Data Protection

This data protection declaration is based on the Swiss Data Protection Act (DSG and DSV) and, where applicable, on the General Data Protection Regulation of the European Union (GDPR). The European Commission recognises that Swiss data protection law ensures adequate data protection.

In this data protection declaration, we inform you about the type, scope and purpose of the personal data we collect and process and what rights you are entitled to in this context. The protection of your privacy is important to us. We comply with our legal obligations and handle your personal data responsibly, carefully and for the intended purpose.

This data protection declaration is not an exhaustive description. For individual or additional offers or services from us, other Novaq Investment Management ("NIM") data protection declarations may regulate specific circumstances (e.g. in contracts).

For the purposes of this Privacy Policy, personal data (‘personal data’) means any information relating to an identified or identifiable natural person and which allows conclusions to be drawn about their identity on the basis of the data or with additional data (e.g. name, date of birth, residential or e‑mail address, financial data, etc.). Particularly sensitive personal data’ is data that is particularly protected under data protection law, for example data relating to the health or personality of a natural person. Below (see ‘What personal data do we process?’) you will find details of the data that we process.

The processing of personal data includes any handling such as the collection, storage, retention, use, modification, disclosure, archiving, erasure or final destruction of data. We process personal data in accordance with the principles of lawfulness, transparency, purpose limitation, good faith and proportionality, data integrity, data minimisation and data security (Art. 6 FADP, Art. 5 GDPR).

1. What personal data do we process?

We process various categories of data about you in connection with current and possibly also previous information if details change (e.g. change of address). The most important categories are communication data, master data, contract data, financial data or peripheral data when using our electronic infrastructure (e.g. log data).

We only process particularly sensitive personal data in exceptional cases and only with the consent of the data subject, unless the data was transferred to us indirectly and for legitimate purposes, such as in the context of contract fulfilment or to fulfil legal obligations.

Examples of particularly sensitive personal data that we may receive include

Personal identification documents that may provide information about race, ethnic origin or religious beliefs
Information about the health of individuals
Financial documents, bank statements, tax documents
Documents that provide information about trade union memberships, political views, criminal offences or criminal convictions
Food preferences when registering for events that provide information about religious beliefs or health status

2. Where does the personal data come from?

You provide us with personal data yourself, i.e. we generally collect it directly from you (e.g. as part of communication or the processing of contracts).

We also collect personal data that we receive as part of our business relationship with our customers and the persons involved in this relationship, as well as from our customers’ business partners, or personal data that we receive from users when operating our website, tools and applications.

To the extent permitted and if we have a need to do so, we also obtain data, including personal data, from publicly accessible sources (e.g. commercial registers, registers of supervisory authorities, media or the Internet).

If you transmit or disclose personal data and particularly sensitive personal data of other persons, e.g. colleagues, employees, work colleagues, insured persons, beneficiaries or family members, we assume that you are authorised to do so and that the data is correct. By transmitting the data, you confirm this. Please ensure that these third parties are aware of this privacy policy.

3. Why do we process personal data?

Business activity and operation

We process your data for the purposes explained below.

We use and process personal data for the initiation of business relationships, but primarily in order to conclude and professionally fulfil our contracts with our clients, business partners or suppliers; in particular as part of our advisory services in the areas of investment consulting and controlling, legal and actuarial consulting for our clients and for the purchase of products and services from our suppliers and service providers, as well as to comply with our legal obligations in Switzerland and abroad. If you work for such a client or business partner, you and your personal data may of course be affected by our data processing in this function.

