Data privacy

1 September 2023

Based on Article 13 of the Swiss Federal Constitution and the Federal Act on Data Protection (FADP), every person has the right to privacy and to protection against misuse of their personal data. We comply with these regulations and treat personal data with strict confidentiality. Personal data is neither sold nor passed on to third parties. In close cooperation with our hosting providers, we strive to protect the databases as far as possible from unauthorised access, loss, misuse or forgery. When users access our websites, the following data is stored in log files: IP address, date, time, browser request and generally transmitted information on the operating system or browser. This user data serves as the basis for statistical, anonymous evaluations which allow us to identify trends and improve our services accordingly.

If you have any questions or feedback regarding data protection or the processing of your personal data, please contact the Hitachi Occupational pension’s data protection advisor at the following contact details:

PricewaterhouseCoopers AG
Birchstrasse 160
8050 Zurich

Ref: Data privacy/Hitachi PF or Data privacy/Hitachi SIP
E-mail: ch_privacy@pwc.ch

2     Data protection in general

2.1        Personal data processed by us

Hitachi PF processes a variety of personal data regardless of the means by which individuals contact us, e.g., by telephone, via a website, an application, a social network, at an event, etc. In particular, this involves personal data

  • that we collect in connection with our business activities in mandatory, supplementary or voluntary pension provision from members and their dependants (e.g. current and former spouses, life partners, parents, children, and other beneficiaries), authorised representatives (e.g. legal representatives), future members, interested parties, service providers, or from other persons involved in the course of business activities;
  • that we collect from former, current or future employers or their contacts; from the employers’ family members and their employees;
  • that we collect from members of our bodies;
  • that we collect during the use of our websites;
  • that we collect from visitors to our offices;
  • that we collect when you contact us via e-mail / contact form / quote form / other forms or newsletters;
  • that we receive in the context of an authorisation;
  • that we collect from applicants for employment;
  • that we are legally or contractually obliged to collect;
  • that we collect from authorities and other third parties (medical examiners, social security institutions and private insurance companies, other employee and vested benefits institutions, suppliers and partners).

Depending on the nature of the relationship, we process personal data from you such as:

  • Contact data, inventory data and identification data, for example, surname, first name, address, e-mail address, telephone number;
  • Personal details such as date of birth, gender, nationality, place of birth, place of origin, residence status, marital status, details from identification data (e.g. passport or ID), beneficiaries, language, data on dependants, health data, family certificate, birth certificate, educational certificates, insurance number and social security number, contract number, any details on previous employee or vested benefits institutions;
  • Details in connection with the processing of benefit claims: Notification of a benefit claim, information on the cause of the benefit claim (e.g. accident, illness, date of the incident, etc.) and other information related to the verification and assessment of the benefit claim (e.g. highly sensitive personal data, information on persons involved and on third parties such as insurance companies, etc.), information on termination benefits and other benefit claims;
  • Information on third parties, in particular information on family members;
  • Contract data such as contract type, contract content, type of products and services, forecast data, applicable terms and conditions, contract start date, contract term, invoice data and details regarding other insurance policies;
  • Financial and employment data such as salary data, account information, payment information, payment history, credit standing, income, purchasing power, employment status, employment type, capacity for work;
  • Marginal data from telecommunications traffic such as telephone number, value-added service codes, date, time and duration of connection, type of connection, location data, IP address, and device identification numbers such as MAC address;
  • Interaction and usage data such as correspondence, preferences and target group information, type of device, device settings, operating system, software, and information from assertion of rights;
  • Documents and specific information for applications for employment: such as letter of motivation, resume and photo, job references, diplomas, educational certificates, third party references, interview notes.

If you provide us with personal data on third parties (e.g. family members, colleagues), we assume that these data are correct and that you are authorised to do so. We ask you to inform these third parties accordingly and to hand over this data protection declaration to them.

