Privacy notice for pension account holders

Data protection under the federal act on data protection (FADP)

To run our business, PostFinance Retirement Savings Foundation 3a (“we”, “our”, or “us”) processes information about natural persons (“Personal Data”), including information about our prospective, current and former pension account holder (“client”, “you”).

We take protection of your data seriously. This Privacy Notice (“Notice") contains information on what Personal Data we collect, what we do with that Personal Data, and what rights you have.

As part of our commitment to protect your Personal Data, this Notice is intended to make it easier for you to understand:

• why and how PostFinance Retirement Savings Foundation 3a collects, uses and stores your Personal Data;
• the lawful basis for the processing of your Personal Data; and
• your rights with regard to this processing and how you can exercise them.

Table of Content

What is the scope of this Privacy Notice?

This Notice applies to any and all forms of use (“processing”) of Personal Data by us if you are a former, current or prospective client.

What types of Personal Data do we collect?

For former and current clients or prospective clients with whom we take steps to enter a contractual business relationship, we collect (to the extent permitted by applicable law):

• personal information such as your name, identification number, date of birth, compliance related documents (including a copy of your national identity card or passport), telephone number, address, electronic address, and family data such as the name of your spouse, partner or children;
• financial information, including payment and transaction records and information relating to your assets, financial statements, liabilities, taxes, income and investments (including your investment objectives);
• tax residence and other tax-related documents and information;
• where relevant, information on education and employment such as your job title;
• your knowledge of and experience in investment matters;
• details of our interactions with you and the products and services you use, including information about electronic and physical communications through various channels such as e-mails and mobile applications;
• where applicable, records of telephone calls between you and us, including, but not limited to, telephone logs such as telephone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information, and types of calls;
• identifiers we assign to you, in particular your account number;
• to the extent relevant and permitted by law, the Personal Data we collect in some cases also includes particularly sensitive categories of Personal Data, such as health data, or information relating to criminal convictions or offences.

In some cases, we collect Personal Data from public available registers, public administration sources or other publicly available sources.

If it is relevant in connection with the products and services we provide to you, we may also need to collect information about dependent persons or family members, and agents or other parties. Before you provide us with this information, you should provide them with a copy of this Notice.

For which purposes do we process your Personal Data and what legal basis do we rely on?

Purposes of processing Personal Data

We always process your Personal Data for a specific purpose and only process the data relevant to this purpose. In particular, we process Personal Data, within the framework of the applicable legal provisions, for the following purposes: 

Client Onboarding process. For example:

To confirm your identity and evaluate your application. For the processing of Personal Data in order to carry out checks regarding compliance with legal or regulatory requirements (e.g. to comply with provisions for the prevention of money laundering and fraud), please see Section «Compliance and Risk Management and / or Crime Prevention, Detection and Investigation». 

Client Relationship Management. For example:

To manage our relationship, including communicating with you regarding the products and services we have purchased, to deal with customer service-related questions and complaints, to make decisions regarding your identity, to determine your whereabouts and to close your account (in accordance with relevant legal requirements) in the event that there are no account movements and we are unable to contact you after a period of time;

Product implementation and execution. For example:

To provide pension products and services to you and for their proper execution.

Processing for the purpose of client acquisition and expansion of the business relationship. For example:

To evaluate which products, services and events may be of interest to you and how they may be offered to you.

Compliance and Risk Management and / or Crime Prevention, Detection and Investigation. For example:

• to carry out legal and regulatory compliance checks in particular as part of the client onboarding process and at regular intervals thereafter (e.g. to comply with anti-money laundering and anti-fraud regulations);
• to comply with our on-going regulatory and compliance obligations (e.g., financial industry regulations, tax laws and to prevent money laundering), including in relation to recording and monitoring of communications, the disclosure of data to tax authorities, relevant supervisory authorities, other regulatory and government bodies and to investigate or prevent criminal offences;
• receive and handle complaints, requests or reports from you; and
• to respond to actual or potential proceedings, requests or investigations by the competent authorities or judicial authorities.

Other purposes. For example:

• for our prudent operational management (including compliance and risk management, technological support services, reporting, audits, system and product training, and similar administrative purposes);
• to carry out transactional and statistical analysis, as well as similar analyses; and
• to exercise our duties and/or rights to you or any third party.

