Privacy Policy of Swiss Finance & Property Group governing job applicants’ data
1. Introduction/what is this Privacy Policy about?
Data protection and data privacy require trust and transparency. This is why we are explaining to you in this Privacy Policy how and for what purposes we collect, process and use your personal data.
Among other things, this Privacy Policy will tell you:
- what personal data we collect and process;
- for what purposes we use your personal data;
- who has access to your personal data;
- what benefits our processing of your data have for you;
- how long we process your personal data;
- what your rights are with regard to your personal data; and
- how you can contact us.
We have aligned this Privacy Policy with the Swiss Data Protection Act and the EU General Data Protection Regulation (GDPR). The GDPR has established itself globally as a benchmark for strong data protection. Whether and to what extent the GDPR is applicable depends on the individual situation.
We may make additional privacy policies available to you if this seems useful to us. Such additional privacy policies will supplement this Privacy Policy and have to be read together with this Policy.
2. Who are we?
We are Swiss Finance & Property Group AG (“SFP”) and its subsidiaries (“SFP Group”), Seefeldstrasse 275, 8008 Zurich. As an independent fund management company and securities firm, we specialise in the entire value chain of real estate and infrastructure investments and combine our real estate and financial market expertise. We offer our products and services to investors in Switzerland and are expanding into selected international markets.
The following companies are currently part of the SFP Group:
- Swiss Finance & Property Ltd, Zurich
- Swiss Finance & Property Funds Ltd, Zurich
- VIGA Re Management ApS, Copenhagen
- Swiss Finance & Property UK Ltd, London
- SFP Infrastructure Partners Ltd, Zurich
- Swiss Finance & Property Deutschland GmbH, Frankfurt
You can find more information about the SFP Group at www.sfp.ch.
3. Who is responsible for data processing?
Under data protection law, the party who is responsible for data processing is the person who determines whether the processing should be done, for which purposes it should be done, and how it is to be done. Under this Privacy Policy, the Group company to which you apply for a position is responsible for data processing. In this case, this Privacy Policy must be observed, as well as any additional privacy rules of the subsidiary concerned. If your application is not for a specific position at a specific Group company, Swiss Finance & Property Group AG, Seefeldstrasse 275, 8008 Zurich, the parent company of the SFP Group, is responsible.
4. To whom and for what purposes does this Privacy Policy apply?
This Privacy Policy applies to all persons who apply for a job at the SFP Group as part of an application process or unsolicited and whose data we process as a result, regardless of how they contact us, e.g. in person, via the careers portal on the website, by telephone, via a social network, at an event, etc. It is for information purposes and does not form part of any contract. It applies to the processing of both personal data that have already been collected and that will be collected in future.
Our contractual provisions may contain additional references to our data processing activities. Please also consult these provisions. In addition, please read our Cookie Policy for more information about the collection and processing of personal data in connection with the use of our websites and social media, in particular with regard to cookies and similar technologies.
5. What personal data do we process?
“Personal data” are information that can be linked to a specific person. We process different categories of personal data. The most important categories are explained below. In some cases, however, we may also process additional personal data.
Section 6 provides more details of where these data come from; section 7 sets out the purposes for which we process them.
5.1. Personal data of job applicants (“recruiting data”)
We process the data required as part of the application process, such as your name, contact details, date of birth and details of your CV, as well as other personal data in connection with filling a vacancy where this is required by legal obligations or special duties of due diligence, e.g. information in connection with references (in what follows, the term “recruiting data” is used for all personal data of job applicants).
Recruiting data include, for example:
- title, first name, surname, gender, date of birth;
- address, email address, telephone number and other contact details;
- details of your CV (employer, position, function, etc.);
- degrees and certificates;
- excerpts from criminal and debt collection records;
- information obtained from background checks;
- details of your application status; and
- official documents in which you appear (e.g. identity documents, commercial register excerpts, permits, etc.).
5.2. Communication data
If you are in contact with us or we are in contact with you, we process the communication content exchanged and information about the type, time and place of communication.
Communication data include, for example:
- name and contact information, e.g. postal address, email address and telephone number;
- contents of emails, written correspondence, chat messages, social media messages, telephone conversations, video conferences, etc.;
- information about the type, time and reason for the communication; and
- metadata of the communication.
