Employees

Every data processing operation is performed on one or more of the following legal grounds:

1. processing is necessary for the performance of a contract (EU GDPR Art. 6 (1)(b)), e.g., your personal data was transferred to us in connection with your employment contract and is necessary for the performance of your employment contract and the resulting obligations (e.g., we need your bank account details in order to pay you your salary);
2. there is a legal obligation within the meaning of EU GDPR Article 6 (1)(c) to which Valora is subject (e.g., the company is required to disclose your insurance data to the social security agencies);
3. processing of your personal data is necessary to safeguard legitimate interests of Valora or of a third party under EU GDPR Article 6(1)(f), so long as they are not outweighed by the interests or fundamental rights and freedoms of the Data Subject, which require the protection of personal data (e.g., Valora is required to take appropriate IT (Information Technology) security measures);
4. processing is based on a collective agreement (works agreement) within the meaning of EU GDPR Article 88;
5. processing is necessary in order to protect your vital interests or those of another natural person (e.g., in case of an industrial accident).

We may request your Consent in certain special cases in which none of the above legal grounds applies (EU GDPR Art. 6 (1)(a)). In such cases you will be asked to grant your Consent on a purely voluntary basis so that we can process your personal data.

Subject to the statutory requirements, Valora may also process sensitive categories of your personal data (so-called “sensitive data”) for the following purposes, namely for the administration of:

Criminal records data: information from the criminal records where it is required in the recruitment process for selected positions, to the extent necessary and permitted by the laws of the relevant country.

Information about equal treatment and diversity: information about race, religious opinions and sexuality, to the extent necessary and permitted by the laws of the relevant country and providing that the requested information was supplied  by the Data Subject voluntarily.

Health data: for payroll accounting and to meet the occupational reintegration obligations: information about health-related absences, especially certificates attesting inability to work, reintegration forms, doctors certifications and attestations concerning stays in rehabilitation centres and hospitals and the information contained therein.

Whenever we process your personal data, we do so with the objective of using it for a legitimate purpose.

We process the personal data mentioned in Chapter 10 for the following purposes, in particular:

• in the context of your employment relationship, to draw up and update your employee records and to manage the routine aspects of your employment; such aspects may include, for example, managing your letters of reference and other certificates concerning your career or your working hours, disbursement of your pay, administration of the social benefits to our employees (such as sports and health offers, as well as occupational pensions), keeping of a file of occupational accidents or of certificates/diplomas obtained for internal or external training during your employment with us, assessment of your job performance or of your complaints or, to the extent necessary in the specific case, to conduct a disciplinary procedure in case of criminal offences or other misconduct, subject to the statutory requirements;
• in order to perform the tasks related to the termination of your employment or to draw up a letter of reference for you, to the extent required and permitted by law, or at your express request;
• in order to assess your suitability for your current job or another job within the Valora Group and to plan your further career, including information about staffing and succession planning;
• in order to perform tasks necessary for the payment of your salary, employee benefits and pension/retirement benefits;
• to manage your business trips and travel expenses;
• in order to manage occupational health and safety and to report occupational accidents to the relevant departments and external institutions; in order to set up and manage the access rights to the IT resources deployed by Valora (including the business telephone number, the business email-address and internet access);
• in order to set up your security clearance to enter the company grounds and buildings and to manage the video surveillance recordings, subject to the statutory requirements, especially under EU GDPR articles 12 et seqq.;
• for your activities related to using department-specific IT resources or our social networks for exchanges in groups with your managers and colleagues worldwide;
• in order to monitor the use of ICT resources according to the principle of proportionality. That is all done in accordance with the Valora Group policies (to the extent they comply with the laws of the relevant country) and according to the applicable data protection and telecommunications laws in certain cases (e.g., in case of suspicions of criminal offences or other relevant misconduct or for the sake of ensuring IT security), or to the extent that it is necessary to safeguard legitimate interests of Valora or of third parties, providing that they are not outweighed by the legitimate rights and liberties of the employees, or if there are other appropriate legal grounds;
• in order to enable the implementation of corporate transactions such as mergers, sales, restructuring, transfers of Valoras assets or companies, acquisition of a company, insolvency or similar events.

We process the following categories of personal data related to our employees:

Personal details: your first and last names, grade/form of address, date and place of birth, sex, nationality, social security number, work permit, residence permit, personal contact details and marital status; information about your dependent family members and their citizenship may be included, provided that they have consented thereto in a legally valid manner.