2.2        How do we obtain personal data?

2.2.1 Personal data that you disclose to us

We obtain personal data from you when you submit data to us or when you contact us. This may occur through various channels, such as the online portal for members, by which you communicate with us (e.g. e-mail, letters, phone, fax, etc.) or through your use of our website (e.g. IP address, date and time stamp, the web browser and operating system you use, language and version of browser software, etc.) or other services which we offer as part of our business activities.

2.2.2 Personal data that we collect from third parties

We collect personal data in connection with the provision of occupational benefits in accordance with the relevant statutory provisions. In addition, we collect personal data from third parties with whom we collaborate to be able to carry out business activities within the scope of the provision of occupational benefits and other services. We also collect personal data from published sources.

We collect personal data from the following third parties, for example:

  • employers;
  • persons associated with you (e.g. family members, legal representatives, etc.);
  • medical experts, physicians and other service providers who make inquiries about your health;
  • private insurance companies and social security institutions, other employee and vested benefits institutions;
  • banks and other service providers involved in the provision of occupational benefits (e.g. brokers, reinsurance companies, etc.);
  • credit agencies;
  • authorities, courts, political parties and other third parties, in connection with administrative and judicial proceedings;
  • Swiss Post, for address updates;
  • other service providers;
  • public registers (commercial register, debt collection register, etc.).

2.3        Purposes for which we process personal data

2.3.1 Provision of occupational benefits

Within the scope of the provision of occupational benefits, we process the data of active members that are provided to us by the employer as part of the entry process to ensure that all active members are duly registered and insured in accordance with the occupational benefits regulations. The data collected are processed to guarantee that contributions are calculated correctly and that active members receive the benefits to which they are entitled if a benefit claim arises or in the event of disability. In addition, the processing of personal data of Hitachi PF’s active members is necessary for the effective administration of insurance contracts, including the processing of payouts and communication with employees or your employer.

2.3.2 Other purposes

Moreover, we process your personal data and those from other persons, to the extent permitted and deemed appropriate, for the following purposes, in which we (and sometimes third parties) have a legitimate interest corresponding to the purpose:

  • provision and optimisation of our services as well as our website and other platforms on which we are present;
  • communication and processing of requests (e.g. via contact forms, e-mail, telephone or media requests);
  • advertising and marketing (including the hosting of events), insofar as you have consented to the use of your data (if you receive advertising from us as an existing customer, you may object to this advertising at any time. In this case we will put you on a blocking list to stop further advertising mailings);
  • market research, media monitoring;
  • assertion of legal claims and defence in connection with legal disputes and official proceedings;
  • any transactions under company law affecting the Hitachi PF and the associated transfer of personal data;
  • prevention and investigation of criminal offences and other malpractice (e.g. conducting internal investigations, data analyses to combat fraud);
  • compliance with legal and regulatory obligations as well as Hitachi PF’s internal regulations;
  • warranties concerning our operations, in particular IT, our website and other platforms.

2.4        Legal basis of the processing

2.4.1 Mandatory occupational pension provision

In the context of mandatory occupational benefits provision, we generally process your personal data based on compliance with applicable laws, in particular:

  • the Swiss Federal Law on the Occupational Retirement, Survivors’ and Disability Benefit Plans (BVG);
  • the Swiss Federal Law on Vested Benefits in Occupational Old-Age, Survivors’ and Disability Benefit Plans (FZG);

as well as the associated ordinances. As a federal body, we process your personal data in this context within the scope of our statutory processing powers (e.g. Art. 85a ff. BVG).

2.4.2 Supplementary pension provision and other contexts

In the context of supplementary pension provision as well as other non-mandatory contexts, we process your data based on:

  • consent, to the extent you have given it to us, to process your personal data for specific purposes. We process your personal data within the scope of and based on this consent where we require such a legal basis in the absence of any other legal basis. Consent given can be revoked at any time, however this has no effect on data processing that has already taken place. You can send us a revocation by e-mail or by post to the (e-mail) address indicated in section 1.1. In addition, you may to revoke your consent at any time via the Hitachi PF online portal.
  • the conclusion or performance of a contract with your employer (affiliation agreement for the provision of occupational benefits),
  • the conclusion or performance of a contract with you or your request to do so (in the case of home financing contracts, for example),
  • an overriding interest (for example, to guarantee information security or data protection or to perform tasks in the public interest); however, in this case you may have the right to object,
  • a legal obligation (for example, in the case of documents or information that must be retained for a specific period of time).

