In this data protection declaration, Bayer Pension Fund Switzerland (hereinafter referred to as "the Fund"), as a registered occupational pension scheme, informs you how and for what purposes it collects, processes and uses personal data.

The Fund provides compulsory and supplementary occupational pension cover for employees of the companies Bayer (Schweiz) AG, Bayer Consumer Care AG and Bayer CropScience Schweiz AG.

The following definitions apply

• "personal data" means any data relating to an identified or identifiable natural person;

• "sensitive personal data (sensitive data)":

  1. data on religious, philosophical, political or trade union opinions or activities;

  2. data on health, intimacy or racial or ethnic origin;

  3. genetic data;

  4. biometric data uniquely identifying a natural person;

  5. data on criminal and administrative proceedings or sanctions;

  6. data on social assistance measures.

• "data subject" means the natural person whose personal data is processed;

• "processing" means any use of personal data, regardless of the means and procedures used, in particular the collection, recording, storage, use, modification, communication, archiving, erasure or destruction of data;

• "controller" means the private individual or federal body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

• "processor" means the private individual or federal body that processes personal data on behalf of the controller.

• "federal body" means the federal authority, federal service or person entrusted with a public task of the Confederation.

The processing of personal data in accordance with data protection legislation is the responsibility of the following two controllers (status of common controllers):

Bayer Pension Fund Switzerland

Uetlibergstrasse 132

8032 Zürich

Kessler Vorsorge AG
Avenue de la Gare 44
Postfach 950

1001 Lausanne

If you have any questions about how data is processed or about this data protection declaration, please contact Thomas Martin who is our Fund's internal data protection officer:

• By e-mail, to the following address: privacy_ch@bayer.com

  or

• By post, to the following address

  Thomas Martin
  Data protection officer

  Bayer Consumer Care AG

  Peter Merian-Strasse 84

  4052 Basel

Please indicate "Bayer Pension Fund Switzerland - Data protection" in the header of the e-mail or letter.

This data protection declaration applies to all persons whose data is processed by the Pension Fund ("data subjects"), regardless of the way in which they come into contact with the Pension Fund: for example, by telephone, post, e-mail, on a website, via an application or social network, at an event, etc.

It applies both to the processing of personal data that has already been collected and to data that will be collected in the future. It also applies to the processing of all personal data that the Fund handles in the context of occupational pension provision and related activities, as well as other activities such as residential and commercial property rental relationships.

The Fund's processing of personal data may concern the following categories of persons in particular:

• persons insured under compulsory, supplementary and optional occupational pension schemes;

• previous, current and future employers and their contacts; members of the employer's family and employees;

• relatives of insured persons (e.g. current and former spouses or partners, parents and children) and other beneficiaries;

• duly authorised persons (e.g. the legal representative);

• persons entitled to make claims, persons liable and other persons involved;

• members of the Fund's governing bodies;

• contacts with social and private insurers, other pensions, vested benefits and 3a pillar institutions, suppliers and partners, and the authorities;

• tenants and business contacts in connection with the letting of residential and commercial property;

• people who receive other services from the Fund;

• the people who visit its website;

• people who visit its premises;

• people who contact the Fund by other means.

The personal data processed by the Fund in accordance with this data protection declaration concerns insured persons, pensioners and other beneficiaries of benefits, as well as third parties. The Fund only processes sensitive personal data in connection with the provision of occupational benefits, in particular when dealing with cases of disability, and with the separate consent of the recipients concerned.

Basic data are the fundamental data relating to the persons concerned which the Fund needs to process its contractual and other commercial relations.

The basic data includes, for example:

For insured persons:

• title, forename, surname, gender, date of birth;

• address, e-mail address, telephone number and other contact details;

• marital status and, if applicable, the date of marriage or divorce or the date of registration or dissolution of the partnership;

• data from identification documents such as passports or identity cards;

• within the framework of the legal provisions, the AVS/AHV number, the contract, policy and insured numbers, as well as, if applicable, information concerning a previous pension or vested benefits institution, the date of joining and leaving the employer, the category of personnel, the degree of capacity for work, the rate of employment, the term of the employment relationship as well as the declared and insured annual salary and the BVG annual salary.

For potential tenants:

• data relating to the conclusion of the lease.

For employers and other co-contractors who are companies,

• data on the Fund's contact persons, e.g. names and addresses, titles, position in the company, qualifications and, where applicable, data on line managers and employees.

