Privacy policy for loan and mortgage agreements

1. Basic rule and scope

This privacy policy applies to data processing in connection with loan and mortgage agreements (hereinafter referred to as “loan agreements”) with Baloise Insurance Ltd, Baloise Life Ltd, the Pension Foundation of Baloise Insurance Ltd and Baloise Bank Ltd (together hereinafter also referred to as “Baloise” or “we”; see clause 2). At the time the application for a loan agreement is submitted, it is not yet clear which of the above-mentioned companies will be the lender. You will be informed of the company acting as the lender before the agreement is concluded, except in cases in which the application is submitted directly to Baloise Bank Ltd. In such cases, the contracting party is always Baloise Bank Ltd. We process your personal details (hereinafter also referred to as “data”) or the personal details of other persons insofar as this is necessary for the conclusion or servicing of the loan agreement.

Personal details are data that relate to an identified or identifiable natural person. Sensitive personal data are personal details that are specially protected by law due to their sensitivity, for example health data. Processing means any form of handling of your data, in particular collection, storage, use, disclosure, archiving or deletion. We comply with the Federal Data Protection Act (FADP), the implementing ordinance (DPO) and any other data protection laws applicable in individual cases (e.g. the European General Data Protection Regulation [GDPR]).

In the following, we will show what data we collect, what we use it for and what your rights are in this regard.

We not only process data of our borrowers, but also data of third parties, in particular of the following persons (each referred to as “they”):

Prospective customers
Further borrowers and third parties (e.g. family members)
Authorised representatives and agents
Guarantors (e.g. third-party pledgors, banks)
Persons asserting claims and other parties involved (e.g. sellers, notary’s offices)
Contact persons of companies and partners (e.g. intermediaries) as well as official bodies and authorities

When you transmit data to us via third parties, we assume that you are authorised to do so and that this data is correct. Therefore, please inform these third parties about the processing of their data by us and provide them with a copy of this privacy policy. If we refer you to a new version of these documents, please also hand over this new version in each case.

Our employees are regularly trained on data protection topics and are sworn to secrecy. In addition, our data protection unit monitors compliance with data protection regulations.

2. Bodies responsible and contact details

The following companies are responsible under data protection law for the data processing described here:

Baloise Insurance Ltd
Aeschengraben 21
4002 Basel, Switzerland
Baloise Life Ltd
Aeschengraben 21
4002 Basel, Switzerland
Pension Foundation of Baloise Insurance Ltd
Aeschengraben 21
4002 Basel, Switzerland
Baloise Bank Ltd
Amtshausplatz 4
4502 Solothurn, Switzerland

(together hereinafter referred to as “Baloise” or “we”)

If you have any data protection concerns or wish to exercise your rights under clause 10, you can contact our data protection unit as follows:

Baloise Insurance Ltd
Data protection unit
Aeschengraben 21, P.O. Box
4002 Basel, Switzerland
Email: datenschutz@baloise.ch

Baloise Bank Ltd
Data protection unit
Amtshausplatz 4
4502 Solothurn, Switzerland
Email: datenschutz-bank@baloise.ch

3. Categories of personal details processed

3.1 General information

In the context of loan and mortgage agreements, we process the categories of data described below, although this list is not exhaustive.

In the event of changes to data over time (e.g. due to a change of address, a change in civil status or another modification), we may continue to store the previous status of such data in addition to the current status within the framework of the statutory storage periods.

3.2 Master data

Master data includes, in particular, contact information (e.g. name, address, telephone number and email address), personal details (e.g. date of birth, age, gender, nationality, data from identification documents, occupation, employer), other identification data (e.g. AHV number, customer number, tax identification number) or information about your relationship with us (e.g. partner / customer status, customer history). Account information is also collected, including bank account details (e.g. account numbers).

