Personal Data Protection Policy
Last Modified: 2022-11-02
1. Introduction
Interogo Holding AG embraces the fundamental principle of respect for an individual’s right to privacy. We take this very seriously and protect all personal data entrusted to us, whether they relate to our co-workers, applicants, suppliers, business partners, clients, portfolio companies etc.
At Interogo Holding AG and our direct and indirect subsidiaries (the “Interogo Holding Group”) we commit to act in a careful and responsible way when it comes to Personal Data (as defined in point 4.3. below). We comply with data protection laws and applicable legislations in all countries where we operate. We collect, access or process personal data that is necessary to conducting our business and only for the purpose for which it is intended. We also ensure that such data is stored securely.
The mindful handling of Personal Data flows from of our core values, such as ‘caring for people and planet’, ‘simplicity’, ‘give and take responsibility’ and ‘lead by example’.
2. Scope
The present Policy outlines the main personal data protection terms and the guiding principles for the protection of personal data we should follow in our daily work.
This Personal Data Protection Policy applies to all companies which are directly or indirectly consolidated by Interogo Holding AG when handling Personal Data. The Policy does not apply to portfolio companies within our private equity, long-term equity and infrastructure strategies, as they are governed through their ownership structure and therefore only indirectly guided by the Interogo Holding AG Personal Data Protection Policy.
3. DATA PROTECTION PRINCIPLES
Flowing from our Interogo Holding Group core values and the applicable laws, we should ALWAYS keep in mind the personal data protection principles when we are dealing with Personal Data.
Personal Data.
3.1 Lawfulness, fairness, and transparency
Trust, respect, integrity and honesty are essential in the Interogo Holding Group.
These translate to our obligations to always act in a lawful manner, be fair about how we handle Personal Data and at all times be transparent to those whose Personal Data we process.
3.2 Purpose limitation
We do not use Personal Data for a purpose that is incompatible with the initial purpose for which it was collected.
For instance, if a CV is collected to assess an applicant’s eligibility, this CV cannot just be shared for another reason.
3.3 Data minimization
We take responsibility of the Personal Data we collect.
At Interogo Holding Group we only collect Personal Data that is adequate, relevant and not excessive in relation to the purpose for which the Personal Data is processed.
3.4 Storage limitation
We do not keep Personal Data for longer than is necessary for the purpose it was collected.
When Personal Data is no longer required, we always destroy it in a safe manner. We do not keep Personal Data “just in case it might come in handy in the future.
3.5 Integrity and confidentiality
Our core value ‘caring for people and planet’ means that we protect all Personal Data processed by any of the companies of the Interogo Holding Group.
We all take appropriate technical and organizational measures against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of Personal Data.
Each co-worker has a responsibility to ensure that Personal Data held in the Interogo Holding Group does not end up in the wrong hands.
3.6 Accountability principle
We, as Co-workers in the Interogo Holding Group are, at all times, able to demonstrate that we have understood these principles and are able to act in a compliant manner.
4. MAIN PERSONAL DATA PROTECTON TERMS AND GUIDANCE (I/V)
The main terms for protection of Personal Data as per the applicable legal framework and some practical guidance are listed below.
4.1 Personal Data Protection Laws
The General Data Protection Regulation (GDPR) is EU legislation regulating the protection of Personal Data.
Its main goal is (i) to empower those whose Personal Data is used (data subjects) by giving them control to their data and (ii) to impose safeguards to ensure that such data is handled in a secure and transparent manner.
GDPR became applicable in the national legislation of all EU member states as of 25 May 2018.
The United Kingdom and Switzerland provide similar protection of personal data through their national laws (currently the UK Data Protection Act 2018 and the Swiss Data Protection Act 2020) and are considered equivalent jurisdictions.
GDPR, the national laws transposing GDPR in each EU country, the UK Data Protection Act 2018 and the Swiss Data Protection Act 2020 as applicable and any similar national legislation are referred to as the “Personal Data Protection laws”.
The Personal Data Protection laws mostly rely on definitions provided in the GDPR. These Personal Data Protection laws are applicable when Personal Data is processed.
Any breaches of the Personal Data Protection laws have to be investigated immediately and in some cases need to be reported to the national Data Protection Authority within 72h by the data controller.
4. MAIN PERSONAL DATA PROTECTON TERMS AND GUIDANCE (II/V)
4.2 Roles under the GDPR and the national Personal Data Protection Laws
“Data Subject” - individual whose personal data is collected and processed. Data subject retain certain rights with respect to their data which have to be safeguarded by the data controller.
“Controller” - the entity or person who determines the purposes and means of the Processing of Personal Data (or in other words: the “why” and “how”).
Controllers are responsible for the Personal Data Process, for example employee personal data or personal data regarding counterparties or customers.
The GDPR and the national Personal Data Protection laws impose extensive requirements on controllers, which include the requirement to implement different personal data protection policies and procedures.
