Information on data protection

Servisa attaches great importance to its customers’ privacy and privacy rights. This also applies to the handling of personal data. The following provides detailed information on the collection and further processing of personal data.

“Processing” of personal data entails all handling of data, e.g. the collection, storage, keeping, use, modification, disclosure, archiving, deletion/erasure or destruction of data. The term “personal data” refers to data that relates to a specific or identifiable person, i.e. in-ferences may be drawn as regards their identity on the basis of the data itself or in combination with certain additional data. In the fol-lowing, the term “personal data” is used synonymously with “data”. “Sensitive personal data” is a category of personal data that is more strictly regulated under data protection law. Sensitive personal data includes, for example, health data, data revealing racial and ethnic origin, information on religious or ideological convictions, biometric data for identification purposes or information on trade un-ion membership.

“Servisa in its capacity as data controller” processes personal data when interested parties, customers or other persons (together referred to as “data subjects”) apply for and/or utilize services or products and make use of Servisa’s “online services”. This privacy statement forms the basis for processing personal data within the scope of Servisa’s various business activities. In addition to provid-ing this privacy statement, Servisa informs data subjects of any business-specific data processing in its declarations of consent, dec-larations of release, General Regulation Provisions, Standard Terms of Insurance, General Terms and Conditions and in its forms. In doing so, Servisa ensures that all data subjects are informed promptly and appropriately of any data processing, even in cases where their own personal data is not collected.

This privacy statement is designed to comply with the requirements of the Swiss Federal Act on Data Protection (“FADP”) and the EU’s General Data Protection Regulation (“GDPR”). Whether and to what extent these laws are applicable depends on the specific individual case.

Servisa in its capacity as data controller

Within the scope of the services they provide, the following foundations are responsible for the data processing described in the priva-cy statement – in each case together with Helvetia Swiss Insurance Company Ltd, Dufourstrasse 40, 9001 St. Gallen, Switzerland, in its capacity as manager of those foundations – unless provided for otherwise, e.g. in forms, in the Standard Terms of Insurance, Gen-eral Terms and Conditions or in contracts:

  • Servisa Collective Foundation, c/o Helvetia Swiss Life Insurance Company Ltd., St. Alban Anlage 26, 4052 Basel, Switzer-land
  • Servisa Supra Collective Foundation, c/o Helvetia Swiss Life Insurance Company Ltd., St. Alban Anlage 26, 4052 Basel, Switzerland

(together referred to as “Servisa”)

The privacy statement may contain references to third parties with whom Servisa collaborates and who, in turn, may be responsible for data processing. Data subjects may contact these third parties directly if they have any questions regarding the exercise of rights. A list of recipients who may receive data for processing purposes or may independently be controllers of personal-data processing can be found in the “List of recipients and countries”.

General information on data privacy

Legal basis for the processing of personal data

The following privacy statement is geared to the requirements of the Swiss Federal Act on Data Protection (FADP), the European Union’s General Data Protection Regulation (GDPR) and the United Kingdom’s General Data Protection Regulation (UK GDPR). Whether and to what extent these laws are applicable depends on the specific individual case. In terms of compulsory occupational benefit schemes, the special data protection provisions of the Federal Law on the Occupational Old-Age, Survivors’ and Disability Benefit Plans (LOB) apply.

All persons involved in providing as well as monitoring or supervising the provision of occupational benefits are subject to the duty of confidentiality in accordance with Art. 86 LOB in respect of third parties.

Servisa may process personal data in accordance with applicable data protection law.

Data processing entails all handling of personal data regardless of the tools and procedures used, particularly the procurement, sav-ing, storage, use, modification (including pseudonymization and anonymization), disclosure, archiving, deletion/erasure or destruc-tion of data. The processing must not unlawfully infringe the personality rights of data subjects, and any processing may be based on the following principles under data protection law:

  • Existence of a contract with Servisa
  • Legitimate interests of Servisa
  • Law
  • Consent
Purpose of data processing

Servisa processes personal data for the purpose of operating obligatory and supplementary occupational benefit schemes and in or-der to maintain benefit coverage in line with the tasks entrusted to it.

