Meta navigation

Data protection

comPlan General Privacy Policy

Validity date: 1 October 2022

In this General Privacy Policy, we, the comPlan pension fund (hereinafter ‘we’ or ‘us’), as a registered occupational pension foundation, explain how we collect and process your personal data.


As part of our activities as a pension fund, we receive and process your personal data. We have established data protection guidelines to fulfil our responsibility to protect your personal data and safeguard your privacy rights in accordance with applicable Swiss data protection laws.


This General Privacy Policy applies to all persons whose data we process, regardless of how they contact us (by telephone, e-mail, website, insured person portal, etc.). It also applies to the processing of all personal data that we process in connection with the implementation of the occupational pension scheme and our related activities.


We provide both mandatory and extra-mandatory occupational pensions for employees of Swisscom Ltd and its economically or financially associated companies. In the area of mandatory pension provision, we process your personal data on the basis of the applicable statutory provisions. In this area, we are exempt from the obligation to provide information about our data processing. However, this General Privacy Policy still provides you with information about our entire area of activity. The information in this General Privacy Policy applies to both mandatory and extra-mandatory portions, unless stated otherwise by us.


In this General Privacy Policy, we inform you in particular about the personal data we collect and process, the purposes for which we use it, with whom we may share it, for how long we process your personal data and your rights in this regard.

If you have any questions about this General Privacy Policy, you can e-mail at any time.


1. Controller/definitions

Who is the controller responsible for data processing?


According to this General Privacy Policy, the controller responsible for the processing and use of personal data is:


Stadtbachstrasse 36
CH-3012 Bern

Telefone: +41 58 221 72 73


What terminology is used?

In this General Privacy Policy, we use the following definitions, amongst others:


Personal data: All information relating to an identified or identifiable natural person.

Data subject: Natural person whose personal data is processed.

Processing: Any handling of personal data, regardless of the means and procedures used, in particular the collection, storage, retention, use, modification, disclosure, archiving, deletion or destruction of data.

Controllers: Private persons or federal bodies that decide alone or jointly with others on the purpose and means of processing.

Processors: Private persons or federal bodies that process personal data on behalf of the controllers.

Federal body: Federal authority or agency or person entrusted with federal public tasks.


2. Collection and processing of personal data

From whom do we receive personal data?

As controller, we primarily collect and process the personal data that we need to implement the occupational pension scheme. The data mainly comes from current or former employers, who are legally obliged to provide us with all the data required for the implementation of the occupational pension scheme. However, we may also receive information about you from people who communicate with us or from public sources. This could be, for example, the following third parties:


  • Employers
  • People known to you (family members, legal representatives)
  • Swiss Post, public bodies
  • Banks and other financial services companies, private and social insurance companies, pension funds and vested benefits institutions
  • Experts, doctors and other service providers from whom we also receive health data in the course of investigations
  • Service providers
  • Authorities, courts, parties and other third parties in connection with official and judicial proceedings
  • Public registers, such as debt collection or commercial registers, the media or the internet


The data we process in accordance with this General Privacy Policy not only relates to insured persons, but often also to third parties. If you send us data about third parties, we assume that you are authorised to do so and that the data is correct. By transmitting data about third parties, you confirm this. Please therefore inform these third parties about our processing of your data and make this General Privacy Policy available to them.


For what purpose do we collect and process personal data?

Personal data is processed primarily for the purpose of implementing the occupational pension scheme. This includes, for example:


  • Concluding and executing affiliation agreements with the employer, asserting legal claims arising from contracts, keeping accounts and terminating contracts. For this purpose, we process in particular your master data, contract, case and benefit data plus financial and communication data.
  • The admission of insured persons. In particular, we process your master data for this purpose. We then maintain one or more pension capital accounts for you, for which we process information on contributions, incoming funds, retirement savings and payments.
  • Checking and processing of insured events. This also includes coordination with other insurance providers, such as the disability insurance scheme provider, and assertion of recourse claims. For this purpose, we primarily process contract, case and benefit data from you and your relatives and beneficiaries, as well as health and other data from third parties such as external experts and service providers.


