Privacy Policy

1. Contact addresses

Controller for processing personal data:

Bank CIC (Switzerland) Ltd.
IT Security + Data Protection
Marktplatz 13
P.O. Box
4001 Basel

Contact form

Please note that other controllers may be responsible for processing personal data in individual cases. For customers of the Vested Benefits Foundation of Bank CIC (Switzerland) Ltd. or Stiftung Sparen 3 of Bank CIC (Switzerland) Ltd., the foundation in question is the controller. The foundations may provide these data to third parties they have appointed, provided the disclosure is in connection with opening and/or maintaining a business relationship.

Data protection representative in the European Economic Area (EEA):

The contact details of our data protection representative pursuant to Article 27 GDPR are shown below. The data protection representative acts as an additional point of contact for supervisory bodies and data subjects in the European Union (EU) and the rest of the European Economic Area (EEA) for queries relating to the General Data Protection Regulation (GDPR):

Groupe Crédit Mutuel Alliance Fédérale

THE DATA PROTECTION OFFICER

63 chemin Antoine Pardon

69814 TASSIN CEDEX

2. Definitions and basis in law

2.1. Definitions

Personal data means any information relating to an identified or identifiable natural person. A data subject is a person about whom personal data are processed.

Processing means any operation which is performed on personal data, regardless of the means and procedures used, in particular storing, disclosing, obtaining, collecting, deleting, saving, altering, deleting and using personal data.

2.2. Basis in law

We process personal data in compliance with Swiss data protection legislation, specifically the Data Protection Act  (DPA) and the Data Protection Ordinance (DPO).

3. Nature, scope and purpose

We process personal data which are necessary to allow us to carry out our activities and operations securely and reliably in a user-friendly manner on a permanent basis. This may in particular include data falling into the following categories: inventory data, contact data, browser and device data, content data, meta and usage data, location data, sales data and contract, payment, financial and asset data.

We process personal data for the period needed for the purpose(s) necessary or legally required. Personal data that no longer need to be processed are anonymised or erased.

We may arrange for personal data to be processed by third parties. We may process personal data jointly with third parties or transmit them to third parties. These third parties include in particular specialised providers whose services we use. We ensure these third parties also protect data.

We only process personal data with the consent of the data subject, unless this is permitted on other legal grounds. Processing without consent may for example be permissible to fulfil a contract with the data subject and for associated pre-contractual activities in order to protect our overriding legitimate interests, because processing is obvious in the circumstances or after giving notice.

Within this framework, we process in particular data that a data subject provides us with voluntarily or as required under banking regulations when making contact (e.g. by post, email, instant messaging, contact form, social media or telephone) or to open and maintain an account. We may for instance save this information in an address book, customer relationship management (CRM) system or similar tool. When data about other people are transmitted to us, those transmitting them are obliged to ensure data protection in respect of those persons and that the personal data are accurate.

We also process personal data we receive from third parties, obtain from publicly available sources or gather in the course of carrying out our activities and operations, provided and to the extent that such processing is lawful.

We process your data solely for the purposes of establishing, managing and processing contractual relationships, including processing transactions within the relationship and maintaining master data, for marketing and communications purposes, to maintain relationships, improve our services and firm, and for product development.

3.1. Other purposes of processing

We process data for security purposes and access control, e.g. to monitor, control, analyse and test our networks and IT infrastructure, for system and error checks, for documentation purposes and for backing up. Access controls include both access to electronic systems (e.g. logging in to user accounts) and physical access control (e.g. building access with entry records). We use monitoring systems (e.g. security cameras) for security purposes (both for preventive purposes and to investigate incidents). We have appropriate signs in the relevant locations drawing attention to our monitoring systems. We may retain recordings and records and forward these to the relevant agencies, especially judicial and criminal prosecution authorities, where legally required to do so, to enforce our own legal claims and in the event of suspected criminal activity.

We also process data for our own risk management purposes and as part of prudent management of the company. In addition, we process data for other purposes, e.g. as part of our internal procedures and administration or for training and quality assurance purposes.