Telephone conversations and video conference calls with us may be recorded, e.g. owing to regulatory requirements. We will inform you at the beginning of the conversation whether it will be recorded or not. If you do not wish us to record such conversations you can interrupt them at any time and contact us via another medium (e.g. email).
5.3. Technical data
When you use our websites, wifi network or other electronic offers, we collect specific technical data, e.g. your IP address or device ID. Technical data also include log files recording the use of our systems. Sometimes we may also allocate a unique identifying number (ID) to your end device (PC, smartphone, etc.) using cookies or similar technologies, so we can recognise your device the next time you visit us.
We may in particular also use the technical data to obtain information about your behaviour, such as details of your website use. More information about this is provided in our Cookie Policy.
5.4. Film and sound recordings
For security and evidential purposes, we may take video recordings of our office premises. These may provide us with information about your behaviour in these places. The use of video surveillance systems is limited to specific locations and is indicated.
Film and sound recordings include, for example:
- recordings from video surveillance systems; and
- recordings of telephone conversations and video conference calls (owing to regulatory requirements).
6. Where do the personal data come from?
6.1. Personal data made available to us
You disclose your personal data to us yourself when you register on the career portal, upload application documents or communicate with us.
You usually provide your personal data to us voluntarily, i.e. you are not obliged to give it to us. However, some personal data we need to collect and process in order to be able to consider you in the application process, in particular under legal provisions.
If you send us data about third parties (e.g. as an recruitment agency or headhunter), we assume that you are authorised to do so and that the data are correct. Please make sure that such persons have been informed about this Privacy Policy.
6.2. Collected data
We may also collect personal data about you ourselves or automatically, e.g. when you visit our websites. Most of the time these are technical data.
6.3. Received data
We may also receive personal data from other SFP Group companies. More information on this is provided in section 9.1. In addition, we may receive your personal data from other third parties, e.g. business partners, persons who communicate with us, or public sources.
For example, we may receive your personal data from third parties in the following cases:
- from Group companies that forward the documents of potential candidates;
- from recruitment agencies or headhunters;
- from people close to you (family members, legal representatives, etc.), e.g. your contact details, references or powers of attorney;
- from the Swiss Post Office and address dealers, e.g. for address updates;
- from authorities, parties and other third parties in connection with official and court proceedings;
- from public registers such as the debt enforcement or commercial register.
7. For what purposes do we process the personal data?
7.1. Application process
You are a candidate for a vacant position or have submitted an unsolicited application to SFP. We therefore process your personal data for the purposes of recruitment and, potentially, to establish employment. In particular, we use recruiting data and communication data for this purpose.
During the application process, we may carry out the following processes, for example:
- registering in the SFP candidate profile;
- recruitment tests;
- conducting application processes and interviews; and
- carrying out background checks.
7.2. Communication
We will be in touch with you during the application process. We therefore process personal data for the purposes of communicating with you, e.g. arranging a job interview or answering questions from you. In particular, we use recruiting data and communication data for this purpose.
7.3. Security
As we wish to provide the best possible security, we also process personal data for security purposes, in particular to guarantee IT security and for evidentiary purposes. This generally involves all data categories, but in particular film and sound recordings and technical data. We may capture, analyse and store the data for the purposes mentioned.
To guarantee security we may carry out processing for the following purposes, for example:
- producing and evaluating audio and video recordings (manually and automatically);
- analysing log files showing the usage of our systems;
- preventing, warding off and investigating cyber attacks and malware attacks;
- analysing and testing our networks and IT infrastructure as well as system and error checks;
- controlling access to electronic systems (e.g. log-ins to user accounts);
- physical access control (e.g. access to offices); and
- documenting and preparing backups.
7.4. Safeguarding our rights
As we wish to be able to enforce our claims and defend ourselves against third-party claims, we also process personal data in order to safeguard our rights, e.g. to enforce claims before the court, prior to court proceedings or out of court, before Swiss and foreign authorities, or to defend ourselves against claims. Depending on the situation, we process various personal data, including of course recruiting data.