3     Data protection in particular: Provision of occupational benefits

As part of the entry process, in response to a corresponding entry notification from your employer, we collect your personal data when you are admitted to the Hitachi PF as a member (hereinafter “active member”). Starting from the moment you receive a pension from us (e.g. retirement pension, disability pension, etc.), your status changes to “pension recipient”.

3.1        Personal data processed within the context of the provision of insurance services by the Hitachi PF

The personal data processed by us within the context of the provision of occupational benefits include in particular:

  • Your master data (e.g. name, address, contact details, age, gender, marital status and, if applicable, date of marriage or divorce or date of registration or dissolution of partnership, insurance number, details of previous employee or vested benefits institutions, if applicable, and, within the scope of the statutory provisions, the AHV number),
  • Health data, which are submitted to us via the entry notification from your employer, as supplementary information from active members, in response to questions on the insured risk, as disclosures from third parties within the scope of a possible in-depth health check (in particular physicians, other specialists, experts, previous employee benefits institutions, insurance companies / social security institutions, etc.),
  • Information on third parties, insofar as they are also affected by the data processing (e.g. relatives (children) or beneficiaries),
  • Data on your employment or the respective contact person (e.g. company, name and address, function in the company, and, in particular, salary data and degree of employment),
  • Contract data, case data and data with regard to benefit claims that arise in connection with a possible or actual affiliation agreement or its termination, the admission of new members into the occupational benefits scheme or the performance of a contract. These also include, for example, information provided in connection with benefit claims (e.g. notification of the benefit claim, claim number, cause) or other benefits (e.g. payment of the termination benefit) as well as health data (e.g. onset of incapacity for work or death),
  • Financial data (e.g. income, buy-ins into occupational benefits and payment of termination benefits, divorce payments, EHO advance withdrawals and pensions, financial data of beneficiaries such as surviving spouses / registered partners and bank details).

These data are submitted to us via the entry notification from your employer, as supplementary information from active members, in response to questions on the insured risk, as disclosures from third parties within the scope of a possible in-depth health check (in particular physicians, other specialists, experts, previous employee benefits institutions, insurance companies / social security institutions, etc.).

3.2        Purpose of the processing of personal data within the context of the provision of insurance services

We process your personal data for the purpose of providing occupational benefits. In more detail, the following purposes are included:

  • conclusion and processing of an affiliation agreement with your employer,
  • admission of new members and maintaining one or more pension plan capital accounts for which we process, in particular, information on contributions, buy-ins, retirement assets and payouts,
  • verification and processing of benefit claims (retirement, disability, death) and, if applicable, payment of benefits.

4     Disclosure and transfer of personal data to third parties

If your personal data are not processed by us but by processors, we ensure full compliance with the legal requirements. As a rule, data are disclosed to third parties only:

  • if the disclosure is necessary for the provision of occupational benefits or the provision of other services by us,
  • if the disclosure is necessary for the contractual arrangement with you,
  • if the disclosure is permissible due to a balancing of interests,
  • if the disclosure is necessary due to legal obligations, or
  • with your explicit consent.

