Privacy Policy for pension and investment products of Zurich Invest Ltd

"Personal data" is data relating to an identified or identifiable person; in other words, the data or corresponding additional data can be used to make inferences about their identity. “Processing” refers to any handling of personal data, e.g. collection, storage, use disclosure and deletion. "Particularly sensitive personal data" includes, for example, data that reveals racial and ethnic origin, health data, and other data that finds particular protection under data protection law.

For each data processing operation, there are one or more bodies who bear primary responsibility for ensuring that the data processing complies with the requirements of data protection law. This body is referred to as the "data controller" or "controller". It is responsible, among other things, for responding to requests for information (sub-paragraph 10) or for ensuring that personal data is secure and not used in a way that deviates from what we tell you or from what is permitted by law. Details of third parties with whom we cooperate and who are responsible for their own processing can be found in sub-paragraph 3, sub-paragraph 4 and in sub-paragraph 6.

Master data primarily includes name, address and contact details, date and  place of birth, age, gender, nationality and home town, marital status, details from identification data (e.g. from your passport, ID or other identification documents), with the scope of the statutory provisions the AHV number, your contract and insured number, language details, further details from application documents etc. and, where applicable, data in connection with risk assessments. 

Details regarding relationships to third persons who are also affected by the data processing also fall under this data, e.g. authorized representatives or, in the case of a retirement provision or vested benefits account, e.g. about dependents and beneficiaries.

We generally receive master data from the pension account holder or customer (directly or via sales partners), but may also consult third-party data. These may include other Zurich Group companies and credit reporting agencies, media monitoring companies, participating financial service suppliers and banks, address dealers, internet analysis services, private insurers, social insurers, public authorities, parties to proceedings and publicly available sources such as the commercial register, media and sources on the Internet, public registers, media, etc.

This data includes information related to the initiation and conclusion of the contractual relationship and to its processing and administration (e.g. information in connection with advice and customer service). Contract data also includes information relating to complaints about and adjustments to a contract, as well as information about customer satisfaction which we may collect, for example, by means of surveys. 

In connection with the retirement provision relationship we may also process data on claim entitlement, e.g. its amount, on payments into the retirement provision or vested benefits account and on our investment activities). We receive this information primarily from the pension account holder. When processing a retirement provision or vested benefits statement or corresponding applications, we also process data in connection with the regulatory grounds for an ordinary or early payment, including information about retirement provision and vested benefits institutions, other insurance companies and insurers, information about third parties such as involved individuals and beneficiaries, and particularly sensitive personal data such as health data. We receive this information primarily from the pension account holder, but may also receive it from third parties, e.g. other insurers, such as disability insurers, from whom we may also receive data – including health data, for example an annuity decision – possibly with a separate release declaration, or from spouses and registered partners. In other benefit cases, such as in the event of a divorce or the dissolution of a registered partnership, we process the associated data (information relating to the matrimonial property dispute, such as the date of divorce or dissolution of registered partnership and judicial order in this context). We obtain this information from pension account holders, asset management customers, their spouses or registered partners and from public authorities and courts.

In connection with asset management, custody accounts and investments we may, in particular, process information relating to the acquisition and management of assets.

In addition to the sources mentioned above and in addition to the pension account holder, asset management customer or investor, we also receive data from other third parties, such as sales partners, public authorities and offices, courts and lawyers, employers, other insurers, the settlement bank or custodian bank and from external bodies from which we obtain financial information.

Financial data is information relating to the financial circumstances of the customer and, where applicable, third parties. We receive this data from the policy account holder or customer, such as in the course of processing the application, but also from government offices (such as tax offices), banks and credit agencies, and from publicly accessible sources.

Behavioral data is information about certain actions, for example, payments, your use of electronic communications (such as whether and when you opened an email), your location (such as when you use a website of ours; please see the relevant separate privacy policies for our processing of data in connection with our website), your purchases of products and services from us, your interaction with our social media profiles, contacts with contractual partners and your participation in events, competitions contests and similar events.

Preference data tells us, for example, what your needs are, what products or services might be of interest to you, or when and how you respond to messages from us. We obtain this information from analyzing existing data, such as behavioral data, so that we can get to know you better, tailor our advice and offers more precisely to you and generally improve our offers. In order to improve the quality of our analyses, we may combine this data with other data that we also obtain from third parties such as address dealers, websites and government offices; this may include information on your household size, income class and purchasing power, shopping behavior, contact details of relatives and anonymous information from statistical offices.

