Data privacy statement (valid as of 19/02/2019)
This data privacy statement provides you with an overview of the personal data that HypoPlus AG (hereinafter referred to as “we”) collects on you, as well as providing information on the purpose for which we process this personal data, how we process it and, where applicable, who we disclose it to. You will also find out what your rights are under data protection legislation and how you can exercise these rights.
If you provide us with personal data concerning other individuals (e.g. members of your family), please ensure that these individuals are familiar with this data privacy statement and make sure that you only provide us with this data if you are authorized to do so and if the personal data in question is correct.
1 The Decisis Group
HypoPlus AG forms part of the Decisis Group, which includes the parent company Decisis Services AG and the other subsidiaries in the Decisis Group, comparis.ch AG, Optimatis AG, HypoPlus AG, advanti AG and iii AG (hereinafter collectively referred to as “affiliated companies”), all of which offer comparison and consultancy services on the market.
2 What do we do?
HypoPlus is a property financing service provider and a partner service of comparis.ch AG (www.comparis.ch). HypoPlus aims to support customers who are looking for a mortgage by providing practical tools and reliable information. HypoPlus gives lenders the opportunity to present their mortgages, allowing them to approach new customers in a targeted manner. For more information about HypoPlus, please visit: https://www.hypoplus.ch/en/about/about.html
3 What happens to your data?
3.1 What is personal data and what does “processing” mean?
Data protection comes into play whenever personal data is processed. If we do not process personal data, then data protection does not apply.
The term “personal data” refers to all information concerning you that allows you to be identified – either directly or with the help of other sources of information that are reasonably likely to be used. This sort of personal data is collected, for example, if we store your first name and last name, postal address, e-mail address, date of birth, telephone number and other information, for example in connection with a user account or an enquiry that you have sent us. Information that does not allow you to be identified (e.g. statistics on how many people have visited our website) is anonymous data, i.e. does not constitute personal data.
The term “processing” refers to any handling of your personal data, in particular the recording, collection, anonymization, storage, administration, use, transmission or erasure of your personal data.
3.2 What sort of personal data do we process?
The personal data that we collect from you is the data you provide us with via our online forms, apps or other digital channels. We also collect the personal data that you otherwise make available to us when you use our services (e.g. in correspondence and other forms of communication with you, for instance by telephone or e-mail). Furthermore, we collect data when you use our websites, apps and other digital channels, and those offered by affiliated companies and third-party companies.
We collect the following personal data in particular:
- Master data (name, home address, telephone number, e-mail address, date of birth, gender, means of payment, information on your account with us if you have one, etc.)
- Data on how you use our websites, apps and other digital channels, and the services offered by us
- Data concerning you which is required, or is useful, for the purposes of providing the individual services and which we either receive from you directly (e.g. information on the products for which you want us to prepare a price comparison or obtain a quote, payment data), receive from our affiliated companies or receive from the other companies that we collaborate with (e.g. a quote concerning you that we pass on to you); all of this data is non-public data
To the extent permitted, we also consult other publicly accessible sources (e.g. debt enforcement registers, land registers, commercial registers, debt enforcement registers, land registers, commercial registers, the press, the Internet) to obtain certain data, or receive this data from affiliated companies, authorities and other third parties (e.g. credit agencies). In addition to the data concerning you that we receive from you directly, the categories of personal data concerning you that we receive from third parties include, in particular, information from public registers, information that we receive in connection with official and judicial proceedings, information relating to your professional positions and activities, information concerning you that comes up in correspondence and meetings with third parties, credit rating information (insofar as we execute transactions with you personally), information concerning you that is made available to us by individuals you know (family members, consultants, legal representatives, etc.) so that we can conclude or execute agreements with you or involving you (e.g. references, your address for deliveries, powers of attorney, information on compliance with statutory requirements such as anti-money laundering requirements and export restrictions, information from banks, insurance companies, distribution and other contractual partners of ours on the use or provision of services by you (e.g. payments made, purchases made), information concerning you obtained from the media and the Internet (where this is appropriate in the case in question, e.g. in connection with an application, press review, marketing/sale), your addresses and, where appropriate, your interests and other socio-demographic data (for marketing purposes), data relating to the use of the website (e.g. IP address, information on your device and settings, cookies, date and time of visit, pages and content accessed, functions used, referring website, location information).
