PICS - Switzerland
Personal Information Collection Statement (PICS)
This Personal Information Collection Statement ("PICS") describes how IPG Howden Asia Holdings, Ltd. ("IPG Howden") and its subsidiaries (together referred to hereinafter as the "Company"), process your personal data, in particular within the meaning of the EU General Data Protection Regulation ("GDPR") and the Swiss Federal Act on Data Protection ("SFADP"). The specific Company with which you are in contact acts as the individual controller of your personal data (also referred to as "Data Controller"). The contact information of the relevant Company acting as Data Controller of your personal data is set out under section 10 below. As a general rule: If you are a resident in the European Union, the references to the GDPR apply. If you are a resident in Switzerland, the references to the SFADP apply.
The Company recognizes its responsibilities in relation to the collection, holding, processing, use and/or transfer of personal data. Personal data will be collected only for lawful and relevant purposes and all practicable steps will be taken to ensure that personal data held by the Company is accurate. The Company will take all practicable steps to ensure security of the personal data and to avoid unauthorised or accidental access, erasure or other use.
In order to provide you with our insurance brokerage services and other services set out in the "Purpose" section below, we may collect personal data directly from you or from other third parties. Please note that if you do not provide us with your personal data, we may not be able to provide the information, products or services you need or process your request.
Purpose: From time to time it is necessary for the Company to collect your personal data which may be used, stored, processed, transferred, disclosed or shared by us for purposes (“Purposes”), including:
- providing insurance brokerage services to you, including assessing and evaluating your needs on insurance, wealth management, estate planning, business planning, or other financial matters;
- advising or acting for you on matters relating to insurance, wealth management, estate planning, business or financing planning, or arranging insurance contracts on your behalf;
- preparing for you any applications for insurance products/services. This will entail providing your personal data to insurance carriers for the purpose of obtaining life cover;
- providing subsequent services to you, including but not limited to conducting face-to-face meetings or phone discussions for the purposes of reviewing and administering; any purposes in connection with any claims made by or against or otherwise involving you in respect of any products/services you have purchased, including investigation of claims;
- any other purposes in connection with the provision of our brokerage services;
- designing products/services for customers;
- conducting market research for statistical or other purposes;
- matching any data held which relates to you from time to time for any of the purposes listed herein;
- making disclosures as required by any applicable law, rules, regulations, codes of practice or guidelines or to assist in law enforcement purposes, investigations by police or other government, regulatory or tax authorities worldwide;
- conducting identity checks;
- complying with the laws of any applicable jurisdiction;
- carrying out other services in connection with the operation of the Company’s business; and
- other purposes directly relating to any of the above.
Legal basis: The legal basis for the processing of such personal data is Art. 6 par. 1 lit. b GDPR or the overriding private or public interest according to Art. 6 par. 1 lit. f GDPR (respectively in both cases in accordance with Art. 13 par. 1 and 2 SFADP), and, by signing the Client Referral Letter, in addition your consent in accordance with Art. 6 par. 1 lit. a GDPR respectively Art. 13 par. 1 SFADP, which we generally use as a fallback position in case no other legal basis is given.
The legal basis for processing of Special Categories of Personal Data and Sensitive Personal Data, respectively (for further information see below "Processing of Special Categories of Personal Data" and "Sensitive Personal Data"), is Art. 9 par. 1 lit. g GDPR for reason of substantial public interest on the basis of EU or Member State law (respectively in accordance with Art. 13 par. 1 and 2 SFADP), and, by signing the Client Referral Letter, in addition your consent in accordance with Art. 9 par. 2 lit. a GDPR as well as Art. 10 GDPR respectively Art. 13 par. 1 SFADP.
The legal basis for data transfers abroad as well as the use of your data for own purposes by third parties is your consent, Art. 6 para. 1 lit. a GDPR as well as art. 49 para. 1 lit. a GDPR respectively Art. 13 par. 1 and Art. 6 par. 2 lit. b SFADP (see below). Please note that under certain circumstances we may rely in addition/alternatively to your consent on another legal ground for an international data transfer.
The legal basis for marketing is your consent, Art. 6 par. 1 lit. a GDPR respectively Art. 13 par. 1 SFADP (see below).