Communication data includes your name and contact details, the manner, place and time of the communication and normally its content, such as details in emails or letters from you or to you or from third parties or to third parties, if the latter also relate to you. This also includes direct and indirect contacts with us, e.g. customer service and your customer consultant (e.g. via a website or an app, in a chatbot on the internet or an app).

There are certain services which we can only make available to you if you provide us with certain registration data because we or our contractual partners wish to know who, for example, has responded to an invitation to an event, because it is either technically necessary or because we wish to communicate with you. If you or someone you represent (such as your employer) wish to enter into or perform a contract with us, we need to collect relevant master, contract  and communication data from you, and we process technical data when you wish to use our website or other electronic offers. Likewise, we can only send you a response to a request you have made if we process the relevant communication data and – if you communicate with us online – any applicable technical data. It is not possible to use our website without us receiving technical data.

This includes, among other things, the legally regulated combating of money laundering and the terrorism financing. As a result, we may be obliged to make certain inquiries about legal and reputational risks such as political connections (Know Your Customer), such as via corresponding third-party directories such as World-Check, or to file reports under certain circumstances. Also the fulfillment of disclosure, information or reporting obligations, e.g. in connection with obligations to supervisory bodies, the fulfillment of archival obligations and support in preventing, exposing and clarifying criminal acts and other infringements. This includes the receipt and processing of complaints and other reports, the surveillance of communication, internal or external checks or the disclosure of documents to a public authority if we have a material reason for so doing or are required to by legal obligations. For these purposes, we process, in particular, master data, contract and financial data, communication data and, under certain circumstances, pension account holders’ behavioral data. Legal obligations can arise from statutory provisions (in particular occupational retirement provision legislation), but also from self-regulation, industry standards, the company's own "corporate governance" and official instructions and requests.

To conclude retirement provision agreements, we process in particular the pension account holder’s master data, contract data, financial data and communication data and of sales partners or their contact persons. We then maintain a pension account for each pension account holder, for which we process information on payments, the amount of the retirement provision or vested benefits credit balance and withdrawals. The assessment and processing of claims also falls under the provision of occupational pension arrangements. In this case, we primarily process contract, case and benefits data pertaining to the pension account holder and from beneficiaries for examining legitimation (you can find further information about this in the following sections) and, where required, for the provision of benefits. To this end, we may also process health data and other information that arises in the context of these purposes or is necessary for them. 

If you entrust us with asset management, we process data for the preparation, including a standard risk assessment, the conclusion and the execution of the asset management agreement. For this purpose we process your personal data – especially master data, contract data, financial data and communication data – and data from contact persons at the custodian bank. We process comparable data for investments and deposits.

Our customer service and our advisory service also fall under this purpose, as does the assertion of legal claims from contracts (payment defaults, legal proceedings etc.), accounting, the termination of contracts and public communication. We also process data for the purpose of assessing and documenting compensation paid to sales partners (see also sub-paragraph 6).

We may draw upon other bodies e.g. IT and logistics companies, advertising service providers, banks or credit reporting agencies who can make data available to us for the purpose of initiating and concluding contracts and setting up contractual relationships. We also collect data via our sales organization. Our sales partners include independent general agencies, intermediaries and brokers. 

When cooperating with companies and business partners, such as partners in projects or cooperating with parties in legal disputes, we also process data to process and initiate contracts, for planning, for accounting purposes and other purposes related to the contract.

For these purpose we process, in particular, master data, contractual data, claims and benefits data and financial data, but also behavioral and communications data. For example, we must take measures against fraudulent claims. We may also carry out profiling and create and process a profile (see sub-paragraph 5) for the above purposes and in order to protect you and us from illicit or abusive activities.

We strive to continuously improve our products and services and to be able to react quickly to changing needs. We therefore analyze how, for example, offers are used and how new products and services can be created. This gives us an indication of the market acceptance for existing products and services and the market potential of new ones. To this end, we process, in particular, your master data, behavioral data and preference data, as well as communication data and information from customer surveys, polls and studies and other information, such as from the media, from social media, from the Internet and from other public sources. As far as possible, however, we use pseudonymized or anonymized data for these purposes. We may also use media monitoring services or perform media monitoring ourselves, whereby we process personal data in order to carry out media work or to understand and respond to current developments and trends.