The data can be linked – including over the course of several visits and contact points, for example if you are recognized by means of your user name, an e-mail address or a device ID.
3.3 For what purpose and on what legal basis do we process your personal data?
We use the personal data we collect concerning you primarily in order to allow you to use our services and to execute the agreements we have concluded with you, in order to enable you to use our websites, apps and other digital channels as part of our legitimate interest in offering attractive services, and in order to meet our statutory obligations in Switzerland and abroad. This naturally also affects other individuals whose personal data you provide us with.
If, for example, you request advice, then we record your personal data and process this data in order to, among other things, fulfil and process your request (e.g. forwarding the data in the request to the mortgage providers) and to manage and maintain the customer relationship (e.g. changes of address).
We also process personal data concerning you and other individuals, insofar as this is permitted and we consider it appropriate, for the following purposes in which we (and also, in some cases, third parties) have a legitimate interest that is consistent with the purpose in question:
- Offering and further development of our products, services, website, apps and other platforms on which we have a presence
- Communication with third parties and the processing of their requests (e.g. applications, media enquiries)
- Review and optimization of procedures for requirements analysis so that we can approach customers directly, and collection of personal data from publicly available sources for customer acquisition purposes
- Advertising and marketing (including the organization of events) insofar as you have not objected to your data being used (if we send you advertising as an existing customer, you can object to this at any time; we will then add you to a restricted list so that you do not receive any further advertising)
- Market research and opinion polling, media monitoring
- Assertion of legal claims and defence in connection with legal disputes and administrative proceedings
- Prevention and investigation of criminal offences and other forms of misconduct (e.g. performance of internal investigations, data analysis for fraud prevention purposes)
- Safeguarding our operations, in particular IT, our websites, apps and other platforms
- Monitoring in order to safeguard rights to control who can enter and stay at the premises and other measures to ensure IT, building and site protection and to protect our employees and other individuals, as well as the assets that belong, or are entrusted, to us (e.g. access controls, visitor lists, network and e-mail scanners, telephone records)
- Purchase and sale of business areas, companies or parts of companies and other transactions under corporate law, and the transfer of personal data in this context
- Business management measures and measures to comply with statutory and regulatory obligations and internal regulations of the Decisis Group and out company
If you have granted us your consent to the processing of your personal data for certain purposes (e.g. when you subscribe to newsletters), we will process your personal data within the context of, and based on, this consent insofar as no other legal basis applies and we require such a legal basis. Consent granted can be withdrawn at any time, although this withdrawal will not affect data processing operations that have already taken place.
3.4 Direct marketing and profiling
If you have consented to us using your e-mail address or other electronic means of communication for advertising purposes, then we or our affiliated companies will send you newsletters and other advertising information on a regular basis using the channels in question in order to draw your attention to other products and services offered by the Decisis Group. If you register with us, then we can also use your personal data, including data on how you use our websites, apps and other digital channels, in order to personalize our advertising measures. Profiling is also used in connection with the development and optimization of the products and services we offer. This is based on our legitimate interest in more effective direct marketing, unless we obtain your consent separately in this regard.
If you have registered for our services/created an account, or if you are one of our customers, we can provide you with information on the areas of business that we cover using your e-mail address and other electronic means of communication even without the need for separate consent.
You have the right to object to being sent these newsletters and this advertising information, and to the further processing of your e-mail address and other electronic means of communication for this purpose, at any time in the newsletter just received by clicking on the link at the end of the newsletter to unsubscribe, or by following the other instructions provided at the end of the message.
If you do not wish to receive any personalized advertising communications, you can also raise a corresponding objection at any time (see section 6).