We receive master data from you or from third parties, for example Baloise Group companies, custodian banks, credit agencies or public registers (e.g. the Land Register). We also receive data in connection with address changes, as we are involved in an address update network which sends us and the other companies involved in the network updated address data (e.g. the new address after a move).

3.3 Contract data

This is data that is collected in connection with the conclusion or processing of a contract. Contract data includes data from applications, contracts and information from pre-contractual relationships, for example information from consultations, information from other existing (third-party) contracts, for example type and date of contract conclusion as well as further information on the relevant contract, portfolios and watch lists, liabilities, income, turnover and investments, documentation on the property to be financed, market value estimate, interest rate, collateral, repayment and fees, term of the contract.

Contract data also includes financial data, that is, information on assets and their origins as well as budget details (e.g. own funds, savings, pension assets, liabilities and expenditure), information on earned income, pension income and income from investments, your creditworthiness (e.g. scoring, rating and creditworthiness data in the context of lending) and your payment history (i.e. information regarding payment demands and debt collection).

We generally collect contract data directly from you and from third parties involved in the processing of the contract as well as from publicly accessible registers (e.g. Land Register).

3.4 Data relating to compliance with legal obligations

This includes data relating to the compliance with legal obligations incumbent on us and the related clarification and reporting in the context of combating fraud, money laundering and terrorism. We obtain such data from publicly available sources and registers (e.g. sanctions lists) or from public authorities (e.g. information on US citizens / double citizens, economic background, beneficial owners, information on the origins of, and rights to, assets, controllers, politically exposed persons, matching with sanctions lists).

3.5 Communication data

When you contact us via the contact form, our Customer Service, by email, telephone or chat, by letter or via other means of communication (e.g. customer portal), we collect the data exchanged between you and us, including your contact details and the marginal data of the communication.

We will specifically point out to you if we record telephone conversations, such as for evidence or training purposes. If you do not wish to be recorded, please let us know or end your call.

When communicating with you, for example when you submit a request for information, we sometimes also collect data to establish your identity (e.g. information from official identification documents, answers to security questions) in order to prevent us releasing information to unauthorised third parties.

3.6 Behavioural and preference data

In order to provide you with the best possible service and advise you on our products and services, we would like to find out your preferences and determine your requirements. To do this, we collect and use data about your behaviour when you interact with us and about the preferences you tell us or that we identify.

Behavioural data are details of certain actions, such as the use of electronic means of communication (e.g. whether and when you opened an email), the use of our websites (for more information, see baloise.ch/en/about-us/information/privacy-policy.html) or customer portals, the way in which you obtain products and services, your interaction with our social media profiles and your participation in prize draws, competitions and events. Preference data tells us about your requirements and which products or services might be of interest to you. We obtain this information from the analysis of existing data, such as behavioural data, so that we can tailor our consultation and our offers more precisely to you.

3.7 Other data

We may also collect data from you in other situations. In connection with official or judicial proceedings, for instance, data accumulates (e.g. files, evidence) that may also relate to you. We may also collect data for health protection reasons (e.g. within the framework of protection concepts).

We may receive or produce photographs, videos and audio recordings in which you may be identifiable (e.g. at events, by security cameras, etc.). You will always be asked for your consent or informed accordingly in advance. For security purposes, we may also collect data on who enters certain buildings and when, or who has corresponding access rights (e.g. in the case of access controls or based on registration data or visitor lists, etc.), who participates in events or campaigns (e.g. competitions) and when, or who uses our infrastructure and systems.

We obtain the data mentioned here primarily from you, but also from third parties (e.g. authorities) and in some cases also from our Baloise Group companies.

4. Purposes of data processing

Your data will only be processed by us for the purposes we have indicated to you when collecting your data, or if we are legally obliged or entitled to process it. For further details on the basis of our processing, please refer to clause 5.

4.1 Pre-contractual measures, conclusion of contract, contract settlement

Prior to the conclusion of a contract, we process your data in order to offer you the desired consultation and relevant products as well as to contact you in this regard.

