Version dated May 1, 2023
As a company active in Switzerland, Kessler is generally subject to Swiss data protection provisions.
The specific Kessler affiliate (a “group affiliate”) that initiates the relevant data processing is responsible for the data processing, i.e., for example, the group affiliate that performs the service, or the one with which you have concluded a contract or maintain a business relationship, or the group affiliate whose contractual or business partner you are, or whose website you visit, etc. If you are unsure who the data controller is, you are welcome to use the following contact details to contact us at any time.
The contact for all data processing is Kessler & Co Inc., Forchstrasse 95, 8032 Zurich, registered office: Zurich. Should you have data privacy concerns, please contact us at the following address: Kessler & Co Inc., Forchstrasse 95, 8032 Zurich; email: firstname.lastname@example.org.
2. Duty to provide personal data
Within the scope of our business relationship, you must provide the personal data necessary to initiate and execute a business relationship and to fulfill the corresponding contractual duties (in general, you are not subject to a statutory duty to provide us with data). Generally speaking, we will not be able to conclude or process a policy with you (or an office or individual who represents you) without this data.
3. Collection and processing of personal data
We primarily process personal data that we receive within the scope of our business relationships with our customers and other business partners, either directly from these parties or from other involved individuals, or which we collect by operating our website, our online customer portal KesslerOnline and/or the corresponding app (see separate factsheet and GTC), our online business partner portal “Network Partner Interface” and further applications of their users. If permitted, we also obtain certain data from publicly accessible sources (such as debt collection registers, land registers, commercial registers, the press, the Internet) or from other companies within Kessler, from public authorities and from other third parties.
We gather the following categories of personal data:
- Contact details: e.g. address, email address, telephone/cell phone number, digital location data, IP addresses
- Bank details: e.g. account number, payment method, credit cards, credit rating, account balance
- Personal characteristics: e.g. name, date of birth, gender, language, nationality, vehicle license plate number, marital status, photos, hobbies/personal interests
- Health data: e.g. allergies/dietary restrictions
- Value judgments: e.g. training, qualifications
- Activity data: e.g. holding meetings, in-person meetings, participation in events
- Correspondence: e.g. emails, letters
- Project data: e.g. analyses, service offers, Kessler brochures
- Contract data: broker mandates with private customers including addenda, private customer policies including addenda
- Other data: In addition to the data you provide to us directly, the categories of personal data that we obtain about you from third parties in particular comprise data from public registers, information that we obtain in connection with official and legal proceedings, information in connection with your professional functions and activities, information about you in correspondence and meetings with third parties, credit reports, information about you which is provided to us by persons associated with you (family, advisors, legal representatives, suppliers, etc.) so that we may conclude or process contracts with your involvement or with you (such as references, your mailing address for correspondence, powers of attorney), information about compliance with legal requirements, information from banks, insurance companies or other contractual partners of ours for the utilization or provision of services by you (such as completed payments, information about you from the media and Internet, as far as this is indicated in the specific case, such as within the context of a job application, marketing, etc.), your residential or business addresses and, if applicable, interests and other sociodemographic data for the purpose of building new business relationships.
4. Purposes of data processing and legal bases
We mainly use the personal data we collect in order to execute contracts with our customers and business partners, for example, within the scope of risk, insurance and occupational pension advice and related activities with current or future business partners and in order to fulfill our statutory duties in Switzerland. If you work for one of these customers or business partners, your personal data may, of course, also be affected as a result of your function.
Moreover, we process personal data belonging to you and other individuals to the extent that this is permitted and appears appropriate to us, including for the following purposes in which we (and sometimes third parties) have a legitimate interest that corresponds with the purpose of data collection:
- The provision and further development of our risk, insurance and occupational pension advice and related activities;
- communication with third parties and the processing of their inquiries (such as applications, media inquiries);
- the review and optimization of requirements analysis processes for the purpose of contacting customers directly and the collection of personal data from publicly accessible sources for the purpose of acquiring customers;
- advertising and marketing (including the administration and the staging of events), provided you have not objected to the use of your data (if we send you advertising as an existing customer, you may object to this at any time and we shall place you on a blocked list to prevent further advertising mailings by regular mail and/or email);
- market and opinion research, media monitoring;
- asserting legal claims and defense in connection with legal disputes and regulatory proceedings;
- the prevention and resolution of criminal acts and other misconduct (such as the conducting of internal investigations, data analyses to fight fraud);
- warranties by our company, in particular by IT, our website and the online services offered through it and by other platforms;
- video monitoring to protect property rights and other measures for IT, building and equipment security and the protection of our employees and other individuals and the assets belonging or entrusted to us (such as access controls, visitor lists, network and e-mail scanners, telephone recordings);
- the purchase and sale of business divisions, companies or parts of companies and other transactions under company law and the related transfer of personal data as well as measures for business management and compliance with legal and regulatory obligations and the internal requirements of Kessler.
If you have given us permission to process your personal data for specific reasons, we shall process your personal data within the scope of and based on this consent. Once issued, consent may be withdrawn at any time, which, however, has no impact on data that has already been processed, but will apply exclusively to future data processing.
5. Cookies/tracking and social plug-ins in connection with the use of our website, KesslerOnline or the Network Partner Interface online platform: no personal data is transmitted.
