Here you will find all legal information about PPCmetrics
Data protection declaration
September 2023
Introduction
This privacy policy is based on the Swiss Data Protection Act (DSG and DSV) and, where applicable, on the General Data Protection Regulation of the European Union (GDPR). The European Commission recognises that Swiss data protection law ensures adequate data protection.
In this privacy policy, we inform you about the type, scope and purpose of the personal data we collect and process and what rights you are entitled to in this context. The protection of your privacy is important to us. We comply with our legal obligations and handle your personal data responsibly, carefully and for the intended purpose.
This data protection declaration is not an exhaustive description. For individual or additional offers or services from us, other PPCmetrics AG data protection declarations may regulate specific circumstances (e.g. in contracts). If you visit our website www.ppcmetrics.ch, the separate privacy policy applies.
For the purposes of this Privacy Policy, personal data (‘personal data’) means any information relating to an identified or identifiable natural person and which allows conclusions to be drawn about their identity on the basis of the data or with additional data (e.g. name, date of birth, residential or e‑mail address, financial data, etc.). Particularly sensitive personal data’ is data that is particularly protected under data protection law, for example data relating to the health or personality of a natural person. Below (see ‘What personal data do we process?’) you will find details of the data that we process.
The processing of personal data includes any handling such as the collection, storage, retention, use, modification, disclosure, archiving, erasure or final destruction of data. We process personal data in accordance with the principles of lawfulness, transparency, purpose limitation, good faith and proportionality, data integrity, data minimisation and data security (Art. 6 FADP, Art. 5 GDPR).
Person responsible for data processing (‘controller’) and data protection advisor (FADP) or data protection officer (GDPR)
The controller for data processing within the meaning of Art. 5 FADP is
PPCmetrics AG
Badenerstrasse 6
P.O. Box
CH-8021 Zurich
Phone: +41 44 204 31 11
Email: zurich@ppcmetrics.ch
Website: www.ppcmetrics.ch
Please send requests and enquiries in connection with the processing of data in writing, enclosing a copy of your identity card or passport, to the data protection advisor of the controller in accordance with Art. 10 FADP and 25 et seq. GDPR and, insofar as the GDPR applies, in accordance with Art. 15 GDPR:
PPCmetrics AG
Data protection advisor
Badenerstrasse 6
P.O. Box
CH-8021 Zurich
Email: dataprotection@ppcmetrics.ch
We endeavour to respond to data protection requests within 30 days of receipt. We will not charge a fee for processing your enquiry unless it is clearly unfounded or disproportionate. We may not be able to fulfil your request in full or at all for other conflicting legal reasons (Art. 26 FADP), which we will explain in the information request.
What personal data do we process?
We process various categories of data about you in connection with current and possibly also previous information if details change (e.g. change of address). The most important categories are communication data, master data, contract data, financial data or peripheral data when using our electronic infrastructure (e.g. log data).
We only process particularly sensitive personal data in exceptional cases and only with the consent of the data subject, unless the data was transferred to us indirectly and for legitimate purposes, such as in the context of contract fulfilment or to fulfil legal obligations.
Examples of particularly sensitive personal data that we may receive include
- Personal identification documents that may provide information about race, ethnic origin or religious beliefs
- Information about the health of individuals
- Financial documents, bank statements, tax documents
- Documents that provide information about trade union memberships, political views, criminal offences or criminal convictions
- Food preferences when registering for events that provide information about religious beliefs or health status
Where does the personal data come from?
You provide us with personal data yourself, i.e. we generally collect it directly from you (e.g. as part of communication or the processing of contracts).
We also collect personal data that we receive as part of our business relationship with our customers and the persons involved in this relationship, as well as from our customers’ business partners, or personal data that we receive from users when operating our website, tools and applications.
To the extent permitted and if we have a need to do so, we also obtain data, including personal data, from publicly accessible sources (e.g. commercial registers, registers of supervisory authorities, media or the Internet).
If you transmit or disclose personal data and particularly sensitive personal data of other persons, e.g. colleagues, employees, work colleagues, insured persons, beneficiaries or family members, we assume that you are authorised to do so and that the data is correct. By transmitting the data, you confirm this. Please ensure that these third parties are aware of this privacy policy.
Why do we process personal data?
Business activity and operation
We process your data for the purposes explained below. Specific information for the website can be found at privacy-policy.
We use and process personal data for the initiation of business relationships, but primarily in order to conclude and professionally fulfil our contracts with our clients, business partners or suppliers; in particular as part of our advisory services in the areas of investment consulting and controlling, legal and actuarial consulting for our clients and for the purchase of products and services from our suppliers and service providers, as well as to comply with our legal obligations in Switzerland and abroad. If you work for such a client or business partner, you and your personal data may of course be affected by our data processing in this function.
