Your data privacy
At advaisor we take your data and privacy very seriously. We are a company born out of GDPR and are happy to comply with these standards in order to respect our users' data privacy.
advaisor AG commits to respect and safeguard privacy rights through sufficient data protection.
When exchanging personal data in the course of business activity within advaisor AG or with third parties, advaisor AG commits to comply with internal data protection policy and applicable laws.
In order that advaisor AG can discharge its responsibilities, every employee is obliged to observe the privacy and data protection policy of advaisor AG.
During data processing the following basic principles must be observed:
Personal data is obtained and processed transparently and lawfully. Local laws must be observed.
Data processing requires justification or consent.
Personal data may only be processed for a pre-determined purpose. Processing for other purposes is not allowed without approval.
Information about individual persons must be kept accurate, complete and up to date.
Personal data must be kept secret. Sufficient organizational and technical measures must be taken in order to prevent unauthorized access, unintentional loss, damage, unallowed alteration or deletion.
Data must not be kept longer than necessary or as it is prescribed by law. Possible erasure must be verified in regular intervals.
The respective person's right of information, correction, deletion or blocking of data must be respected.
When transferring data to third parties, data protection must be guaranteed.
Data transmission within advaisor AG may only take place if equivalent protection is ensured.
If required by local legislation, there must be a notification about cross-border data transmission and concurrence needs to be obtained in advance.
If there are questions relating to data protection, please contact the data protection officer for advaisor AG.
advaisor AG has the declared goal to be a trustworthy business partner as well as a good corporate citizen. This includes respecting personal data and their protection. We, therefore, commit ourselves to protect our employee data, client, customer data and all further personal data, which can be exchanged with advaisor AG. advaisor AG performs all activity in accordance with applicable laws regarding the protection of individual data and data security.
This policy defines the basic rules and principles on the protection of personal data. It explains how these basic rules must be realized in the various corporations and how personal identifying data must be processed.
Jurisdiction and scope of application
This policy covers all processing of personal data, particularly including collecting, processing, exchanging, storing and usage by advaisor AG – corporation.
All employees of advaisor AG have to comply with this Policy.
This policy lays down the minimum standard concerning handling of personal data.
All employees of advaisor AG are responsible for observing this Policy and commit to comply with the relevant data protection regulations.
All employees are expected to be aware of personal data processing, to know the fundamental procedure for handling individual data, and to know where to turn when they encounter problems.
Personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly. For instance, direct identification can be done through a name or photograph. Indirectly it can take place through a customer number, online identification data, or several particular factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In Switzerland, aside from natural persons' individual data, those of legal entities are protected as well.
Special categories of personal data (sensitive data)
It includes data requiring a higher level of security. Such personal data can contain information about the religious, ideological, political or union activities, as well as information regarding health, intimacy, or the racial or ethnic origin of a person. In addition, specifications relating to social welfare or administrative measures and criminal sanctions can be included. Data particularly worthy of protection is defined differently from country to country. National law must be observed at all times.
It means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
It means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
This means, information cannot be related to a person anymore. Identification must be irreversible. There may not be any identification features that allow identification.
It means personal data can no longer be attributed to a specific data subject without the use of additional information. It is ensured that personal data cannot possibly be attributed to an identified or identifiable natural person.
During the entire data-lifecycle, recording of all processing of personal data is ensured. Accesses and storage locations are secured. In that manner, advaisor AG can enhance transparency and comply with its regulatory obligations.
Every person or corporation interacting with advaisor AG that is not a corporation or employee of advaisor AG. Third-party includes external corporations, particularly controllers or processors.
This means the disclosure of personal data to a third party. Third-party may be a corporation of advaisor AG or even a processor. When transferring data cross-border advaisor AG must comply with applicable regulations.
It means a breach of security, whether unintentional or unlawful, leading to destruction, loss, alteration, or unauthorized disclosure of or unauthorized access to personal data that have been conveyed, stored or otherwise processed.
Compliance with the principles of personal data processing
When processing personal data within advaisor AG, the General Data Protection Regulation of the EU (2016/679) principles must be followed.
Employees of advaisor AG will at all times consider the manner of collecting and processing of personal data.
Individual data must be lawfully acquired under observation of this Policy. If local law stipulates stricter rules, these must be observed.