In the course of initiating business, personal details – in particular master data, contract data and communication data – of potential customers and other contracting parties are collected or they result from a communication. We also process data in connection with the conclusion of the contract to check creditworthiness, in this case regarding credit standing and rating, to value collateral and to initiate the customer relationship. In some cases, this information is checked for compliance with legal requirements. If you apply to us for a loan, we also need your information to assess and evaluate the risk to be assumed by us (if necessary also with the assistance of third parties, e.g. companies of the Baloise Group). We may also carry out automated data processing and create customer profiles as a basis for our calculations (see clause 6 below). The decision to offer you a suitable loan agreement is not governed by any automated individual decision-making process.

If the contractual relationship is established, we process your data to implement the contractual relationship, in particular to provide and claim contractual services (e.g. repayments and interest charges), to manage the customer relationship (to prepare loan interest and capital certificates), as well as to communicate with you. This also includes consultation and customer support, the enforcement of legal claims arising from contracts (debt collection, court proceedings, etc.) as well as accounting or termination of contracts. In cases involving non-performing loans, we may need to process your data with the involvement of third parties. In this context, we process primarily master data, contract data and communication data.

In the case of collaboration with other companies, such as within the framework of corporate partnerships or in relation to intermediaries, we also process master and contract data in particular for the purpose of initiating and processing contracts.

4.2 Statistical evaluations and data analyses

Data that we require for statistical evaluations and data analyses are anonymised and aggregated and no longer allow any conclusions to be drawn about your person. The aggregated data is required for the creation of statistics (e.g. for the development of new insurance rates, product development and adjustments) or for topic-specific evaluations and data analyses, as well as for sales reporting. We also use the data of all existing contracts – likewise without the possibility of drawing conclusions about you personally – to analyse the entire customer base and for the fulfilment of our contractual obligations, for example for consultation regarding a contract adjustment or contract amendment or for the provision of comprehensive information.

4.3 Marketing and offers for further products and services

We may use your data to send you advertising about our products and services as well as those of our group companies and business partners (including products and services not related to mortgages), for example in the form of newsletters or other regular contacts (by email or post, by telephone or as part of other marketing campaigns such as competitions, events). In particular, we use your communication data for this purpose.

In order to make our offers more relevant to your requirements and interests, we personalise some of our communications to allow for an individual approach. The individual approach can be made in writing or by telephone. To do this, we link data that we process about you – in particular master data, contract data, behavioural data and communication data – and determine preference data as a further basis for personalisation. We can also create interest profiles about you and divide you into advertising groups.

In order to provide you with comprehensive advice on insurance, assets, pension and financial matters (e.g. financing, fund and other financial investments) and to make you offers for further products and services or to advertise them to you, we may process your master and contract data as well as the information disclosed on the occasion of the consultation conducted with your customer adviser.

To manage our relationships with customers and third parties, we may also invite you to our customer events and inform you about our products and services before, during or after the event.

You can inform us if you do not wish your data to be processed for the above purposes or if you wish to revoke your consent in this regard (see contact address in clause 10).

4.4 Market research and product optimisation

We are committed to continuously developing our products and services to meet your needs. Therefore, we also sometimes contact you for market research purposes and use the results in anonymised form for addressing various questions within the company. To determine customer satisfaction, we can ask you about your experience with us. We also use your responses to contact you personally, to actively address your concerns and to improve our internal processes. We also collect, store and process your data for the evaluation, improvement and redevelopment of our products and services. In doing so, we analyse which products are used by which groups of people and which adjustments would be necessary in the future. The results of these analyses are – as far as possible – carried out in pseudonymised or anonymised form. For this purpose, we process the previously described master data, behavioural data and preference data as well as communication data.

