Data Protection

The Privacy Notice describes how and for what purposes we collect, process and use personal data. Responsible handling of customer data has always been an important concern for us. We are continuously making adjustments in order to protect the personal data of our customers even better.

1. What Is This Privacy Notice About?

The protection of personal data is a matter of trust, and your trust is important to us. In this Privacy Notice, we inform you how and why we collect, process, and use your personal data.

In this Privacy Notice, you will learn, among other things:

what personal data we collect and process;
the purposes for which we use your personal data;
who has access to your personal data;
what benefits our data processing has for you;
for how long we process your personal data;
what rights you have with respect to your personal data; and
how you can contact us.

We have based this Privacy Notice on both the Swiss Data Protection Act and the European Union’s General Data Protection Regulation (GDPR). The GDPR has established itself globally as a standard for strong data protection. However, whether and to what extent the GDPR applies depends on each individual case.

2. Who Is Responsible for Data Processing?

Lilly Capital AG
Giessenstrasse 5b

8835 Feusisberg

datenschutz@lilly-capital.ch

3. For Whom Is This Privacy Notice Intended?

This Privacy Notice applies to all persons whose data we process (hereinafter referred to as “you”), regardless of which channel you use to contact us (e.g. by phone, on the website, via a social network, at an event, etc.). It applies to the processing of personal data that have already been collected and personal data that will be collected in the future.

Our data processing activities may, in particular, affect the following categories of persons if we process their personal data:

Visitors to our websites;
Individuals who write to us or contact us in any other way;
Recipients of information and marketing communications;
Participants in competitions and prize draws;
Participants in customer and public events;
Job applicants.

For information about the collection and processing of personal data when using our websites, mobile apps, and social media pages, particularly in connection with cookies and similar technologies, please also consult our Cookie Notice.

4. Which Personal Data Do We Process?

«Personal data» constitute information that can be associated with a specific person. We process various categories of such personal data. The key categories are set out below for your orientation. However, we may also process other personal data in individual cases.

You can find out more about the origin of these data in section 5 and about the purposes for which we process these data in section 6.

4.1 Communication Data

If you contact us or we contact you, or when you write to us, or call us, we process the exchanged communication contents and information about the type, time, and place of communication. In certain situations, we may also ask you to provide proof of identity.

Examples of communication data are:

name and contact details such as postal address, e-mail address, and telephone number;
content of e-mails, written correspondence, chat messages, social media posts, comments on a website, telephone conversations, video conferences, etc.;
responses to customer and satisfaction surveys;
details of the type, time, and in certain circumstances place of communication;
proofs of identity such as copies of official IDs;
marginal communication data.

Telephone conversations and video conferences with us may be recorded; we will inform you of this at the start of each conversation. If you do not want us to record such conversations, you may terminate the conversation at any time and contact us in another manner (e.g. by e-mail).

4.2 Technical Data

When you make use of our website, we collect certain technical data such as your IP address or device ID. Technical data also include the protocols in which we record the use of our systems (log files). In some cases, we may also assign a unique code number (an ID) to your end device (tablet, PC, smartphone, etc.), for example by using cookies or similar technologies, in order to be able to recognize it. Further details concerning this can be found in our Cookie Notice.

Technical data can in particular also be used to collect behavior data, that is, details about your use of our website. However, we are usually unable to derive who you are from technical data.

Technical data include:

the IP address of your device and further device IDs (e.g. MAC address);
code numbers assigned to your device by cookies and similar technologies (e.g. pixel tags);
details of your device and its configuration, such as operating system and language settings;
details about the browser with which you access the offer, and its configuration;
information about your movements and actions on our websites and in our apps;
details about your Internet provider;
your approximate location and the time of use;
system recordings of accesses and other events (log files).

These technical data alone generally do not allow us to draw any conclusions about your identity.

Concerning the processing of technical data, please also consult our Cookie Notice.

5. Where Do the Personal Data Come From?

You often disclose personal data to us yourself, for instance when sending us data or communicating with us. Master, contract, and communication data in particular are generally something you disclose to us yourself. You are in many cases also responsible for disclosing preference data to us.