3.5 Disclosure of personal data to third parties and abroad
To the extent permitted and if we consider it appropriate, we also pass personal data on to third parties as part of our business activities and within the context of the purposes set out in section 3.3, either because these third parties process the data on our behalf or because they wish to use it for their own purposes. These third parties include the following, in particular:
- Our service providers (within the Decisis Group and external providers such as banks and insurance companies), including contract data processors (e.g. IT providers)
- Subcontractors and other business partners
- Providers (e.g. insurance companies, banks, commercial enterprises)
- Other companies in the Decisis Group that are entitled to process the data for the purposes set out in section 3.3 or otherwise for their own purposes (pursuant to their separate data privacy statements)
These third parties are hereinafter collectively referred to as “recipients”. While some of these recipients are based in Switzerland, they can be located anywhere in the world. In particular, you must be aware that your data may be transferred to other European countries and to the US, where the service providers we use are based (e.g. Microsoft). If we transmit data to a country without an adequate level of statutory data protection, we use corresponding agreements as provided for by law (namely based on the standard contractual clauses of the European Commission, which can be accessed here, here and here) to ensure an adequate level of protection, or we rely on the statutory exceptions of consent, the performance of contracts, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data or because it is necessary to protect the integrity of the persons affected. You can obtain a copy of these contractual safeguards at any time by sending a request to the address set out in section 6, if they cannot be accessed by following the links provided above. We reserve the right, however, to render copies illegible, or only to provide excerpts, for data protection law or confidentiality reasons.
Your personal data will not be disclosed, transmitted or sold to third parties outside of the Decisis Group in any other way, unless this is necessary in connection with one of our services or you have granted your consent.
3.6 How long do we store your personal data for?
We process and store your personal data for as long as is necessary to fulfil our contractual and statutory obligations or to achieve the purposes that the processing is designed to achieve, for example for the duration of the entire business relationship (from the initiation to the execution and termination of an agreement) and thereafter in line with the statutory retention and documentation obligations. Within this context, it is possible that personal data will be retained for the period during which claims can be asserted against our company and to the extent that we are otherwise subject to a statutory retention obligation, or if legitimate business interests require such retention (e.g. for evidentiary and documentation purposes). If your personal data is no longer required for the purposes set out above, it will be erased or rendered anonymous insofar as possible. Shorter retention periods of 12 months or less apply to operating data (e.g. [system] logs).
3.7 Are you obliged to provide us with personal data?
In some cases, you can use our websites, apps and digital channels without registering. As part of our business relationship, you must provide us with the personal data that is required for the initiation and performance of a business relationship and for the fulfilment of the associated contractual obligations (in general, you are not under any statutory obligation to make data available to us). Without this data, we will generally not be able to conclude an agreement with you (or with the entity or individual you are representing) or process an order placed by you.
It is also not possible to use the website if certain information designed to secure the data traffic (e.g. IP address) is not disclosed. The question as to whether this information always constitutes personal data is another matter.
3.8 Cookies/tracking and other technologies relating to the use of our websites
3.8.1 What data do we collect?
When you contact us, various technologies are used by us and by third parties on our websites and in our applications to collect data that we generally allocate to other data collected by us (e.g. user account), i.e.:
- data that is transmitted or generated automatically (e.g. date and time of use, previous page and page accessed, IP address, data on the browser used, device ID, current location, insofar as this information has been released); and
- interaction data insofar as this data can be collected without installing additional programs on the computer (e.g. mouse movements and clicks, and keystrokes on the website).
We collect and process this data so that we can continuously improve our products and services and adapt them to suit your needs, identify trends and prepare and evaluate statistics on the use of our digital services. The data is also used to provide you with a positive user experience. You can opt to prohibit the processing of non-personal data at any time. Please refer to section 3.8.3 for information on how to do this.
3.8.2 What technologies do we use and why do we use them?
In some cases, we use elements and third-party services on our website, in our apps and in other digital products that provide us with use statistics allowing third-party advertisements to be displayed or enabling users to access social networks and other third-party websites. In particular, these third parties include Facebook, Twitter, Google (YouTube), NetMetrix and Optimizely. We use these third-party services, the providers of which can be based in any country worldwide (in Google’s case, the provider is Google LLC in the US, www.google.com), to measure and evaluate the use of the website (without any link to specific individuals). Permanent cookies set by the service provider are also used for this purpose. While service providers do not receive any personal data from us (and do not store any IP addresses either), they can track your use of the website, combine this data with data from other websites that you have visited and that are also tracked by them, and then use this information for their own purposes (e.g. to manage advertisements). If you have registered with the service provider in question itself, then the service provider will also know who you are. Your personal data is then processed by the service provider on the latter’s responsibility and based on its data privacy provisions. The service provider only provides us with information on how our website is used (no information is provided on you as an individual).
