Data Protection Policy for Websites
PULSE understands that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone who visits this website: www.pulse.ch or any other website operated by P (“Website”) and (subject to the limited exceptions in section 4, below) we do not collect personal data about you unless you contact us (see section 5, below). Any personal data we do collect will only be used as permitted by law.
Please read this Data Protection Policy for Websites (“Policy”) carefully and ensure that you understand it. Your acceptance of the Policy is deemed to occur upon your first use of the Website. If you do not accept and agree with this Policy, you must stop using the Website immediately.
1. Definitions and Interpretation
In this Policy, the following terms shall have the following meanings:
“PULSE” and “we/us/our”
Property Investment AG
2. What does this Policy cover?
This Policy applies only to your use of the Website. The Website may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.
3. Your Rights
- As a data subject, you have the following rights under the DPA and/or GDPR:
  - The right to be informed about our collection and use of personal data;
  - The right of access to the personal data we hold about you (see section 4);
  - The right to rectification if any personal data we hold about you is inaccurate or incomplete (please contact us using the details in section 8);
  - The right to be forgotten – i.e. the right to ask us to delete any personal data we hold about you;
  - The right to restrict (i.e. prevent) the processing of your personal data;
  - The right to data portability (obtaining a copy of your personal data to re-use with another service or organisation);
  - The right to object to us using your personal data for particular purposes; and
  - Rights with respect to automated decision making and profiling.
- If you have any cause for complaint about our use of your personal data, please contact us using the details provided in section 8 and we will do our best to solve the problem for you. If we are unable to help, you also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Officer (“FDPIC”) and/or any competent EU supervisory authority (as the case may be).
4. What data do we collect?
- If you send us an email or visit our Website, we may collect your name, your email address, IP address and any other information which you choose to give us.
5. How do we use your Personal Data?
- If we do collect any personal data, it will be processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the DPA and/or GDPR at all times. For more details on security see section 4, below.
- As noted above, we do not generally collect any personal data. If you contact us and we obtain your personal details from your email, we may use them to reply to your email and/or to comply with our data retention obligations.
- You have the right to withdraw your consent to us using your personal data at any time, and to request that we delete it.
- In certain instances we will share any of your data with third-party IT providers.
6. How and where do we store your Personal Data?
- We only keep your personal data for as long as we need to in order to use it as described above in section 5, for as long as we have your permission to keep it and/or to comply with our data retention obligations.
- Your data will generally be stored in Switzerland.
- In certain cases, however, some or all of your data may be stored outside of Switzerland. These are the following countries: Switzerland, EU, U.S., U.K., Israel. If we do store data outside of Switzerland, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within Switzerland and under the DPA and/or GDPR including Standard Contractual Clauses.
- Data security is very important to us, and to protect your data we have taken suitable measures to safeguard and secure any data we hold about you (even if it is only your email address).
7. How can you access your Personal Data?
You have the right to ask for a copy of any of your personal data held by us (where such data is held). Please contact us for more details at firstname.lastname@example.org.
8. Contacting us
If you have any questions about the Website or this Policy, please contact us by email at email@example.com. Please ensure that your query is clear, particularly if it is a request for information about the data we hold about you.
9. Changes to our Policy
We may change this Policy from time to time (for example, if the law changes). Any changes will be immediately posted on the Website and you will be deemed to have accepted the terms of the Policy on your first use of the Website following the alterations. We recommend that you check this page regularly to keep up-to-date.
10. Entry into Force
This Policy will enter into force on 1 September 2023.
Data Protection Policy for Business Partners
1. Scope and purpose
This Policy sets out the obligations of the Firm regarding data protection and the rights of the Partners in respect of their personal data under the Swiss Data Protection Act (“DPA”) and General Data Protection Regulation (“GDPR”), as amended from time to time (collectively “Regulation”).
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a Partner); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the procedures that are to be followed when dealing with personal data of Partners.