Legal basis for processing of Personal Data

PostFinance Retirement Savings Foundation 3a processes your Personal Data in accordance with the applicable legal provisions. If necessary and depending on the purpose of the processing activity see (section «Purposes of processing Personal Data»), this may be due to one of the following reasons:

• necessary to carry out contractual measures at your request or to fulfil our contractual obligations towards you, e.g. if we process your Personal Data for some of the purposes mentioned in Section «Client Onboarding process» and «Product implementation and execution» above, and for the disclosure of some Personal Data in accordance with Section ‎«Who has access to Personal Data and with whom are they disclosed?» below;
• necessary to safeguard the legitimate interests of PostFinance Retirement Savings Foundation 3a, without unduly affecting your interests or fundamental rights and freedoms and to the extent such Personal Data is absolutely necessary for the intended purpose (e.g. if we process your data for some of the purposes mentioned in Section «Client Onboarding process», «Client Relationship Management», «Processing for the purpose of client acquisition and expansion of the business relationship», «Compliance and Risk Management and / or Crime Prevention, Detection and Investigation» and «Other purposes»). Further examples of our legitimate interests can be found below);
• necessary to comply with our legal or regulatory obligations, such as reporting or disclosure obligations to regulators, law enforcement or government agencies listed in Section «Who has access to Personal Data and with whom are they disclosed?» (e.g. where we process your data for some of the purposes set out in Section «Compliance and Risk Management and / or Crime Prevention, Detection and Investigation» and «Other purposes»);
• in certain cases, and as requested from you in each case, we have received your consent in advance (e.g. if this is required by law) or, in the case of particularly sensitive data, these will be processed with your explicit consent or
• in certain cases necessary for data processing in the public interest.

A legitimate interest of PostFinance Retirement Savings Foundation 3a is taken into account in particular in the following instances. Data processing is required:

• to maintain our relationship with you and to learn more about you as a client and about the products and services you use (see section «Client Relationship Management»);
• to evaluate which products, services and occasions may be of interest to you and how they may be offered to you (see section «Processing for the purpose of client acquisition and expansion of the business relationship»);
• for the prevention and detection of criminal offences, including fraud or criminal activity, misuse of our products or services (see sections «Compliance and Risk Management and / or Crime Prevention, Detection and Investigation» and «Other purposes»);
• to receive and handle complaints, enquiries or reports from you (see Section «Compliance and Risk Management and / or Crime Prevention, Detection and Investigation»);
• to respond to actual or potential proceedings, requests or investigations by the competent authorities or judicial authorities (see Section «Compliance and Risk Management and / or Crime Prevention, Detection and Investigation»);
• exercising our rights under Articles 26 and 27 of the Federal Constitution of the Swiss Confederation, including the freedom to conduct a business and right to property;
• for prudent operational management (see section «Other purposes») and to comply with our regulatory obligations.

Where the Personal Data we collect from you is necessary to comply with our legal or regulatory obligations or enter into an agreement with you, we may not be able to onboard you as a client or provide you with products or services if we are unable to collect such Personal Data (in which case we will inform you accordingly).

To the extent that we process particularly sensitive data about you, we will do so because:

• the processing is necessary for the establishment, exercise or defense of a legal claim;
• the processing relates to Personal Data which are manifestly made public by you; or
• you have given your explicit consent to the processing of this information (where permitted by law). 

How do we protect Personal Data?

Employees who access Personal Data must comply with the regulations and procedures for the processing of Personal Data in order to protect them and ensure their confidentiality. Appropriate technical and organisational measures are implemented to protect your Personal Data from unauthorised, accidental or unlawful destruction, modification or disclosure or unauthorized, accidental or unlawful loss, misuse or access, as well as any other unlawful forms of processing.

Who has access to Personal Data and with whom are they disclosed?

Third Parties

We transfer Personal Data to other financial services and similar companies as well as to advisors in order to fulfil our obligations to you. In particular, when providing products and services to you, to persons acting on your behalf or otherwise involved, including, where relevant, we transfer Personal Data to the following types of companies:

• payees, beneficiaries;
• other financial institutions;
• lawyers, auditors, accountants, who provide legal, auditing, or accounting services to us.

Service Providers

We share Personal Data with PostFinance AG (PostFinance) and other service providers who are contractually bound to confidentiality, such as IT hardware, software and outsourcing providers, shipping service providers, and other service providers.