Employees and managers must regard the following recommendations for action:
Personal data may only be acquired and processed if a sufficient legal basis exists. In part, this results from the usual object of business; however, local law must be observed as well.
The person must be informed prior to acquisition and use of individual data or there has to be legitimate interest for data processing.
Personal data may only be collected, if it is necessary for a specific purpose.
Data may only be used to the extent stipulated by a data protection provision or where the acquisition aims to serve legitimate interests and the person concerned must reasonably assume data collection.
If the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party, processing is allowed.
When processing data as a processor, the third party as controller is responsible for obtaining the right to process the relevant personal data. Doubts regarding its legitimacy have to be clarified with the controller.
If appropriate, personal data is anonymized or pseudonymised directly after their acquisition.
Processing for a specific purpose
Individual data may be processed exclusively for prescribed, explicit and legitimate purposes. In no event may personal data be processed in a manner that is incompatible with the purposes for which the individual data was collected.
Every employee processing data is responsible for lawful processing.
Where possible, advaisor AG allows cross-corporation and cross-border exchange of personal data. This requires all corporations to observe the purposes intended originally. Its expansion or a change in purpose are only permissible with the respective person's informed consent or if national law of the first corporation permits this alteration.
When processing personal data as a processor, the third party needs to authorize these permitted purposes as well as expansion or change in purpose.
Employees and managers must regard the following recommendations for action:
When collecting data, the legitimacy of processing needs to be clarified. In case of doubt, collection must be renounced or further clarification obtained from a supervisor or the data protection officer.
Purposes must be determined at the time of data collection.
Personal data will only be exchanged, as far as it is required by business.
Measures must be taken to preferably prevent abuse. These measures need to adjust to the sensitivity of personal data.
Organizational and technical measures of advaisor AG must be followed.
Personal data will be kept only as long as necessary or if there is a legal obligation to do so.
Within advaisor AG, personal data shall be processed in a transparent way. Persons affected by data processing must be made aware and be informed about the purpose of processing, except when apparent from the context.
Insofar as personal data has not been gathered from the affected person, informing the person is unnecessary where this serves to protect the affected person or the rights of other persons, where the person concerned has already been informed, or where this would mean a disproportionate effort.
As a processor, advaisor AG informs the controller when processing personal data.
National laws must be observed. The idea of transparency weighs differently in the various national laws.
Data quality and data minimization
Only correct personal data may be processed. It is necessary to ensure that data that is incorrect or incomplete in view of the purpose of its collection is either corrected or destroyed.
Data processing needs to adjust to the principle of data minimization. The objective is to only gather, process, or use indispensable personal data, meaning as little personal data as possible. The advantages of anonymization and pseudonymization can be used as far as effort is proportionate to the intended purpose.
Personal data that were gathered for a business objective that no longer applies, and that are no longer necessary, must be erased. In case of a legal obligation to keep the data, it needs to be locked rather than deleted.
Data processing must be traceable across the complete life-cycle.
Transfer of personal data to advaisor AG and third parties
It may be the case that personal data are exchanged with other employees, corporations or even third parties, who process them. Transfer is only permissible within the framework of legitimate purposes of business and according to the respective laws.
When transferring data as a processor, legitimacy and scope need to be clarified in advance with the third party and controller. Standardized procedure is possible according to technical and organizational measures.
During transfer to a third party, the following must be complied with:
Personal data may only be processed in the course of their original purpose.
It needs to be ensured that the third party is able and willing to protect personal data appropriately.
Data protection must be regulated in a contractually binding way.
A risk assessment should be performed to ensure that sufficient technical and organizational security measures exist. These measures must be controlled.
A third party instructed with processing must be carefully chosen.
advaisor AG remains responsible for the legitimacy of processing.
Should the use of personal data by third parties require a transfer abroad. Partially, an exchange within business processing is imperative as a matter of fact.
The following needs to be observed regarding cross-border transfers:
There must be justification for transmission (e.g. business need).
National legislation must be complied with. For instance, Switzerland and the EU permit cross-border data transmissions only where the recipient country has a similar data protection level or the third party guarantees a comparable data protection level.