2. How to contact us?
Please contact us if you have any questions relating to this Policy or the personal data we hold about you. Either contact us by e-mail at firstname.lastname@example.org or write to the Portfolio Director, Philipp Küchler, at: Data Protection Officer, EPiC TWENTY-THREE Property Investment AG, Seefeldstrasse 5a, 8008 Zurich.
3. Why do we process your personal data and on what legal basis?
We process your personal data in order to perform our obligations under the respective contract concluded with you or to be concluded with you in the future, or for the purpose of other legitimate interests, or in order to comply with a legal duty imposed on the Firm in connection with the respective contract.
4. What information do we collect about you?
The following personal data may be collected, held, and processed by the Firm: your name, ID or passport, telephone number(s), mailing address, email address, social security number, bank details, tax declaration, salary information, debt register extract, marital status and any other information relating to you which you have provided us.
5. How do we collect personal data about you?
Generally, the Firm may collect your personal data in the following ways:
- when you submit forms, applications or contracts to us;
- when you submit requests to us;
- when you ask to be included in an email or other mailing list;
- when you respond to our initiatives; and
- when you submit your personal data to us for any other reason.
6. The Data Protection Principles
This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data must be:
- processed lawfully, fairly, and in a transparent manner in relation to the Partner;
- collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
- kept in a form which permits identification of the Partner for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the Partner;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
7. Privacy Impact Assessments
The Firm shall carry out Privacy Impact Assessments as defined in the Regulation when and as required under the Regulation. Privacy Impact Assessments shall be overseen by the Firm’s data protection officer and shall address the following areas of importance:
- the purpose(s) for which personal data is being processed and the processing operations to be carried out on that data;
- details of the legitimate interests being pursued by the Firm;
- an assessment of the necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
- an assessment of the risks posed to the individual Partner; and
- details of the measures in place to minimize and handle risks including safeguards, data security, and other measures and mechanisms to ensure the protection of personal data, sufficient to demonstrate compliance with the Regulation.
8. What are your Rights?
Under the Regulation you have the following rights:
8.1 Right to be Informed
The Firm generally provides the following information to Partners when personal data is collected (non-exhaustive list):
- details of the Firm;
- the purpose(s) for which the personal data is being collected and will be processed and the legal basis justifying that collection and processing;
- where applicable, the legitimate interests upon which the Firm is justifying its collection and processing of the personal data;
- where the personal data is not obtained directly from the Partner, the categories of personal data collected and processed;
- where the personal data is to be transferred to one or more third parties, details of those parties;
- where the personal data is to be transferred to a country that is located outside of Switzerland, the name of the country and the safeguards put into place;
- details of the length of time the personal data will be held by the Firm (or, where there is no predetermined period, details of how that length of time will be determined);
- details of the Partner’s rights under the Regulation;
- details of the Partner’s right to withdraw their consent to the Firm’s processing of their personal data at any time;
- details of the Partner’s right to complain to the Swiss Federal Data Protection and Information Officer (“FDPIC”) or “supervisory authority” under the GDPR;
- where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it;
- (where applicable) details of any automated decision-making that will take place using the personal data (including but not limited to profiling), including information on how decisions will be made, the significance of those decisions and any consequences.
As far as the Partner does not already have the information, the information set out above in section 8.1 shall be provided to the Partner at the following applicable time:
- where the personal data is obtained from the Partner directly, at the time of collection;
- where the personal data is not obtained from the Partner directly (i.e. from another party):
  - if the personal data is used to communicate with the Partner, at the time of the first communication; or
  - if the personal data is to be disclosed to another party, before the personal data is disclosed; or
  - in any event, not more than one month after the time at which the Firm obtains the personal data.
8.2 Data Subject Access
A Partner may make a subject access request (“SAR”) at any time to find out more about the personal data which the Firm holds about them. The Firm is normally required to respond to SARs within one month of receipt (this can be extended by up to two months in the case of complex and/or numerous requests, and in such cases the Partner shall be informed of the need for the extension).
