Valora pension fund privacy policy

We collect and process personal information about you in order to perform our services, meet our statutory and contractual obligations, and manage our business activities. We process such personal information for the following purposes:

Performing services and other internal purposes

For the purpose of performing our services and meeting our statutory and contractual obligations as a pension fund (e.g. to identify the beneficiaries, or investigate or prevent violations of law), we manage your basic data, register/deregister you for our benefits as instructed by your employer and calculate your contributions and those of your employer, examine the health surveys completed by you, pay benefits, and manage your savings plan together with you.

Moreover, we process personal data to improve and further develop our services. We may process personal data as part of international assessments and audits, for which the relevant personal data will be anonymised as far as possible.

For the above purposes, we collect and store the following personal data:

• basic data (e.g. name, address, telephone number, e-mail address, gender, date of birth, marital status, occupation)

• business data (e.g. salary, employment data, salary data, former employers and pension funds)

• payment data (e.g. bank account details, reminders, invoices, incoming payments, benefits paid)

• social insurance data

• contract data (e.g. benefits statements, data from offers and applications, data from health surveys and medical reports, inquiries about economic background and beneficial owners, information about pension funds and vested-benefit accounts, process of registration/deregistration for our benefits, data related to claims)

• Communication data

Regarding employers affiliated to Valora Pension Fund, we particularly process the names and contact data of the persons in charge.

myVPK

As part of performing our services, we provide beneficiaries and employers with a central platform "myVPK". Information about data processing on myVPK is available here: https://www.valora.com/media/pk/infocenter/downloads/de/datenschutzerklaerung_myvpk_de.pdf.

Internal management

We process the above-mentioned personal data for purposes of internal management, such as archiving, compliance with statutory retention requirements, tax purposes, invoicing and accounting. Moreover, the above-mentioned personal data is edited for purposes such as risk assessment, abuse prevention, internal and external investigations and legal proceedings.

Business partner management

To update and manage our business partners, we process in particular basic personal information and contact data (e.g. name, postal address, telephone number, e-mail address, position).

Contact form and e-mails

You may use a contact form (subject to availability) in order to ask us questions about ourselves or our services. When using the contact form, you will be prompted to enter personal data such as your name, postal address, e-mail address, and a message that you would like to send us. You may also contact us directly by e-mail if we have given you a certain e-mail address. We may use such information to pursue our legitimate interests, for example to contact you or reply to your message.

Your personal data will generally be supplied to us by your employer and by yourself. To the extent necessary for the above purposes, certain personal data will be collected from publicly accessible registers or other services.

No automated decision-making or profiling is performed.

We may make your personal data available to the following categories of recipients for the following purposes:

• to our service providers and Valora Group companies in Switzerland (see https://www.valora.com/en/brands for further details), e.g. for bookkeeping, accounting, performance of services, telecommunications and IT, credit information, consulting, auditing;

• affiliated employers in order to meet our statutory and contractual obligations;

• at your express request;

• if disclosure is necessary in order to comply with a court ruling or an administrative obligation (e.g. to your employer, competent authorities and offices, compensation funds and other social insurance agencies); or

• if the sharing of such personal data is connected with the intended disposal, dissolution or other restructuring of our organisation, parts of our organisation or the assets of our organisation.

Our service providers and Valora Group companies in Switzerland are required by contract to process personal data only by our order and according to our instructions. We also require them to comply with technical and organizational measures for personal data protection and security. Our service providers and Valora Group companies in Switzerland shall use personal data only for the agreed purposes and neither sell nor otherwise commercialise such data to third parties.

Your personal data is generally processed and stored in Switzerland. Moreover, your personal data is transferred to our hosting service provider in Germany and stored there. No further transfers of your data take place for the purposes of this Privacy Policy.

In order to ensure the security and confidentiality of the recorded personal data, we use data networks protected by the usual firewalls and passwords in the industry. In dealing with your personal data, we take appropriate measures to protect such personal data against loss, misuse, unauthorised access, disclosure, alteration or destruction.

In the absence of applicable statutory retention rights or obligations, we generally process your personal data only as long as necessary to fulfil the relevant purpose. Once the relevant purpose is fulfilled, your personal data will generally be deleted.

Specifically, this may mean, for example:

• personal data from you that we process as part of our services will be processed for the duration of the beneficiaries’ insurance coverage and/or of the employer’s affiliation, after which it will be stored for ten years pursuant to our statutory retention obligations.

• The personal data that you enter during registration on myVPK will be stored for the life of your account. Upon termination of your account, your personal data will be stored for two more years.

You may exercise the following rights in connection with your personal data:

• If you have consented to the processing of your personal data, you may revoke your consent at any time.

• You have the right to object to the processing of your personal data if we have no justification for further processing (e.g. statutory obligation, performance of contract or any other legitimate interest of ours).

• You have the right to find out whether we are processing your personal data, to obtain information about individual aspects of the processing and, under certain circumstances, to receive a copy of the data.

• You have the right to check the accuracy of your personal data and demand an update or rectification.

• You have the right under certain circumstances to demand the erasure of your personal data.

• You have the right under certain circumstances to limit the processing of your personal data.

• You have the right under certain circumstances to receive your personal data in a structured, commonly used, and machine-readable format and, as far as technically feasible, to have such data transferred unhindered to another data controller.

If you believe that we are processing your personal data unlawfully or have violated your data protection rights under applicable data protection law, you have the right to submit a complaint to the competent supervisory authority, which, in Switzerland, is the Federal Data Protection and Information Commissioner.

If you wish to exercise your rights or have any other questions and concerns, please contact our Data Protection Officer (the contact information is in the first section of this Privacy Policy).

We review our Privacy Policy on a regular basis and may change it at any time. You will be informed of any such changes to our Privacy Policy in an appropriate manner.