In addition, we also process your personal data, where permitted and where we deem it appropriate, for the following purposes in which we have an overriding legitimate interest corresponding to the purpose (Art. 31 FADP):
- Processing for purposes related to communication with you, your employer, your colleagues or family members or with your business partners
- Processing to respond to enquiries, including project and quotation requests or to manage and process contractual relationships
- Processing for relationship management, to promote our professional services and offers to existing and potential customers (including the organisation of events), provided you have not objected to the use of your data. You have the right to object to the use of your personal data for marketing purposes by us at any time, in which case we will of course place you on a blacklist
- Processing as part of our internal processes and administration or for internal training and quality assurance purposes
- Processing for internal market observation purposes, to improve our services and processes and for product development
- Further development of our websites, apps and other platforms on which we are present
- Managing, maintaining, developing and ensuring the security and functionality of our information, access or backup systems, our websites, apps and other platforms
- As part of financial management (e.g. control of debtors and creditors), the prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analyses to combat fraud)
- To comply with legal requirements and instructions or recommendations from authorities (e.g. compliance, archiving), to assert legal claims and defence in connection with legal disputes and official proceedings
Job applications
When you apply for an open position at PPCmetrics AG or submit a spontaneous application, we process your data for the entire application process (‘recruiting’). We base this on your consent, i.e. on data that you provide to us voluntarily or on our legitimate interests.
For example, we use your contact details to arrange and carry out application appointments with you. We process your information and personal data from your application documents (such as work and degree certificates or diplomas). In addition to this absolutely necessary data, you have the option of providing us with additional information for the application process as part of application correspondence and interviews. We process and use this information and data solely for the purpose of assessing the application and making a decision. We only share it with people who are involved in the recruitment process, such as our HR staff or potential line managers. Your data will generally be deleted six months after the end of the application process. If you agree, your application documents may be stored in the PPCmetrics AG candidate pool for future vacancies. We will delete the data provided to us no later than twelve months after the end of the recruitment process.
If you are hired by us following the application process, the data will be processed for the recruitment process and for the further implementation of the employment relationship. Further details are regulated in the employment contract.
Other purposes
We may also process personal data for internal use for other purposes (e.g. organisational or administrative purposes) in the interests of efficient company management and modern corporate development. In doing so, we adhere to the data processing principles mentioned in the introduction and rely on our legitimate interest or legal obligation.
On what basis do we process your data?
Data processing as a private individual
If we are not acting as a federal body (see below), we process your personal data as a private individual (e.g. activities in the area of investment consulting or controlling). We adhere to the data processing principles mentioned in the introduction and rely on our legitimate interest or legal obligation.
Where we require your consent as the basis for processing your personal data, we will inform you separately and also about the corresponding purposes of the processing. You can withdraw your consent at any time (see ‘Right to withdraw consent’).
Data processing as a federal body in the context of occupational pension provision
As part of the implementation and monitoring of occupational benefit schemes based on the Federal Law on Old Age, Survivors‘ and Disability Benefit Plans (’BVG”) of 25 June 1982, PPCmetrics AG processes personal data and possibly particularly sensitive personal data, possibly as a federal body, namely as an expert in occupational benefit schemes in accordance with Art. 52e BVG.
The entire processing procedure from the collection, processing, storage to the destruction of the data is only carried out in accordance with the FADP, namely with the special provisions of the FADP on data processing by federal bodies (Art. 33ff. FADP) and the specific data protection provisions of the Federal Law on Occupational Retirement, Survivors’ and Disability Pension Plans (Art. 85a BVG), where provided for by law.
Where applicable, this Privacy Policy also applies.
Right to withdraw consent
If you have given us your consent to process your personal data for specific purposes because we require it and we have no other legal basis, we will process this data within the scope of this purpose and based on your consent. You can withdraw your consent at any time in writing (by post or, unless otherwise stated, by e‑mail to the data protection advisor (see ‘Controller and data protection advisor’), but this has no effect on data processing that has already taken place and its lawfulness. In the event of a cancellation, we may no longer be able to provide you with certain services, which we will point out in the event of an application.
Who do we disclose your personal data to?
All our employees are subject to the professional duty of confidentiality pursuant to Art. 62 FADP and, insofar as they are involved in the implementation and monitoring of the BVG, the duty of confidentiality pursuant to Art. 86 BVG.
We protect your personal data and do not sell it to third parties.
In principle, we only process and store your personal data in Switzerland. If we have to transfer your personal data abroad (e.g. to your place of residence abroad or to potential or existing business partners designated by you), this will only take place if you have given your prior consent (in accordance with Art. 17 para. 1 lit. a FADP) or if there are statutory exceptions (in accordance with Art. 17 para. 1 lit. b to f FADP).
We do not pass on your data to third parties (e.g. outsourcing), but where appropriate or necessary, we process it together with third parties or commission third parties to process your data (processors) to fulfil contractual or legal obligations, for example with suppliers, IT and other service providers (e.g. fiduciary, cloud services, DDoS security). These service providers are located in Germany and are contractually obliged by us to maintain confidentiality and secrecy and to comply with the data protection laws applicable to them. Furthermore, they are obliged to process the data only for the purposes specified by us.