All subject access requests received must be forwarded to email@example.com, the Firm’s data protection officer.
The Firm does not charge a fee for the handling of normal SARs. The Firm reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a Partner, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
8.3 Rectification of Personal Data
If a Partner informs the Firm that personal data held by the Firm is inaccurate or incomplete, requesting that it be rectified, the personal data in question shall be rectified, and the Partner informed of that rectification, within one month of receipt of the Partner’s notice (this can be extended by up to two months in the case of complex requests, and in such cases the Partner shall be informed of the need for the extension).
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification of that personal data (unless it is impossible or would require disproportionate effort to do so).
8.4 Erasure of Personal Data
Partners may request that the Firm erases the personal data it holds about them in the following circumstances:
- it is no longer necessary for the Firm to hold that personal data with respect to the purpose for which it was originally collected or processed;
- the Partner wishes to withdraw their consent to the Firm holding and processing their personal data;
- the Partner objects to the Firm holding and processing their personal data (and there is no overriding legitimate interest to allow the Firm to continue doing so);
- the personal data has been processed unlawfully;
- the personal data needs to be erased in order for the Firm to comply with a particular legal obligation.
Unless the Firm has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the Partner informed of the erasure, within one month of receipt of the Partner’s request (this can be extended by up to two months in the case of complex requests, and in such cases the Partner shall be informed of the need for the extension).
In the event that any personal data that is to be erased in response to a Partner request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
8.5 Restriction of Personal Data Processing
Partners may request that the Firm ceases processing the personal data it holds about them. If a Partner makes such a request, the Firm shall retain only the amount of personal data pertaining to that Partner that is necessary to ensure that no further processing of their personal data takes place.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
8.6 Data Portability
The Partner has the legal right under the Regulation to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers, e.g. other organizations).
To facilitate the right of data portability, the Firm shall make available all applicable personal data to the Partner in the appropriate format.
Where technically feasible, if requested by a Partner, personal data shall be sent directly to another data controller.
All requests for copies of personal data shall be complied with within one month of the Partner’s request (this can be extended by up to two months in the case of complex requests or numerous requests, and in such cases the Partner shall be informed of the need for the extension).
8.7 Objections to Personal Data Processing
Partners have the right to object to the Firm processing their personal data based on legitimate interests (including profiling) and direct marketing (including profiling).
Where a Partner objects to the Firm processing their personal data based on its legitimate interests, the Firm shall cease such processing forthwith, unless it can be demonstrated that the Firm’s legitimate grounds for such processing override the Partner’s interests, rights and freedoms; or the processing is necessary for the conduct of legal claims.
8.8 Automated Decision-Making
In the event that the Firm uses personal data for the purposes of automated decision-making and those decisions have a legal (or similarly significant) effect on the Partner, the Partner has the right to challenge such decisions under the Regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Firm.
Where the Firm uses personal data for profiling purposes, the following shall apply:
- clear information explaining the profiling will be provided, including its significance and the likely consequences;
- appropriate mathematical or statistical procedures will be used;
- technical and organizational measures necessary to minimize the risk of errors and to enable such errors to be easily corrected shall be implemented; and
- all personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling.
10. Data Protection Measures
The Firm shall ensure that all its employees working on its behalf comply with the appropriate and necessary technical and organizational data protection measures when working with personal data.
11. Transferring personal data to a country outside of Switzerland
- The Firm may from time to time transfer (“transfer” includes making available remotely) personal data to countries outside of Switzerland. These countries are the following ones: the USA when using US providers (e.g. Dropbox, Microsoft etc.), Israel and to all countries in which the Firm has subsidiaries or affiliated companies.