Transmission of personal data within advaisor AG is regulated by standard agreements among the various corporations. Through IT-infrastructure, access is already partially regulated and where it is necessary, restricted. Access must be limited to the minimum necessary. If an employee needs additional access to personal data of another corporation, this must be approved by senior management.
Transmission of personal data within projects may only take place after consultation with the client. Standardized procedure is possible in accordance with technical and organizational measures.
If personal data are to be exchanged with a third party who is located in an insecure third country, data protection must be ensured by other means (e.g. conclusion of standard contract).
It should be noted that for a cross-border data transmission, data doesn't have to be actually transferred. It is sufficient to give a third party access to the personal data (e.g. remote access suffices).
advaisor AG is very attentive to the assurance of data security. Personal data must be protected as well as all sensitive business records.
Every employee is called upon to assume responsibility for secure and responsible handling of the IT equipment.
To guarantee the required data security, every corporation takes adequate technical and organizational measures to protect personal data against unintentional or unlawful erasure, wrongful use, alteration, loss, destruction and against unauthorized transmission or access.
For an appropriate protection of personal data, particularly entry, access and admission controls, transmission controls, input controls, order controls, availability controls, and separation controls are applied. More detailed measures are recorded in the technical and organizational measures.
advaisor AG and all subsidiary companies have to take relevant security measures and must observe the General Policy regarding technical and organizational measures as well as the Security Policy.
Data protection compliance is vetted by the data protection officer. Supervising compliance with data protection and confidentiality requirements, the data protection officer is entitled to demand information and inspection from advaisor AG at all times. He may perform audits at regional companies or let those be carried out by third parties.
The results of an inspection must be communicated to the advaisor AG management. If nonconformities are found, corrective measures must be pointed out.
Regular trainings are required to convey the basic knowledge for maintaining data protection.
Data protection officer (DPO)
The data protection officer is responsible for data protection of advaisor AG.
The data protection officer performs his tasks independently and without directives. He must be assigned the necessary competences by the management.
Right of Information, Correction, Erasure and Blocking of Data
advaisor AG must create a process to satisfy requests of persons concerned within one month.
It is necessary to ensure that affected persons can exercise their individual rights. A person has the right to demand information regarding his processed personal data, as well as their correction, blocking or erasure.
The data protection officer must be informed about such requests.
A request concerning a client’s customer personal data must be forwarded and replied to in consultation with the client.
When collecting personal data, and particularly when acquiring IT systems, it has to be ensured that an appropriate process is implemented.
Cooperation with each other and with Data Protection Supervisory Authorities
Upon requests and complaints, advaisor AG will provide each other with assistance regarding non-compliance.
advaisor AG further commits itself to cooperate with the Data Protection Supervisory Authority in connection with the implementation of data protection concurring with compliance.
The admissibility of personal data processing is assessed in the light of the respectively applicable local law. Insofar as local law demands a higher level of security than this policy, data processing conforms to applicable law. Every advaisor AG subsidiary must examine by itself, if there are such local regulations (e.g. data protection laws) and ensure their observance.
Provided that applicable local law in each case stipulates lower protection for personal data than this policy, the following regulations will be applicable.
If obligations arise from the applicable local law that conflict with this policy, the concerned advaisor AG subsidiary must inform the data protection officer without delay.
Introduction and Implementation
Training and Awareness
At the beginning of a new employment, the respective employee must be informed about the data protection regulations. All employees are obliged to familiarize themselves with this Policy as well as the data protection regulations applicable in their country.
Every employee is required to take part in data protection training.
Reporting (potential) breach of contract
Every employee who learns about a violation of applicable data protection law or this Policy is required to report this. The data protection officer can be notified directly. advaisor AG will not permit any retaliatory measures as a consequence of such reports and will protect its employees.
Violation of this Policy
In case of violation of this Policy or applicable data protection law, advaisor AG may take disciplinary action or further measures. Aside from warnings, grave and repeated violations may imply employment law measures. If a third party infringes on these data protection regulations, the respective contractual relationship may be dissolved.
Every employee is required to observe data protection within his or her position. Superiors shall be a role model for employees and offer assistance regarding questions of their subordinate employees.
This policy comes into effect on 01.09.2019
The implementation of these policies within advaisor AG is overseen by our Data Protection Officer available at dpo'at'advaisor.io