Data Protection Declaration

2. Points of contact for data protection issues

3. Terminology

To ensure better understanding, we would first like to clarify the most important terms used in this Data Protection Declaration. In this regard, we adhere to the definitions of terms set out in the Swiss Data Protection Act.

• Personal data: any information relating to an identified or identifiable natural person;
• data subjects: natural persons about whom data is processed;
• Sensitive personal data:
  (1) data relating to religious, ideological, political or trade union views or activities;
  (2) data relating to health, privacy, or race or ethnicity;
  (3) genetic data;
  (4) biometric data which uniquely identifies a natural person;
  (5) data relating to administrative or criminal prosecutions or sanctions; and
  (6) data relating to social welfare measures;
• Processing: any handling of personal data, regardless of the means and processes used, in particular the procurement, storage, retention, use, modification, disclosure, archiving, erasure or destruction of data;
• Profiling: any form of automated processing of personal data involving the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
• Controller: private person who or federal body that, alone or together with others, decides on the purpose and means of processing;
• Processor: private person who or federal body that processes personal data on behalf of the controller.

4. Legal bases

This Data Protection Declaration complies with the requirements of the Swiss Federal Data Protection Act (“DSG”), the associated Ordinance (“DSV”) and the General Data Protection Regulation of the European Union (“GDPR”). The type and scope of the applicable legislation depends on the individual case in question. Foreign data protection law applies only to the extent stipulated by the applicable law and only to the data processing processes and persons affected by it.

When processing personal data, we adhere to the applicable data protection regulations.

The processing of personal data may not unlawfully infringe the privacy of the data subjects. For this reason, such data processing must comply with the processing principles of data protection law and/or must be justified on legal grounds. In particular, we are authorised to process personal data if the processing:

• has a legal basis.
  The processing of personal data may be required or justified by law. This applies in particular to the implementation of social health insurance (Art. 84 KVG) and compulsory accident insurance (Art. 96 UVG). In this area, we act as a federal body, which means that our actions must always have a legal basis.
• is necessary for the performance of a contract with the data subject or for pre-contractual measures.
  Most of the processing of personal data takes place in the context of fulfilling contractual obligations (e.g. provision of compulsory health insurance or supplementary insurance, provision of insurance advisory services).
• is necessary to protect our legitimate interests or those of third parties.
  A legitimate interest on our part exists in particular if the processing of personal data takes place in the context of the purposes as well as in the context of the disclosure of data and the objectives associated with this.
• is based on consent.
  If the processing of personal data is based on your consent, we will inform you of this separately and transparently. You may revoke your consent at any time with effect for the future by notifying us in writing (see points of contact). Upon receipt of your revocation, we will cease processing the data concerned unless we can otherwise justify the processing.
• is necessary to comply with Swiss and foreign legal regulations.

5. Categories of personal data

Depending on the products and services you use and the relationship between you and us, we process the following categories of personal data in particular:

• Master data: e.g. title, surname, first name, gender, date of birth, age, address and contact details such as address, telephone numbers, email addresses, language, nationality, profession, customer numbers, user names, financial information, family members, contact persons.
• Contract data: e.g. information from the application process, information relating to applications, conclusion and termination of contracts, contract amendments, active/inactive insurance products, scope of benefits, risk assessments, information on previous insurance policies, insurance claims made, health declarations, creditworthiness, payment information, bank details, premium payments, premium reductions, outstanding amounts, reminders, collection/disbursement, selected deductibles, employer information.
• Communication data: e.g. names, contact details, communication content from written, electronic and oral correspondence (including chat messages, social media posts and messages, comments on websites, etc.), details from surveys, information on time, place, type, etc. of communication, proof of identity, peripheral data.
• Benefit processing data: e.g. information on reimbursement requests, health data, information on insured items or activities, information on claims processing, details of third parties involved, payment data.
• Behavioural data: e.g. information about attendance of events and participation in competitions, information about the use of and behaviour on our websites and applications (see also our Cookie Policy), information about the use of our infrastructure (Wi-Fi, electronic communication channels, etc.).
• Technical data: e.g. IP addresses, general information about the operating system and browser, information about visits to our websites and applications (date, time, duration of stay, number of views, content accessed), visitor source (referring website), device identifiers, access data, cookies (see also our Cookie Policy).
• Marketing data: e.g. information on personal preferences and interests, newsletter subscriptions and unsubscriptions, content of marketing correspondence, profiling.
• Visual and sound recordings: e.g. recordings of telephone conversations and video calls (only with prior notice and where necessary with your consent), video surveillance system recordings, recordings in connection with customer and staff events.
• Compliance data: e.g. data in connection with clarifications, assessments and measures in the area of compliance (incl. compliance incidents).