In addition, we also process your personal data, where permitted and where we deem it appropriate, for the following purposes in which we have an overriding legitimate interest corresponding to the purpose (Art. 31 FADP):

Processing for purposes related to communication with you, your employer, your colleagues or family members or with your business partners
Processing to respond to enquiries, including project and quotation requests or to manage and process contractual relationships
Processing for relationship management, to promote our professional services and offers to existing and potential customers (including the organisation of events), provided you have not objected to the use of your data. You have the right to object to the use of your personal data for marketing purposes by us at any time, in which case we will of course place you on a blacklist
Processing as part of our internal processes and administration or for internal training and quality assurance purposes
Processing for internal market observation purposes, to improve our services and processes and for product development
Further development of our websites, apps and other platforms on which we are present
Managing, maintaining, developing and ensuring the security and functionality of our information, access or backup systems, our websites, apps and other platforms
As part of financial management (e.g. control of debtors and creditors), the prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analyses to combat fraud)
To comply with legal requirements and instructions or recommendations from authorities (e.g. compliance, archiving), to assert legal claims and defence in connection with legal disputes and official proceedings

Other purposes

We may also process personal data for internal use for other purposes (e.g. organisational or administrative purposes) in the interests of efficient company management and modern corporate development. In doing so, we adhere to the data processing principles mentioned in the introduction and rely on our legitimate interest or legal obligation.

4. On what basis do we process your data?

We process your personal data as a private individual (e.g. activities in the area of investment management or advisory). We adhere to the data processing principles mentioned in the introduction and rely on our legitimate interest or legal obligation.

Where we require your consent as the basis for processing your personal data, we will inform you separately and also about the corresponding purposes of the processing. You can withdraw your consent at any time (see ‘Right to withdraw consent’).

Where applicable, our Privacy Policy also applies.

5. Right to withdraw consent

If you have given us your consent to process your personal data for specific purposes because we require it and we have no other legal basis, we will process this data within the scope of this purpose and based on your consent. You can withdraw your consent at any time in writing (by post or, unless otherwise stated, by e‑mail to the data protection advisor (see ‘Controller and data protection advisor’), but this has no effect on data processing that has already taken place and its lawfulness. In the event of a cancellation, we may no longer be able to provide you with certain services, which we will point out in the event of an application.

6. Who do we disclose your personal data to?

We protect your personal data and do not sell it to third parties.

In principle, we only process and store your personal data in Switzerland. If we have to transfer your personal data abroad (e.g. to your place of residence abroad or to potential or existing business partners designated by you), this will only take place if you have given your prior consent (in accordance with Art. 17 para. 1 lit. a FADP) or if there are statutory exceptions (in accordance with Art. 17 para. 1 lit. b to f FADP).

We do not pass on your data to third parties (e.g. outsourcing), but where appropriate or necessary, we process it together with third parties or commission third parties to process your data (processors) to fulfil contractual or legal obligations, for example with suppliers, IT and other service providers (e.g. fiduciary, cloud services, DDoS security). These service providers are located in Germany and are contractually obliged by us to maintain confidentiality and secrecy and to comply with the data protection laws applicable to them. Furthermore, they are obliged to process the data only for the purposes specified by us.

If we use foreign service providers, the same requirements apply to them as to our service providers in Switzerland and, if adequate data protection is not guaranteed in their country from a Swiss perspective, we oblige them to sign sufficient contractual guarantees based on the EU standard contractual clauses or the FDPIC.

We may also pass on data to research institutions and researchers for scientific research and statistical purposes. In this case, we ensure that the data is anonymised or pseudonymised.

7. How long do we process your data?

We process and store your personal data for as long as is necessary for the fulfilment of our contractual and legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, processing to the termination of a contract) and beyond in accordance with the statutory retention and documentation obligations. We may also retain personal data for the period during which claims can be asserted against NIM (i.e. in particular during the statutory limitation period) and insofar as we are otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised as far as possible. Shorter retention periods of twelve months or less generally apply to operational data (e.g. system protocols, logs).

8. How do we protect your data?

The security of our company and customer data is of central importance to us. We take appropriate technical and organisational security precautions to protect your personal data from unauthorised access, loss, unintentional disclosure and alteration or misuse. These include a state-of-the-art IT infrastructure with appropriate network security solutions, regular external security audits for the early detection of potential vulnerabilities, internal data protection instructions and access controls and restrictions.