Transfer of Personal Data: The customer is expressly informed that the data which is transferred abroad by the Company is no longer protected by Swiss respectively European law. Your data may be subject to foreign law offering a lower level of protection. Foreign laws and official orders may require the disclosure of such data to authorities or other third parties. Therefore, your personal data will be kept confidential, but your data will be subject to the provisions of any applicable law. In this regard, you consent to the transfer of your data in accordance with Art. 6 para. 1 lit. a GDPR as well as art. 49 para. 1 lit. a GDPR respectively Art. 13 par. 1 and Art. 6 par. 2 lit. b SFADP to the below listed categories of data recipients (please note that under certain circumstances we may rely in addition/alternatively to your consent on another legal ground):
- any of our affiliates, any person associated with the Company, insurance or any reinsurance company, claims investigation company, industry association or federation, or financial institution (such as banks) located worldwide;
- any agent, contractor or third party who provides administrative, technology or other services (including direct marketing services) to the Company and/or our affiliates and who has a duty of confidentiality to the same located worldwide;
- any actual or proposed assignee, transferee, participant or sub-participant of our rights or business located worldwide; and
- any government department or other appropriate governmental or regulatory authority worldwide.
Use and provision of personal data in direct marketing: the transfer of your personal data for marketing purposes will only be made for one or more of the purposes specified below.
The Company and/or its affiliates intend(s) to:
- offer, provide and market to you, insurance products/services of local or offshore insurance companies or other insurance service providers;
- use your name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data held by the Company from time to time for direct marketing and the purpose of providing additional insurance advisory activities;
- provide your personal data to insurance carriers and/or re-insurers for the purpose of obtaining life cover;
- provide information regarding your insurance policy and/or application to a financial institution for the purpose of obtaining financing;
- provide your personal data to insurance carriers and/or reinsurers for the purpose of obtaining additional life cover as well as health, wellness, annuity and other insurance products;
- provide information regarding your insurance policy to the policy’s owner which may be you or an affiliated entity as instructed by you; and
- use your data to provide “after-sales” services including face-to-face meetings and phone discussions for the purpose of advising, reviewing and administering your policy(ies).
The legal basis for the processing of such personal data is your consent in accordance with Art. 6 par. 1 lit. a GDPR respectively Art. 13 par. 1 SFADP.
Processing of Special Categories of Personal Data and Sensitive Personal Data: the Company may collect from you or receive from other third parties (such as background and reference checks service providers), special categories of personal data or sensitive personal data, respectively, for purposes of identity verification and underwriting. "Special Categories" of personal data are personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person (Art. 9 par. 1 GDPR and Art. 10 GDPR). "Sensitive Personal Data" are personal data on religious, ideological, political or trade union-related views or activities, health, the intimate sphere or the racial origin, social security measures, administrative or criminal proceedings and sanctions (Art. 3 lit. c SFADP).
We process the following categories of special categories of personal data respectively sensitive personal data:
- Criminal record
- Political affiliation or opinions
- Health
- Sex Life including genetic data and biometric data
Data that is transferred to third parties for the above-mentioned purposes: the customer is hereby explicitly informed that data, once transmitted to some third parties, such as insurance companies, background/reference check service providers, etc., that are located worldwide, may be outside of the control of the Company. These third parties may use your data for their own purposes. You must contact these third parties directly if you do not agree to the use of your data.
By signing the Client Referral Letter, you are aware of this fact and agree to the worldwide transfer to the third parties in accordance with the above section "Transfer of Personal Data", points 1 to 4, by the Company and the use of the data for own purposes by third parties as described above.
By signing the Client Referral Letter, you moreover acknowledge and agree to the usage of your data for the purposes set out above.
Right of withdrawal of the data protection declaration of consent: You may in the future withdraw your consent to the processing and disclosure of your personal data at any time. The withdrawal of consent does not affect the lawfulness of the processing activities carried out upon consent until the withdrawal. Please note that for certain data processing we use the consent as a fallback. In case there is an alternative legal ground, we might continue to use your personal data based on this alternative legal ground.
If you wish to withdraw your consent, please inform us in writing to the address in the section “Data Controller” (section 10). The Company shall ensure that no further data processing is undertaken by the Company for which your consent is necessary.
Additional information with respect to your rights: As a person concerned, you might be entitled to the following rights towards the Data Controller - your specific rights and the scope of such rights depend on the laws applicable to your case:
1. Right to Information
You have the right to request from the Data Controller whether the Data Controller (i.e. the relevant Company) processes your personal data.
In the event of such processing, you may depending on applicable law request the following information from the Data Controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of the storage of the personal data concerning you or, if it is not possible to give specific details, criteria for determining the duration of storage;
(5) the existence of a right of rectification or erasure of personal data concerning you, a right to have the processing limited by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) any available information as to the origin of the data, if the personal data are not collected from the person concerned;
(8) the existence of automated decision-making, including profiling, in accordance with Art. 22 paras. 2 and 4 GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing on the data subject.
2. Right of Rectification
You have the right to ask the Data Controller to correct and/or complete any data that is inaccurate or incomplete. The Data Controller must correct the data without delay.