To safeguard our rights we may carry out processing for the following purposes, for example:
- investigating and enforcing our claims;
- defending claims made against us, our employees, and companies affiliated with us;
- investigating the prospects for litigation and other legal, economic and other issues; and
- participating in proceedings before courts and authorities in Switzerland and abroad. For example, we may secure evidence, arrange for the chances of success in litigation to be investigated or submit documents to an authority. The authorities may also require us to disclose documents and data carriers that contain personal data.
7.5. Administrative support within the SFP Group
As we wish to organise our internal processes efficiently, we also process personal data for the internal administrative purposes of the SFP Group. For this purpose we process communication data and technical data in particular, but also recruiting data if necessary.
Administration may include processing for the following purposes, for example:
- IT, risk and compliance management;
- central storage and management of data used by several companies within the SFP Group;
- forwarding enquiries to the units responsible; and
- generally reviewing and improving internal processes.
Like every corporate group, the SFP Group has an overall interest in ensuring the successful operations of its group companies, and our group companies in turn have an interest in their own activities and purposes of processing. We may therefore also disclose personal data to other companies of the SFP Group in order to support their own processing purposes under this Privacy Policy in the interests of the whole SFP Group.
8. On what lawful basis do we process personal data?
Depending on the purpose for processing, our processing of personal data is based on different lawful bases. We may in particular process personal data if processing:
- is required for the performance of a contract with you or the execution of pre-contractual measures (e.g. to review an application for a contract);
- is based on consent; and
- is required for compliance with Swiss or foreign legal provisions.
We in particular have a legitimate interest in processing data for the purposes described in section 7 and the disclosure of data in accordance with section 9 and the related objectives. Legitimate interests refer to our own interests as well as the interests of third parties.
Legitimate interests include for example, an interest in
- supporting the internal management and communication processes in the Group that are essential for cooperation in a company that also employs part-time staff;
- providing mutual support for the activities and objectives of Group companies;
- compliance and risk management;
- ensuring IT security, in particular in connection with the use of websites and other IT infrastructure;
- securing and organising business operations, in particular the operation and further development of websites and other systems;
- managing and developing the company;
- enforcing or defending legal claims; and
- complying with Swiss and foreign law as well as internal regulations.
9. To whom do we forward personal data?
9.1. Within the SFP Group
We may forward personal data received from you or from third-party sources to other companies of the SFP Group. Data may be passed on for internal Group administration or to support the Group companies concerned and their own processing purposes. The relevant Group companies may also compare and link the personal data received to personal data already held.
9.2. Outside the SFP Group
We may also forward your personal data to companies outside the SFP Group if we make use of their services. These service providers generally process personal data on our behalf as “order processors”. Our order processors are obliged to process personal data solely in accordance with our instructions and implement suitable measures to ensure data protection. Some service providers are also responsible jointly with us or independently, and in these instances we ask you to note the privacy policies that the service provider in question provides.
It may also happen that we forward personal data to other parties for their own purposes, e.g. if you have given us your consent or we are obliged or authorised by law to forward the data. In these cases, the recipients of the data are their own controllers under data protection law.
This includes the following cases, for example:
- obtaining references in which we disclose your application to us and details of the relevant position:
- disclosing personal data to courts and authorities in Switzerland and abroad, e.g. to the prosecuting authorities if there is suspicion of criminal offences;
- processing personal data to comply with a court ruling or official order or enforce or defend legal claims or when we consider it necessary for other legal causes. We may also disclose personal data to the other parties involved in legal proceedings.
Again, please note the privacy policies that the third party may provide to you. Please also see our Cookie Policy for information about the independent collection of data by third-party providers whose tools are integrated into our websites and apps.
10. To whom do we disclose personal data abroad?
We mostly process and store personal data in Switzerland and the European Economic Area (EEA). In specific cases we may also disclose personal data to service providers and other recipients located outside this area or who process data or have data processed by their own service providers outside this area, i.e. in any country in the world. Such countries may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. Where we transmit your personal data to such countries, we implement measures to ensure your personal data are adequately protected.