Basic information about the employment: business contact details (business email-address and phone number), employee number, photo, job title, job description, department, reporting lines, main workplace, working hours, job status and job requirements.

Professional qualifications: letters of reference, other certificates related to professional development and proficiency in foreign languages.

Information about the hiring and selection process: personal data from your curriculum vitae, letters of application, job references, minutes of your job interview and notes on the interview, documentation from the selection and application process as well as information from the Debt Collection Register (where necessary for recruitment).

Information about presence/absence at the workplace: time sheet data and information about your holidays and family-related or other absences from work (e.g., unpaid leave).

Subject to the statutory requirements, information about disciplinary and appellate proceedings in case of criminal offences or other misconduct: personal data from the records with information about accusations, investigations, proceedings and the outcomes.

Information about claims by other employees, complaints and disclosure of personal data to third parties: personal data from records of labour-related court proceedings and complaints; personal data from records of the participation of employees in the reporting of relevant incidents (potential violations of the law, accidents, etc.).

Information about the termination of your employment: e.g., the date of termination of employment as well as the reasons, the conditions of termination and the details of any possible payments (severance pay, wage payments and the like), the content of the interview of termination or dismissal, as well as information from the letter of reference.

Information from surveys: information from your job satisfaction surveys (information such as your job title, first and last names of your line manager, working atmosphere, company, etc.).

Information about your job performance: For example, feedback from your colleagues and line manager, awards, scores in talent programs, information from formal and informal assessments of your job performance.

Personal development data: information about your further career plans, e.g., appropriate duties and advanced training measures, development and follow-up plans, estimates of your skills and abilities, including assessment scores.

Information about training courses: information about training the seminars and courses that you have completed or are still required to complete.

Information about your pay and employee benefits: information about your salary and employee benefit payments (including occupational pension), your pay, expenses, bonus and possible premiums for years of service, the relevant currency, bank account details, cost centre, company credit card data, tax information and third-party payees, where applicable (e.g., in case of garnishments).

Information about your entries on social networks: information about your personal identity (first and last names, email address, job title) and membership in certain subject-specific groups and the content entered there, e.g., your contributions on certain topics, communications with line managers and colleagues in the Valora Group, photos or videos, to the extent that such content can be entered according to the applicable terms of use of the social networks and the relevant statutory provisions.

Information about the use of department-specific IT technology for the performance of your duties: information about your personal identity (first and last names, business email address, job title, login data, login and access logs, keyboard input) in those systems to exercise the department-specific activity (e.g., assertion of claims, invoices, releases and audits of certain materials, storage and/or retention of documents).

Data from video surveillance: images from video surveillance recordings that make it possible to identify the individuals shown; login data about system logins, access data that enables entering the buildings, login and access logs, materials downloaded off the internet and printed out, recordings of telephone conversations, information from materials that were blocked by IT security programs and filters.

Photographic data related to training courses or company events: photographic and video recordings related to training courses or company events at which you were present.

Other data: Subject to the statutory requirements, Valora may also process other personal data that you disclose to the company in the course of your employment relationship, whether orally or in writing (e.g., in business email messages).

If you have reason to assume that Valora is not processing your personal data in compliance with the applicable laws and regulations and/or if you are dissatisfied with the way in which your query about the exercise of your rights was handled (see Chapter 7), Valora hereby reminds you of your right to lodge a complaint with a supervisory authority (usually the supervisory authority of your habitual residence, place of work or our registered office).

An overview of the appropriate data protection authorities in Valora countries may be found in Annex 2.

If you have any questions about the processing of your personal data or need information on that subject, please use a secure and confidential means to contact your local Data Protection Officer at any time. The Data Protection Officers are listed in Annex 1.

Alternatively (or if there is no local Data Protection Officer in your country), you can send an e-mail to the Valoras Group Data Protection Officer in Muttenz at the following email address: dataprivacy@valora.com

If you have any questions about this Data Protection Policy or would like to learn the extent to which the current laws enable you to:

• access your personal data, or
• have your personal data corrected or deleted, restrict the processing of your personal data or object to the processing of your personal data (especially in cases in which such processing is based on our legitimate interests or those of third parties);
• receive your personal data in a structured, accessible and machine-readable format or have it sent directly to another Controller (to the extent technically feasible and permitted by law); please contact us (see Chapter 8).