- The transfer of personal data to a country outside of Switzerland shall take place only if one or more of the following applies:
  - the transfer is to a country, territory, or one or more specific sectors in that country (or an international organization), that the Swiss Federal Council or the European Commission has determined ensures an adequate level of protection for personal data;
  - the transfer is to a country (or international organization) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the Regulation); contractual clauses agreed and authorized by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorized by the competent supervisory authority;
  - the transfer is made with the informed consent of the relevant Partner(s);
12. Data Breach Notification
- All personal data breaches must be reported immediately to the Firm’s data protection officer.
- If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of the Partner (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the data protection officer must ensure that the FDPIC and where applicable the Information Commissioner’s Office is informed of the breach as soon as possible, and in any event, within 72 hours after having become aware of it.
- In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of the Partner, the data protection officer must ensure that all affected Partners are informed of the breach directly and without undue delay.
13. Withdrawal of Consent
In the event a consent was given, Partners have the right to withdraw such consent given at any time by sending a written notice or e-mail to the Firm’s data protection officer.
14. Entry into Force
This Policy shall enter into force on 1 September 2023.
Video Monitoring Policy
1. Purpose and Scope of Application
This policy governs the video monitoring by EPiC TWENTY-THREE Property Investment AG (“PULSE”) in PULSE real estate premises (“Premises”) with the purpose of preventing material damage, theft and facilitating the prosecution thereof. Video monitoring also serves to protect the employees of the customer, its own customers and visitors as well as any other users of the Premises from criminal acts in the monitored areas. If PULSE’s tenants themselves conduct video monitoring, it is their responsibility to comply with the applicable laws.
2. Monitored Areas and Periods
Video monitoring can be installed in public areas of the Premises and shall, as far as possible, not cover other parts of the Premises, in particular no workplaces and sanitary facilities.
3. Video Monitoring Systems and Collected Data
When selecting and setting up the video monitoring system PULSE must comply with all applicable laws.
4. Information Board
The users of the Premises must be made aware of the video monitoring system by means of the information board provided (e.g. a pictogram with a camera on it). The information board or, if necessary, several information boards must be placed clearly visible in the entry areas of the Premises.
5. Evaluation of and Processing of Recordings
The monitoring can be carried out in real time or delayed by the employees or persons designated by PULSE (“PULSE Staff”). Monitoring shall be carried out on a random basis and is not directed towards specific individuals.
In case of suspicion of actions which violate Clause 1 of this Policy, the relevant recordings must be evaluated on an individual basis within seven days. If the suspicion is not confirmed, the relevant recordings must be deleted immediately. All recordings that are not evaluated on the basis of a suspicion shall be irrevocably deleted after two months.
In the event that an infringement of Clause 1 of this Policy is found, the recordings evaluated by the PULSE Staff will be stored securely for evidence purposes until the specific case has been clarified/prosecuted.
The access to any recordings and/or to the technical monitoring system should be limited to a few authorized PULSE Staff members who are entitled to: (i) view and evaluate recordings retrospectively; (ii) view and evaluate recordings in real time; (iii) delete recordings; and (iv) access the technical surveillance system.
If external bodies (agents/appointees) are assigned with the technical maintenance, a data protection agreement (including, if applicable, a data processing agreement) must be concluded.
6. Concealed Monitoring
Video monitoring, as a rule, does not involve concealed monitoring. In exceptional cases, PULSE may use concealed monitoring in which video cameras are used independently of the video monitoring system, subject to the following conditions.
- Concealed monitoring may only be used to locate persons who repeatedly gain unauthorised access to the Premises, commit thefts or other serious breaches of security regulations.
- Concealed monitoring must be strictly limited in time.
- The locations of concealed monitoring must be precisely determined.
- Before starting with concealed monitoring, the privacy officer of PULSE must be consulted. The privacy officer undertakes a data protection impact assessment with regards to the rights and freedoms of the person concerned.
- The video cameras used for the concealed monitoring may be used only for the duration of the repeated offences and/or until the purpose of the concealed monitoring is reached. The video cameras are to be removed immediately afterwards.
