers. The respective privacy policy of the service provider(s) applies. Servisa itself does not pass on any other customer data in connection with the organization of events and the deployment of third-party providers. As a rule, Servisa collects participants’ details during the registration process for events. This may involve in-formation about persons other than those completing the registration. On completion of the registration process, Servisa obliges the person carrying out registration to inform all those registered by name about Servisa’s privacy statement. Servisa assumes, once registration has been completed, that the persons registered by name have been adequately informed about data processing at Servi-sa. All data entered is used solely in connection with the organization and staging of the event and is deleted within a reasonable and/or the statutory period. Data may be passed on to third parties if, for example, lists of names have to be disclosed for the organization of events. For further details, please refer to the “List of recipients and countries”. As a rule, the disclosure is evident from the circum-stances of the registration (e.g. registration for travel, a stay in a hotel or a restaurant booking); otherwise, Servisa reserves the right to provide separate information in the login mask. The retention period for the data is based on the purpose and is limited to what is absolutely necessary. Data is deleted within the corresponding time period.