Categories of personal data

The personal data processed by Servisa includes data that has been provided by data subjects, collected from them, or is publicly accessible. Data categories include:

  • Communication data
  • Contract details
  • Master data
  • Beneficiary data (e.g. first name, last name, address, place of residence, Old Age and Survivors’ Insurance (OASI) num-ber, payroll amount, start and leave dates, working hours, interruption of employment and cause, purchase (voluntary payment) calculations, advance withdrawals, e.g. to finance residential property or in connection with a divorce, infor-mation about capacity to work)
  • Banking, financial and asset-related data
  • Claims data
  • Health data
  • Registration data
  • Technical data
  • Data regarding behaviour and preferences
  • Security, warranty and compliance data
  • Other data (e.g. powers of attorney, official certifications, etc.)
Data provision

The policyholder or beneficiary is obliged to provide the data required to assess the risk, manage the contract and handle claims. If this obligation is not met, Servisa may refuse to conclude the contract or parts thereof or to pay all or part of the claim.

Data exchange

Servisa or parties it engages may, to the extent required, obtain relevant personal data from third parties to ensure optimum handling of business processes, the conclusion of contracts or contract management, and to provide services. On the basis of the insurance application forwarded or the claim (for benefits) notified, these third parties are released from their duty of confidentiality toward Servisa and the parties it engages.

Concluding the contract or providing services may require Servisa not only to obtain relevant information from third parties, but also to disclose personal data to third parties involved in the contract (such as reinsurers, commissioned parties, service providers, au-thorities, etc.). For this reason, Servisa is not subject to any duty of confidentiality in this regard under the FADP. In addition, Servisa obliges third parties to handle the data appropriately, in accordance with its sensitivity and with other circumstances. The data may be passed on to recipients in Switzerland and abroad if the circumstances of the data processing so require. For further details, please refer to the “List of recipients and countries”.

Profiling and automated individual decision-making

Profiling refers to any kind of automated processing of personal data comprising the analysis of specific personal aspects, such as economic situation, health, interests, reliability, behaviour, or relocation. Servisa may use profiling to analyse certain personal char-acteristics (interests and preferences) of data subjects, so that it can send them personalized advertising or offers, but also in order to identify fraud and security risks. The use of data analysis processes also enables Servisa to compile statistical information. If an in-dividual decision is made in a fully automated manner and that decision has negative legal consequences for the data subject or re-sults in a considerable impairment for them, Servisa will inform them accordingly and the data subject may contact Servisa to have the corresponding decision reviewed by a human being. However, any fully automated decisions are always based on Servisa’s pre-determined rules for the weighting the information.

Data security

Servisa takes adequate technical and organizational measures when processing personal data to prevent unauthorized access and other unauthorized processing. These measures are based on the international standards in this area and are checked regularly and adjusted if necessary.

Storage period

Servisa processes personal data for as long as is necessary to fulfil the processing purposes, to comply with the statutory retention periods, to meet legitimate interests, such as for the purposes of documentation or evidence, or for as long as claims may be brought against Servisa or storage is required for technical reasons, as is the case, for example, with backup copies.

Further information on respective storage periods can be found in the sections under “ Data processing in connection with websites and online services”. If there are no legal or contractual obligations to the contrary, we will delete or anonymize your data after the storage period has expired as part of our usual procedures.

Special information on data privacy

In relation to specific business transactions or instances of data processing, Servisa provides information in its “Special information on data privacy” regarding the persons responsible, the collection and processing of personal data, data categories, purposes, retention periods, the passing on of data, data security, the rights of data subjects, and changes.

BVGonline

[Certain offerings may be used via BVGonline. To complete the registration and login process and ensure operation of the customer portal, Servisa processes the following data: salutation, first name, last name, date of birth, telephone number, e-mail address, language, password for portal access and IP address. Users of the Servisa portal BVGonline can modify their saved personal data at any time. Behaviours on Servisa web-sites may be compared with data from the Servisa BVGonline portal (e.g. age group, region the user lives in, and gender) in order to offer customer-specific products. Automated decisions are not taken in specific indi-vidual cases.]