6. Source of data

We collect a large part of your personal data directly from you as the data subject. In particular, this includes master data, contract data, communication data, benefit processing data and preference data. Such personal data is collected as part of the initiation and execution of business relationships and the use of our products and services. If you provide us with data about other people (e.g. family members), you must ensure that you are authorised to do so and that the data is accurate. Data subjects must also be made aware of this Data Protection Declaration in advance.

We may also collect personal data about you ourselves or automatically or derive it from existing data. In particular, this includes behavioural, preference and technical data.

Finally, we also receive personal data from Sympany Group companies and other third parties to the extent permitted by law. Such third parties include, in particular, persons associated with you, service providers, business partners, other insurers, banks, sales partners, brokers, providers of online services (e.g. comparison sites), authorities, official bodies, courts, employers, parties and their legal representatives in the context of legal disputes, etc. We may also collect personal data from public sources (e.g. credit agencies).

7. Purposes of data processing

We process the data collected in order to comply with our legal and contractual obligations towards our policyholders, interested parties, applicants, business partners, employees, authorities and other involved parties (e.g. premium payers, recipients of correspondence, family members, injured parties, beneficiaries, contacts and representatives). These purposes include in particular:

• providing social health insurance, in particular in the context of Art. 84 KVG (e.g. to ensure compliance with the obligation to take out insurance, to calculate and collect premiums, to assess benefit claims, to calculate and grant benefits and coordinate these with benefits from other social insurance schemes, to assess entitlements to premium reductions as well as to calculate and grant reductions, to assert a right of recourse against a liable third party, to supervise the implementation of the applicable laws, to keep statistics, to allocate or verify the OASI number, to calculate the risk compensation, to obtain information from third parties, to disclose data to third parties pursuant to Art. 84a KVG);
• providing compulsory and voluntary accident insurance (e.g. to calculate and collect premiums, to assess benefit claims, to calculate and grant benefits and coordinate these with benefits from other social insurance schemes, to supervise the application of the provisions on the prevention of accidents and occupational diseases, to assert a right of recourse against a liable third party, to supervise the implementation of the applicable laws, to keep statistics, to assign or verify the OASI number, to prepare offers, to obtain information from third parties, to disclose data to third parties in accordance with Art. 97 f. UVG);
• providing supplementary insurance in the area of treatment costs and accident insurance (e.g. to calculate and collect premiums, to assess benefit claims, to calculate and grant benefits and coordinate these with other social insurance schemes, to assert rights of recourse against third parties, to compile statistics and offers, to carry out risk assessments and to obtain information from third parties);
• providing daily allowance insurance in accordance with Art. 67 KVG and VVG (e.g. to assess and calculate benefit entitlements, to obtain information from third parties);
• checking the suitability of applicants for vacancies and concluding and executing the associated employment contracts;
• establishing, managing and processing further contractual relationships;
• ensuring contact and customer management (including outside of a contractual relationship);
• complying with laws and recommendations of Swiss and foreign authorities and internal Group regulations (“compliance”) as well as ensuring risk management;
• developing, delivering, improving and managing access to the products, services and information requested by you;
• understanding behaviour, activities, preferences and needs (including analysing and evaluating use of our websites);
• providing training and education;
• implementing advertising and marketing measures insofar as we are authorised to do so, e.g. if you have given your consent;
• monitoring and improving the effectiveness of our services;
• enforcing our legal claims and defending against unjustified claims in Switzerland and abroad;
• detecting, preventing and investigating illegal activities (including insurance fraud);
• exchanging information between Group companies, insofar as this is necessary and legally permissible;
• generally safeguarding our business operations and the necessary infrastructure (in particular IT infrastructure, websites, etc.);
• safeguarding administrative processes (e.g. data archiving, accounting, master data maintenance, quality assurance).