In its day-to-day activities, most of the companies of the Interogo Holding Group operate as a “controller”.
“Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.
The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated.
4. MAIN PERSONAL DATA PROTECTON TERMS AND GUIDANCE (III/V)
4.3 Personal Data
‘Personal Data’ means any information relating to an identified or identifiable natural living person. An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as:
| A name | Location data | Email address | Date of birth |
|---|---|---|---|
| An online identifier | Curriculum vitae | Emergency contact details | Nationality |
| CCTV records | Personal phone number | Annual leave details | Employment history |
| Criminal record information | A business email address | Business phone number | Payment or credit card details |
4.4 Special Categories of Personal Data
Under the GDPR and the national Personal Data Protection laws, Special Categories of Personal Data are granted additional protection because they are too sensitive. This is Personal Data that reveals for instance:
| Racial or ethnic origin | Political opinions | Religious or philosophical beliefs |
|---|---|---|
| Trade union membership | Health data | Data about sexual life |
| Genetic data | Biometric data | Data about sexual orientation |
As a general rule, Special Categories of Personal Data should not be collected.
- In most cases, it is only allowed to process Special Categories of Personal Data when legally required or upon explicit prior consent of the individual.
- In addition, it is only possible to collect these Special Categories of Personal Data if specific safeguards are in place.
- A Data Protection Impact Assessment (DPIA) might be needed to understand the exact legal obligations and appropriate safeguards for the collection of Special Categories of Personal Data
*Interogo Holding AG and its group of companies condemn all forms of discrimination.
4. MAIN PERSONAL DATA PROTECTON TERMS AND GUIDANCE (IV/V)
4.5 Processing
Almost anything that is done with Personal Data is considered ‘Processing’.
Processing of Personal Data usually starts with the collection and ends with deletion or anonymization of Personal Data.
4.6 Lawful basis
The GDPR and the national Personal Data Protection laws outline that Processing shall only be lawful if and to the extent that a legal basis is in place. These include:
- Processing is necessary for the performance of a contract to which the individual is party.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
- Consent has been given by the individual in a free, specific, informed and an unambiguous way
4.7 Data sharing
If any Personal Data is shared, the following considerations should always be kept in mind and complied with:
- limit the data to what is strictly necessary
- ensure that the information is shared to the right person
- share the data securely (e.g. by protecting the data with a password)
- as a general rule, do not share data with anyone that is located outside the European Union, the UK, Switzerland or another country offering equivalent protection of personal data.
4. MAIN PERSONAL DATA PROTECTON TERMS AND GUIDANCE (V/V)
4.8 Rights of the Data Subjects
Data Subjects retain certain rights which the Data Controller has to guarantee. Data Subjects can exercise their rights at all times through a request to the Data Controller.
The request has to be handled without undue delay. These rights of the Data Subjects are:
- The right to be informed
- The right of access (“DSAR” = data subject access rights, response expected within 1 month)
- The right to rectification
- The right to erasure (“right to be forgotten”)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
4.9 List of national data protection authorities:
EU and EFTA: https://edpb.europa.eu/about-edpb/about-edpb/members_en
UK - information commissioner’s office: https://ico.org.uk/
CH – Federal Data Protection and Information Commissioner and websites to the cantonal authorities: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection---switzerland.html
ORGANIZATIONAL RESPONSIBILITY
In order to ensure compliance with the applicable Personal Data Protection laws, respect In order to ensure compliance with the applicable Personal Data Protection laws, respect privacy standards and promote awareness, each company in the Interogo Holding Group is invited to appoint a Personal Data Protection Champion (Privacy Champion).
Personal Data Protection Champions act as first point of contact with respect to protection of Personal Data and shall report or escalate any issues to an appointed person at the level of their business unit or division. Personal Data Protection Champions receive dedicated training and guidance materials to help implement and live up to this Policy in each company of our Group.
The GDPR and the national Personal Data Protection laws impose extensive requirements on controllers, which include the requirement to implement different Personal Data Protection policies and procedures or specific contractual arrangements. Templates for such policies, procedures, agreements and assessments are contained in the Personal Data Protection Manual which is distributed to the Personal Data Protection Champions.
If the collection of Special Categories of Personal Data is necessary, it shall be done under the instructions and in collaboration with the relevant Personal Data Protection Champion.
Sharing data with anyone that is located outside the European Union, the UK, Switzerland or another country offering equivalent protection of personal data unless this has been discussed and agreed with the relevant Personal Data Protection Champion.
For further instructions, please lease with the Personal Data Protection Champion in your company. If necessary, each business unit or division can further direct the queries to [email protected]
5. Change history
Latest update: 11, 02, 2022
Addition of introductory summary and summaries of each paragraph. Review of text and revision of headlines. The updated Terms of Use will automatically enter into force for all existing users on MM, DD, 2022. Your continued use of our Website from that date will be subject to the new Terms of Use.