We also process personal data for purposes related to the implementation of the occupational pension scheme, in particular for the following:


  • Communication: We process personal data in order to communicate with you. This includes, for example, responding to queries and customer relationship management. For this purpose, we use in particular communication and master data and, depending on the subject matter of the communication, also contract, case and performance data.
  • Contract execution: We process personal data in connection with the initiation, management and execution of contractual relationships, including those relating to contracts other than affiliation agreements. In particular, we use master, contract and communication data for this purpose.
  • Security and prevention: We also process personal data for security purposes, to ensure IT security, to prevent fraud and misuse, and for evidentiary purposes.
  • Compliance with legal requirements: We process personal data to comply with legal obligations and to prevent and detect breaches. This includes, for example, the fulfilment of disclosure, information or reporting obligations, e.g. in connection with supervisory duties, the fulfilment of archiving obligations and assistance in the prevention, detection and investigation of criminal offences and other breaches, as well as receiving and processing complaints and other reports, monitoring communications, internal or external investigations or disclosing documents to an authority if we have an objective reason for doing so or are legally obliged to do so. For these purposes, we process in particular master, contractual, financial and communication data of employers and their contact persons and, under certain circumstances, of insured persons (e.g. in the event of suspicion of improper performance).
  • Assertion of rights: We process personal data for the purposes of asserting our rights, e.g. to enforce claims through legal action, judicially, extrajudicially and before authorities in Switzerland and, if necessary, abroad, or to defend ourselves against claims. Depending on the situation, we process various personal data, such as contact details and information about processes that have or could give rise to a dispute.
  • Other purposes: We may process personal data for other purposes, such as in the context of our internal processes and administration. These include IT management, accounting, archiving data and managing our archives, training and education, auditing or conducting corporate transactions such as company acquisitions, sales and mergers, forwarding enquiries to the competent authorities, sales of receivables where we provide the purchaser with, for example, information about the reason and amount of the receivable and, where appropriate, the credit rating and behaviour of the debtors, and generally reviewing and improving internal processes.
With whom do we share personal data?

Not only pension funds are involved in the implementation of the occupational pension scheme, but also other bodies: employers, vested benefits institutions, other insurance companies, medical service providers, etc. Your data is therefore not only processed by us, but also by third parties. Below is an overview of the categories of recipients to which we may disclose your personal data:



  • Employers: We do not disclose any health data or any of your activities, such as purchases, early withdrawals, etc.
  • Disclosures in the case of insured events: In connection with the reporting and occurrence of an insured event and in connection with other benefits such as a transfer or payment of vested benefits, we may, for example, share data with vested benefits institutions, other pension funds, authorities and agencies (e.g. social insurance providers such as in particular the disability insurance scheme provider or social welfare offices), other insurance companies, medical service providers and experts, banks and creditors, courts and external lawyers. As part of the processing of insured events and the corresponding clarifications, we may collect data from third parties, but also pass it on to them, such as doctors and other service providers, experts, authorities, courts, respondents and lawyers. For example, we inform other social and private insurers about certain insured events in order to coordinate benefit obligations and to clarify and enforce recourse claims. In the event of divorce and inheritance disputes in particular, we share personal data with courts and other pension or vested benefits institutions.
  • Authorities and agencies: We may disclose personal data to authorities, agencies, courts and other public bodies if we are legally obliged or entitled to do so or if this is necessary to safeguard our interests, for example in the context of official, legal, judicial and extrajudicial proceedings and in the context of legal information and cooperation obligations. Recipients include, for example, debt enforcement offices, criminal courts and criminal investigation authorities, tax offices or social security authorities. Data is also disclosed if we obtain information from public bodies, for example in connection with the processing of benefit claims.
  • Other people: Where third parties are involved as a result of the purposes, data may also be disclosed to other recipients, such as persons involved in proceedings before courts or authorities (for example, in the case of recourse to liable third parties or their liability insurance). Other recipients include beneficiaries of a payment, agents, correspondent banks, other financial institutions and other entities involved in a legal transaction.
  • Processors (service providers): We may share your personal data with companies if we use their services. These service companies process personal data as processors on our behalf. Our processors are obliged to process personal data exclusively in accordance with our instructions and to take appropriate measures to ensure data security. By selecting service providers and entering into suitable contractual agreements, we ensure that data protection is guaranteed throughout the entire processing of your personal data. This includes, for example, IT services (such as services in the areas of insured person administration and data storage), the sending of e-mail newsletters, data analysis and processing, etc., and advisory services (such as those provided by occupational pension experts, lawyers, etc.).


