Validity date: 1 October 2022
In this General Privacy Policy, we, the comPlan pension fund (hereinafter ‘we’ or ‘us’), as a registered occupational pension foundation, explain how we collect and process your personal data.
As part of our activities as a pension fund, we receive and process your personal data. We have established data protection guidelines to fulfil our responsibility to protect your personal data and safeguard your privacy rights in accordance with applicable Swiss data protection laws.
This General Privacy Policy applies to all persons whose data we process, regardless of how they contact us (by telephone, e-mail, website, insured person portal, etc.). It also applies to the processing of all personal data that we process in connection with the implementation of the occupational pension scheme and our related activities.
We provide both mandatory and extra-mandatory occupational pensions for employees of Swisscom Ltd and its economically or financially associated companies. In the area of mandatory pension provision, we process your personal data on the basis of the applicable statutory provisions. In this area, we are exempt from the obligation to provide information about our data processing. However, this General Privacy Policy still provides you with information about our entire area of activity. The information in this General Privacy Policy applies to both mandatory and extra-mandatory portions, unless stated otherwise by us.
In this General Privacy Policy, we inform you in particular about the personal data we collect and process, the purposes for which we use it, with whom we may share it, for how long we process your personal data and your rights in this regard.
If you have any questions about this General Privacy Policy, you can e-mail admin.complan@swisscom.com at any time.
According to this General Privacy Policy, the controller responsible for the processing and use of personal data is:
comPlan
Stadtbachstrasse 36
CH-3012 Bern
Telefone: +41 58 221 72 73
E-mail: admin.complan@swisscom.com
In this General Privacy Policy, we use the following definitions, amongst others:
Personal data: All information relating to an identified or identifiable natural person.
Data subject: Natural person whose personal data is processed.
Processing: Any handling of personal data, regardless of the means and procedures used, in particular the collection, storage, retention, use, modification, disclosure, archiving, deletion or destruction of data.
Controllers: Private persons or federal bodies that decide alone or jointly with others on the purpose and means of processing.
Processors: Private persons or federal bodies that process personal data on behalf of the controllers.
Federal body: Federal authority or agency or person entrusted with federal public tasks.
As controller, we primarily collect and process the personal data that we need to implement the occupational pension scheme. The data mainly comes from current or former employers, who are legally obliged to provide us with all the data required for the implementation of the occupational pension scheme. However, we may also receive information about you from people who communicate with us or from public sources. This could be, for example, the following third parties:
The data we process in accordance with this General Privacy Policy not only relates to insured persons, but often also to third parties. If you send us data about third parties, we assume that you are authorised to do so and that the data is correct. By transmitting data about third parties, you confirm this. Please therefore inform these third parties about our processing of your data and make this General Privacy Policy available to them.
Personal data is processed primarily for the purpose of implementing the occupational pension scheme. This includes, for example:
We also process personal data for purposes related to the implementation of the occupational pension scheme, in particular for the following:
Not only pension funds are involved in the implementation of the occupational pension scheme, but also other bodies: employers, vested benefits institutions, other insurance companies, medical service providers, etc. Your data is therefore not only processed by us, but also by third parties. Below is an overview of the categories of recipients to which we may disclose your personal data:
We take the necessary measures to ensure that only authorised personnel with the relevant knowledge have access to your personal data. We also carefully select our partners and processors. They must be able to guarantee that they have implemented appropriate technical and organisational measures in compliance with legal requirements. Our processors may process personal data only if we have documented instructions. They are subject to confidentiality requirements and may only use your personal data to the extent necessary to fulfil the purpose for which your personal data was collected, unless otherwise required by law. We process the following categories of personal data:
We process personal data of insured persons and surviving dependants, their partners, children and/or other beneficiaries as well as data of persons drawing old age, survivors’, invalidity or divorced person’s pensions:
Master data
Master data is the basic data about you that we need for the execution of our contractual and other business relationships. For example, we process your master data if you are an insured person, relative or beneficiary, if you are a contact person for an employer, another pension fund or a supplier company or if you are a member of one of our governing bodies. We also collect master data to control access to events and offices. Furthermore, we collect master data from contact persons and representatives of contractual partners, organisations and authorities.
Depending on the capacity in which you deal with us, master data includes, for example:
Contract, case and performance data
This is personal data relating to the conclusion, execution or termination of contracts, the admission of insured persons into the occupational pension scheme, the receipt of notifications, the processing of insured events and other benefits (e.g. payment of vested benefits). This includes, in particular, the following data:
Financial data
Financial data is personal data that relates to financial circumstances, payments and the enforcement of claims. This includes information in connection with payments and bank details, such as the employer’s contribution payments and the enforcement of claims, as well as further information on insured persons’ salary, purchases into the occupational pension scheme and disbursement of vested benefits and pensions. We also process financial data on beneficiaries, for example in connection with survivors’ benefits for surviving spouses, children and other beneficiaries.
b) Capital investments in general
We process personal data of service companies (asset managers, custodian banks, administrations, fund management companies, legal and tax advisers, etc.) and the data of individuals who work for service companies.
c) Human resources
We process the personal data of (potential) employees/members of the Foundation Council and third parties involved (spouses, partners), payroll data, health data and extracts from the criminal register/debt collection register of (potential) employees. We share this data with medical examiners and potential employees’ employers.
