The VZ Group includes all Swiss group companies owned by VZ Holding Ltd in addition to companies closely associated with it. They are referred to collectively in this Policy as "VZ".
"Personal data" means any information relating to an identified or identifiable person. This includes in particular contact and master data, such as names, telephone numbers, postal addresses and email addresses. "Processing personal data" means any handling of personal data, including in particular the procurement, retention, usage, disclosure or erasure thereof. "Disclosure" means granting access to personal data (e.g. allowing data to be viewed, passed on or made public).
2. Origin and categories of personal data
VZ may process any personal data that are provided to it (e.g. within the consultation meeting, when ordering marketing materials or when accessing websites), are publicly accessible (e.g. in address books or commercial registers) or can be obtained from third parties (e.g. from address service providers or the Swiss Central Office for Credit Information [Zentralstelle für Kreditinformation]).
These data are primarily comprised of so-called master data (e.g. personal information), contractual data (e.g. information concerning the grant of a mandate, information relating to assets), financial data (e.g. ratings and information concerning creditworthiness in relation to lending), transaction data (e.g. information concerning payment transactions) or marketing data (e.g. interest in services, visiting websites).
3. Legal basis and purpose of processing
VZ processes personal data in accordance with data protection law:
VZ may process your data in order to implement a mandate that you have placed with it.
Legal and/or regulatory requirements
VZ processes personal data if necessary pursuant to legal and/or regulatory requirements (e.g. in relation to the combatting of money laundering and the financing of terrorism, for the purpose of risk management).
VZ processes personal data in order to safeguard legitimate interests (e.g. for advertising, market and opinion research and in order to ensure the security of its IT systems or to prevent fraud).
Where applicable, with your consent VZ may process your data if you have consented.
4. Data security
VZ processes as little personal data as necessary and protects them against loss and misuse (e.g. against access, alteration or disclosure by unauthorised persons). The technical and organisational measures intended to ensure data security are appropriate and comply with stringent requirements (e.g. usage of firewalls, personal passwords along with encryption and authentication technologies, access restrictions, awareness raising and employee training). They are continuously adjusted to take account of specific hazards. The level of protection is state of the art and corresponds to the type and extent of the processing.
5. Disclosure of personal data within Switzerland and abroad
VZ complies with the duties of confidentiality laid down within data protection law, the rules on bank-client confidentiality and any other applicable provisions. These duties apply to all employees and governing officers of VZ as well as to any persons working on its behalf on an outsourced basis (known as contracted data processors). Personal data may only be accessed within VZ by a person who requires them for the purpose for which they are being processed.
Personal data may be disclosed to other VZ group companies or to third parties if this is necessary in order to comply with contractual duties (e.g. to payment service providers or beneficiaries), in order to comply with legal and/or regulatory requirements (e.g. to supervisory authorities or courts), in order to safeguard legitimate interests (e.g. to marketing service providers) or if you have consented.
If personal data are disclosed to contracted data processors (e.g. for IT services, the printing and dispatch of documents), the contracted data processors may only process these data in the manner that VZ itself is entitled to. VZ carefully selects contracted data processors and contractually obligates them to comply with duties of confidentiality and to ensure data security.
VZ does not disclose any personal data to contracted data processors situated abroad under any outsourcing arrangements. However, data may be transferred abroad (worldwide) in order to comply with contractual duties (e.g. in relation to securities transactions) and legal and/or regulatory requirements (e.g. to tax authorities or to securities trading, clearing or depository bodies) in order to safeguard legitimate interests (e.g. the exercise or defence of legal claims) or if you have consented.
VZ warrants in relation to the disclosure of personal data abroad that the country concerned has an adequate level of data protection, that appropriate data protection is ensured in another manner or that there is a legal basis.
6. Automated individualised decision-making and profiling
VZ may analyse and assess personal data using automated systems in order to identify characteristics, predict developments and create profiles (so-called profiling). Profiles are used in order to manage you in an optimal manner (e.g. assessment of creditworthiness) and to tailor marketing to your needs (e.g. personalised marketing). VZ does not disclose profiles to third parties and ensures that data subjects can state their views concerning automated individualised decision-making to a specialist unit (contact: see 9.).
7. Retention period
The period of time for which personal data are retained is dependent upon legal and/or regulatory retention requirements or the purpose of the data processing. As a rule, VZ retains personal data for the duration of the business relationship and for ten years thereafter (depending upon the applicable legal basis) or erases/destroys them as soon as they are no longer used. The ten-year period corresponds to the period of time during which legal claims can be brought against VZ. Ongoing or anticipated legal and/or regulatory procedures may result in storage for longer than this period.
You have the right to obtain confirmation as to which data concerning you are being processed and may request that these data be erased or rectified. In addition, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC). However, these rights do not apply unconditionally: in specific individual cases, further processing of personal data may be required above all due to legal/regulatory requirements (e.g. in order to comply with duties to provide access and information) or in order to safeguard legitimate interests (e.g. for the exercise or defence of legal claims).
In order for VZ to be able to comply with your request for access, you must submit your request in writing to VZ along with a copy of valid official photographic identification (e.g. passport, identity card or driving licence).
If your personal data are processed for marketing purposes, your right to object also applies to marketing activities (e.g. mailings or newsletters) and profiling for marketing purposes. You can end any undesired marketing activities at any time by informing VZ of your wishes.
You can withdraw your consent to the processing of your personal data at any time. Any such withdrawal of consent will only apply with future effect: any data that have previously been processed will not be affected by the withdrawal of consent.
Please do not hesitate to get in touch with your contact person at VZ with any general questions, suggestions or observations.
You can also contact the following specialist unit with any questions relating to data protection:
VZ VermögensZentrum AG