Where your data is transferred to service providers who process data on our behalf, we take steps to ensure they comply with our data security standards, so that your Personal Data is protected. Service providers, regardless of their location, are required to comply with a number of technical and organisational security measures, including measures regarding: (i) information security management; (ii) information security risk assessment and (iii) information security measures (e.g., physical controls; logical access controls; protection against malware and hacking; data encryption measures; backup and recovery management measures).

Authorities or public bodies

In certain cases, we pass on Personal Data to authorities, e.g. supervisory authorities, enforcement authorities or government bodies, courts or parties to proceedings to whom disclosure is required by law or other legal provision or if these authorities or bodies request such disclosure or if we are obliged to safeguard our legitimate interests.

Other recipients

• Disclosure of Personal Data may be necessary for the assertion, exercise or defense of legal claims of PostFinance Retirement Savings Foundation 3a, its employees or other interest groups or to process enquiries from persons or their representatives;
• Authorized Notice Recipients, as required by applicable law or regulation.

How long do we store your data?

In general, we retain Personal Data in accordance with applicable Swiss law, which reflects the duration for which legal claims can be asserted after the termination of such business relationships.

We are also obliged to keep all correspondence and evidence of telephone calls in accordance with applicable Swiss law. If necessary, PostFinance Retirement Savings Foundation 3a must make this information available to the "BVG- und Stiftungsaufsicht beider Basel" (BSABB)

If you request the deletion of your Personal Data from our databases, you can submit a request in accordance with the section «What data protection rights do you have and how can you exercise them?», which we then check as described therein. 

What data protection rights do you have and how can you exercise them?

Your data protection rights

You can request information about your Personal Data processed by us. If you believe that the information collected about you is incorrect or incomplete, you can also request that your Personal Data be corrected.

In addition, you have the right to:

• object to the processing of your Personal Data;
• request the erasure of your Personal Data;
• request a restriction on the processing of your Personal Data; or
• to withdraw your consent where PostFinance Retirement Savings Foundation 3a obtained your consent to the processing of your Personal Data (this does not affect the lawfulness of any processing that took place prior to the withdrawal).

Where we process your Personal Data with your consent, or where such processing is necessary to enter into a contract with you or to fulfil our obligations under a contract with you, you may have the right to request your Personal Data be transferred to you or another controller in accordance with applicable data protection laws (”data portability right”). You have the right to request a copy of some or all of the Personal Data that we collect and process from you from PostFinance Retirement Savings Foundation 3a.

You are entitled to these rights in accordance with the provisions of the Data Protection Act. They are not fully applicable, as they may not always apply and exceptions can be made. In order to process a request, we will usually ask you to prove your identity and/or provide information to help us better understand your request. If we do not comply with your request, we will explain the reasons for this. 

Exercising your rights

To exercise the above rights, please:

Contact PostFinance Retirement Savings Foundation 3a, Aeschenvorstadt 1, 4051 Basel. In order to avoid delays, we ask you to enclose a copy of your passport or identity card with your signed letter.

If you are not satisfied with how we process your Personal Data, please let us know and we will review your request. You can contact the Group Data Protection Officer by emailing dpo-ch@ubs.com.

Changes to your Personal Data

We are committed to keeping your Personal Data accurate and up to date. Therefore, if your Personal Data changes, please inform us of the change as soon as possible.

Status of this data protection Notice

This Privacy Notice was last updated in August 2023. We reserve the right to amend it from time to time. Any amendments or updates to this Notice we will make available to you at postfinance.ch/dps-3a. Please visit this website regularly to familiarize yourself with our privacy policy. 

PostFinance Retirement Savings Foundation 3a Contact Details

Entity Name

PostFinance Retirement Savings Foundation 3a
Aeschenvorstadt 1,
4051 Basel, Switzerland,
Telephone number: +41 (0)61 289 10 00

Group Data Protection Officer

UBS Data Protection Office
dpo-ch@ubs.com

Further data protection declarations

PostFinance and UBS Switzerland AG (UBS) also process your Personal Data as independent controllers.

On behalf of the PostFinance Retirement Savings Foundation 3a, PostFinance sells the retirement savings account and the retirement funds. PostFinance may use the Personal Data collected as part of the ongoing pension agreement for customer care and marketing purposes as an independent controller. PostFinance's privacy policy can be found here: postfinance.ch/dps.

UBS processes your Personal Data as an independent controller as part of its management of the PostFinance Retirement Savings Foundation 3a and as part of its data protection advice for the PostFinance Retirement Savings Foundation 3a. UBS's privacy policy can be found here: The link will open in a new window ubs.com/pn-ch.