We may send you information, advertising and product offers from us and from selected third parties, such as newsletters, via apps and messenger services, as printed matter or by telephone, on a regular basis or as part of individual promotions (such as for events, competitions, etc.). We may also personalize notifications so that our information and offers better meet your needs and expectations. To do this, we link data that we process about you, determine preference data and use this data as the basis for personalization (see sub-paragraph 3). We may also carry out profiling for marketing purposes (see sub-paragraph 5). We also process data in connection with contests, competitions and similar events. Customer care also includes addressing existing customers – in a manner that may be personalized on the basis of behavioral and preference data or data from customer surveys – and organizing customer events (such as sponsoring , sports and cultural events and promotional events). In the case of customer events, we process personal data to carry out the events, as well as to inform the participants and to provide them with information and advertising before, during and after the event.

All of this processing is not only important to enable us to promote our offers in the most effective way possible, but also to make relationships with customers and other third parties more personal and positive, to concentrate on our most important relationships and to use our resources as efficiently as possible.

We continuously review and improve the appropriate security of facilities and buildings and our IT. In doing so, we process data, among other reasons, in connection with the surveillance of buildings and publicly accessible premises. We are not able to rule out data breaches with absolute certainty but we do use our very best endeavors to reduce the risk. We therefore process data, for purposes such as monitoring, control, analysis and testing of our networks and IT infrastructures, to carry out system and error checks, for documentation purposes and in the context of security copies.

These other purposes may include training and educational purposes, administrative purposes (such as the administration of master data, accounting and data archiving or the administration of real estate and the testing, administration and ongoing improvement of IT infrastructure), the protection of our rights (for example, to enforce claims in or out of court and before authorities in Switzerland and abroad or to defend ourselves against claims, for example by preserving evidence, through legal clarifications and by participating in judicial or official proceedings), the evaluation and improvement of internal processes. In the course of developing our business, we may also sell or acquire businesses, operations or companies to or from other companies or enter into partnerships, which may also result in the exchange and processing of data (including from you, for example, as a customer or supplier or as a supplier representative). This also includes the protection of other legitimate interests, which cannot be named exhaustively.

If we receive sensitive data (such as health data), we may also process your data on the basis of other legal grounds, for example, in the event of disputes arising from the necessity to process the data for a possible lawsuit or the enforcement or defense of legal claims. In individual cases, other legal grounds may apply; we will communicate these to you separately where necessary.

Profiling is the automated processing of data for analysis and forecasting purposes. The most important examples are profiling to combat money laundering and terrorist financing in investment products, to combat fraud, for customer care and for marketing purposes (as described in more detail in sub-paragraph 4). For the same purposes, we may also create profiles, i.e. we may combine behavioral and preference data, as well as master data, contract data and technical data assigned to you, in order to better understand you as a person and your different interests and various characteristics. 

In every case we pay attention to the appropriateness and reliability of the results and take measures against the misuse of this profile or profiling.

In each individual case, we will inform you or indicate the decision accordingly if an automated decision has been made which creates negative legal consequences or a comparable significant impairment for you. In this case, you shall have the rights set out in sub-paragraph 9 if you do not agree with the outcome of the decision.

In the case of a retirement provision or vested benefits account, we may exchange data with other bodies such as retirement provision and vested benefits institutions, public authorities and government offices (e.g. social insurance institutions such as, in particular, disability insurers), other insurers, banks and lenders, courts and external lawyers in connection with the notification and occurrence of benefit claims. When executing an asset management mandate, we exchange data with banks and with counterparties. In the case of payments into a vested benefits account, we may also disclose data to the Zurich Investment Foundation. In the context of processing benefit claims and the relevant clarifications, we may gather data from third parties (sub-paragraph 3), but also pass data to them, for example to public authorities, government offices, courts, respondents and lawyers. For example, we inform other social and private insurers about specific benefit claims for the coordination of obligations to pay indemnities and for clarifying and implementing recourse claims. Particularly in the case of divorce or the dissolution of a registered partnership, inheritance disputes or other disputes, we will provide personal data to courts and other retirement provision or vested benefits institutions. 

In the context of asset management, we exchange data in particular with the custodian bank and with other banks and counterparties. This also applies to deposits and investments.

In addition to master data, this may include information on the period of insurance, the performance and  termination of the contract, the sum insured and coverage, claims data, further information on the assessment of compensation and for the – also personalized – marketing of our products. Contractual partners are required by law and contract to comply with the provisions of the Swiss Data Protection Act.

We may involve third parties for risk assessments and the enforcement of any claims and disclose data to them in the process, such as data concerning a planned conclusion of a contract, contract documents, outstanding claims and communication between you and us.