4.5 Statutory and regulatory obligations

In order to comply with laws and regulatory obligations (e.g. Anti-Money Laundering Act, sanctions), we must subject your data to more detailed investigations (e.g. with regard to identity, beneficial owners of funds or shareholdings in companies as well as for automated comparison with external watch lists) and in some cases share this data within the Baloise Group. We may be required to report to authorities or disclose records in certain cases. Personal details about you may be processed in the course of internal and external investigations, for example by law enforcement or supervisory authorities or an appointed private body.

The legal obligations may be subject to Swiss law, but also to foreign regulations to which we are subject. For these purposes, we process in particular your master data, contract data, claims data and communication data, but also behavioural data under certain circumstances.

4.6 Other purposes

We may also process your data for other purposes, for instance, as part of our internal processes and administration. This includes training, educational and administrative purposes (such as the management of master data, accounting, data archiving and the management and ongoing improvement of the IT infrastructure), the protection of our rights (e.g. to enforce claims in and out of court and before authorities in Switzerland and abroad, or to defend ourselves against claims, such as by preserving evidence, legal clarifications and participation in judicial or official proceedings), security purposes (e.g. access controls, monitoring of buildings), statistical purposes and the evaluation and improvement of internal processes. As part of the development of the company, we may also sell or acquire businesses, parts of businesses or companies to other companies or enter into partnerships, which may also lead to the exchange and processing of data.

Where we ask for your consent for certain forms of processing, we will inform you separately about the relevant purposes of the processing.

5. Principles of data processing

Where we ask for your consent for certain forms of processing, we will inform you separately about the relevant purposes of the processing. You can revoke your consent at any time by notifying us in writing with effect for the future. Once we have received notification of the revocation of your consent, we will no longer process your data for the purposes to which you originally consented. If consent is revoked, this will not affect the lawfulness of the processing carried out based on the consent previously given, up until the date of its revocation.

Unless we ask you for your consent to processing, we base the processing of your personal details on the fact that the processing is necessary for the initiation or execution of a contract with you or that we or third parties have a legitimate interest in doing so, for example in order to pursue the purposes described above under clause 4 and the associated objectives as well as to be able to take appropriate measures. Our legitimate interests also include the marketing of our products and services.

In addition, we may also base some of our data processing on a legal basis that entitles us to process personal details.

6. Profiling and automated individual decisions

For the purposes mentioned in clause 4, we may also process and evaluate your data automatically, i.e. electronically, in order to assess certain personal characteristics or behaviour (so-called profiling). This includes automated data processing, for example for combating money laundering and terrorist financing, for credit checks or individual risk evaluation and assessment as a necessary calculation basis for the agreement, as well as for identifying different interests and personal requirements for marketing purposes, product and service offers and services.

In the event that we base our decisions when concluding or processing a contract exclusively on automated data processing (so-called automated individual decisions) and if such decisions cause negative legal effects or significant disadvantages for you (e.g. conclusion of the contract, termination, risk exclusions, premium amount, denial of benefits) or if they affect you significantly in a similar way, we will inform you of this in an appropriate manner and separately inform you that you can have the relevant decision reviewed by us if necessary.

7. Recipients of personal details

In connection with the purposes set out in clause 4 above, we may also disclose your personal details to third parties, in particular to the recipients categorised below, who are bound by us to treat your details as confidential:

7.1 Baloise Group companies (group companies)

If necessary for contract conclusion or processing, data may also be shared with other companies belonging to the Baloise Group for the purposes of risk evaluation and assessment.

In order to comply with statutory obligations (e.g. in connection with investigations to combat money laundering and terrorist financing), we also transmit some data to companies of the Baloise Group (see clause 4.5).

In order to provide you with comprehensive advice on insurance, assets, occupational pensions and financial matters (e.g. financing, fund and other financial investments) and to provide you with offers for our own products and for the services of other group companies or to advertise them to you, we may also pass on your master and contract data as well as the information provided during the consultation conducted with your adviser within the Baloise Group (e.g. Baloise Bank Ltd, Baloise Insurance Ltd) for the purposes of contacting you and providing you with individual offers.

