Privacy Policy for employees and job applicants

Version dated July 2023

Kessler & Co Inc. (hereinafter referred to as “Kessler” or “we” or “us”) processes personal data concerning its employees and job applicants as part of its employment relationships.

This privacy policy outlines how we process personal data concerning our employees and applicants. If you send or disclose to us data about others, e.g. family members, work colleagues, etc., we will assume that you are authorized to do so and that this data is accurate. By sending data about third parties, you confirm this. Please inform the third parties in question that you are sending their personal data to us.

Responsibility for the data processing described in this privacy policy lies with Kessler, with which you have concluded an employment contract as an employee or are applying for an employment contract as an applicant.

The following individuals are on hand as a point of contact you can use for any questions relating to this privacy policy or general privacy law concerns: Kessler & Co Inc., Forchstrasse 95, 8032 Zurich, headquarters: Zurich.

If you have any concerns concerning data protection law, you can share these with us using the following contact address: Kessler & Co Inc., Forchstrasse 95, 8032 Zurich; email: empfang@kessler.ch.

We process different categories of data about you in your role as our employee or a job applicant, specifically the following data categories:

• Personal details (e.g. name, address, city/country, date of birth, marital status, children, names and details of family members, emergency contacts, private email, cellphone number, photo, etc.)
• Details of employment relationship (e.g. employment contract, name of role, job profile, hierarchal and position level, organizational chart details)
• Details relating to logged working hours and absences (e.g. details of working hours and corresponding work days, absences, vacation and sick leave, training and development days, etc.)
• Financial data (e.g. account details, payroll accounting data incl. social insurance contributions as well as bonuses, expenses, travel receipts, training agreements, other costs, etc.)
• Data in connection with the administration of social insurance schemes (OASI numbers, Occupational Old-age, Survivor's and Disability Insurance benefits, information on investment and pension plans, severance schemes, etc.)
• Information and data we collect from you to evaluate your performance (e.g. performance appraisals, qualifications, minutes from performance reviews, target agreements, reports from external analyses like assessments)
• Other documents and data from a personnel file (e.g. information in connection with employment law disciplinary measures and proceedings, criminal records, extracts from enforced payment register, social insurance information, tickets, your application documents, details of former employers and references); withholding tax-related data/data in connection with requests for child and educational allowances

We process your personal data for the purpose of executing our employment contract with you. That also includes internal management and administrative purposes (running the IT infrastructure, payroll accounting, email systems, etc.), carrying out personality analyses, monitoring measures where this is necessary or deemed necessary for assessing security, quality or performance, and other measures in our interests, e.g. compliance with statutory requirements, fulfillment of legal obligations, observance of official or court orders and judgments, conducting adequate risk management, corporate governance and corporate development, and furnishing evidence of good corporate governance and compliance. In this sense, our processing for this purpose is justified by our legitimate interest.

We may also process your personal data for Kessler’s marketing purposes (e.g. website, other web pages, brochures, social media pages, publications in trade journals and newspapers, talks as part of internal or external (professional) events.

We do not use profiling and do not make any automated individual decisions within HR.

As part of the administration of your employment contract, we may also transmit your personal data to third parties, specifically the following categories of recipients:

• Other group companies as defined in Section 1 for internal administrative purposes, organizing employee events, providing the IT infrastructure, internal communication (e.g. sending employee newspapers, newsletters, etc.)
• Authorities and other public bodies which perform a duty relevant to the administration of our employment relationship with you, e.g. social insurance organizations, social security funds and pension funds, health insurance companies, criminal records authorities, debt enforcement offices, FINMA; tax office
• Contractual partners that assist us with recruitment and HR consultancy, e.g. employment agencies, HR consultancy firms, IT service providers for application tool
• Our service providers at home and overseas that process personal data on our behalf as an independent or joint data controller or our contract data processor, e.g. IT service providers, advertising service providers (e.g. sending Christmas, birthday, anniversary cards), banks, security companies, telecommunications providers (e.g. Swisscom for company cellphones), transport companies (e.g. car dealers for fleet discounts, etc.), medical practices (e.g. in-office flu vaccination offer)

As explained in Section 5, we share your data with other entities too. Some of these are located outside of Switzerland. Your data may therefore be processed in Europe and, in exceptional cases, in any other country worldwide.

If a recipient is located in a country without adequate statutory data protection regulations, we will contractually oblige the recipient to comply with the applicable level of data protection (for this we use the revised standard contractual clauses of the European Commission available here: eur-lex.europa.eu/eli/dec_impl/2021/914/oj, where it is not already subject to a legally recognized regulatory framework to ensure data protection and we cannot use an exemption clause. Exceptions may namely apply in the case of legal proceedings overseas, but also in cases of overwhelming public interest or if contract execution requires such disclosure where you have given your consent to this.

Many countries outside of Switzerland or the EU and the EEA do not currently have legislation in place that grants an adequate level of data protection in the view of the Swiss Data Protection Act or the GDPR. This weaker or lacking statutory protection may be partially offset by the contractual precautions mentioned. However, contractual precautions cannot eliminate all risks (namely that of state access overseas). You should be aware of these residual risks, even if the risk in individual cases is low and we are taking additional measures (e.g. pseudonymization or anonymization) to minimize these.

Please note that data shared online is often routed via third countries. Your data could therefore end up overseas even if the sender and recipient are based in the same country.

We will process your data for as long as our processing purposes, statutory retention periods and our justified interests require it, or storage takes place for technical reasons. Provided no legal or contractual obligations state the contrary, we will erase or anonymize your data following the expiry of the storage or processing duration in our standard processes.

Specifically, we reserve the right to retain personal data for documentation and evidentiary purposes, which includes our interest in documenting processes, interactions and other facts in the event of any legal claims, discrepancies, for the purposes of IT and infrastructure security and for demonstrating good corporate governance and compliance. Storage may also be warranted for technical reasons if certain data cannot be separated from other data, and we have to keep this data together (e.g. in the case of backups or document management systems).

We take appropriate security measures to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to counteract the risks of loss, accidental alteration, unwanted disclosure or unauthorized access.

In addition to the security measures of a technical and organizational nature, we may also use measures such as email encryption, VPN, access and physical entry restrictions, storage of backup copies, employee briefings and confidentiality agreements. However, we can only secure areas that we control. We also oblige our processors to take appropriate security measures. However, security risks cannot generally be completely ruled out; residual risks are unavoidable.

In order to make it easier for you to control the processing of your personal data, you also have the following rights in connection with our data processing, depending on the applicable data protection law:

• The right to obtain information as to whether and which data of yours we process
• The right to have us correct incorrect data
• The right to request the erasure of data
• The right to request that we issue certain personal data in a standard electronic format or transmit this to another controller
• The right to revoke consent insofar as our processing is based on your consent
• The right to demand receipt of further information necessary for the exercise of these rights
• The right to express your opinion where individual decisions have been made on an automated basis and request that the decision be reviewed by a physical person

If you would like to exercise one of the above-mentioned rights against us (or one of our Group companies), please refer in writing to the contact details provided in Section 1.

Please note that these rights are subject to prerequisites, exceptions or limitations under applicable data protection law (e.g. for the protection of third parties or trade secrets). We will inform you accordingly if necessary.

If you do not agree with our handling of your rights or data protection, you can contact us at the address provided in section 1.

This privacy policy is part of our HR policy. However, we may change this privacy policy at any time. You can access the latest version on our website under Job vacancies or on the Kessler intranet.