The processing of employees’ personal data is governed separately in Swisscom (Switzerland) Ltd’s General Privacy Policy.
Personal data transmitted automatically via the website, the insured person portal or other electronic offerings
We collect and process information that your browser automatically transmits to us by means of server log files when you visit our website. This personal data is collected automatically and includes, for example:
We use the automatically collected personal data for the following purposes:
Contact with us
We collect and process personal data that you send to us voluntarily via our contact form, to our e-mail address, via any other applications connected to the website, by telephone or in any other way.
On what legal grounds do we collect or process data?
Our activities in the area of mandatory occupational pensions are governed by the legislation on occupational pensions, in particular the Swiss Federal Act on Occupational Old Age, Survivors’ and Invalidity Pension Provision (BVG) and the Swiss Federal Act on the Vesting of Occupational Old Age, Survivors’ and Invalidity Benefits (FZG) and the associated ordinances. As a federal body, we process your personal data in this area within the scope of our statutory processing powers (e.g. Art. 85a et seq. BVG). In the area of extra-mandatory pension provision, our data processing is not subject to the data protection provisions of the BVG, but to those of the Swiss Data Protection Act (DSG). In this context, we process your personal data in particular for the performance of a contract or for pre-contractual measures (e.g. checking a contract application), for the defence of legitimate interests, based on separate consent or in order to comply with legal provisions.
Do we transfer data abroad?
We process personal data almost exclusively in Switzerland. An exception is the disclosure of personal data in connection with an insured event involving a person insured with comPlan.
We also use standard IT services where certain data flows outside Switzerland are unavoidable (this generally includes all countries in the world). If, in individual cases, we transfer your personal data to a country without an adequate level of data protection, we ensure that your personal data is adequately protected.
One means of ensuring adequate data protection is, for example, the conclusion of data transfer agreements with the recipients of your personal data in third countries that ensure the necessary data protection. This includes contracts that have been approved, issued or recognised by the European Commission and the Federal Data Protection and Information Commissioner (‘Standard Contractual Clauses’). Such contractual precautions partly compensate for weaker or missing legal protection, but cannot completely exclude all risks (such as government access abroad). In exceptional cases, transfer to countries without adequate protection may also be permitted in other cases, for example on the basis of consent, in connection with legal proceedings abroad or if the transfer is necessary for the performance of a contract.
How long do we process personal data?
We process and store your personal data:
How do we protect your personal data?
We take appropriate technical and organisational security measures to safeguard the security of your personal data, to protect it against unauthorised or unlawful processing and to counter the risk of loss, unintentional alteration, unwanted disclosure or unauthorised access. We review these security measures on a regular basis. Like all companies, however, we cannot exclude data security breaches with absolute certainty; certain residual risks are unavoidable. Technical security measures include encryption and pseudonymisation of data, logging, access restrictions and storage of back-up copies. Organisational security measures include instructions to our employees, confidentiality agreements and controls. We also oblige our processors to take appropriate technical and organisational security measures.
Right of access: You have the right to obtain information about the personal data stored about you and a copy of the available documents at any time. This right of access includes the following information:
Furthermore, you have the right to information as to whether your personal data has been transferred to a third country or to an international organisation. If this is the case, you also have the right to obtain information about the appropriate guarantees in connection with the transfer.
Right to data portability: You have the right to receive your personal data in a structured and machine-readable format. In addition, you have the right to have this data transmitted to another controller by the controller to whom the personal data was provided, insofar as the processing is based on consent or on a contract and the processing is carried out by automated means, insofar as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Other rights: In addition to the right of access and the right to data portability, you have the right to request the rectification, deletion or restriction of the processing of your personal data as well as to object to the processing of your personal data. If the processing of personal data is based on your consent, you may withdraw that consent at any time.
Exercise of rights: We accept requests for information in writing, together with a legible copy of a valid official form of identification (e.g. passport, identity card, driving licence).
Right to lodge a complaint with the supervisory authority: You have the right to lodge a complaint with a supervisory authority (in particular at your place of residence, place of work or place of the alleged infringement of data protection regulations).
Competent supervisory authority for Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH-3003 Bern
www.edoeb.admin.ch
Telephone: +41 58 462 43 95
Please note that these rights may be restricted or excluded on a case-by-case basis, e.g. if there are doubts about your identity or if this is necessary to protect another person, safeguard legitimate interests or comply with legal obligations.
We reserve the right to adapt, supplement or otherwise change this General Privacy Policy in relation to personal data at any time and without giving reasons. The latest General Privacy Policy in relation to personal data published on this website applies.