All group companies have been obligated by us to treat your data confidentially.

You can inform us if you do not wish your data to be shared for the above purposes or if you wish to revoke your consent in this regard (see contact address in clause 10).

You can request a list of the Baloise Group companies via the postal address or email address stated under clause 10 below.

7.2 Intermediaries

If you are advised by an intermediary with regard to your loan or mortgage agreements, this intermediary will receive the information necessary for your support and consultation as well as the marketing of our products (e.g. contract term, contract fulfilment and termination) from the data created about you with us. In doing so, we comply with the power of attorney issued to the intermediary by you. Intermediaries are bound by law and contract to observe the provisions of the FADP.

Baloise’s business partners that arrange mortgages for Baloise through their sales network are also considered intermediaries. When you conclude such a loan or mortgage agreement, your data may also be shared, with your consent, between us and the business partner for marketing purposes.

Please let us know if you do not wish your data to be shared for marketing purposes (see contact address in clause 10 below).

7.3 Official bodies and authorities

We may also share your data with official bodies, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to do so or if this appears necessary to protect our interests. This includes compliance with statutory notification obligations, the exercise of rights, the defence against claims and compliance with legal requirements, for example within the framework of official, judicial and pre- and extra-judicial proceedings as well as within the framework of statutory duties to inform and cooperate.

Data is also disclosed if we obtain information from public bodies, for example when checking an address.

7.4 Other third parties

When checking your creditworthiness with the help of credit agencies and when commissioning debt collection companies (e.g. to collect outstanding payments), we may share your data (concerning changes in payment behaviour occurring before and during the term of the contract) with these companies. In this respect, our legitimate interest is to ensure that the tariffs we set reflect the risks involved. These companies store your personal data and may disclose it to other contracting parties as part of their activities, provided such contracting parties have presented a credible legitimate interest in individual cases for having the data transferred to them.

Your data may also be shared for the aforementioned purposes with other recipients (e.g. parties to judicial proceedings or purchasers of assets or divisions of Baloise, auditing firms, Land Registry Offices and other public registers, notaries, pension funds, independent property appraisers and banks). Other persons are, in particular, recipients of a payment, authorised representatives, correspondent banks, other financial institutions and other bodies involved in a legal transaction.

7.5 Service providers in Switzerland and abroad

Some of our services and business functions (e.g. in connection with the purchase of IT services or for marketing campaigns) are provided on our behalf by legally independent companies in Switzerland and abroad (see clause 9 below), which may process data about you if this is necessary for the performance of the contract. These service providers are contractually obliged to adhere to our standards for data processing, as well as to the applicable data protection legislation. Where contractually or legally provided, such service providers may in turn engage third parties under the same conditions.

8. Transmission of personal details abroad

When your personal details are processed by recipients in accordance with clause 8 above, your data may also be transmitted abroad, for example when personal details are forwarded to other Baloise Group companies or to service providers. Under certain circumstances, we may also transmit data to third parties abroad who are involved in the processing of the contract (e.g. authorities and courts), as well as to other bodies such as foreign tax authorities.

Your data may therefore be processed worldwide, including outside Switzerland or the European Union or the European Economic Area (i.e. also in so-called third countries such as the US). Many third countries currently do not have laws that ensure a level of data protection equivalent to the applicable FADP. Therefore, following a risk assessment, we take contractual precautions to contractually compensate for the weaker legal protection, as well as further measures (e.g. pseudonymisation) to reduce the risk of state/government access abroad authorised by foreign legislation. We rely on the guarantees required by law, insofar as the recipient is not already subject to a legally recognised set of rules to ensure data protection and we cannot rely on an exceptional provision. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests, if the performance of a contract requires such disclosure, if you have given your consent or if it is a matter of data that you have made generally accessible and you have not objected to its processing.