These are:

• information relating to the affiliation contract with the employer (e.g. the type and date of conclusion of the contract, as well as its execution and management, including data relating to complaints and contract adjustments);

• data relating to the processing of pension cases (e.g. the declaration of the occurrence of the pension case, the claim number, data on the reason for the pension case such as the cause, accident or illness, and the date of the event, information relating to the examination of the pension case, information on other insurance companies and insurers and information on third parties such as persons involved, as well as sensitive personal data (e.g. health data) and data on third parties (e.g. on persons involved at the time of the incapacity for work or death);

• details of the termination benefit, e.g. its amount and possible and completed purchases;

• in the case of other benefits, e.g. data relating to the payment of the termination benefit (e.g. the reason for the payment, but also data on accounts and vested benefits institutions and, where applicable, the spouse's consent) or data relating to a change in marital status (date of divorce or dissolution of a registered partnership, vested termination benefits, advance payments or disability pensions received and related court rulings);

• data relating to the conclusion and performance of residential or commercial lease contracts (mainly personal data and information on financial situation).

This is personal data relating to the financial situation, payments and debt collection. This includes data relating to payments and bank details, e.g. employer contribution payments and debt collection, for insured persons, salary data, occupational pension scheme purchases and payments of termination benefits and pensions. The Fund also processes financial data relating to beneficiaries, e.g. concerning pensions paid to surviving spouses and (registered) partners, children and other beneficiaries.

When a data subject contacts or is contacted by the Fund, the Fund processes the content of the communications exchanged and information on the type, time and place of the communication.

Communication data includes, for example, name and contact details such as postal address, e-mail address and telephone number; the content of e-mails, written correspondence, telephone conversations, video conferences, etc.; information relating to the type, time and, if applicable, location of the communication; and evidence requested by the Fund to identify the persons concerned.

When data subjects use the Fund's website, any of its applications, its Wi-Fi networks or other electronic services, the Fund collects certain technical data, such as the IP address or an identifier for the device used by the data subject. The technical data also includes the log files in which the cache register records the use of its systems (log data). The cache register may also assign a unique identifier (ID) to the device (tablet, PC, smartphone, etc.) of the data subject, e.g. through cookies or similar technologies, in order to be able to recognise the device.

The technical data collected includes, among other things:

• the IP address and other identifiers of the data subject's device;

• identifiers associated with the device via cookies and similar technologies;

• information relating to the data subject's device and its configuration, for example the operating system and language settings;

• information about the browser used by the data subject to access the electronic service and its configuration;

• information relating to the data subject's movements and actions on the Fund's website and applications;

• information about the data subject's Internet service provider;

• the approximate location of the person concerned and the time of use of the electronic services;

• system records of accesses and other processes (log data).

This technical data, taken separately, does not usually allow the Fund to deduce the identity of the data subject. It may, however, be associated with other categories of data and, where appropriate, with the data subject, in the context of his or her user accounts or records.

Using the MyPension Cockpit online platform

When they use the online platform, the Fund collects the information they provide. This includes general personal data such as name and contact details, personal information that they or other users enter, download, generate, store and process, and technical data such as the IP address or an identifier for the device used by the person concerned.

Note on the use of cookies:

Cookies, beacons and similar technologies on the website are used to provide the best possible user experience. Cookies are text files that are downloaded to terminals (computers or mobile devices) when a website is visited or an application is used.

Some cookies used in the online platform are necessary to provide certain functions.

Further information on cookies and similar technologies can be found in the appendix to this declaration.

It is generally the data subject who provides the Fund with his or her personal data, for example when sending data to the Fund or communicating with it. This may be the case on a portal for insured persons or through other channels. When renting accommodation or commercial premises, it is also the person concerned who provides the data.

The Fund receives personal data in connection with the provision of occupational benefits, mainly from current or former employers. Employers are obliged by law to provide the Fund with all the data required for the provision of occupational benefits. The Fund may also receive information about the person concerned from third parties such as:

• people close to them (family members, legal representatives, etc.);

• Swiss Post and public services;

• credit institutions;

• banks and other financial service providers, private and social insurers, pension and vested benefits institutions and Pillar 3a schemes;

• experts, doctors and other service providers, from whom the Fund also receives health data for the purposes of granting benefits, possibly by concluding a separate declaration waiving professional secrecy;

• service providers;

• authorities and courts as well as parties and other third parties in connection with administrative and legal proceedings;

• public registers, such as the debt enforcement register or the commercial register, public bodies such as the Federal Statistical Office, the media or the Internet.