Business partners and services

The following categories of personal data are processed by Servisa in the context of its relationships with business partners, which may comprise groups of persons such as instructing parties, cooperation partners, contractors, service providers, suppliers, or their repre-sentatives.

  • Communication data
  • Contract details
  • Master data
  • Registration data
  • Technical data
  • Security, warranty and compliance data
  • Additional data

Servisa processes the above-mentioned personal data for the following purposes:

  • Initiation, management and execution of contractual relationships such as supply or advisory contracts
  • Compliance with laws, directives and recommendations of authorities in Switzerland and abroad as well as internal regulations
  • Risk management as part of prudent corporate governance, including operational organization and corporate development
  • Business partner management and contact maintenance
  • Collaboration with business partners
  • Exchange of information between group companies
  • Other purposes

To ensure optimum handling of business processes, the conclusion of contracts or contract management, and to provide services, Servisa or parties it engages may obtain relevant personal data from third parties (e.g. information centres, data providers, address brokers, reference providers) to the extent required. The following categories of data may be collected:

  • Bank and financial data
  • Security, warranty and compliance data

The data may be passed on to recipients both within Switzerland and abroad. Details can be found in the “List of recipients and coun-tries”.

Building security

The categories of personal data processed by Servisa in connection with guaranteeing security are:

  • Video recordings from CCTV cameras
  • Technical information, e.g. location of the camera, time of the recording
  • Recordings from access control systems
  • Movement data of persons in connection with access controls
  • Personal data of visitors and guests

Servisa processes the above-mentioned personal data for the following purposes:

  • To guarantee protection of persons, employees, data, business secrets, assets, systems and buildings
  • To clear up instances of theft and security-related incidents
  • To use as evidence in court and out-of-court proceedings
  • To exercise domiciliary and ownership rights
  • To control access
  • To comply with laws, directives and recommendations of authorities in Switzerland and abroad as well as internal regulations

The following are monitored by CCTV cameras:

  • Waste disposal sites
  • Underground car parks and entrances
  • Certain secure areas such as server rooms, storage rooms containing valuable goods, or sensitive work areas
  • Parking spaces
  • Stairwells
  • Inner courtyards
  • Lifts
  • Entrances and access routes (doors, gates)
  • Other signposted areas

The data may be passed on to recipients both within Switzerland and abroad. Details can be found in the “List of recipients and coun-tries”.

Servisa processes personal data for as long as it is needed for the described purposes and usually deletes it after 30 days.

Data subject rights

Provided certain requirements are met, the applicable data protection laws grant data subjects certain rights, e.g. the right to request information on the personal data Servisa is processing, to object to processing in particular circumstances or to lodge a complaint with the authorities.

Right of information

The right to request information from Servisa on whether and, if so, what personal data it is processing and to receive a copy of that data.

Right to rectification

The right to have inaccurate data rectified.

Right to erasure

The right to request the erasure of personal data, to the extent that Servisa is no longer obliged or entitled under applicable laws or regulations to retain it.

+Right to restrict processing

The right to object at any time to the future processing of personal data, insofar as that processing is not absolutely essential for con-tract performance and/or Servisa is not obliged or entitled to process it under applicable laws or regulations.

Right to object to data processing and revoke consent

The right to object to the processing of personal data, in particular insofar as processing is based on legitimate interests or where data is processed for the purposes of direct marketing, and the right to revoke consent insofar as data processing is based on consent.

Right to data portability

The right to request that Servisa transfer certain personal data.

Rights in the case of automated individual decision-making

The right of the data subject to express their point of view in the case of exclusively automated decisions and to request that decisions be reviewed by a human being.

Right of complaint

Data subjects have the right to lodge a complaint with the competent data protection authority.

Contact details of regulatory authority

  • The Swiss regulatory authority may be contacted here.
  • The contact details for the data protection office of Liechtenstein are available here.
  • You will find a list of the the relevant authorities within the EEA here.
  • You can reach the UK’s regulatory authority here.