We also use what are known as plug-ins offered by social networks such as Facebook, Twitter, YouTube, Pinterest or Instagram on our websites. You can see that these plug-ins are being used (typically because corresponding symbols are displayed). The operators of the social networks in question can register the fact that you are on our website and where you are on our website, and can use this information for their own purposes. Your personal data is then processed by this operator on the latter’s responsibility and based on its data privacy provisions. We do not receive any information on you from the operator.
In order to protect your privacy, we take account of browser settings indicating that tracking is not to be used; in such cases, we only work with third parties that also take these settings into account (more information can be found here for Internet Explorer, Firefox, Chrome, Safari). If, however, you click on a link in an advertisement or other third-party offering, this will result in you leaving our sphere of influence and we cannot control the further collection of data. In these cases, you have to refer to the policy of the third party in question.
Most Internet browsers accept cookies automatically as a default setting. You have the option, however, of configuring your browser settings to reject cookies in general by selecting “Block all cookies” in your browser settings, or by configuring your settings so that you are always prompted before a cookie set by a website that you have visited is accepted. You can also delete cookies on your computer or mobile device by selecting the corresponding function in your browser. Please be aware that you have to deactivate or delete the cookies on all of your devices. If you decide to use one of the options described above, you may no longer be able to use all of the website functions in full. We would also like to remind you that you cannot object to general, i.e. non-personalized, advertisements on our websites.
4 What are your rights with regard to your personal data?
Within the context of the data protection legislation that applies to you and insofar as this legislation contains corresponding provisions (such as in cases involving the EU General Data Protection Regulation (GDPR) and, in some cases, also the Swiss Federal Act on Data Protection (FADP), you have the right of access (the right to information, free of charge, on whether or not we process personal data concerning you and, if so, which data we process, among other things), rectification (if the personal data concerning you that we process is incorrect), erasure (if you want us to erase the data we have stored), the right to the restriction of processing or the right to object to our data processing operations (e.g. if you want us to stop using your data in a certain way, for instance so that it is not used for direct marketing purposes), and the right to be provided with certain personal data so that it can be transferred to another entity (data portability).
Please note, however, that we, in turn, reserve the right to apply the restrictions provided for by law, for example if we are obliged to retain or process certain data, have an overriding interest in the data (to the extent that we are entitled to invoke it) or require the data in order to assert claims. If you are required to pay any costs, we will notify you in advance.
We have already informed you of your right to withdraw your consent in sections 3.3 and 3.4.
Please note that the exercise of these rights may conflict with contractual agreements, resulting, for example, in the premature termination of the agreement or in costs being incurred. We will inform you in advance in such cases, unless such information is already set out in the contractual provisions.
In general, you must be able to clearly prove your identity in order to exercise these rights (e.g. by presenting a copy of your ID card if your identity is not otherwise clear/cannot otherwise be verified). You can use the address set out in section 6 to contact us in order to assert your rights.
In addition, all data subjects have the right to enforce their rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).
5 Data security
We operate data networks and systems that comply with general standards of technology. Appropriate technical and organizational protection measures have been implemented to diligently protect your data from loss, destruction, falsification, manipulation or unauthorized access, such as providing instructions and training, IT and network security solutions, access controls and restrictions, the encryption of transmission and other controls. Nevertheless, the Internet is an open network that can be accessed by anyone. Consequently, neither we nor our service providers guarantee confidentiality when data is transmitted via the Internet, or your anonymity when you use our websites, apps and other digital channels.
6 Who can you contact? Who is responsible?
The entity responsible for the data processing operations described in this document is HypoPlus AG.
