This text applies analogously to female and a plural number of persons. Edition June 2022.
Data protection is a particularly high priority for the Terzo Pension Foundation of WIR Bank (hereinafter the ‘Foundation’). In this data protection declaration, the Foundation provides information about the type, scope and purpose of the personal data that it gathers, uses and processes, and the rights of the data subject. The scope of the personal data that the Foundation processes is effectively determined by the individual pension agreement, the applicable pension rules, the pension products obtained by the data subject, the agreed service, and statutory and regulatory obligations regarding the gathering and processing of personal data.
1. Sources of the personal data
The Foundation processes the data that it receives from the data subject (e.g. customers, potential customers, third parties associated with customers). In addition, the Foundation obtains data from other pension and vested benefits institutions, service providers (e.g. databases), public registers or agencies (e.g. compensation offices, courts, taxation offices) that the Foundation requires to deliver services or for statutory or regulatory reasons.
The following, in particular, are deemed to be associated third parties:
- authorised persons/authorised signatories
- family members of the customer (e.g. current and former spouses, civil partners, parents and children) and other beneficiaries
- payees of a particular payment transaction
- contacts in social and private insurance companies, other pension and vested benefits institutions, parties to contracts and government departments and agencies
- any other natural or legal entity with a relationship to the customer that is relevant to the pension relationship between the customer and the Foundation
Where data is transmitted by or via third parties, the Foundation assumes that a corresponding authority/consent exists and that the data is accurate.
2. Categories of personal data
The categories of personal data that the Foundation processes include personal information (e.g. name, gender, date and place of birth, marital status, address, nationality, family relationships, signatures, data from ID documents, contact details (telephone number or email address), transaction data, financial situation, investment goals, tax residency, US status, occupational information, data from use of the Foundation’s website (e.g. IP address, cookies) and additional information on powers of attorney, personal relationships, regulatory relationships, log files). In accordance with the statutory retention period, the Foundation can also store previous versions of this data along with the current data.
There is a possibility that data other than that outlined above will be processed when signing up for certain pension products (e.g. VIAC). This may include: order data, payment orders, direct debit data, documentation data, investment behaviour, investment strategy, business data.
Sensitive personal data is personal data accorded special protection by the law due to its sensitivity (e.g. health data). Where the Foundation processes sensitive personal data, it does so in connection with:
- compliance with statutory or regulatory duties
- processing that relates to personal data that the data subject has made public or that has been made public
- processing for which the data subject has given their explicit consent
- the assertion, exercise or defence of legal claims
3. Purposes of the data processing
The Foundation only gathers and processes the personal data it needs to fulfil a particular purpose. In particular, personal data is processed for the following purposes:
- in connection with the pension relationship (implementing occupational pension schemes), i.e. to enable the provision of the pension products and services offered by the Foundation, for example, for the (possible) initiation, administration and termination of the pension relationship (transfer of the pension capital and payment of the benefits including cash payments as per Art. 5 VBA)
- to enable the fulfilment of statutory and regulatory obligations, e.g. tax laws, duties of disclosure to government agencies (e.g. courts)
- in connection with marketing, in other words, to improve the products and services offered or offer new products and services (including through WIR Bank Genossenschaft and its group companies), e.g. by means of marketing, sending newsletters, operating the website
- for statistical evaluations and data analyses in aggregated form without traceability to individual persons
4. Compliance with data protection principles
The Foundation processes personal data, taking particular account of the Swiss Data Protection Act (FADP) and the Data Protection Ordinance (DSV). When processing personal data, the Foundation verifies that such processing is carried out lawfully, fairly and proportionately. The data is only processed in the manner stated when it was obtained, which is evident to the data subject or provided for by law. The Foundation does not process personal data covertly or secretly, unless required to do so under law. Personal data is only obtained by the Foundation for a specific purpose that is evident to the data subject. The Foundation ensures by means of appropriate technical and organisational measures, taking into account the state of technology and implementation costs, that the processed personal data:
- is accessible only to authorised persons
- is available when required
- is not altered without authorisation or unintentionally, and
- is processed in a verifiable manner
If personal data should prove to be inaccurate or incomplete, the Foundation will rectify, erase or destroy it, unless prohibited from doing so by law or regulatory provisions.
5. Bases for data processing
Where necessary, the Foundation processes personal data on the following bases:
5.1 Legal basis
The Foundation is obliged to process personal data on various statutory and regulatory bases. In particular, these include:
- the Federal Act of 25 June 1982 on Occupational Old Age, Survivors’ and Invalidity Pension Provision (OPA)
- the implementing Ordinance of 18 April 1984 on Occupational Old Age, Survivors’ and Invalidity Pension Provision (OPO2)
- the Federal Act of 17 December 1993 on the Vesting of Occupational Old Age, Survivors’ and Invalidity Benefits (Vested Benefits Act, VBA)
- the Ordinance of 3 October 1994 on the Vesting of Occupational Old Age, Survivors’ and Invalidity Benefits (VBO)
- the Ordinance of 13 November 1985 on Tax Relief on Contributions to Recognised Pension Schemes (OPO3)
- the Ordinance of 3 October 1994 on the Promotion of Home Ownership using Occupational Pension Benefits (PHOO)
The contractual elements required for consent derive from the individual pension agreement and the applicable pension rules. Where additional consent is necessary in individual cases for special processing of personal data, the Foundation will obtain this from the data subject. Once given, consent may be withdrawn at any time. Such a withdrawal of consent only becomes effective upon receipt by the Foundation and it does not affect the lawfulness of the processing of personal data prior to the withdrawal. There may be grounds (for example by reason of law) that require the processing of the personal data despite the withdrawal of consent. A withdrawal of consent may result in the restriction of certain services or the termination of the pension relationship by the Foundation.
