Data protection

1. What is this data protection declaration about?

WEBSTON AG (hereinafter also referred to as "we", "us") obtains and processes personal data relating to you or other persons (so-called "third parties"). We use the term "data" here synonymously with "personal data".
"Personal data" refers to data relating to specific or identifiable persons, i.e. conclusions about their identity are possible based on the data itself or with corresponding additional data. "Particularly sensitive personal data" is a category of personal data that is particularly protected by the applicable data protection law. Personal data requiring special protection include, for example, data revealing racial and ethnic origin, health data, information on religious or philosophical beliefs, biometric data for identification purposes and information on trade union membership. Section 3 provides details of the data we process for the purposes of this privacy notice. "Processing" means any handling of personal data, such as obtaining, storing, using, adapting, disclosing and deleting it.
In this Privacy Policy, we describe what we do with your data when you use www.webston.ch, other of our websites or our apps (collectively, the "Website"), obtain our services or products, otherwise interact with us under a contract, communicate with us or otherwise deal with us. Where appropriate, we will provide you with timely written notice of additional processing activities not mentioned in this Privacy Policy. In addition, we may inform you separately about the processing of your data, e.g. in consent forms, contract terms, additional privacy statements, forms and notices.
If you transmit or disclose data to us about other persons such as family members, work colleagues, etc., we assume that you are authorised to do so and that this data is correct. By submitting data about third parties, you confirm this. Please also ensure that these third parties have been informed of this privacy policy.
This privacy statement is designed to meet the requirements of the EU General Data Protection Regulation ("GDPR"), the Swiss Data Protection Act ("DPA") and the revised Swiss Data Protection Act ("revDSG"). However, whether and to what extent these laws are applicable depends on the individual case.

2. Who is responsible for the processing of your data?

Webston AG, Greppen (the "Webston AG") is responsible for the data processing of Webston AG described in this data protection declaration, unless otherwise communicated in individual cases, e.g. in further data protection declarations, on forms or in contracts.
For each data processing there are one or more offices which are responsible for ensuring that the processing complies with the requirements of data protection law. This body is called the data controller. It is responsible, for example, for responding to requests for information (section 11) or for ensuring that personal data is secured and not used in an unauthorised manner.
Other bodies may also be jointly responsible for the data processing described in this data protection declaration if they have a say in the purpose or design. All group companies are eligible. If you would like details of the individual persons responsible for a particular data processing, you are welcome to request information from us within the framework of the right to information (point 11). WEBSTON AG remains your primary contact, even if other co-responsible parties exist.
In section 3, section 7 and section 12 you will find further information on third parties with whom we cooperate and who are responsible for their processing. If you have any questions or wish to exercise your rights vis-à-vis these third parties, please contact them directly.
You can contact us for your data protection concerns and to exercise your rights in accordance with section 11 as follows:

Webston AG
Erich Steiner
Kleinrieden 26
6404 Greppen
Switzerland
contact@webston.ch