7 Legal basis
This data privacy statement is based on the GDPR. Although the GDPR is a European Union regulation, it is significant to us. The FADP is heavily influenced by EU law and companies outside of the European Union/EEA have to comply with the GDPR in certain circumstances.
8 Amendments to this data privacy statement
We have the right to amend this data privacy statement at any time without prior notice. The version most recently published on our website applies. If the data privacy statement forms part of an agreement with you, then we will inform you of any updates or changes by e-mail or using other suitable means.
Version dated 28 November 2018
Data privacy statement (valid until 19/02/2019)
This data privacy statement specifies the type of data HypoPlus AG (HypoPlus) collects from you, the user of the website and services ( user), for which purpose the data are collected and how such data are processed.
By transferring your data to HypoPlus, you, the user, agree to the processing of your personal data as set out in this data privacy statement; where any data entered by you concern third parties, you vouch for the fact that such third parties also agree to the processing of their data according to this data privacy statement.
Legal bases, changes
In processing the personal data of the users of its facilities, in particular of its website and services, HypoPlus complies with this data privacy statement and all applicable statutory provisions, in specific the Swiss Data Protection Act (Schweizerisches Datenschutzgesetz, DSG).
The range of services offered by HypoPlus is subject to continuous expansion. Due to this reason and any other changes in circumstances that may occur, HypoPlus may amend this data privacy statement at any time and without prior notice. Insofar as this data privacy statement has become an integral component of a service agreement between HypoPlus and the user, HypoPlus will advise the user of any amendments in advance in a suitable form; should the user fail to object to the amendment, the amendment is deemed to have the user's approval as of the date the amendment enters into force. Otherwise, HypoPlus may terminate the agreement concluded with the user for cause.
What type of data is being collected?
In principle, HypoPlus collects all personal data that accumulate when users utilise the services offered by HypoPlus (website, apps, etc.) and communicate with HypoPlus, hence in particular when they use the Hypo services offered in the comparis.ch website. These include:
- Data entered by users via online forms or apps or otherwise communicated by them while using the services offered by HypoPlus (e.g. by telephone or e-mail), including personal data (name, address, telephone number, e-mail address, income, assets, date of birth, sex, etc.);
- User data transmitted or generated automatically (e.g. date and time a service was used, previous and current page called up, IP address, data relating to the browser used, device code, current location, if such information is released, etc.) as well as interaction data if accessible without installation of additional programmes on the computer (e.g. mouse movements and clicks or keyboard strokes on the website);
- Personal data generated by HypoPlus, comparis.ch or third parties (e.g. codes, suppliers' personal services made available to HypoPlus users and transferred to HypoPlus for dissemination);
- Correspondence and other communications with users (e.g. e-mails, telephone conversations that may also be recorded).
Such data may be linked, possibly over several visits and communications, if a user or a user profile is recognised, for example via a user name, an e-mail address, a device code or cookies saved in the browser.
To some extent, the website and apps of HypoPlus use elements and services by third parties supplying user statistics that serve to display advertising or give users access to social networks or other third party services. As a consequence, such third parties may, to a certain extent, also collect personal data relating to users of HypoPlus if they recognise them, for example, due to their own cookies or logins. These third parties consist, in specific, of Facebook, Google (Adwords, Analytics, Google+, Youtube), NetMetrix (user statistics), Optimizely (user statistics) and m-pathy (user statistics). comparis.ch may also collect personal data relating to HypoPlus users to the extent that the HypoPlus services are integrated into the comparis.ch website. To protect the privacy of its users, HypoPlus respects browser settings which indicate that tracking is unwanted and works exclusively with third parties that also respect such settings (for further information see here forInternet Explorer, Firefox). Where users click on advertisement links or links provided by third party services, they leave the sphere of influence of HypoPlus, and HypoPlus has no means of controlling any subsequent data collection. In this respect, users must deal with the respective third party.
Which type of data processing takes place?