The provision of personal data is largely voluntary, which means that you are not generally obliged to disclose your personal data to us. However, we do have to collect and process the personal data that are required for processing contractual relationships and fulfilling associated obligations or that are prescribed by law, such as mandatory master and contract data, as we would otherwise be unable to conclude or continue the contract in question.

If you send us data about other persons (e.g. family members), we assume that you are authorized to do so and that these data are correct. Please also ensure that these other persons have been informed about this Privacy Notice.

6. For What Purposes Do We Process Personal Data?

6.1 Communication

We wish to remain in contact with you and address your individual requirements. We therefore process personal data for the communication with you, in order to answer inquiries, for instance. In particular, we make use of communication and master data for this, as well as contract data if the communication concerns a contract. We may also personalize the content and time of dispatch of messages on the basis of behavior, transaction, preference, and other data.

The purpose of communication particularly comprises:

responding to inquiries;
contacting you in the event of questions;

6.2 Information and Marketing

We wish to present you with attractive offers. We therefore process personal data for relationship management and marketing purposes, for example in order to send you written and electronic messages and offers and carry out marketing campaigns. For this purpose, we in particular make use of master data, contract data, communication data, transaction data, behavior data, and preference data.

Unless we separately ask for your consent to contact you for marketing purposes, you may decline such contacts at any time (see section 15). In the case of newsletters and other electronic messages, you can generally opt out of the corresponding service via an unsubscribe link integrated in the message.

The personalization of our messages enables us to tailor information to your individual needs and interests, and to only present you with offers that are likely to be relevant for you. You can find further information about this profiling in section 11.

6.3 Security and Prevention

We wish to guarantee your and our security and prevent misuse. We therefore also process personal data for security purposes, to guarantee IT security, to prevent theft, fraud, and misuse, and for evidentiary purposes. This can concern all the personal data categories listed in section 4, in particular also transaction and behavior data. We can acquire, analyze, and store these data for the purposes mentioned.

Examples of the purpose of security and prevention include:

the analysis of transaction and behavior data in order to detect suspicious behavior patterns and fraudulent activities;
the evaluation of system recordings of the use of our systems (log files);
the prevention, mitigation, and detection of cyber and malware attacks;
analyses and tests of our networks and IT infrastructures, and system and error checks;
physical access controls (e.g. access to office premises);
documentation purposes and creation of backups.

7. What Is the Legal Basis for Processing Personal Data?

Depending on the purpose of the data processing, our processing of personal data is based on different legal grounds. In particular, we may process personal data if

doing so is necessary to fulfill an agreement with the person concerned or for pre-contractual measures (e.g. to review a request for an agreement);
doing so is necessary to safeguard legitimate interests;
doing so is based on consent;
doing so is required for compliance with Swiss and foreign legal obligations.

In particular, we have a legitimate interest in processing for the purposes set out in section 6 above and the disclosure of data in accordance with section 8 and the associated objectives. These legitimate interests include our own interests and third-party interests.

8. To Whom Do We Disclose Personal Data?

We may disclose your personal data to companies if we make use of their services. These service providers generally process personal data on our behalf as so-called “contract processors”. Our contract processors are obliged to only process personal data in accordance with our instructions and to take suitable measures to ensure data security. Certain service providers are also responsible jointly with us or independently (e.g. collection agencies). We ensure through the selection of service providers and suitable contractual agreements that data protection is upheld during the entire processing of your personal data.

Examples include services in the following areas:

Advertising and marketing services, for example for the delivery of messages and information;
Corporate management services, for example accounting or asset management;
IT services, for example in the areas of data storage (hosting), cloud services, the delivery of e-mail newsletters, and data analysis and refinement;
Advisory services, for example the services of tax advisers, lawyers, management consultants, or advisers in the field of personnel recruitment and placement.

Please take note of our Cookie Notice concerning independent data collection by third-party providers whose tools we have integrated into our websites and apps.