Valora takes the security of your personal data very seriously. To protect your data against unauthorised access, unauthorised use, unauthorised alteration or unauthorised disclosure, Valora uses a variety of security technologies and procedures providing levels of security suited to the degree of sensitivity of the relevant data.

To ensure the confidentiality and integrity of your personal data, Valora requires third parties to enter into contracts that oblige them to treat your personal data securely.

In general, Valora stores your personal data as long as necessary for the required purposes. In principle, Valora needs your personal data to perform duties arising out of your employment contract, usually during your period of employment with us. We may also have to store your personal data after termination of your employment relationship, however, when so required by certain statutory retention periods for personal data (e.g., under tax law or commercial law). For more detailed information, consult with your contact partner at Corporate Legal Services or Valoras Data Protection Officer (Chapter 8).

Regardless of the country in which your personal data is located or from which your data is accessed, Valora ensures that your data is processed in accordance with the provisions of the present Data Protection Policy and with the requirements under the applicable national laws and the EU GDPR.

In light of our worldwide business activities, we may share your personal data with Valora companies or third parties (e.g., service providers) that are located outside of Switzerland and the EU Member States. This means that your data may sometimes be processed in countries whose local laws do not provide the same degree of legal protection as in your home country (so-called "third countries").

Whenever Valora transfers personal data from countries of the European Economic Area or from Switzerland to third countries, we do so according to the provisions of the applicable European data protection laws. Firstly, this means that Valora protects your data in the same way at all times. Secondly, Valora selects only such service providers that protect your data in compliance with EU Standards. Valora sets up appropriate safeguards to that purpose, such as using standard contract clauses recommended by the EU Commission.

In Chapter 14, you can find further information about data transfers to third countries.

Personal data means information that:

1. relates to an identified person, i.e., a person who can be identified on the basis of the personal data,
2. or relates to an identifiable person, i.e., a person who can be identified on the basis of the personal data used in combination with other information about that person that is available to Valora (or that can be easily learned by Valora).

An identifiable person is one who can be adequately identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data means information that:

1. relates to an identified person, i.e., a person who can be identified on the basis of the personal data,
2. or relates to an identifiable person, i.e., a person who can be identified on the basis of the personal data used in combination with other information about that person that is available to Valora (or that can be easily learned by Valora).

An identifiable person is one who can be adequately identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Throughout your employment, Valora may disclose some of your data to third parties and forward it to the following recipients:

• Valora Group companies
• external service providers
• government agencies and authorities (e.g., tax or social security agencies)

In necessary cases, we may forward your personal data to the Valora Group companies in order to carry out global processes, to enable groupwide reporting, or to make recruitment or promotion decisions. Valora has entered into agreements on lawful data transfers (e.g., the standard contract clauses recommended by the European Commission) or taken other recognised measures that are applicable to all the Group companies and that legitimize crossborder transfers of your personal data.

To provide our services, we call upon numerous external service providers that may have access to your personal data or only store it, as commonly occurs under Valora's Policy on Commissioned Data Processing. Valora enters into written agreements with such Commissioned Data Processors requiring them to process personal data strictly according to Valora's instructions and the applicable data protection and data protection regulations, and to protect the data adequately against Personal Data Breaches.

Whenever Valora calls upon external service providers to process your personal data in third countries with a lower level of data protection and/or transfers your data to such a country (including the United States of America), Valora takes additional appropriate measures to ensure an appropriate level of protection for your personal data. Such measures include written agreements on data transfers to third countries (especially the standard contract clauses recommended by the European Commission) or certifications approved by the EU Commission or the approved binding rules of conduct of the data recipient.

Some external service providers to which Valora may forward personal data (e.g., health insurance companies providing health insurance services) act as independent Controllers for data processing. If you would like to learn how they use your personal data, it would be best to read the data protection policies and guidelines of those insurance providers.
We also have the right and/or obligation to disclose your personal data in the following cases:

• in the case of a judgement, decision or other order or request issued by a court, public administrative authority or other government agency or by a party to a judicial proceeding;
• in order to comply with legal obligations to inform, or
• in the context of litigation (e.g., if you are called upon to testify as a witness or are otherwise involved) in proceedings held before a court, public administrative authority or other government agencies.

• Germany: www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
• Switzerland: www.edoeb.admin.ch
• Austria: https://www.dsb.gv.at
• Liechtenstein: www.dss.llv.li
• Luxembourg: www.cnpd.lu/en
• Netherlands: www.cbpweb.nl