The primary purpose of processing personal data is to provide occupational benefits, for example:

• the conclusion and execution of affiliation contracts with the employer(s) affiliated to the Fund, the exercise of legal claims arising from the said contracts, accounting and the termination of contracts. To this end, the Fund processes in particular the personal data of insured persons, data relating to contracts, pension cases and benefits, as well as financial and communication data;

• admission of insured persons. To this end, the Fund processes basic data in particular. For each insured person, it keeps one or more retirement savings accounts, for which it processes data on amounts, purchases, retirement savings and payments;

• examining and processing pension cases, including coordination with other insurers such as disability insurance, and exercising recourse claims. In this context, the Fund processes in particular data relating to contracts, cases and benefits of insured persons and their family members and beneficiaries, as well as health data and data from third parties such as experts and external service providers;

• The conclusion and execution of tenancy agreements and of mortgage lending.

• Operation of the publicly accessible website and the insured person portal.

The legal basis for data processing is the legislation on occupational benefits, in particular the Federal Law on Occupational Retirement, Survivors' and Disability Pension Plans (BVG) and the Federal Law on Vesting in Occupational Pension Plans (FZG) and the related ordinances. As a federal body, the Fund processes the personal data of the recipients concerned in this area within the scope of its legal powers to do so (cf. art. 85a et seq. BVG). In the area of supplementary pension schemes, the Fund's data processing is subject exclusively to those of the Data Protection Act (DPA). The DPA also applies to the processing of personal data in connection with the letting of residential and commercial property.

The Fund collects and processes personal data only for the purposes described in this data protection declaration and only to the extent necessary for that purpose and within the framework of the applicable legal provisions.

Furthermore, personal data will not be passed on, sold or communicated in any way whatsoever to third parties, unless this is necessary for the fulfilment of legal or contractual obligations or unless the person concerned has expressly consented thereto. In addition, data may be passed on to third parties insofar as the Fund is legally obliged to do so by an enforceable administrative or judicial decision.

It is not only pension funds that are involved in organising occupational pension provision, but also other services: employers, vested benefits institutions, other insurance companies, healthcare providers, etc. As a result, personal data is not only processed by the Fund, but also by third parties, including:

• when a pension case arises : the Fund may exchange data as part of the notification and occurrence of a pension case and in connection with other services, such as a bank transfer or payment of termination benefits. This may be the case, for example, with vested benefits institutions, other pension schemes, public authorities and services (e.g. social insurances such as disability insurance or social services), other insurance companies, healthcare providers and medical experts, banks and lenders, courts and external lawyers. As part of the processing of pension cases and the corresponding clarifications, the Fund may collect data from third parties and pass it on to them, for example to doctors and other health care providers, experts, authorities, courts, information providers and lawyers. For example, the Fund informs other social and private insurers of certain pension cases in order to coordinate benefit obligations and to clarify and exercise rights of recourse. The Fund forwards personal data to the courts and other pension and vested benefits institutions, particularly in the event of divorce and disputes between heirs;

• authorities and public services : the Fund may transmit personal data to authorities, bodies, courts and other public services if it is required or authorised to do so by law or if this is necessary to safeguard its interests, for example in the context of administrative, judicial and extra-judicial proceedings and as part of the obligations to provide information and cooperate prescribed by law. Recipients include, for example, prosecution offices, criminal courts and criminal investigation authorities, tax authorities or social insurance authorities. Data is also communicated when the Fund obtains information from public services, for example in connection with the processing of pension cases;

• other persons : where the purposes of processing involve third parties, data may also be communicated to other recipients, for example to persons involved in legal proceedings or authorities (e.g. in the event of recourse to third parties liable under civil law or their civil liability insurers). Other recipients may include payment recipients, agents, correspondent banks, other financial institutions and other services involved in a legal transaction;

• sub-contractors: the Fund may transmit personal data to companies when it uses their services. These service providers process personal data on behalf of the Fund as " subcontractors ". The Fund's subcontractors are obliged to process personal data only in accordance with its instructions and to take appropriate data security measures. Some service providers are also responsible jointly with the Fund or independently (e.g. collection companies). Through the selection of service providers and appropriate contractual agreements, the Fund guarantees the protection of personal data throughout the data processing process. This includes, for example, IT services (such as services in the areas of policyholder management, property management and data recording), the sending of newsletters by e-mail, data analysis and evaluation, etc. or consultancy services (provided by occupational benefits experts, lawyers, consultants, medical advisors, etc.).