Measures to ensure adequate data protection include, for example, entering into data transfer agreements that require the recipients of your personal data in third-party countries to ensure the required data protection. These include agreements that have been approved, issued or recognised by the European Commission and the Federal Data Protection and Information Commissioner, known as standard contract clauses. Please note that while such contractual agreements partly compensate for weaker or absent statutory protection, they cannot completely rule out all risks (e.g. state access abroad). In exceptional cases it may be permitted to transfer data to countries that do not apply adequate data protection, e.g. on the basis of consent, in connection with foreign legal proceedings, or if the transfer of data is required for the performance of a contract.
11. How do we process sensitive personal data?
Some types of personal data are considered “sensitive” under data protection law, e.g. information about health, trade union activity or criminal prosecution. Depending on the situation, the categories of personal data specified in section 5 may also include sensitive personal data. As a rule, however, we only process sensitive personal data if it is necessary as part of the application process, you have disclosed these data to us voluntarily or you have consented to the processing. We may also process sensitive personal data if this is necessary for legal protection or to comply with Swiss or foreign regulations, if the relevant data have obviously been publicly disclosed by the data subject or if the applicable law otherwise permits processing.
We process sensitive personal data insofar as you provide information about your health, trade union membership or criminal record as part of the application process.
12. How do we protect your personal data?
We take suitable security measures of a technical and organisational nature to ensure the confidentiality of your personal data, defend against unauthorised or unlawful processing and counteract the risks of loss, unintended amendment, involuntary disclosure or unauthorised access. Like all companies, we cannot entirely rule out breaches of data protection, and some residual risks unavoidably remain.
Technical security measures may include, for example, encrypting and pseudonymising data, logging, access restrictions and storing backup copies. Organisational security measures may include, for example, directives to our employees, confidentiality agreements and controls. We also oblige our order processors to implement adequate technical and organisational security measures.
13. How long do we process personal data?
We process and store your personal data:
- for as long as necessary for the purpose of processing or purposes compatible with this;
- for as long as we have a legitimate interest in storing the data. This may in particular be the case if we need personal data to enforce or defend claims, for archiving purposes and to guarantee IT security;
- for as long as the data is subject to a statutory archiving obligation. Some data, for example, must be retained for ten years. Shorter retention periods apply to other data, e.g. video surveillance recordings or records of specific Internet processes (log files).
We are guided by the following retention periods, for example, although we may deviate from them in individual cases:
- Recruiting data: with job applications we delete personal data within six months of completion of the application process. With your consent, we may keep your application pending for future employment.
- Communication data: emails, messages included in contact forms and written correspondence are usually stored for at least ten years or ten years after the end of the relevant client or tenant relationship.
- Technical data: we usually store technical data for six months. The storage period for cookies mostly ranges from a few days to two years, unless they are deleted immediately after the end of the session.
- Film and sound recordings: the retention period depends on the purpose. It ranges from a few days for recordings by surveillance cameras to several years for reports about events that contain photos.
14. What are your rights in connection with the processing of your personal data?
You have the right to object to the processing of your data, in particular if we process your personal data on the basis of a legitimate interest and the other applicable conditions are met.
If the applicable conditions are met and no statutory exceptions apply, you also have the following rights:
- the right to ask us about your personal data stored by us;
- the right to have inaccurate or incomplete personal data rectified;
- the right to request the erasure or anonymisation of your personal data;
- the right to request restriction of processing of your personal data;
- the right to receive specific personal data in a structured, commonly used and machine-readable format;
- the right to revoke your consent with future effect where processing is based on consent.
Please note that these rights may in individual cases be limited or excluded, e.g. if there is doubt regarding your identity or this is required to protect other persons or overriding interests or to ensure compliance with statutory obligations.
You can contact us at any time if you wish to exercise one of the above rights or if you have questions about the processing of your personal data.
Please also contact us if you have any doubts about whether the processing of your personal data complies with the law. The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).
15. How can you contact us?
You are welcome to contact us at any time if you have any questions about this Privacy Policy or the processing of your personal data:
Swiss Finance & Property Group AG
Seefeldstrasse 275
8008 Zurich
Switzerland
Email: dataprotection@remove-this.sfp.ch
However, you can also contact any of the other controllers (section 2).
16. Amendments to this Privacy Policy
We reserve the right to update and amend this Privacy Policy from time to time in order to take account of changes in the manner in which we process your personal data or changes in the law. All future amendments to our Privacy Policy will be published on our website.