3. What data do we process?

We process different categories of data about you. The main categories are as follows:
Technical data: When you use our website or other electronic offerings, we collect the IP address of your terminal device and other technical data to ensure the functionality and security of these offerings. This data also includes logs recording the use of our systems. We retain technical data for 6 months. To ensure the functionality of these offers, we may also assign an individual code to you or your end device (e.g. in the form of a cookie, see section 12). The technical data does not allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations, access controls or the processing of contracts, they can be linked to other data categories (and thus possibly to your person).
Technical data includes, among other things, the IP address and details of the operating system of your terminal device, the date, region and time of use and the type of browser you use to access our electronic offerings. This can help us to provide the correct formatting of the website or to show you a website adapted for your region, for example. Based on the IP address, we know which provider you use to access our offers (and thus also the region), but we cannot usually deduce who you are from this. This changes when you create a user account, for example, because personal data can then be linked to technical data (e.g. we can see which browser you use to access an account via our website). Examples of technical data also include logs that occur in our systems (e.g. the log of user logins to our website).
Registration data: Certain offers, e.g. of competitions and services (e.g. login areas of our website, newsletter dispatch, free WLAN access, etc.) can only be used with a user account or registration, which can take place directly with us or via our external login service providers. In doing so, you must provide us with certain data and we collect data on the use of the offer or service. Access controls to certain facilities may generate registration data; depending on the control system, biometric data may also be generated. We retain registration data for 12 months after the end of the use of the service or the termination of the user account.
Registration data includes, among other things, the information you provide when you create an account on our website (e.g. user name, password, name, e-mail). However, registration data also includes the data that we may require from you before you can use certain free services such as the redemption of vouchers, in which case: name, address, contact details, time of redemption. You must also register if you wish to subscribe to our newsletter. In the context of access controls, we may have to register you with your data (access codes in badges, biometric data for identification) (cf. the category "other data").
Communication data: If you are in contact with us via the contact form, by email, telephone or chat, by letter or by any other means of communication, we collect the data exchanged between you and us, including your contact details and the boundary data of the communication. If we record or listen to telephone conversations or video conferences, e.g. for training and quality assurance purposes, we will specifically draw your attention to this. Such recordings may only be made and used in accordance with our internal guidelines. You will be informed when such recordings take place, e.g. by a display during the video conference in question. If you do not wish to be recorded, please inform us or end your participation. If you simply do not want your image to be recorded, please turn off your camera. If we want or need to establish your identity, e.g. in the case of a request for information submitted by you, a request for media access, etc., we collect data to identify you (e.g. a copy of an ID card). We usually keep this data for 12 months from the last exchange with you. This period may be longer where this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons. E-mails in personal mailboxes and written correspondence are kept for at least 10 years. Recordings of (video) conferences are kept for 24 months. Chats are usually kept for 2 years.
Communication data are your name and contact details, the manner and place and time of communication and usually also its content (i.e. the content of e-mails, letters, chats, etc.). This data may also include details of third parties. For identification purposes, we may also process your ID number or a password set by you or your press card. For secure identification, the following mandatory information must be provided for media enquiries: Publisher, name of publication, title, first name, surname, postal address, e-mail address and telephone number of the reporting person.
Master data: We use the term master data to refer to the basic data that we require in addition to the contractual data (see below) for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details and information e.g. about your role and function, your bank account(s), your date of birth, customer history, powers of attorney, signature authorisations and declarations of consent. We process your master data if you are a customer or other business contact or work for one (e.g. as a contact person of the business partner), or because we want to address you for our own purposes or the purposes of a contractual partner (e.g. as part of marketing and advertising, with invitations to events, with vouchers, with newsletters etc.). We receive master data from you yourself (e.g. when making a purchase or as part of a registration), from bodies for which you work or from third parties such as our contractual partners, associations