The above-mentioned data transfers are necessary for legal or operational reasons. Therefore, legal and contractual confidentiality obligations do not prevent these data transfers. The personal data of the persons concerned in connection with the mandatory occupational benefit scheme shall only be disclosed within the legal framework.

The Fund processes personal data exclusively in Switzerland.

The Fund shall process the personal data from the insured person administration for as long as it is necessary for the aforementioned processing purposes, there are legal retention periods, for as long as it has a justified interest in retaining the data for documentation or evidence purposes or the retention is of a technical nature (e.g. to ensure IT security).

The Fund takes appropriate technical and organisational security measures to ensure the security of personal data, to protect it against unjustified and unlawful processing and to combat the risk of loss, accidental alteration, unwanted disclosure or unauthorised access. However, the Fund cannot exclude with certainty any breach of data protection, as certain residual risks are unavoidable.

Technical security measures include data encryption and pseudonymisation, archiving, access restrictions and the recording of back-up copies. Organisational security measures include instructions to staff, confidentiality agreements and controls. The Fund also requires its subcontractors to take appropriate technical and organisational security measures.

No automated decisions are taken on personal data and no personality profiles are drawn up (no profiling).

Data subjects have the following rights with regard to their personal data:

• right to information whether personal data relating to them is being processed

• the right to have inaccurate or incomplete personal data corrected;

• the right to request the deletion or anonymisation of personal data if it is not (or is no longer) required for the purposes of occupational pension provision or the rental of residential or commercial property;

• the right to request the restriction of the processing of personal data insofar as the processing is not or is no longer necessary for the performance of the occupational pension scheme;

• the right to data portability, i.e. the right to receive personal data in a structured, commonly used and machine-readable format;

• the right to revoke consent with effect for the future, insofar as processing is based on separate express consent.

The above rights may be exercised by written request, accompanied by a perfectly legible copy of a valid official identity document (e.g. passport, identity card, driving licence).

If there is any doubt about identity or if it is necessary to protect other persons, safeguard legitimate interests or comply with legal obligations, the Fund may limit or exclude these rights.

Data subjects may also lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) if they are concerned that the processing of their personal data does not comply with the law, at the following address:

Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1

CH-3003 Bern

www.edoeb.admin.ch

Telephone: +41 58 462 43 95

The Fund reserves the right to amend this data protection declaration at any time without prior notice and without giving reasons. As a general rule, the data protection declaration applies to data processing operations in the current version published on its website at the start of the processing operation concerned.

This data protection declaration is dated 18.08.2023

Cookies are files that the browser automatically saves on the device of the person concerned when he/she visits the Fund's website. Cookies contain a unique identifier (ID) which enables the Fund to differentiate each visitor from the others, generally without identifying him or her. Depending on the purpose for which they are used, cookies contain other information which may relate in particular to the pages consulted and the time spent on the pages. The Fund uses both session cookies, which are deleted as soon as the browser is closed, and permanent cookies, which remain stored for a certain length of time after the browser is closed (generally between a few days and two years) and are used to recognise visitors on subsequent visits.

The Fund may also use similar technologies such as pixel tags, fingerprints and other technologies to record data in the browser. Pixel tags are small, generally invisible images or programme codes that are loaded from a server and transmit certain information to the server operator, for example if and when a website has been visited. Fingerprints are information about the configuration of the data subject's device or browser, collected when visiting the Fund's website and used to differentiate the data subject's device from other devices. Most browsers also use other data storage technologies in browsers, similar to cookies, which the Fund may also use (e.g. "Web Storage").

The Fund uses the following types of cookies and similar technologies:

• Necessary cookies: necessary cookies are essential for using the website and its functions. These cookies enable visitors, for example, to navigate from page to page without the information entered in a form disappearing.

• Functional cookies: functional cookies enable the Fund to offer advanced functions and display personalised content. These cookies enable the Fund, for example, to record information already provided (such as the choice of language).

This information on cookies may be adapted over time, in particular if the Fund modifies its data processing or if new legal provisions come into force. As a general rule, the version of the cookie information in force at the start of a data processing operation is the version that applies to that data processing operation.