4. Job applications

We process personal data about applicants where this is necessary to assess suitability for employment or to subsequently perform a contract of employment. The personal data required mainly come from the details requested, e.g. in a job advertisement. We also process personal data that applicants provide voluntarily or publish, in particular in letters, CVs, other application documents and online profiles.

5. Personal data abroad

In principle, we process personal data in Switzerland. However, we may also export/transmit personal data to other countries, especially to process them or have them processed there, where this is not subject to restrictions in other legislation such as the Banking Act.

We may disclose personal data in all countries and territories, provided the law in such places ensures appropriate protection of data in the opinion of the Federal Data Protection and Information Commissioner (FDPIC) or according to the ruling of the Swiss Fedral Council. This specifically applies to the following activities:

• Exchanging information with the parent company in France and other Group companies: information on the Group is available here: https://www.cic.ch/en/company-and-career/about-us/credit-mutuel-group.html. Group companies may use the data in accordance with banking legislation and regulatory provisions under this Privacy Policy for themselves for the same purposes as us.
• For IT security monitoring, where our Swiss partner uses its Group's infrastructure in Italy to analyse and deal with security incidents. This particularly relates to data such as IP addresses and user logins; data that allow direct identification are only processed in anonymised form.

We may disclose personal data in countries where the law does not ensure appropriate data protection, provided suitable data protection is ensured on other grounds, e.g. by contractual agreements to this effect, under standard data protection clauses or by other appropriate guarantees. In exceptional cases, we may export personal data to countries without appropriate or suitable data protection if the special conditions under data protection legislation are satisfied, e.g. the express consent of the data subject or a direct connection with entering into or processing a contract.

6. Rights of data subjects

6.1. Entitlements under data protection legislation

We grant data subjects all entitlements under applicable data protection legislation. Specifically, data subjects have the following rights:

• Information: Data subjects may request information as to whether we process personal data about them and, if so, what they are. Data subjects also receive the information necessary to assert their data protection rights under data protection legislation and to ensure transparency. This includes the processed personal data per se, and also amongst other things information on the purpose of processing, the retention period, any disclosure/export of data to other countries and the origin of the personal data.
• Rectification and restriction: Data subjects can insist inaccurate personal data be rectified and processing of their personal data restricted.
• Deletion and objection: Data subjects can insist personal data be deleted ("right to be forgotten") and object to their personal data being processed.
• Release and transfer of data: Data subjects can insist their personal data be released or transferred to another controller.

We may delay, restrict or refuse the exercise of rights by data subjects to the extent permitted in law. We may also refer data subjects to any conditions that must be satisfied to exercise their rights under data protection legislation. For example, we may refuse to provide information in whole or in part with reference to commercial secrecy or to protect other people. We may also, for example, refuse to delete personal data in whole or in part with reference to statutory retention periods.

In exceptional cases, we may impose costs to exercise rights. Data subjects will be notified in advance if any costs are due.

We are obliged to take appropriate action to identify data subjects who request information or seek to enforce other rights. Data subjects have a duty to cooperate.

6.2. Right to lodge a complaint

Data subjects have the right to take legal action to enforce their entitlements under data protection legislation or lodge a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for private-sector controllers and Federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

7. Data security

We take suitable technical and organisational measures to ensure data security appropriate to the level of risk. We are constantly reviewing and improving the appropriate security of our IT and other infrastructure; however, we are unable to offer any warranty of absolute data security.

Access to our website is by encrypted transmission (SSL/TLS, primarily using hypertext transfer protocol secure, or HTTPS for short).

Like all digital communication in principle, ours is subject to mass monitoring without cause or suspicion, as well as other monitoring by security agencies in Switzerland, the rest of Europe, the United States of America (USA) and other countries. We have no direct influence on the corresponding processing of personal data by secret services, police bodies or other security agencies.

8. Use of the website

8.1. Cookies

We may use cookies. Cookies – both our own (first-party cookies) and those of third parties whose services we use (third-party cookies) – are files saved in the browser. These saved files need not be restricted to traditional cookies in text form.