Master data is not collected comprehensively for all contacts. Which data we collect in detail depends on the purpose of the processing.
Contract data: This is data that arises in connection with the conclusion or processing of a contract, e.g. information about contracts and the services to be provided or provided, as well as data from the run-up to the conclusion of a contract, the information required or used for processing and information about reactions (e.g. complaints or information about satisfaction, etc.). This also includes health data and information about third parties, e.g. hereditary diseases in the family. We collect this data from you, from contractual partners and from third parties involved in the processing of the contract, but also from third party sources (e.g. providers of creditworthiness data) and from publicly accessible sources. We keep this data for 10 years from the last contractual activity, but at least from the end of the contract. This period may be longer if this is necessary for reasons of evidence or to comply with legal or contractual requirements or for technical reasons.
Contractual data includes information about the conclusion of the contract, about your contracts, e.g. type and date of conclusion of the contract, information from the application process (such as an application for our products or services) and information about the contract in question (e.g. its duration) and the processing and administration of the contracts (e.g. information relating to invoicing, customer service, assistance with technical matters and the enforcement of contractual claims). Contract data also includes information about defects, complaints and adjustments to a contract, as well as information about customer satisfaction that we may collect, for example, through surveys. Contractual data also includes financial data such as information about creditworthiness (i.e. information that allows conclusions to be drawn about the likelihood that debts will be paid), about reminders and about debt collection. We receive this data partly from you (e.g. when you make payments), but also from credit agencies and debt collection companies and from publicly accessible sources (e.g. a commercial register).
Behavioural and preference data: Depending on the relationship we have with you, we try to get to know you and better tailor our products, services and offers to you. To do this, we collect and use data about your behaviour and preferences. We do this by evaluating information about your behaviour in our area, and we may also supplement this information with information from third parties, including publicly available sources. Based on this, we can calculate, for example, the probability that you will use certain services or behave in a certain way. Some of the data processed for this purpose is already known to us (e.g. when you use our services), or we obtain this data by recording your behaviour (e.g. how you navigate on our website or by determining your movement profile using your mobile phone, for example). We anonymise or delete this data when it is no longer meaningful for the purposes pursued, which may be between 2-3 weeks (for movement profiles) and 24 months (for product and service preferences) depending on the nature of the data. This period may be longer where this is necessary for evidential purposes or to comply with legal or contractual requirements, or for technical reasons. We describe how tracking works on our website in section 12.
Behavioural data is information about certain actions, e.g. your response to electronic communications (e.g. whether and when you opened an email) or your location, as well as your interaction with our social media profiles and your participation in sweepstakes, contests and similar events. We may collect your location data, for example, wirelessly through unique codes sent by your mobile phone or when you use our website. We will inform you about the collection of anonymous movement profiles by appropriate signs at the relevant locations; we will only create a personalised movement profile with your consent.
Preference data tells us what your needs are, what products or services might be of interest to you, or when and how you are likely to respond to messages from us. We obtain this information from the analysis of existing data, such as behavioural data, so that we can get to know you better, tailor our advice and offers more precisely to you and improve our offers. In order to improve the quality of our analyses, we may combine this data with other data that we also obtain from third parties such as address dealers, public offices and publicly accessible sources such as the Internet, e.g. with details of your household size, income bracket and purchasing power, shopping behaviour and contact details of relatives and anonymous information from statistical offices.
Other data: We also collect data from you in other situations. In connection with official or legal proceedings, for example, data is collected (such as files, evidence, etc.) which may also relate to you. We may also collect data for health protection reasons (e.g. in the context of protection concepts). We may obtain or make photographs, videos and sound recordings in which you may be identifiable (e.g. at events, through security cameras etc.). We may also collect data on who enters certain buildings when or has corresponding access rights (incl. in the case of access controls, based on registration data or visitor lists, etc.), who participates in events or campaigns (e.g. competitions) and when, or who uses our infrastructure and systems. Finally, we collect and process data about our shareholders and other investors; in addition to master data, this includes information for the relevant registers, regarding the exercise of their rights and the holding of events (e.g. general meetings). The retention period for this data depends on the purpose and is limited to what is necessary. This ranges from a few days for many of the security cameras and usually a few weeks for contact tracing data to visitor data, which is usually kept for 3 months, to reports on events with pictures, which can be kept for several years or longer. Data about you as a shareholder or other investor will be retained in accordance with company law, but in any case for as long as you are invested.
Much of the data mentioned in this section 3 is provided by you (e.g. via forms, during communication with us, in connection with contracts, when using the website, etc.). You are not obliged to do so, subject to individual cases, e.g. within the framework of binding protection concepts (legal obligations). If you wish to conclude contracts with us or claim services, you must also provide us with data, in particular master data, contract data and registration data, as part of your contractual obligation under the relevant contract. When using our website, the processing of technical data is unavoidable. If you wish to gain access to certain systems or buildings, you will need to provide us with registration data. In the case of behavioural and preference data, however, you have the option of objecting or not giving your consent.
We only provide certain services to you if you provide us with registration data because we or our contractual partners want to know who is using our services or has accepted an invitation to an event, because it is technically necessary or because we want to communicate with you. If you or a person you represent (e.g. your employer) want to conclude or fulfil a contract with us, we must collect corresponding master, contract and communication data from you, and we process technical data if you want to use our website or other electronic offers for this purpose. If you do not provide us with the data required for the conclusion and performance of the contract, you must expect that we will refuse to conclude the contract, that you will commit a breach of contract or that we will not perform the contract. Similarly, we can only send you a response to an enquiry from you if we process the relevant communication data and, if you communicate with us online, technical data where applicable. It is also not possible to use our website without us receiving technical data.
Unless this is inadmissible, we also take data from publicly accessible sources (e.g. debt enforcement registers, land registers, commercial registers, the media or the internet incl. social media) or receive data from other companies within our group, from public authorities and from other third parties (such as credit agencies, address dealers, associations, contractual partners, internet analysis services etc.).
The categories of personal data that we receive about you from third parties include, in particular, information from public registers, information that we learn in connection with official and legal proceedings, information in connection with your professional functions and activities (e.g. so that we can conclude and process transactions with your employer with your help), information about you in correspondence and meetings with third parties, creditworthiness information (insofar as we process transactions with you personally), information about you which people close to you (family, advisors, legal representatives, etc.) give us so that we can conclude or process contracts with you or involving you (e.g. references, your address for deliveries, full details of your creditworthiness, powers of attorney, information on compliance with legal requirements such as those relating to combating fraud, money laundering and terrorism and export restrictions, information from banks, insurance companies and sales and other contractual partners of ours on the utilisation or provision of services by you (e.g. payments, purchases etc.), information from the media and the Internet on the use of our services, etc.), personal data from the media and the Internet (if this is appropriate in a specific case, e.g. in the context of an application, marketing/sales, press review, etc.), your address and, if applicable, interests and other socio-demographic data (especially for marketing and research) and data in connection with the use of third-party websites and online offers where this use can be attributed to you.