Within the scope of our business activities and for the above-mentioned purposes, we also disclose personal data to third parties, insofar as this is permitted and appropriate. This is the case either if such parties process the data for us (processing) or if they want to use it for their own purposes (data disclosure). This applies in particular to (all hereinafter referred to as “Recipients”):

  • employers (affiliated companies; however, no information about your health, your retirement assets or individual transactions such as buy-ins or advance withdrawals will be disclosed);
  • service providers who take over the management of the employee benefits institution as well as the technical administration and asset management on our behalf;
  • other service providers, including processors (such as external administrators or IT providers) for the processing and storage of your data, sending and receiving e-mails, offering and developing certain functions in connection with our website, as well as for research, analysis, maintenance and security in connection with our website;
  • our auditors;
  • occupational benefits experts;
  • medical experts, physicians and other service providers;
  • pension fund committees and guarantee fund;
  • advisors, such as lawyers;
  • business partners (e.g. brokers and distributors), logistics partners, credit agencies, debt collection agencies;
  • authorities (supervisory and tax authorities);
  • other social security institutions (e.g. AHV or other employee benefits institutions);
  • insurance companies (e.g. for the reinsurance of risks);
  • government offices and courts.

5     Duration of data processing

We process personal data for as long as it is necessary for the fulfilment of our contractual obligations or for other purposes pursued with the processing, often for the duration of the entire business relationship (from the initiation, to the processing and termination of a contract) and beyond in accordance with the statutory retention and documentation obligations. In this context, it is possible that personal data will be retained for the time during which claims can be asserted against us or we are otherwise legally obligated to do so, or as long as is necessary due to legitimate interests (e.g. for evidence and documentation purposes). As soon as your personal data are no longer required for the above-mentioned purposes, they will, as a principle, be deleted or anonymised.

6     Transmission of personal data abroad

Personal data are processed exclusively in Switzerland. An exception is the disclosure of personal data in the context of the provision of benefits in the event of a benefit claim by a person insured by us (payment of occupational benefits to members living abroad) or when we use IT services for which the transmission of personal data abroad is unavoidable.

Where we transmit personal data to a country without an adequate level of data protection, we safeguard the protection of these data in an adequate manner. One means of guaranteeing sufficient data protection is the conclusion of data transfer agreements with the recipients of your personal data in third countries that ensure the necessary data protection. This may include, for example, contracts approved, issued or recognised by the European Commission and the Federal Data Protection and Information Commissioner, so-called standard contractual clauses, which are available here. Please note that such contractual arrangements can partially compensate for weaker or missing legal protection, but cannot completely exclude all risks (e.g. from government access abroad). In exceptional cases, the transfer to countries without adequate protection may also be permitted in other cases, e.g. based on consent, in connection with legal proceedings abroad or if the transmission is necessary for the performance of a contract.

7     Data security

To protect your personal data against unauthorised access, tampering, loss, destruction or disclosure by unauthorised persons, we have taken technical and organisational security measures that are state of the art.

Our security mechanisms include, among others, encryption of your personal data. All information that you enter online, for example, is transmitted via an encrypted transmission path, which means that this information cannot be viewed by unauthorised third parties at any time. Organisational security measures include, for example, directives to our bodies, confidentiality agreements and regular monitoring. In addition, we require our processors to take appropriate technical and organisational security measures.

With the support of external experts, we continuously improve our security measures in line with the latest technological developments.

Our bodies and external providers are subject to strict confidentiality and are obliged to comply with the provisions of data protection law. Furthermore, external providers are granted access to your personal data only to the extent necessary.

8     Your rights

You have the right

Please note that we reserve the right to enforce the restrictions provided for by law, for example if we are obliged to retain or process certain data, have an overriding interest in doing so (insofar as we are entitled to invoke such overriding interest), or require certain data for the assertion of claims.

If you believe that the processing of your personal data breaches data protection law, or that your data protection rights have been breached in any other way, you may also complain to the competent supervisory authority. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC; https://www.edoeb.admin.ch/edoeb/en/home.html).

The exercise of your rights under data protection law generally requires that you prove your identity (e.g. by means of a copy of your ID card, if your identity is not otherwise ascertained or cannot be verified). To assert your rights, please contact us by e-mail at the e-mail address specified in section 1.1.

9     Amendments to this Privacy Policy

This Privacy Policy may be amended at any time, in particular to incorporate any changes to our data processing practices or any new legal requirements. In general, the version current at the start of the processing in question shall apply to the data processing in each case.