If we use foreign service providers, the same requirements apply to them as to our service providers in Switzerland and, if adequate data protection is not guaranteed in their country from a Swiss perspective, we oblige them to sign sufficient contractual guarantees based on the EU standard contractual clauses or the FDPIC.
We may also pass on data to research institutions and researchers for scientific research and statistical purposes. In this case, we ensure that the data is anonymised or pseudonymised.
How long do we process your data?
We process and store your personal data for as long as is necessary for the fulfilment of our contractual and legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, processing to the termination of a contract) and beyond in accordance with the statutory retention and documentation obligations. We may also retain personal data for the period during which claims can be asserted against PPCmetrics AG (i.e. in particular during the statutory limitation period) and insofar as we are otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised as far as possible. Shorter retention periods of twelve months or less generally apply to operational data (e.g. system protocols, logs).
How do we protect your data?
The security of our company and customer data is of central importance to us. We take appropriate technical and organisational security precautions to protect your personal data from unauthorised access, loss, unintentional disclosure and alteration or misuse. These include a state-of-the-art IT infrastructure with appropriate network security solutions, regular external security audits for the early detection of potential vulnerabilities, internal data protection instructions and access controls and restrictions.
Our digital communication, like all digital communication, is subject to mass surveillance without cause or suspicion and other surveillance by security authorities in Switzerland, the rest of Europe, the USA and other countries. We cannot directly influence the corresponding processing of personal data by intelligence services, police forces or other security authorities.
Profiling and automated individual decisions
In principle, we do not use automated processing of personal data (‘automated individual decisions’ as defined in Art. 4 GDPR or Art. 22 GDPR) for the establishment and implementation of the business relationship or otherwise, nor do we engage in profiling (Art. 5 FADP or Art. 22 GDPR). If we use such procedures in individual cases, we will inform you of this separately if this is required by law and inform you of the associated rights.
Legal basis for data processing in accordance with the GDPR
Insofar as the GDPR is applicable, we base our data processing (Art. 6 et seq. GDPR) either on your consent or, as described below, on our overriding legitimate interest or legal obligation. E.G:
- Offering our services, initiating a business relationship, contract processing, customer support incl. correspondence
- Ensuring a secure organisation and maintaining business operations, efficient company organisation and further development of our systems and customer relationship, data security, protection against unauthorised use and combating fraud, archiving of data
- Processing in fulfilment of a legal obligation or, in the case of processing as part of the performance of public duties (see ‘Data processing as a federal body in the context of occupational pensions’)
- Enforcement of own legal claims and compliance with Swiss law
Reference to your rights
You have rights under the FADP and other applicable data protection laws (including, where applicable, the GDPR) in relation to personal data that we collect about you and that we process.
You have the right to request information from us at any time about the personal data we have stored about you (Art. 25 FADP) and, insofar as the GDPR applies, in accordance with Art. 15 GDPR. In addition, you have a legal right (Art. 6 and Art. 32 FADP, Art. 16 et seq. GDPR) to rectification, blocking and erasure of your personal data, a right to object to the processing of personal data, to prohibit such processing or to request a confirmation notice (Art. 32 para. 3 FADP). If our processing is based on your consent, you also have the right to withdraw your consent to the processing of your data at any time (see ‘Right to withdraw consent’).
Furthermore, under the conditions of Art. 28 FADP, and insofar as the GDPR applies, you can request data transfer to another controller or a copy of your personal data in electronic form to yourself at any time (so-called data portability).
Please note that exceptions or restrictions apply to these rights. In particular, we may still need to process and store your personal data in order to fulfil a contract with you, to protect our own legitimate interests such as the assertion, exercise or defence of legal claims, or to comply with legal obligations. To the extent permitted by law, in particular to protect the rights and freedoms of other data subjects and to protect our legitimate interests (e.g. confidentiality and security interests as well as the consideration of our operational resources and possibilities), we can therefore also reject your data protection-related requests, e.g. requests for information and deletion, or only comply with them to a limited extent. However, you have the right to lodge a complaint with a competent supervisory authority (see ‘We are here for you if you have any questions!’).
How can this privacy policy be amended?
This privacy policy applies in addition to our contract with you. The version published on our website is deemed to be the valid version in each case.
We may amend this privacy policy unilaterally at any time in compliance with the legal requirements and framework conditions.
We are here for you if you have any questions!
If you have any questions about data protection or would like to request information about your data or the deletion of your data, including your personal data, please contact us by email at dataprotection@ppcmetrics.ch.
Supervisory authority:
To raise concerns about our handling of your data, you can also contact the relevant data protection supervisory authority and lodge a complaint. We recommend that you first contact PPCmetrics AG’s Data Protection Advisor (see ‘Data Controller and Data Protection Advisor’).
For Switzerland:
Federal Data Protection and
Commissioner for Data Protection and Freedom of Information (FDPIC)
Feldeggweg 1
CH-3003 Bern
If you are located in the EEA or the United Kingdom, you also have the right to lodge a complaint with the data protection supervisory authority in your country.
The above text is an automatic translation by deepl.com — the german version is legally binding.