4. For what purposes do we process your data?

We process your data for the purposes we explain below. You will find further information for the online area in sections 12 and 13. These purposes or the objectives on which they are based represent legitimate interests on our part and, where applicable, on the part of third parties. You will find further information on the legal basis for our processing in section 5.
We process your data for purposes relating to communication with you, to answer enquiries and assert your rights (section 11) and to contact you in the event of queries. For this purpose, we use communication data and master data and, in connection with offers and services used by you, also registration data. We keep this data to document our communication with you, for training purposes, for quality assurance and for enquiries.
This is for all purposes in connection with which you and we communicate, whether in customer service or consultation, authentication in the event of use of the website or for training and quality assurance (e.g. in customer service). We further process communication data so that we can communicate with you by email and telephone, as well as messenger services, chat, social media, letter and fax. Communication with you is usually in connection with other processing purposes, e.g. so that we can provide services or respond to a request for information. Our data processing also serves to provide evidence of the communication and its content.
We process data for the purpose of establishing, managing and processing contractual relationships.
We conclude contracts of various kinds with our business and private customers, with suppliers, subcontractors or other contractual partners such as partners in projects or with parties in legal disputes. In this context, we process master data, contract data and communication data and, depending on the circumstances, also registration data of the customer or the persons to whom the customer procures a service. This includes, for example, the recipients of our products or services who receive vouchers and invitations from our customers for this purpose and who may in turn become our customers when they redeem them. In this case, we process data for the processing of the contract with these recipients, but also with the contractual partners who have invited them.
In the context of initiating business, personal data - in particular master data, contract data and communication data - is collected from potential customers or other contractual partners (e.g. in an order form or contract) or results from a communication. We also process data in connection with the conclusion of a contract to check creditworthiness and to open the customer relationship. In some cases, this information is checked for compliance with legal requirements. In the context of the processing of contractual relationships, we process data for the administration of the customer relationship, for the provision and collection of contractual services (which also includes the involvement of third parties, such as logistics companies, security services, advertising service providers, banks, insurance companies or credit reference agencies, which may then in turn provide us with data), for advice and for customer care. The enforcement of legal claims arising from contracts (debt collection, legal proceedings, etc.) is also part of the processing, as is accounting, termination of contracts and public communication.
We process data for marketing purposes and to maintain relationships, e.g. to send our customers and other contractual partners personalised advertising on products and services from us and from third parties (e.g. from advertising contractual partners). This may take the form of e.g. newsletters and other regular contacts (electronically, by post, by telephone), via other channels for which we have contact information from you, but also as part of individual marketing campaigns (e.g. events, competitions etc.) and may also include free benefits (e.g. invitations, vouchers etc.). You can refuse such contacts at any time (see at the end of this section 4) or refuse or revoke your consent to be contacted for advertising purposes. With your consent, we can target our online advertising on the Internet more specifically to you (see section 12). Finally, we also want to enable our contractual partners to contact our customers and other contractual partners for advertising purposes (see section 7).
For example, with your consent, we will send you information, advertising and product offers from us and from third parties within and outside the group (e.g. advertising contract partners), in printed form, electronically or by telephone. For this purpose, we process communication and registration data. Like most companies, we personalise communications so that we can provide you with individualised information and offers that meet your needs and interests. To do this, we combine data we process about you with preference data and use this data as the basis for personalisation (see section 3). We also process data in connection with competitions, prize draws and similar events. Relationship management also includes addressing existing customers and their contacts - personalised based on behavioural and preference data. In the context of relationship management, we may also operate a customer relationship management system ("CRM") in which we store the data on customers, suppliers and other business partners necessary for the relationship management, e.g. on contact persons, on the relationship history (e.g. on products and services purchased or supplied, interactions, etc.), interests, wishes, marketing measures (newsletters, invitations to events, etc.) and other information. All this processing is important for us not only to promote our offers as effectively as possible, but also to make our relationships with customers and other third parties more personal and positive, to focus on the most important relationships and to use our resources as efficiently as possible.
We continue to process your data for market research, to improve our services and operations and for product development.