- The location of the video equipment shall be chosen so that the expected repeated offences are recorded. The monitoring of areas in which protection of privacy can be expected (e.g. toilets) is excluded.
- The privacy officer of PULSE must be consulted as to whether the concealed monitoring is to be notified in advance to the competent data protection authority.
- When conducting concealed monitoring, it must always be ensured that the level of interference with the rights of privacy of the data subject is kept to a minimum.
7. Rights of the Data Subject and how to deal with Requests
Persons identified within personal evaluation are made individually aware of:
- the fact that they have been identified within the video monitoring system, provided that the identity of the identified person is recorded in writing or electronically;
- where appropriate, that recordings will be used against the identified person, including the purpose of use;
- the period for which the recordings are likely to be retained;
- the fact that the recordings and other related personal data, if any, of the identified person may be transferred to other parties outside PULSE’s security department;
- that the identified persons have rights in accordance with the applicable data protection law.
The notification shall take place within a reasonable period of time, unless the information would make it impossible or considerably more difficult to prevent, investigate or establish and prosecute criminal offences or acts which contradict the purpose of this Policy according to Clause 1. If, as a temporary measure, the notification is not to be provided to the identified person, the PULSE privacy officer must be consulted, in particular to ensure that the rights of the identified person are respected.
Identified persons must be made aware of their rights under the privacy law applicable to them, in particular the rights related to:
- Rectification (if incomplete or incorrect);
- The right to restrict use and erasure;
- The right to receive a copy of the recordings or other personal data collected;
- The right to lodge a complaint with the competent data protection authority;
- The contact address at which the rights may be exercised.
The identified person who intends to exercise any of the above rights must identify himself/herself. Actions necessary for the exercise of these rights shall be free of charge, unless the number and nature of the requests are high and contrary to the principle of good faith.
The rights of the identified person may be restricted if the prevention, investigation or establishment and prosecution of criminal offences or acts which are contrary to the purpose of this Policy according to Clause 1 are rendered impossible or considerably impeded thereby or if it is necessary for the protection of rights of privacy of other persons.
8. Transfer of Recordings
Recordings and other personal data of an identified person may only be transferred to the competent authorities or to insurance companies within the reporting of a criminal offence or as part of the assertion of civil law claims.
Before a possible transfer, a thorough analysis of the necessity as well as the compliance with the purpose of monitoring and this Policy must be carried out. The transfer of recordings to other persons outside PULSE is excluded, except in cases in which the external person has a legal claim.
Each transfer of recordings and other personal data of an identified person outside the security department of PULSE is to be documented in an appropriate manner.
The privacy officer of PULSE must be consulted prior to any transfer.
PULSE Staff shall be trained in relevant aspects of privacy law. New employees and, if necessary, assigned persons are to be trained systematically before or with the beginning of their activity in connection with the monitoring.
Every two years PULSE carries out a workshop for the PULSE Staff with a focus on compliance with privacy law.
10. Data Security
PULSE protects all data collected in connection with video monitoring through appropriate technical and organizational measures, in particular the following:
- The servers, on which the recordings are stored, are protected by physical safety measures (e.g. by locking the room concerned);
- The IT systems are protected by firewalls;
- All persons involved in the monitoring process sign a confidentiality agreement;
- The respective PULSE Staff receives only those access rights which are absolutely necessary for the fulfilment of the task assigned to them (need-to-know principle);
- Access rights can only be granted by the designated administrator;
- A list of all authorised persons and their access authorization (scope) is maintained.
11. Internal Audit
PULSE’s privacy officer carries out an internal audit at least every two years and assesses whether the measures taken and this Policy are still sufficient and whether a less restrictive alternative is available from a data protection point of view (adequacy audit). Also, compliance with this Policy in practice shall be audited (conformity audit).
12. Entry into Force
This Policy shall enter into force on 1 September 2023.