9. How Do We Disclose Personal Data Abroad?

We process and store personal data mostly in Switzerland and the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and other recipients (see section 8) who are located outside this area or who process personal data outside this area, in principle in any country in the world. The countries in question may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner.

10. How Do We Process Sensitive Personal Data?

Certain types of personal data are considered under data protection law to be sensitive, such as details about health and biometric features. Depending on the circumstances, the categories of personal data listed in section 4 may also comprise such sensitive personal data. However, we generally only process sensitive personal data if this is necessary for the provision of a service, if you have voluntarily disclosed these data to us, or have consented to such processing.

11. How Do We Protect Personal Data?

We take appropriate technical and organizational security measures in order to safeguard your personal data, protect you against unauthorized or unlawful processing activities, and to address the risk of loss, unintentional changes, inadvertent disclosure, or unauthorized access. However, like all companies, we cannot completely rule out data security infringements; certain residual risks are unavoidable.

Security risks of a technical nature include the encryption and pseudonymization of data, record keeping, access restrictions, and the storage of data backups. Security measures of an organizational nature include instructions issued to our employees, confidentiality agreements, and audits. We also require our contract processors to take appropriate technical and organizational security measures.

12. For How Long Do We Process Personal Data?

e process and store your personal data

for as long as it is required for the purpose of processing and compatible purposes, in the case of contracts normally for at least the duration of the contractual relationship;
for as long as we have a legitimate interest in storing it. This may be the case, in particular, if we need personal data to enforce or defend claims, for archiving purposes, and to ensure IT security;
for as long as it is subject to a statutory retention requirement. For example, a ten-year retention period applies to certain data. Shorter retention periods apply for other data, for example for recordings from video surveillance or for recordings of certain online processes (log data).

In certain cases, we will also ask for your consent if we want to store your personal data for longer periods (e.g. for job applications that we wish to keep on file). At the end of the periods specified, we will erase or anonymize your personal data.

For example, we adhere to the following retention periods, although we may deviate from them in individual cases:

Contracts: We generally retain master and contract data for ten years as of the last contractual activity or contract expiry. However, this period may be longer if this is necessary for the provision of evidence, due to statutory or contractual provisions, or for technical reasons. Transaction data in connection with contracts are generally retained for ten years.
Technical data: We generally retain log files for six months. The storage period of cookies is normally between a few days and two years unless they are immediately deleted at the end of the session.
Communication data: E-mails, messages via the contact form and written correspondence are generally retained for ten years.
Job applications: We generally delete application data within six months following conclusion of the application process. We may keep your application on file with your consent with a view to potential recruitment at a later stage.

13. What Rights Do You Have in Connection With the Processing of Your Personal Data?

You have the right to object to data processing particularly if we process your personal data on the basis of a legitimate interest and the other applicable requirements are met. You can also object to data processing in connection with direct advertising (e.g. advertising e-mails) at any time.

Provided the applicable conditions are met and there are no applicable statutory exceptions, you also have the following rights:
the right to request information about your personal data stored by us;

the right to have inaccurate or incomplete personal data corrected;

the right to request the deletion or anonymization of your personal data;

the right to request that the processing of your personal data be restricted;

the right to receive certain personal data in a structured, commonly used and machine-readable format;

the right to revoke consent with effect for the future, insofar as processing is based on consent.

Please note that these rights may be restricted or excluded in individual cases, e.g. if there are doubts about the identity or if this is necessary to protect other persons, to safeguard interests worthy of protection or to comply with legal obligations.

14. How Can You Contact Us?

If you have any questions or concerns relating to this Privacy Notice or the processing of your personal data, please contact the company responsible using the contact details stated on its website.

You are also welcome to contact us as follows:

Lilly Capital
Giessenstrasse 5b
8835 Feusisberg
datenschutz@lilly-capital.ch

15. Changes to This Privacy Notice

This Privacy Notice may be updated over time, especially if we change our data processing activities or if new legal provisions become applicable. We will actively inform individuals whose contact details are registered with us of any material changes, provided that we can do this without disproportionate effort. In general, the version of the Privacy Notice in effect at the time at which the data processing activity in question commences is applicable.

Version 1.0