8. Profiling

To the extent legally permissible, we may use profiling (see definition) to combine and analyse behavioural, master and contractual data as well as technical data about you in order to better understand you and your various interests, characteristics and personal needs. Based on these findings, we can provide you with personalised product recommendations or offers, improve your customer experience and carry out statistical analyses. Ultimately, such processes also enable us to identify risks of misuse and security risks.

9. Automated individual decisions

If we make decisions that are based solely on automated processing and that have a legal consequence for you or significantly affect you (automated individual decision), we will inform you of this separately. In these cases, you have the right to have the decision reviewed by a person.

10. Duration of processing of personal data

We process your personal data for as long as we are legally obliged to do so (e.g. retention and archiving obligations) or as long as our legitimate business interests require it (e.g. enforcing or defending against claims, ensuring IT security) or as long as the purpose of collecting your data makes it necessary or its retention is technically necessary. In the case of contracts, data is generally stored for the duration of the contractual relationship and for any statutory retention periods beyond this.

In certain cases, we store your personal data – based on your consent – for a longer period of time (e.g. job applications that we keep on file as pending).

This may result in your personal data or extracts thereof having to be stored for several years after the end of the contractual relationship between you and us. If your personal data is no longer required for the aforementioned purposes, it will be deleted or anonymised wherever possible.

We have set out binding rules on the retention periods that apply to personal data in internal regulations. Below you will find a general overview of the most important retention periods:

• Master and contract data: We generally store such data for ten years, beginning at the end of the financial year in which the contract was terminated. However, this period may also be longer if retention beyond this period is necessary for evidentiary reasons, on the basis of legal or contractual requirements or for technical reasons.
• Technical data: We generally store log data for 18 months. Session cookies are deleted when you leave our website or when your session expires. Other cookies (e.g. permanent cookies) are stored for a period of several days to two years unless you delete them manually.
• Communication data: Personal data generated in the course of our communication (e.g. e-mail, written correspondence, messages via contact forms, etc.) is normally stored for 10 years.
• Applicant data: We delete applicant data within six months of completing the application process, unless an employment relationship is established. In this case, your applicant data will be transferred to your personnel file. With your consent, we may store your application data for a longer period of time.
• Video and sound recordings: We store recordings from security cameras for three days and then delete them unless we need to store them for longer for criminal prosecution purposes, etc. We store telephone call recordings for three months.
• mySympany customer portal: Personal data is stored for as long as the account is maintained. If the deletion of the account is requested, the data will be deleted within a maximum of 20 days. If the account is deactivated due to misuse, the data will be deleted as soon as this becomes known. If the portal is not used, the data will not be deleted.
• Marketing data: We delete personal data that we process in connection with our marketing activities after you withdraw your consent. This does not apply to cases in which we can otherwise justify the processing of the data.

11. Disclosure of personal data to third parties

Insofar as we are legally entitled or obliged to do so, we may also pass on personal data to third parties. These include, but are not limited to, the following categories of recipients:

• Sympany Group companies
• Service providers and other insurance providers
• Business customers (e.g. employers in the context of daily allowance and accident insurance)
• External service providers (e.g. banks, asset managers, consultants, lawyers, assessors, debt collection agencies, credit agencies, IT providers, telemedical service providers, logistics companies)
• Business partners (e.g. retailers, suppliers, subcontractors)
• Intermediaries
• Swiss and foreign authorities, official bodies and courts
• Other parties in administrative and judicial proceedings
• Participants in corporate transactions (e.g. purchase, sale or mergers of companies, business areas, etc.)

Insofar as these third parties are not jointly responsible together with us or independently responsible for the respective data processing, they act as our processors. We have concluded corresponding processing agreements with our processors. In these agreements, they undertake to comply with data protection and data security regulations. Furthermore, they may only process personal data in accordance with our instructions. They also grant us comprehensive rights of inspection and control as well as rights of access, rectification and erasure.

Depending on the nature and content of the disclosure of personal data to third parties, we take appropriate measures to ensure that applicable professional and official secrets are kept confidential and that statutory confidentiality obligations are complied with.