If data subjects wish to exercise the above rights, they may do so by contacting the relevant data controller. For central points of con-tact, please refer to section “Contact details for data protection concerns”.

Data subjects also have these rights in relation to other, independently responsible, entities with whom Servisa collaborates and should contact these entities directly when wanting to exercise their rights in relation to data processing performed by them. Data sub-jects will find details of Servisa’s key business partners and service providers in the “List of recipients and countries”.

Data subjects must be aware that conditions, exceptions and restrictions apply in relation to these rights under the applicable data pro-tection legislation. In particular, Servisa may have to continue processing and storing personal data in order to fulfil a contract, safe-guard its own legitimate interests, such as to enforce, exercise or defend its legal rights, or to comply with its statutory obligations. To the extent permissible by law, in particular to protect the rights and freedoms of other data subjects and safeguard legitimate interests, Servisa may entirely or partially reject a data subject’s request (e.g. by redacting certain content relating to third parties or business secrets). In such cases, Servisa will inform the data subject separately.

Contact details for data protection concerns

If data subjects have any queries in relation to data protection or their rights as data subjects, they may contact Servisa quoting “data privacy”. Their enquiry will then be directed to the data privacy advisor or to Servisa’s or Helvetia’s data privacy officer, the latter also being responsible under the management agreement for the Servisa foundations.

Helvetia Insurance
Data Privacy
St. Alban Anlage 26
4002 Basel Switzerland

Tel.: +41 58 280 10 00
E-mail: datenschutz@helvetia.ch

Data processing in connection with websites and online services

In connection with websites, online services and other offers, Servisa processes data primarily for the purpose of responding to con-tacts initiated by customers. In addition, data is also processed for the purpose of improvement and optimization, operation and secu-rity as well as the preservation of evidence in connection with the websites, online services and other offers. Moreover, data is also used to make individual offers, for the purposes of marketing, market research and for statistical evaluations, such as customer sur-veys following the use of the online services. In all other cases, express reference is made to other purposes when the data is being collected.

“Servisa in its capacity as data controller” is responsible for websites, online services and other offers that are clearly recognizable as belonging to Servisa and where nothing else is specified.

Servisa’s websites and online services may contain links to other providers’ websites and online services (e.g. within the scope of what are known as social plug-ins), to which the present privacy statement does not apply. The respective privacy statements of the other providers apply in such cases.

Data subjects may visit Servisa’s websites anonymously; in such cases metadata – e.g. browser, device type, duration of interaction, type of interaction, Servisa web pages visited and IP address – is recorded. This metadata can be correlated with other data kept by Servisa (e.g. regarding newsletter subscribers or distribution lists). Service providers who are contractually bound to Servisa and other third parties in Switzerland or abroad are involved in processing this data. For further information on this, please refer to the “List of recipients and countries” and the “Cookie settings”. Individual “Cookie settings” and the desired browser configurations can also be made there.

Personal data is processed to the extent that it is provided when using the online services (e.g. via a contact form).

Data exchanged over the Internet is often transmitted via third countries. Website content can be transmitted via servers around the world in order to optimize the performance and security of the websites. Data may therefore be transferred abroad even if the sender and recipient are located in the same country.

The data transmitted to Servisa via Servisa websites is transferred in an encrypted format. However, Servisa is not liable for any damage that may arise from the loss or manipulation of data. Visitors to the websites must ensure that their own systems are secured at all times by an appropriate means of protection (e.g. anti-virus software) and that their own systems and browsers are up to date.

Contractually bound service providers and other third parties in Switzerland or abroad are used in the operation of “communication, online services and other offers”. For further information on this, please refer to the “List of recipients and countries”.