Cookies may be saved in the browser temporarily as "session cookies" or for a set period ("permanent cookies"). Session cookies are deleted automatically when the browser is closed. Permanent cookies are saved for a set period. Cookies make it possible to identify a browser the next time it visits our website, which means that we can measure the reach of the website, for example. Permanent cookies can also be used for online marketing, for instance.

Cookies can be partially or fully deactivated or deleted in the browser settings at any time. Without cookies, our website may not be available to the full extent. We actively ask for express consent to use cookies that are not technically necessary.

With cookies used to measure success or reach, or for advertising, many services offer a general opt-out via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

8.2. Server log files

Every time our website is accessed, we may record the following data if they can be transmitted from your browser to our server infrastructure or identified by our web server: date and time including time zone, internet protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-pages accessed on our website including volume of data transferred, last website accessed in the same browser window (referrer).

We save these data, which may be personal data, in server log files. The information is needed to enable us to provide our website reliably in a user-friendly manner on a permanent basis and in particular to ensure personal data are protected – including by third parties or with the assistance of third parties.

8.3. Tracking pixels

We may use tracking pixels on our website. These are also known as web beacons. Tracking pixels – including those of third parties whose services we use – are small, generally invisible images that are automatically triggered when someone visits our website. They can record the same data as in server log files. Third-party tracking pixels can be deactivated by rejecting non-essential cookies.

8.4. Comments

We make it possible for you to post comments in the blog section of our website. As part of this, we process the details a person making a comment transmits to us themselves, as well as the internet protocol (IP) address used and the date and time. This information is needed to enable comments to be posted and protect against misuse, which is in our overwhelming legitimate interest. Specifically, we use the following to make it possible for you to post comments:

• Disqus: Discussion platform for websites; provider: Disqus Inc. (USA); data protection details: Privacy Policy, Privacy Choices ("Data Sharing Settings"), Privacy FAQ.

9. Messages and communications

We send messages and communications by email and via other communications channels such as SMS.

9.1. Measuring success and reach

Messages and communications may contain web links or tracking pixels that record whether an individual message has been opened and which web links were clicked. These web links and tracking pixels may record use of messages and communications by an individual person. We have to statistically record use to measure success and reach in order to make messages and communications effective and user-friendly and reflect addressees' needs and reading habits, and to be able to send them in a way that is secure and reliable on an ongoing basis.

9.2. Consent and objection

You must in principle give express consent to your email address being used, unless use is permitted on other legal grounds. When you subscribe to our Newsletter, we use the double opt-in procedure; in other words, you receive an email with a web link you have to click to confirm. This is to prevent misuse by unauthorised third parties. We may keep a log of these consents, including the internet protocol (IP) address and date and time, for purposes of proof and security.

You have the right in principle to object to receiving messages and communications such as newsletters at any time. When objecting, you may simultaneously object to the statistical recording of use to measure success and reach in the future. Messages and communications that are necessary in connection with our activities and operations remain reserved.

9.3. Service providers for messages and communications

We use specialist service providers to help us send the email Newsletter. Specifically, we use:

• mailXpert: newsletter distribution; provider: mailXpert GmbH (Schweiz); data protection details: Privacy Policy, "Switzerland as a data location"

10. Social media

We have a presence on social media and other platforms to enable us to communicate with interested persons and inform them about our activities and operations. In connection with these platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The respective General Terms and Conditions of Business (GTCs), Terms of Use, Privacy Policies and other stipulations of the individual operators of these platforms apply. The stipulations provide details in particular on the rights of data subjects to deal directly with the platform in question, including for example the right to information.

For our social media presence on Facebook, including Page Insights, where and to the extent that the EU General Data Protection Regulation (GDPR) is applicable, we share joint responsibility with Meta Platforms Ireland Limited. Meta Platforms Ireland Limited is part of the Meta Companies (which include companies in the USA). Page Insights provide information on how visitors interact with our Facebook presence. We use Page Insights so we can provide our social media presence on Facebook in a way that is effective and user-friendly.