Sympany uses the services of jacando AG, Münchensteinerstrasse 41, 4052 Basel and Prospective Media Services PMS AG, Seestrasse 513, CH-8038 Zurich to operate the careers portal. The service providers are contractually obliged not to use the data for their own purposes and to comply with the currently applicable data protection legislation, security standards and Sympany’s instructions.

12. Disclosure of personal data abroad

We generally process and store personal data in Switzerland and the European Economic Area (EEA). In certain cases, we may also disclose personal data to service providers and recipients who are located outside this territory or process personal data outside this territory, which could, in principle, be in any country in the world. In particular, you must expect personal data to be disclosed in all countries in which the service providers engaged by us and their subcontractors are located (in particular the USA).

We ensure compliance with the legal requirements by taking appropriate measures. Unless an adequacy decision has been issued by the competent authority, the transfer of personal data is carried out on the basis of appropriate safeguards (in particular standard contractual clauses approved by the European Commission and the Swiss Federal Data Protection and Information Commissioner [FDPIC]) or if there are exceptions for certain situations (contract processing, law enforcement abroad, etc.) or we obtain your express consent.

13. Data security

We implement appropriate technical (e.g. encryption, pseudonymisation, logging, access restriction, data backup, etc.) and organisational (e.g. instructions to our employees, confidentiality agreements, audits) security measures in accordance with the current state of the art in order to ensure the confidentiality, availability and integrity of your data to the best of our ability.

Our employees are subject to both a contractual and a legal duty of confidentiality (e.g. Art. 62 DSG and Art. 33 ATSG). In addition, we regularly train and raise awareness among our employees in matters of data protection. Our data protection and information security experts are also proactively consulted and involved in projects.

The Processing Regulations for Data Collection document (in German) governs the details on how customer data is to be handled. Sympany works with its outsourcing partner, Centris AG, Solothurn, to process data in accordance with the DRG remuneration model. Both Sympany and Centris AG, Solothurn, have been certified as DRG collection points by SQS (Vivao Sympany AG certificate). The details of the data processing are defined in a set of regulations.

We would like to point out that, despite all measures taken, data security breaches cannot be completely ruled out. There is always some degree of residual risk.

In particular, unencrypted e-mail messages sent to Sympany may be viewed by unauthorised third parties. Your data may also be viewed by third parties abroad, as Internet traffic is regularly routed through third countries. Sympany cannot guarantee data security for unencrypted e-mails and therefore excludes any warranty or liability for this. This also applies in particular to the sending of particularly sensitive personal data (e.g. health data) by unencrypted e-mail. Communication in the mySympany customer portal is secure. If you would like secure and encrypted communication with us, you can achieve this by using HIN or Fex, for example. If necessary, our Customer Services can advise you in this regard.

14. Rights of data subjects

Provided that the requirements of applicable data protection law are met and no statutory exceptions apply, you have the following rights in connection with the processing of your personal data:

• the right to request information about your personal data that we process;
• the right to have incorrect or incomplete personal data rectified;
• the right to request the erasure or anonymisation of your personal data;
• the right to request the restriction of the processing of your personal data;
• the right to receive certain personal data in a commonly used electronic format or to have it transferred to another controller;
• the right to object to the processing of your personal data, in particular if such processing is based on legitimate interests or serves direct marketing purposes;
• the right, in the event that any solely automated individual decisions are made, to state one’s own point of view and request that the decision be reviewed by a natural person;
• the right to revoke consent given with effect for the future.

Please note that these rights may be restricted or excluded in specific individual cases (e.g. to protect third parties or trade secrets).

Further information on your rights as a data subject can also be found in the Processing Regulations for Data Collection.

In order to assert your rights as a data subject or if you have any questions about this Data Protection Declaration and the processing processes described therein, you can contact the parties specified in section 2 by post, enclosing a copy of an official form of identification.

If you believe that your data has been processed unlawfully, we would be grateful if you could contact us directly. Alternatively, you can lodge a complaint with your competent supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, the complaint must be submitted to the respective national data protection authority.

15. Changes to this Data Protection Declaration

We may amend this Data Protection Declaration at any time and without prior notice. The current version published on our website shall apply.

The data protection information has been written in several languages. In the event of differences in content, the German version shall take precedence.