3. Right to Restriction of Processing
Under the following conditions, you may request the restriction of the processing of personal data concerning you:
(1) if you dispute the accuracy of the personal data concerning you for a period of time which enables the controller to verify the accuracy of the personal data;
(2) if the processing is unlawful and you object to the deletion of the personal data and instead request the restriction of the use of the personal data;
(3) if the Data Controller no longer needs the personal data for the purposes of the processing, but you need it for the purpose of asserting, exercising or defending legal claims; or
(4) if you have lodged an objection to the processing in accordance with Art. 21 par. 1 GDPR and it has not yet been established whether the legitimate reasons of the Data Controller outweigh your reasons.
If the processing of personal data relating to you has been restricted, such data - apart from being stored - may be processed only with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.
If the processing has been restricted in accordance with the above conditions, you will be informed by the Data Controller before the restriction is lifted.
4. Right to Erasure ("Right to be Forgotten")
You have the right to obtain from the Data Controller the erasure of personal data without undue delay and the controller is obliged to erase your personal data without undue delay where one of the following reasons applies:
(1) if your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) if you withdraw consent on which the processing is based according to Art. 6 par. 1 lit. a or Art. 9 par. 2 lit. a GDPR, and where there is no other legal ground for the processing;
(3) if you object to the processing according to Art. 21 par. 1 GDPR and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing according to Art. 21 par. 2 GDPR;
(4) if your personal data have been unlawfully processed;
(5) the personal data have to be erased for compliance with a legal obligation in the European Union or member state law to which the controller is subject;
(6) the personal data have been collected in relation to the offer of information society services referred to in Art. 8 par. 1 GDPR.
Where the Data Controller has made your personal data public and is obliged pursuant to Art. 17 par. 1 GDPR to erase your personal data, the controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Exceptions: the right to erase does not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by the European Union or member state law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 par. 2 lit. h and i GDPR as well as Art. 9 par. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 par. 1 GDPR in so far as the right to erase referred to above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Notification Obligation regarding Rectification or Erasure of Personal Data or Restriction of Processing
If you have asserted the right to rectification, erasure or restriction of processing towards the Data Controller, the Data Controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort.
The Data Controller is obliged to inform you about those recipients upon your request.
6. Right to Data Portability
You may have the right to receive the personal data concerning you that you have provided to the Data Controller in a structured, common and machine-readable format. You may also have the right to have this data communicated to another person in charge without interference from the person in charge to whom the personal data has been communicated, provided that:
(1) the processing is based on a consent pursuant to Art. 6 par. 1 lit. a GDPR or Art. 9 par. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 letter b GDPR; and
(2) the processing is executed by means of automated procedures.
In exercising this right, you may also have the right to obtain that the personal data concerning you be transferred directly from one Data Controller to another Data Controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data transferability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
7. Right to Object
You may have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 par. 1 lit. e and f GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate reasons for the processing that override the interests, rights and freedoms of you or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC of the European Union, you may exercise your right to object by automated means using technical specifications.
8. Automated Individual Decision-Making, including Profiling
You may have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This shall not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between the data subject and a Data Controller;
(2) is authorized by Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(3) is based on the data subject’s explicit consent.
However, decisions shall not be based on special categories of personal data referred to in Art. 9 par. 1 GDPR, unless Art. 9 par. 2 lit. a or g GDPR applies and appropriate measures to safeguard the rights and freedoms and legitimate interests are in place.
With regard to the cases mentioned in (1) and (3), the Data Controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Data Controller, to express your view and to contest the decision.
9. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you may have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. However, to avoid misunderstandings, you do not have such right under the SFADP.
The supervisory authority with which the complaint has been lodged has to inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
10. Data Controller
The Data Controller is the specific Company with which you are in contact (see the beginning of the PICS). The Data Controller is responsible for the processing of your personal data and has appointed a data protection officer in terms of the GDPR, the SFADP, other national data protection laws of the member states and other data protection regulations. The Data Controller of your personal data is listed below together with the data protection officer that is appointed by your Data Controller:
Data Privacy Officer
International Planning Group GmbH
Bodmerstrasse 9
CH-8002 Zurich
Switzerland
Email: ComplianceZurich@ipghowden.com
Where your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may depending on the applicable law:
(1) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(2) refuse to act on the request.
11. Retention Periods for your personal data
The Company processes and retains your personal data as long as required for the performance of the contractual obligation and compliance with legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. Personal data may be retained for the period during which claims can be asserted against the Company or insofar as the Company is otherwise legally obliged to do so or if legitimate business interests require further retention (e.g., for evidence and documentation purposes). As soon as your personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymized, to the extent possible.