Where necessary and permitted, we may share your information with other companies belonging to the Zurich Group as well as joint foundations that provide occupational retirement provision, in particular  for the purpose of risk measurement and assessment and the provision of reinsurance solutions. We may also engage companies of the Zurich Group as service suppliers (see below). In order to offer you the best possible insurance coverage and individualized financial solutions, we may also disclose your data – in particular your master data, contract data and registration data as well as behavior and preference data – to other companies belonging to the Zurich Group for the purpose of offering their products and services tailored to your individual needs (this data is not especially worthy of protection).

In the context of exercising of rights, defense of claims and fulfillment of legal requirements, we may disclose personal data to public authorities, agencies, courts and other public bodies, for example in the context of official, judicial and pre- and extra-judicial proceedings and in the context of legal obligations to provide information and to cooperate. Recipients are, for example, offices for bankruptcy proceedings, criminal courts, law enforcement agencies and tax offices. Data is also disclosed if we obtain information from public bodies, for example, in connection with the processing of pension claims (see above). Public authorities are responsible for processing data about you that they receive from us.

We may disclose data, for example, to individuals involved in proceedings before courts or authorities (in the case of retirement provision or vested benefits account, for example, in the event of regress to the liable third party or its liability insurer), as well as potential purchasers of companies, receivables and other assets and, in the case of securitizations, to financing companies and to other third parties, about whom we will inform you separately where possible, for example, in declarations of consent or special privacy policies. Other individuals include, in particular, payment recipients, authorized representatives, correspondent banks, other financial institutions and other bodies involved in a legal transaction.

We procure services from third parties to ensure that we can deliver our products and services securely and cost-effectively and that we can concentrate on our core competencies. These services include, for example, sales via other sales partners (see sub-paragraph 3) IT services, the dispatch of information, marketing, sales, communication or printing services, facility management, security and cleaning, the organization and holding of events and receptions, debt collection, credit agencies, anti-fraud measures and services provided by consulting firms, auditing firms and claims service suppliers. In each case, we provide service suppliers with the data necessary for their services. One example is hosting service suppliers who store electronic data on our behalf, which may include sensitive data such as health data. Our service suppliers are each subject to contractual and/or statutory confidentiality and data protection obligations. They may exceptionally use such data for their own purposes in justified cases, for example, information on outstanding debts and your payment history in the case of credit agencies or anonymized information for the purpose of improving services.

In many cases, it is also necessary to disclose confidential data in order to process contracts or provide other services. Even non-disclosure agreements neither generally exclude this type of data disclosure, nor disclosure to service suppliers. However, given the sensitivity of the data and other circumstances, we take care to ensure that these third parties handle the data in an appropriate manner.

Many countries outside Switzerland or the EU and EEA currently do not have laws that guarantee an adequate level of data protection from the perspective of the Swiss Federal Acton Data Protection or the GDPR. The contractual arrangements mentioned above may partially compensate for this weaker or missing statutory protection. However, contractual precautions cannot eliminate all risks (with particular regard to state intervention abroad). You should be aware of these residual risks, even though the risk may be low in individual cases and we have taken additional measures (such as pseudonymization or anonymization) to minimize it.

Therefore, the period for which we retain data depends on legal and internal regulations and on the purposes of processing (see sub-paragraph 4), which also include the protection of our interests (for example, to enforce or defend claims, for archiving purposes and to ensure IT security). If these purposes have been achieved or no longer apply, and if there is no longer a retention obligation, we shall delete or anonymize your data as part of our normal procedures.

Documentation and evidence purposes include our interest, processes, interactions and other facts in the event of legal claims and other discrepancies, for IT and infrastructure security purposes and to provide evidence of good corporate governance and compliance. Retention may be technically necessary if certain data cannot be separated from other data and we therefore need to retain it with this other data (such as in the case of backups or document management systems).

Our security measures may include measures such as encrypting and pseudonymizing data, logging, access restrictions, storage of backup copies, instructions to our employees, confidentiality agreements, audits, etc. We also oblige our contracted data processors to take appropriate security measures. In general, however, security risks cannot be completely ruled out; certain residual risks are unavoidable. 

When your data is transmitted via our web pages, we protect it during transport using suitable encryption mechanisms. However, we can only secure areas that are under our control. 
If you contact us by email, you do so at your own risk and agree that we may respond to you at the sender's address via the same channel. If you send us emails via the Internet in unencrypted form, third parties may be able to access, view and manipulate them. When we contact you by email, we encrypt the emails.

In particular, we may need to process and store your personal data in order to perform a contract with you, to protect our legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard sensitive interests, we may therefore also reject a data subject’s request in whole or in part (for example, by blacking out certain content relating to third parties or our trade secrets).