9. Your rights

You have the following rights in accordance with the applicable data protection law and if the conditions are met:

You can request information about whether we process your personal details and, if so, what these details are.
You can request us to correct incorrect data or complete incomplete data or correct or complete such data yourself to a limited extent via the customer portal at any time.
You may request the erasure of your data unless we are required or authorised to retain your data under applicable laws and regulations.
You may request that the data you have provided be released or transferred to another data controller in a commonly used electronic format, provided that the processing is carried out using automated processing, you have consented to the processing, or your data is processed for the conclusion or settlement of the contract.
In cases in which the data processing is based on your consent, you have the right to revoke this at any time. If you revoke your consent this does not affect the lawfulness of the data processing undertaken on the basis of your consent up until the revocation.
Where applicable, you have the right to object to the processing of your data, in particular for direct marketing purposes, profiling for direct marketing purposes and other legitimate interests in processing.
You have the right to express your point of view in the case of automated individual decisions (see clause 7) and to request that the decision be reviewed by a natural person.
You also have the right to lodge a complaint with our data protection unit or the competent data protection supervisory authority if you do not agree with our handling of your rights. You can contact the Swiss supervisory authority at edoeb.admin.ch.

Please note that these rights are subject to statutory requirements and that exceptions and limitations apply. In particular, we may need to process and store your personal details in order to fulfil a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defence of legal claims, or to comply with statutory obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard interests worthy of protection, we must therefore also reject a data subject request in whole or in part (e.g. by blacking out certain content that concerns third parties or our trade secrets). In order for us to be able to rule out fraudulent use, we must verify your identity (e.g. with a copy of your identity card, if identification is not possible in any other way). We generally retain information in connection with the processing of data subject requests for three years.

If you wish to exercise your rights, you can contact us in writing or by email at the address below.

Baloise Insurance Ltd
Data protection unit
Aeschengraben 21, P.O. Box
4002 Basel, Switzerland
Email: datenschutz@baloise.ch

Baloise Bank Ltd
Data protection unit
Amtshausplatz 4
4502 Solothurn, Switzerland
Email: datenschutz-bank@baloise.ch

10. Storage period

Your data will only be stored by us for as long as is required for reaching the aforementioned purposes and for as long as we are legally or contractually obligated to store it.

In individual cases, it is possible to retain personal details for longer, for example if claims are asserted against us (during the statutory limitation period) or if we are otherwise contractually, legally or officially obliged to do so, if you consent to this or if legitimate business interests (e.g. documentation and evidence purposes) require this. As soon as your data is no longer required for the above purposes, it will be deleted or anonymised as part of our standard deletion processes.

11. Data security

11.1 Confidentiality

We treat your data as confidential and comply with the applicable privacy policy. We also follow recognised security standards, for example ISO 27001, and continuously adapt our security measures to maintain the confidentiality, integrity and availability of your personal details.

11.2 Internet risks

In transferring data via the Internet, you are acting at your own risk. We protect the data you transmit via our web pages during transit by means of appropriate encryption mechanisms.

In addition, we take appropriate technical and organisational security measures to reduce the risks on our websites. Your device, however, is outside the security area that we are able to control. You are therefore required to inform yourself about the necessary security precautions and to take suitable measures in this regard.

11.3 Email encryption

We will send you requested information by email if you have provided us with your email address. Confidential information is transmitted in encrypted form. If information cannot be shared in encrypted form via email, we will use other channels for this purpose (e.g. the customer portal or Baloise Secure Transfer). If you use our customer contact form, your data will be sent to us in encrypted form.

11.4 Blocking of access

In the event of security risks being identified, we explicitly reserve the right to temporarily suspend or, in severe cases, to block access to our websites and customer portals. We do not accept any liability for any loss or consequential damage arising from the suspension or blocking of access.

12. Amendments to this privacy policy

This privacy policy is not part of the contract and can be amended by us at any time. In each case, the version published here applies.

Last updated in June 2023.