We use the services of Google Analytics on our website, with Google Ireland acting as our data processor and Google LLC in the USA acting as its subprocessor. We use Google Analytics to measure and analyze the usage of the website. Google uses performance cookies for this purpose to track the use of our website and visitors’ actions on our website, for example, the period spent on a certain page, the number of page retrievals, geographic origin of the access, etc. and creates reports on this basis regarding the usage of our website. We ask for your consent before we use such cookies. Performance cookies that we use in this context have an expiration period of up to 24 months.
We have configured Google Analytics in such a way that the IP addresses of visitors from Google in Europe are truncated before transmission to the USA, so they cannot be traced back. We have disabled the “data transmission” and “signals” settings. Even though we can assume that the information we share with Google is not personal data to Google, it is possible that Google can use this data to identity the visitors for its own purpose, create personalized profiles and attribute this data to the Google accounts of these persons. If you agree with the use of Google Analytics, you explicitly consent to such processing, which also includes the transmission of personal data (in particular, usage data relating to the website and the app, device information and personal IDs) to the USA and other countries. You can find information from Google Analytics about data privacy here [https://support.google.com/analytics/answer/6004245].
6. Forwarding of data and data transfer abroad
Within the scope of our business activities and the purposes listed in section 4, provided it is permitted and we deem it to be appropriate, we also share personal data with third parties, either because they process this data for us or because they wish to use the data for their own purposes.
In particular, this includes the following entities:
- Our internal and external service providers (such as insurance companies, pension schemes, banks, consulting firms, law firms), including providers that process orders (such as IT providers);
- network partners such as Marsh and Mercer, suppliers, sub-contractors and other business partners in the course of the performance of our contractual duties toward you;
- customers and their legal representatives or contact persons;
- domestic and foreign authorities, agencies or courts;
- the public, including the visitors of websites and social media;
- competitors, in case of transfers of mandates, industry groups, associations, organizations and other bodies;
- buyers or potential buyers of business divisions, companies or other parts of Kessler;
- other parties in potential or actual legal proceedings;
(hereinafter referred to jointly as the Recipients).
These Recipients are in some cases domestic, but may also be located abroad. In particular, they must expect their personal data to be transferred to our subsidiary Kessler & Co Inc. in Liechtenstein and our network partner Marsh, Mercer or other brokers abroad. If we transfer data to a country without suitable statutory data protection, we shall, as provided for by the law, ensure an appropriate level of data security through the use of the corresponding contracts (in particular on the basis of the standard contractual clauses of the European Commission), or we shall rely on the statutory exceptions for consent, the processing of contracts, the identification, exercise or assertion of legal claims, overriding public interest and the disclosed personal data, because it is necessary to protect the integrity of the affected individuals or the affected individual has made the data generally accessible and has not expressly prohibited the data from being processed. You may obtain a copy of the aforementioned contractual guarantees at any time from the contact person stipulated in section 1. However, for reasons of data protection law or confidentiality, we reserve the right to redact or only provide excerpts of copies. For the purpose of completeness, we would like to note that as a broker licensed in Switzerland, we exclusively serve Swiss customers. In order to fulfill our contractual duties toward you, in exceptional cases the personal data of natural persons domiciled in Switzerland may be transmitted to the US in connection with the fostering of business relationships of our globally active customers (e.g. email addresses, email signatures). Moreover, please note that under US legislation, US authorities may undertake surveillance activities which allow for the general storage of all data transmitted from Switzerland to the US. This takes place without differentiation, restriction or exception on the basis of the stated aim and without objective criteria that would enable US authorities to limit access to personal data and their subsequent use to specific, strictly limited purposes which justify access to these data.
Furthermore, we would like to point out that there are no legal remedies in the US for affected individuals from Switzerland which would enable them to access, correct or delete the data related to them and that there is no effective legal protection against the general access rights of the US authorities. we are expressly notifying you of the law and facts in this situation so that you can make an informed decision about consenting to the use of your data if you grant consent to data processing involving the transmission of data to the USA whereupon we consequently transmit your data on this basis.
7. Retention period for personal data
We process and store your personal data as long as is required to meet our contractual and legal duties or the intended purposes of the data processing, which means for the duration of the business relationship (from the initiation, processing and through to the termination of a policy) and beyond in accordance with statutory retention and documentation duties. In the process, it is possible that personal data is stored for the period in which claims can be asserted against our company and in the event that we are otherwise legally obligated to do so or legitimate business interests require it (such as for evidence and documentation purposes).
8. Data security
We implement suitable technical and organizational security measures to protect your personal data from unauthorized access and misuse, for example, physical and digital access controls and restrictions, the encryption of data carriers and transfers, guidelines for handling personal and business data, guidelines for using mobile devices, data protection and compliance training and the ongoing monitoring of these measures.
Kessler does not conduct profiling.
10. Rights of the affected individual
You have the right within the scope of the data protection law applicable to you – and where provided for thereunder – to receive information as to which data about you is processed by us and for what purpose, the right to rectification and erasure of your personal data, and the right to the restriction of the data processing, as well as the right of data portability regarding certain personal data. You can furthermore object to data processing at any time, in particular as regards direct marketing measures. Please note that the exercise of these rights may conflict with contractual agreements and this may result in early termination of the policy or costs. We shall notify you in advance whenever this has not been regulated in a contract.
The exercise of such rights usually requires that you provide clear proof of your identity (such as a copy of your ID, if your identity is otherwise not clear or cannot be verified) when it is still unknown to us. You may contact us at the address stated under section 1 in order to assert your rights.