HypoPlus may use the user data collected by it or on its behalf for the following purposes:
- provision of the services offered by HypoPlus or comparis.ch;
- preparation of various types of statistics relating, for example, to the amount of interest shown by users in product and service comparisons or in other services provided by HypoPlus or comparis.ch;
- design and development of the range of services offered by HypoPlus or comparis.ch;
- internal training and quality control;
- maintenance and development of customer relationships (e.g. newsletter);
- controlling the display of advertisements and invoicing, relating both to third party advertisements on the HypoPlus or comparis.ch website and HypoPlus or comparis.ch advertisements on third party websites;
- guaranteeing the safety and availability of HypoPlus or comparis.ch systems and data and those of its service providers;
- corporate transactions performed by HypoPlus or comparis.ch that may affect user data (e.g. transfer of a business division to an affiliated company or third party);
- prevention, discovery and combating any misuse;
- responding to justified official enquiries or enquiries in connection with the assertion of claims or other legal disputes that concern HypoPlus or comparis.ch or which HypoPlus or comparis.ch is otherwise involved in.
HypoPlus may also process personal data for other purposes to the extent that such purposes arise from the law or are indicated or discernable in the context of the collection of the respective data.
Furthermore, users authorise the mortgage suppliers contacted on their behalf, and their partners, to provide HypoPlus with information regarding their transaction to the extent that this is necessary to allow HypoPlus to ascertain, calculate and check the conclusion of the transaction and the amount and due date of any associated commission.
Are any data being passed on to third parties?
With the following exceptions, HypoPlus does not pass on any personal data to third parties as a matter of principle:
- HypoPlus may call in third parties to process personal data on behalf, and exclusively for the purposes, of HypoPlus (e.g. market research institutions). HypoPlus shall implement appropriate measures to ensure that such third parties process the data exclusively in the manner in which HypoPlus is authorised to process them.
- HypoPlus may disclose the personal data collected by it for the purposes specified in this data privacy statement to comparis.ch, in particular the data entered by users in the context of the comparis.ch website.
- HypoPlus may disclose personal data to third parties if the user so requests (registrations, requests for quotations, etc.), or this is otherwise necessary to provide the service requested by the user, or if HypoPlus has expressly informed the user of the fact that his/her data will be disclosed. In particular, by sending an enquiry, users authorise HypoPlus to send their data by e-mail to the selected mortgage suppliers, and their partners, for processing. In exceptional cases (e.g. suspected misuse), user data may also be disclosed to third parties for the other purposes listed in this data privacy statement or for purposes provided for by law. HypoPlus is not in a position to control, guarantee or vouch for the fact that such third parties comply with the applicable data protection rules; they process the data for their own purposes, possibly abroad where data protection laws such as in Switzerland may not exist.
In any case, HypoPlus may disclose anonymised user data to third parties. These are data taking a form which does not allow the third parties to draw any sensible conclusions as to the identity of the respective users or makes such conclusions unlikely.
Where and how are the data stored?
Principally, HypoPlus processes all collected data in Switzerland and stores them in systems in Switzerland. Where external service providers are called in, individual user data collected by HypoPlus may also be processed abroad; HypoPlus will conclude an agreement with such providers according to which they will be obliged to process the data exclusively to the extent that HypoPlus is permitted to process them. Transmission of user data to third parties may also involve transferring data to countries outside Switzerland, in particular in cases whereby social networks or third party services are used via the services provided by HypoPlus or users request the transmission of data to third parties; HypoPlus does not have the means to control, guarantee or vouch for the third parties' compliance with applicable data protection rules.
In the context of storing and otherwise processing user data, HypoPlus shall implement appropriate technical and organisational measures to prevent unauthorised and otherwise unwarranted processing. Such measures are subject to regular control and are amended where necessary. This also applies to the third parties charged with operating the systems.
Newsletter, commercial communication
In connection with the services offered by HypoPlus and comparis.ch, HypoPlus may from time to time send newsletters or other contents (of a commercial nature) to the address, number or app of any users that have registered their e-mail address or any other electronic address or mobile phone number with HypoPlus. With their registration or installation of an app, users agree to receive such newsletters and contents. They may, however, notify HypoPlus at any time and free of charge that they no longer wish to receive, or be notified of, the above (further information will be provided at the end of the respective notification).
Questions and suggestions, requests for information, correction or deletion
Zurich, 29 January 2014