Data protection declaration Pension Fund of Karl Bubenhofer AG

1. General Notice
2. Who is the Data Controller?
3. What Data Do We Collect?
4. For What Purposes Do We Process Data?
5. Disclosure and Transfer of Data to Third Parties
6. Duration of Data Storagen
7. Protection, Processing, and Use of Personal Data
8. What Rights Do You Have?
9. Competent Data Protection Authority
10. Changes

In the course of its business activities, the Pension Fund of Karl Bubenhofer AG (hereinafter referred to as the "Foundation") collects and processes information about natural and legal persons (referred to as "personal data"), including information about our current, former, and future customers (referred to as "you"). The Foundation takes data protection seriously and processes personal data in accordance with the principles of the Swiss Data Protection Act (DSG).

This privacy statement describes how the Foundation collects and uses the personal data you provide to us. Additionally, it outlines the rights available to you regarding the use of your personal data.

If you have any questions or comments regarding the management of your personal data, please contact our data protection advisor.

For general inquiries regarding data protection and the processing of your data, please contact:

Thomas Thym
c/o Karl Bubenhofer AG
Hirschenstrasse 26
9200 Gossau

The data protection advisor for the Foundation is:

Thomas Thym
c/o Karl Bubenhofer AG
Hirschenstrasse 26
9200 Gossau
privacy@kabe-farben.ch

We process personal data that we receive in the course of our business relationship with our customers.

Relevant personal data include, but are not limited to:

• Identification data (e.g., name, date of birth, title, social security number)
• Contact details (e.g., home address, email, telephone number)
• Financial information (e.g., payment details, tax information)
• Data related to the pension relationship (e.g., salary, employment status, information about balances, contributions, benefits)
• Performance information from other social insurances (e.g., disability, accident, and sickness daily allowance insurance)
• Particularly sensitive personal data (e.g., health data according to Art. 5 of the Swiss Data Protection Act)
• Privacy information (e.g., marital status)

The personal data processed by the Foundation come from the following sources:

• From the insured person or pension recipient themselves (e.g., reporting of a pension event)
• From the employer (e.g., employee identification and contact information)
• From the Foundation itself (e.g., information generated in the context of the pension relationship)
• From third parties (e.g., brokers, communications from courts, social insurance or other pension institutions)

When you contact us (e.g., via a contact form, email, or telephone calls), we store your information for the purpose of processing the request in case follow-up questions arise, for quality assurance purposes, or for other purposes described in this policy.

We only store and use this personal data if it is legally permissible. For special cases, we request a separate consent from you. Unless specifically stated otherwise, we only retain personal data for as long as necessary and permissible to fulfill the purposes pursued.

The Foundation processes the personal data listed above for the following purposes:

• For the initiation of insurance and pension transactions
• For the execution and administration of insurance and pension transactions, especially for the assessment of benefit claims, calculation, and payment of old-age, disability, and survivor pensions
• For the settlement of benefits with third parties, particularly social insurances (e.g., benefit coordination).
• To comply with regulatory requirements regarding the insurance relationship (e.g., calculation and certification of retirement assets)
• For statistical purposes (e.g., actuarial assessments, obligation evaluations, tendering)
• To ensure compliance with legal obligations

The personal data may be disclosed to the following recipients:

• The insured's employer
• Authorized representatives (e.g., treating physicians, lawyers, beneficiaries)
• Health insurance and accident insurance companies
• Reinsurers
• Pension institutions

DFurthermore, the Foundation may disclose your data to authorities or public bodies (e.g., social insurance, tax authorities, debt enforcement offices, courts, etc.) to the extent that:

• it complies with applicable laws, regulations, court orders, or official requirements;
• it meets any requirements of supervisory or other authorities, or guidelines issued by them.

The data disclosure is carried out only in accordance with the Foundation's guidelines or upon a request for disclosure in accordance with these guidelines.

The Foundation processes and retains personal data for as long as necessary to fulfill contractual and legal obligations. The legal retention period is typically ten years after the termination of the obligation to provide benefits or the payment of the exit benefit, with longer periods possible in individual cases.

If personal data is no longer needed to fulfill contractual or legal obligations, it will be regularly deleted, to the extent that this is technically possible unless further processing of the data is necessary for the overriding interests of the Foundation. For more detailed information about retention periods, we invite you to contact our data protection advisor.

The obligation to delete data is waived if this data is required for the assertion/defense of the Foundation's own rights and claims; in this case, the Foundation is authorized, while maintaining all required security measures and respecting the principles of lawful data processing, to retain copies of this data to the extent and for the duration necessary for the assertion/defense of its rights and claims.

We restrict access to your personal data to employees, agents, and other parties who need to know this data in order to provide you with services. When it comes to protecting your personal data, we implement appropriate technical and organizational security measures. This includes the use of firewalls, personal passwords, as well as encryption and authentication technologies. The use and disclosure of your data are done exclusively in accordance with this privacy policy, except in cases where we have your consent or when disclosure is legally permissible.

You have the right to:

• Information
• Correction
• Deletion
• Limitation of processing
• Objection to processing
• Data portability

of the data collected about you by us. In these cases, please contact our data protection advisor.

You can file a complaint with a supervisory authority at any time. The Federal Data Protection and Transparency Officer (FDP&T Officer) is the data protection and freedom of information authority for Switzerland, headquartered in Bern.

We may amend this privacy statement at any time without prior notice. The current version published on our website will prevail.

Date: 01.09.2023