Additional notes

E-mail

Servisa would like to remind data subjects that the Internet is an open, global network that is accessible to everyone. Communication via e-mail is not usually encrypted and takes place only during regular office hours. It is possible that data may be lost or intercepted and/or manipulated by third parties, for example, to make it appear authentic. Servisa takes appropriate technical and organizational security measures to prevent this from happening within the Servisa system. Nevertheless, the confidentiality of data transmitted by e-mail cannot be guaranteed. This applies, in particular, to the transmission of sensitive personal data (such as health data). E-mails may be delayed, deleted, misrouted or shortened during transmission due to transmission errors, technical defects or other malfunc-tions. External access devices (Internet users’ PCs, smartphones, etc.) and parts of the infrastructure used for transmission between the sender and Servisa are located outside the secure area over which Servisa has control. It is the responsibility of each Internet user to find out about the necessary security precautions and to take appropriate measures (e.g. up-to-date anti-virus software, etc.). Servisa is not liable for any damage or consequences arising from the electronic exchange of information, particularly from the mis-use of the e-mail system, for which Servisa itself is not responsible. Servisa reserves the right to seek indemnification from the data subject for any intentional damage it suffers as a result of its business dealings with the data subject via the electronic exchange of information. Servisa reserves the right not to respond via e-mail in individual cases or to request that orders placed or information sent by e-mail be confirmed in another form (e.g. using a signed form).

Log files
  • The providers of Servisa Collective Foundation's websites collect and store data in the form of log files when those websites are accessed. This includes the following data:
    • IP address of the website user
    • User name (user ID) when using the customer portal
    • User name (user ID) when using the customer portal
    • Designation of the websites accessed
    • Definition of the files accessed (downloads)
    • Notification of successful access
    • Previously visited sites
  • This data is not stored together with other personal data of the user. Furthermore, this data is col-lected only for statistical purposes relating to website use, security and optimization of the offering and the website, and is not passed on to third-parties for any other purpose.
    • This data is deleted as soon as it is no longer needed to fulfil the purpose for which it was collect-ed, or if there is no legal basis for its storage.
    • As this access data is absolutely necessary for providing the website, it is not possible to object to this form of data processing.
insuree portal

Certain offerings may be used via the insured person portal. To complete the registration and log-on process and ensure operation of the portal, Servisa processes the following data: salutation, first name, last name, telephone number, e-mail address, password for portal access and IP address. Users of the Servisa insured person portal can change the customer data created in connection with the portal at any time. Behaviours on Servisa websites may be correlated with data from the Servisa insured person portal (e.g. age group, region the user lives in, and gender) in order to offer customer-specific products. Automated decisions are not taken in specific individual cases.

Online events

Servisa uses the technological services of third parties when organizing webinars, brown-bag sessions and other online events. When participating in online events, the names and e-mail addresses of the participants, as provided during registration, enrolment or upon joining, are usually communicated to third-party providers for the purposes of technical implementation of the event. As a rule, the data is hosted in Switzerland. It cannot be ruled out that this data will be stored outside Switzerland, is subject to other legal systems and/or will be passed on to other third parties by the third-party providers. The respective privacy policy of the service provider(s) applies. Servisa itself does not pass on any other customer data in connection with the organization of events and the deployment of third-party providers. As a rule, Servisa collects participants’ details during the registration process for events. This may involve in-formation about persons other than those completing the registration. On completion of the registration process, Servisa obliges the person carrying out registration to inform all those registered by name about Servisa’s privacy statement. Servisa assumes, once registration has been completed, that the persons registered by name have been adequately informed about data processing at Servi-sa. All data entered is used solely in connection with the organization and staging of the event and is deleted within a reasonable and/or the statutory period. Data may be passed on to third parties if, for example, lists of names have to be disclosed for the organization of events. For further details, please refer to the “List of recipients and countries”. As a rule, the disclosure is evident from the circum-stances of the registration (e.g. registration for travel, a stay in a hotel or a restaurant booking); otherwise, Servisa reserves the right to provide separate information in the login mask. The retention period for the data is based on the purpose and is limited to what is absolutely necessary. Data is deleted within the corresponding time period.

Amendments

Servisa reserves the right to amend this privacy statement at any time without notice. The current published version or the version for the corresponding time period applies. This privacy statement has been published in various different languages. If the content differs between these languages, the German version takes precedence.