5.3 Overriding public or private interest
The Foundation processes personal data to bring about or enter into a pension relationship (e.g. account management/custodian account management or execution of orders and transactions), for analysis of customer behaviour, for measures to improve products and services or for marketing.
The Foundation has additional legitimate private interests in processing personal information:
- to secure or enforce the claims of the Foundation vis-à-vis the customer and when realising customers’ securities or those of third parties (where the third-party securities have been furnished for claims against the customer)
- when collecting receivables of the Foundation against the customer
- investigations by the Foundation conducted by government agencies
- in the event of legal disputes of the Foundation with the customer
- in cases of administrative assistance (Art. 87 OPA)
- in investigations into entitled parties in the absence of contact or communication
6. Storage period for personal data
The Foundation processes and stores personal data for as long as this is necessary to fulfil the purpose for which the personal data was gathered or to fulfil contractual or statutory obligations. As a rule, this is 10 years after the ending of the pension relationship (cf. Art. 27j OPO2).
If personal data cannot be erased, technical and organisation measures are taken to ensure that:
- technical and organisational procedures are implemented to safeguard the integrity of the data, in particular the guarantee of authenticity and integrity of the data or the documents (e.g. digital signature or date stamp). In addition, measures are taken to ensure that the data cannot be modified subsequently without this being detectable.
- the contents of the data are verifiable at all times
- access and logins are logged and documented in log files
7. Rights arising from data protection
The data subject is fundamentally entitled to the following rights, unless precluded by a statutory obligation:
- access to personal data
- rectification of personal data
- handover of personal data
- transmission of personal data
- ban on specific personal data processing
- restriction of the processing of personal data
- prohibition of disclosure of personal data to third parties
- withdrawal of consent for processing of personal data
- erasure and objection to the personal data gathered
The detailed procedures for exercising the above-named rights of the data subject and the obligations of the Foundation, such as the spoken or written form, are to be settled by mutual agreement between the data subject and the Foundation. If the provision of access, the handover or the transmission of data is associated with disproportionate expense, the Foundation may insist on a cost contribution to a maximum of CHF 300.
8. Recipients of personal data
Pursuant to the pension agreement and pension rules, the personal data is processed only by those persons who require the data to fulfil contractual or legal obligations. Service-providers and third parties (e.g. outsourcing partners) are given access to the data where necessary.
Service providers and third parties as recipients of personal data may include:
- WIR Bank Genossenschaft (founder) and its group companies (in particular VIAC AG, VIAC Invest AG, VIAC Services AG etc.)
- processors and other service providers (e.g. custodian banks, software developers, IT providers, insurance companies)
- other pension institutions (e.g. transfer)
- public bodies (e.g. government agencies) where provided for by statutory or official obligation (e.g. administrative assistance pursuant to Art. 87 OPA)
9. Transmission of data to foreign countries
In principle, there is no transmission of data to other countries. If personal data is to be transmitted to foreign countries, this will take place in compliance with the provisions prescribed by law and where this is necessary in order to perform the contract (e.g. to process international transactions or execute orders in foreign trading venues). If processors are employed in other countries, they are required to comply with the obligation of secrecy (Art. 86 OPA) and the Data Protection Act.
10. Automated individual decisions
In principle, the Foundation does not use any automated individual decisions in order to establish and carry out the business relationship. If the Foundation should employ this process in individual cases, customers will be informed of this separately, where prescribed by law.
11. Protection of personal data
The protection of personal data has top priority for the Foundation. Customers’ personal data is subject to the obligation of secrecy under pension law (Art. 86 OPA). Personal data is treated as strictly confidential and protected from access by unauthorised third parties. In general, anyone who is not subject to a duty of confidentiality has no access to the personal data gathered. The Foundation likewise ensures that the recipients of personal data comply with the applicable data protection provisions.
12. Data relating to internet presence
13. Subject to change
The Foundation reserves the right to amend the data protection declaration at any time while complying with legal data protection requirements. You can retrieve the current version of this data protection policy at https://www.wir.ch/fileadmin/user_upload/Dokumente/Formulare/datenschutzerklärung.pdf and https://viac.ch/en/data-protection-use-of-analysis-tools/.
14. Contact details
The Foundation is the data controller for the processing of personal data. Queries in relation to data protection may be addressed to:
Terzo Pension Foundation of the WIR Bank
Data Protection Consultant
Basel, 19 June 2023