For further information on the nature, extent and purpose of data processing, details of the rights of data subjects and the contact details of Facebook, including the Facebook Data Protection Officer, please see the Facebook Privacy Policy. We have entered into the Controller Addendum with Facebook, and in particular we have agreed that Facebook is responsible for ensuring the rights of data subjects. For Page Insights, the relevant details can be found on Information about Page Insights and Information about Page Insights Data.

11. Third-party services

We use services from specialist third parties to allow us to carry out our activities and operations securely and reliably in a user-friendly manner on a permanent basis. These services enable us, amongst other things, to embed functionalities and content in our website. When carrying out embedding, for technical reasons the services used include (at least temporarily) users' internet protocol (IP) addresses.

Third parties whose services we use may process data in connection with our activities and operations in aggregated, anonymised or pseudonymised form for essential security, statistical and technical purposes. These include, for instance, service and usage data in order to be able to offer the service in question.

We do not use any of the services mentioned in this section for elounge.cic.ch.

Specifically, we use:

• Services from Google: provider: Google LLC (USA)/Google Ireland Limited for users in the European Economic Area (EEA) and in Switzerland; general information on data protection: "Our privacy and security principles", Privacy Policy, "We are committed to complying with applicable data protection laws", "Google product privacy guide", "How Google uses information from sites of apps that use our services" (information from Google), "Types of cookies and other technologies used by Google", "Settings for personalized ads" (activation/deactivation/settings).

11.1. Digital infrastructure

For the website vorsorgesparen.cic.cic, we used services from specialist providers to enable us to access the digital infrastructure we need in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.

11.2. Audio and video conferences, working online

We use specialist services for audio and video conferences and working online to allow us to communicate online. For example, we may hold virtual meetings or online training sessions and webinars. In exceptional cases – i.e. where we do not use services installed in our own premises – the legal notices of the individual services such as their privacy policies and terms of use apply in addition.

Depending on your domestic situation, we recommend that when taking part in audio or video conferences you mute your microphone as standard and blur your background or display a virtual background.

11.3. Social media functionalities and content

We use services and plug-ins from third parties to enable us to embed functionalities and content from social media platforms and share content on social media platforms and by other means. Specifically, we use:

• Facebook (social plugins): embedding Facebook functionalities and content such as "Like" and "Share"; provider: Meta Platforms Ireland Limited and other Meta companies (which include companies in the USA); data protection details: Privacy Policy.
• Instagram Platform: embedding Instagram content; provider: Meta Platforms Ireland Limited and other Meta companies (which include companies in the USA); data protection details: Privacy Policy (Instagram), Privacy Policy (Facebook).
• LinkedIn Consumer Solutions Platform: embedding functionalities and content from LinkedIn, for example with plugins such as "Share Plugin"; provider: Microsoft; information specific to LinkedIn: "Privacy", Privacy Policy, Cookie Policy, Cookie preferences/unsubscribe from email and SMS communications from LinkedIn, Opt out of interest-related advertising.
• Twitter for web sites: integrating Twitter functionalities and content, e.g. embedded tweets or "Follow" and "Twitter" buttons; Twitter International Unlimited Company (Ireland) for users in the European Economic Area (EEA), the UK and Switzerland/X Corp. (USA) in the rest of the world; data protection details: Privacy Policy, "Additional information about data processing", "Privacy...on Twitter for Websites", "About personalization based on your inferred identity", "Your privacy controls for personalized ads".

11.4. Mapping material

We use third-party services to enable us to embed maps in our website.

Specifically, we use:

• Google Maps including Google Maps Platform: map service; provider: Google; information specific to Google Maps: "How does Google use location information?".

11.5. Digital audio and video content

We use services from specialist third parties to enable us to directly play digital audio and video content such as music and podcasts.

Specifically, we use:

• Vimeo: video platform; provider: Vimeo Inc. (USA); data protection details: Privacy Policy, "Video privacy".
• YouTube: video platform; provider: Google; information specific to YouTube: "Privacy and safety center", "My data in YouTube".

11.6. Advertising

With the exception of elounge.cic.ch, we make use of the option to arrange for third parties to display targeted advertising for our activities and operations, e.g. on social media platforms and search engines.