We take the necessary measures to ensure that only authorised personnel with the relevant knowledge have access to your personal data. We also carefully select our partners and processors. They must be able to guarantee that they have implemented appropriate technical and organisational measures in compliance with legal requirements. Our processors may process personal data only if we have documented instructions. They are subject to confidentiality requirements and may only use your personal data to the extent necessary to fulfil the purpose for which your personal data was collected, unless otherwise required by law. We process the following categories of personal data:

a) Insured person support

We process personal data of insured persons and surviving dependants, their partners, children and/or other beneficiaries as well as data of persons drawing old age, survivors’, invalidity or divorced person’s pensions:


Master data


Master data is the basic data about you that we need for the execution of our contractual and other business relationships. For example, we process your master data if you are an insured person, relative or beneficiary, if you are a contact person for an employer, another pension fund or a supplier company or if you are a member of one of our governing bodies. We also collect master data to control access to events and offices. Furthermore, we collect master data from contact persons and representatives of contractual partners, organisations and authorities.



Depending on the capacity in which you deal with us, master data includes, for example:


  • Title, surname, first name, gender, date of birth
  • Address, e-mail address, telephone number and other contact details
  • Marital status, date of change in marital status, age, nationality and place of origin, social security number, personnel number, organisational unit, employee group, user account
  • Bank details, details of previous pension or vested benefits institutions, starting and leaving dates with the employer, staff category, degree of ability to work, level of employment, insured annual salary and occupational pension-related salary, details of relationships with third parties, such as relatives and beneficiaries


Contract, case and performance data


This is personal data relating to the conclusion, execution or termination of contracts, the admission of insured persons into the occupational pension scheme, the receipt of notifications, the processing of insured events and other benefits (e.g. payment of vested benefits). This includes, in particular, the following data:


  • Information in connection with the affiliation agreement with the employer (e.g. type and date of conclusion of the agreement, processing and administration, as well as information relating to complaints and contractual amendments)
  • Information in connection with the processing of insured events , such as the notification of the occurrence of an insured event, the claim number, details of the reason for the insured event, such as accident or illness, and the date of the event, details in connection with the assessment of the insured event, details of other insurance providers and third parties such as persons involved, and sensitive personal data (e.g. health data) and information about third parties (e.g. persons involved in the occurrence of the incapacity to work or death)
  • Information on vested benefits, e.g. voluntary purchases
  • In other cases, for example, details in connection with the payment of vested benefits (such as the reason for the payment, but also details of accounts and vested benefits institutions and, where applicable, the consent of the spouse) or in connection with a change in marital status (such as the date of a divorce and acquired vested benefits, early withdrawals or invalidity benefits received and court orders in this context)


Financial data


Financial data is personal data that relates to financial circumstances, payments and the enforcement of claims. This includes information in connection with payments and bank details, such as the employer’s contribution payments and the enforcement of claims, as well as further information on insured persons’ salary, purchases into the occupational pension scheme and disbursement of vested benefits and pensions. We also process financial data on beneficiaries, for example in connection with survivors’ benefits for surviving spouses, children and other beneficiaries.


b)  Capital investments in general


We process personal data of service companies (asset managers, custodian banks, administrations, fund management companies, legal and tax advisers, etc.) and the data of individuals who work for service companies.


c) Human resources


We process the personal data of (potential) employees/members of the Foundation Council and third parties involved (spouses, partners), payroll data, health data and extracts from the criminal register/debt collection register of (potential) employees. We share this data with medical examiners and potential employees’ employers.


The processing of employees’ personal data is governed separately in Swisscom (Switzerland) Ltd’s General Privacy Policy.


Personal data transmitted automatically via the website, the insured person portal or other electronic offerings


We collect and process information that your browser automatically transmits to us by means of server log files when you visit our website. This personal data is collected automatically and includes, for example:


  • IP address used (anonymised, truncated if necessary)
  • Information about your device and its configuration
  • Date and time stamp
  • Web browser and operating system used
  • Language and version of the browser software
  • Information about your movements and actions on our website and in our insured person portal
  • Information about your internet provider
  • Recording of access and log data within the system


We use the automatically collected personal data for the following purposes:


  • To enable the display, operation and functionality of the website
  • To ensure the stability and security of the system
  • To improve and protect our services
  • For statistical purposes in the event of attacks on the network infrastructure on which the website is made available
  • To analyse your usage behaviour


Contact with us


We collect and process personal data that you send to us voluntarily via our contact form, to our e-mail address, via any other applications connected to the website, by telephone or in any other way.


3. Legal basis


On what legal grounds do we collect or process data?