Our digital communication, like all digital communication, is subject to mass surveillance without cause or suspicion and other surveillance by security authorities in Switzerland, the rest of Europe, the USA and other countries. We cannot directly influence the corresponding processing of personal data by intelligence services, police forces or other security authorities.

9. Profiling and automated individual decisions

In principle, we do not use automated processing of personal data (‘automated individual decisions’ as defined in Art. 4 GDPR or Art. 22 GDPR) for the establishment and implementation of the business relationship or otherwise, nor do we engage in profiling (Art. 5 FADP or Art. 22 GDPR). If we use such procedures in individual cases, we will inform you of this separately if this is required by law and inform you of the associated rights.

10. Legal basis for data processing in accordance with the GDPR

Insofar as the GDPR is applicable, we base our data processing (Art. 6 et seq. GDPR) either on your consent or, as described below, on our overriding legitimate interest or legal obligation. E.G:

Offering our services, initiating a business relationship, contract processing, customer support incl. correspondence
Ensuring a secure organisation and maintaining business operations, efficient company organisation and further development of our systems and customer relationship, data security, protection against unauthorised use and combating fraud, archiving of data
Processing in fulfilment of a legal obligation
Enforcement of own legal claims and compliance with Swiss law

11. Reference to your rights

You have rights under the FADP and other applicable data protection laws (including, where applicable, the GDPR) in relation to personal data that we collect about you and that we process.

You have the right to request information from us at any time about the personal data we have stored about you (Art. 25 FADP) and, insofar as the GDPR applies, in accordance with Art. 15 GDPR. In addition, you have a legal right (Art. 6 and Art. 32 FADP, Art. 16 et seq. GDPR) to rectification, blocking and erasure of your personal data, a right to object to the processing of personal data, to prohibit such processing or to request a confirmation notice (Art. 32 para. 3 FADP). If our processing is based on your consent, you also have the right to withdraw your consent to the processing of your data at any time (see ‘Right to withdraw consent’).

Furthermore, under the conditions of Art. 28 FADP, and insofar as the GDPR applies, you can request data transfer to another controller or a copy of your personal data in electronic form to yourself at any time (so-called data portability).

Please note that exceptions or restrictions apply to these rights. In particular, we may still need to process and store your personal data in order to fulfil a contract with you, to protect our own legitimate interests such as the assertion, exercise or defence of legal claims, or to comply with legal obligations. To the extent permitted by law, in particular to protect the rights and freedoms of other data subjects and to protect our legitimate interests (e.g. confidentiality and security interests as well as the consideration of our operational resources and possibilities), we can therefore also reject your data protection-related requests, e.g. requests for information and deletion, or only comply with them to a limited extent. However, you have the right to lodge a complaint with a competent supervisory authority (see ‘We are here for you if you have any questions!’).

12. How can this privacy policy be amended?

This privacy policy applies in addition to our contract with you. The version published on our website is deemed to be the valid version in each case.

We may amend this privacy policy unilaterally at any time in compliance with the legal requirements and framework conditions.

13. We are here for you if you have any questions

If you have any questions about data protection or would like to request information about your data or the deletion of your data, including your personal data, please contact us by email at investmentmanagement@novaq.ch.

14. Supervisory Authority

To raise concerns about our handling of your data, you can also contact the relevant data protection supervisory authority and lodge a complaint. We recommend that you first contact NIM's Data Protection Advisor (see ‘We are here for you if you have any questions’).

For Switzerland:
Federal Data Protection and
Commissioner for Data Protection and Freedom of Information (FDPIC)
Feldeggweg 1
CH-3003 Bern

www.edoeb.admin.ch

If you are located in the EEA or the United Kingdom, you also have the right to lodge a complaint with the data protection supervisory authority in your country.