In particular, the aim of this advertising is to reach people who are, or could potentially be, interested in our activities and operations (remarketing and targeting).  To do this, we may transmit relevant data (possibly including personal data) to third parties who make the advertising possible. We may also determine whether our advertising is successful, in particular whether it results in visits to our website (conversion tracking).

Third parties with whom we advertise and where you are registered as a user may associate use of our online offering with the profile you have with them.

Where you have given express consent on the website, we use in particular:

• Facebook Ads: social media advertising; provider: Meta Platforms Ireland Limited and other Meta companies (which include companies in the USA); data protection details: remarketing and targeting, especially with the FacebookPixel and Custom Audiences including Lookalike Audiences, Privacy Policy, "Advertising preferences" (user registration required).
• Google Ads: search engine advertising; provider: Google; information specific to Google Ads: advertising, including based on search queries – various domain names including doubleclick.net, googleadservices.com and googlesyndication.com are used for Google Ads, "Advertising" (Google), "Why do I see a particular ad?".
• LinkedIn Ads: social media advertising; provider: LinkedIn Corporation (USA), LinkedIn Ireland Unlimited Company; data protection details: remarketing and targeting, especially with the LinkedIn Insight Tag, "Privacy ", Privacy Policy, Cookie Policy, Opt out of personalised advertising.
• Twitter Ads: social media advertising; provider: Twitter International Unlimited Company (Ireland) for users in the European Economic Area (EEA), the UK and Switzerland/X Corp. (USA) in the rest of the world; data protection details: Privacy Policy, "Interest-based opt-out policy".

12. Website extensions

We use extensions for our website so we can make use of additional functionalities.

In particular we use:

• Friendly Captcha: protection against misuse and spam; provider: Friendly Captcha GmbH (Deutschland); data protection details: "Friendly Captcha Privacy Center", "Privacy Policy for End Users, "Privacy Policy for Service Users".

13. Measuring success and reach

We use services and programs to determine how our online offering is used. As part of this, we may, for example, measure the success and reach of our activities and operations, as well as the effectiveness of third-party links to our website. We may also, for instance, test and compare how different versions of our online offering, or parts of it, are being used ("A/B testing"). We may use the results of measuring success and reach in particular to fix errors, strengthen popular content or improve our online offering.

When we use services and programs to measure success and reach, the internet protocol (IP) addresses of individual users have to be saved. In principle, IP addresses are truncated ("IP masking") so that the resultant pseudonymisation observes the principle of data minimisation, thereby improving users' privacy.

When we use services and programs to measure success and reach, cookies may be deployed and user profiles created. User profiles include, for example, the sites visited or content viewed on our website, details on screen or browser window size and – at least approximately – location. In principle, user profiles are only drawn up anonymously. We do not use user profiles to identify individual users. Some third-party services where users are logged in may associate the use of our online offering with that service's user account or user profile.

Where you have given express consent on the website, we use in particular:

• Google Analytics: measuring success and reach; provider: Google; information specific to Google Analytics: measuring across different browsers and devices (cross-device tracking) and using pseudonymised internet protocol (IP) addresses, which are only transmitted to Google in the USA in exceptional cases, "Safeguarding your data", "Google Analytics Opt-out Browser Add-on".
• Google Tag Manager: connecting and managing various services to measure success and reach, plus other services from Google and third parties; provider: Google; information specific to Google Tag Manager: "Data collected by Google Tag Manager "; further details on data protection can be obtained from the individual services connected and managed.

We do not use Google Analytics or Google Tag Manager on elounge.cic.ch, and deploy the following locally installed solution:

• Matomo: measuring success and reach; provider: Matomo (free open source software); data protection details: Use of own server infrastructure and with pseudonymised internet protocol (IP) addresses, "List of all Matomo Features".

14. Final provisions

We drew up this Privacy Policy using the Data Protection Generator from Datenschutzpartner, amending and expanding it as necessary.

We may amend and expand this Privacy Policy at any time. We will provide information on any such amendments and additions in a suitable manner, in particular by publishing the latest Privacy Policy on our website.