Our activities in the area of mandatory occupational pensions are governed by the legislation on occupational pensions, in particular the Swiss Federal Act on Occupational Old Age, Survivors’ and Invalidity Pension Provision (BVG) and the Swiss Federal Act on the Vesting of Occupational Old Age, Survivors’ and Invalidity Benefits (FZG) and the associated ordinances. As a federal body, we process your personal data in this area within the scope of our statutory processing powers (e.g. Art. 85a et seq. BVG). In the area of extra-mandatory pension provision, our data processing is not subject to the data protection provisions of the BVG, but to those of the Swiss Data Protection Act (DSG). In this context, we process your personal data in particular for the performance of a contract or for pre-contractual measures (e.g. checking a contract application), for the defence of legitimate interests, based on separate consent or in order to comply with legal provisions.


4. Disclosure and transfer of data abroad

Do we transfer data abroad?


We process personal data almost exclusively in Switzerland. An exception is the disclosure of personal data in connection with an insured event involving a person insured with comPlan.


We also use standard IT services where certain data flows outside Switzerland are unavoidable (this generally includes all countries in the world). If, in individual cases, we transfer your personal data to a country without an adequate level of data protection, we ensure that your personal data is adequately protected.


One means of ensuring adequate data protection is, for example, the conclusion of data transfer agreements with the recipients of your personal data in third countries that ensure the necessary data protection. This includes contracts that have been approved, issued or recognised by the European Commission and the Federal Data Protection and Information Commissioner (‘Standard Contractual Clauses’). Such contractual precautions partly compensate for weaker or missing legal protection, but cannot completely exclude all risks (such as government access abroad). In exceptional cases, transfer to countries without adequate protection may also be permitted in other cases, for example on the basis of consent, in connection with legal proceedings abroad or if the transfer is necessary for the performance of a contract.



5. Retention period for personal data


How long do we process personal data?


We process and store your personal data:


  • As long as it is necessary for the particular purpose of the processing.
  • As long as we have a legitimate interest in storage. This may be the case in particular if we need personal data to enforce or defend against claims, for archiving purposes and to ensure IT security.
  • As long as it is subject to a statutory retention obligation (cf. Art. 27i et seq. of the Swiss Ordinance on Occupational Old Age, Survivors’ and Invalidity Pension Provision).


6. Data security


How do we protect your personal data?


We take appropriate technical and organisational security measures to safeguard the security of your personal data, to protect it against unauthorised or unlawful processing and to counter the risk of loss, unintentional alteration, unwanted disclosure or unauthorised access. We review these security measures on a regular basis. Like all companies, however, we cannot exclude data security breaches with absolute certainty; certain residual risks are unavoidable. Technical security measures include encryption and pseudonymisation of data, logging, access restrictions and storage of back-up copies. Organisational security measures include instructions to our employees, confidentiality agreements and controls. We also oblige our processors to take appropriate technical and organisational security measures.


7. What rights do you have in connection with the processing of your personal data?

Right of access: You have the right to obtain information about the personal data stored about you and a copy of the available documents at any time. This right of access includes the following information:


  • The identity and contact details of the controllers
  • The personal data processed as suc
  • The purpose of the processing
  • The period of retention of your personal data or, if this is not possible, the criteria for determining this period
  • The available information on the origin of your personal data, unless it was obtained from you
  • Where applicable, the recipients or categories of recipients to whom personal data is disclosed, as well as information if personal data is processed by processors


Furthermore, you have the right to information as to whether your personal data has been transferred to a third country or to an international organisation. If this is the case, you also have the right to obtain information about the appropriate guarantees in connection with the transfer.


Right to data portability: You have the right to receive your personal data in a structured and machine-readable format. In addition, you have the right to have this data transmitted to another controller by the controller to whom the personal data was provided, insofar as the processing is based on consent or on a contract and the processing is carried out by automated means, insofar as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.


Other rights: In addition to the right of access and the right to data portability, you have the right to request the rectification, deletion or restriction of the processing of your personal data as well as to object to the processing of your personal data. If the processing of personal data is based on your consent, you may withdraw that consent at any time.


Exercise of rights: We accept requests for information in writing, together with a legible copy of a valid official form of identification (e.g. passport, identity card, driving licence).


Right to lodge a complaint with the supervisory authority: You have the right to lodge a complaint with a supervisory authority (in particular at your place of residence, place of work or place of the alleged infringement of data protection regulations).



Competent supervisory authority for Switzerland:


Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1

CH-3003 Bern

Telephone: +41 58 462 43 95


Please note that these rights may be restricted or excluded on a case-by-case basis, e.g. if there are doubts about your identity or if this is necessary to protect another person, safeguard legitimate interests or comply with legal obligations.


8. Changes

We reserve the right to adapt, supplement or otherwise change this General Privacy Policy in relation to personal data at any time and without giving reasons. The latest General Privacy Policy in relation to personal data published on this website applies.