We strive to continuously improve our products and services (including our website) and to be able to react quickly to changing needs. We therefore analyse, for example, how you navigate through our website or which products are used by which groups of people and how new products and services can be designed (for further details see section 12). This gives us information about the market acceptance of existing products and services and the market potential of new products and services. To this end, we process master data, behavioural data and preference data, but also communication data and information from customer surveys, polls and studies and other information, e.g. from the media, from social media, from the Internet and from other public sources. Where possible, we use pseudonymised or anonymised information for these purposes. We may also use media monitoring services or conduct media monitoring ourselves and process personal data in the process to carry out media work or to understand and respond to current developments and trends. We use anonymised location data, for example, to make recommendations to our contractual partners on how to avoid rush hour. With your consent, we use non-anonymised location data to point you to interesting offers and products in the vicinity based on your position, to infer your interests from the location data (dwell time) and to tell you which products and services other contractual partners with similar interests have used.
We may also process your data for security and access control purposes.
We continually review and improve the appropriate security of our IT and other infrastructure (e.g. buildings). Like all companies, we cannot rule out data security breaches with absolute certainty, but we do our best to reduce the risks. We therefore process data, for example, for monitoring, controls, analyses and tests of our networks and IT infrastructures, for system and error checks, for documentation purposes and as part of security copies. Access controls include, on the one hand, controlling access to electronic systems (e.g. logging into user accounts), but also physical access control (e.g. building access). For security purposes (preventive and to clarify incidents) we also keep access logs or visitor lists and use surveillance systems (e.g. security cameras). We draw your attention to surveillance systems at the relevant locations by means of appropriate signs.
We process personal data to comply with laws, directives and recommendations from authorities and internal regulations ("compliance").
This includes, for example, the implementation of health and safety concepts or the legally regulated fight against money laundering and terrorist financing. In certain cases, we may be obliged to make certain inquiries about customers ("Know Your Customer") or to make reports to the authorities. The fulfilment of disclosure, information or reporting obligations, e.g. in connection with supervisory and tax obligations, also requires or entails data processing, e.g. the fulfilment of archiving obligations and the prevention, detection and clarification of criminal offences and other violations. This also includes the receipt and processing of complaints and other reports, the monitoring of communications, internal investigations or the disclosure of documents to an authority if we have sufficient reason to do so or are legally obliged to do so. We may also process personal data about you during external investigations, for example, by a law enforcement or regulatory authority or an appointed private body. Furthermore, we process data to serve our shareholders and other investors and to fulfil our obligations in this regard. For all these purposes, we process your master data, your contractual data and communication data, but may also process behavioural data and data from the category of other data. The legal obligations may be Swiss law, but also foreign regulations to which we are subject, as well as self-regulations, industry standards, our own "corporate governance" and official instructions and requests.
We also process data for the purposes of our risk management and in the context of prudent corporate governance, including operational organisation and corporate development.
For these purposes, we process master data, contract data, registration data and technical data, but also behavioural and communication data. For example, we need to monitor our debtors and creditors as part of our financial management, and we need to avoid falling victim to crime and abuse, which may require us to analyse data for relevant patterns. We may also carry out profiling and create and process profiles for these purposes and for your and our protection against criminal or abusive activities (see also section 6). In the context of planning our resources and organising our operations, we need to evaluate and process data on the use of our services and other offers or exchange information on this with others (e.g. outsourcing partners), which may also include your data. The same applies to services provided to us by third parties. As part of the development of our business, we may sell or acquire businesses, parts of businesses or companies to or from others or enter into partnerships, which may also result in the exchange and processing of data (including from you, e.g. as a customer or supplier or as a supplier representative).
We may process your data for other purposes, such as our internal operations and administration or for training and quality assurance purposes.
These additional purposes include, for example, training and education purposes, administrative purposes (such as master data management, accounting and data archiving and IT infrastructure testing, management and ongoing improvement), the protection of our rights (e.g. to enforce claims in or out of court and before authorities in Switzerland and abroad or to defend ourselves against claims, for example by preserving evidence, legal clarifications and participation in legal or official proceedings) and the evaluation and improvement of internal processes. We may use recordings of (video) conferences for training and quality assurance purposes. The protection of other legitimate interests is also one of the other purposes that cannot be named exhaustively.

5. On what basis do we process your data?

As far as we ask you for your consent for certain processing (e.g. for the processing of particularly sensitive personal data, for marketing mailings, for the creation of personalised movement profiles and for advertising control and behavioural analysis on the website), we will inform you separately about the corresponding purposes of the processing. You may withdraw your consent at any time with future effect by notifying us in writing (by post) or, where not otherwise stated or agreed, by email; you will find our contact details in section 2. For withdrawal of your consent for online tracking, see section 12. Where you have a user account, withdrawal or contacting us may also be possible via the relevant website or other service. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for doing so. The revocation of your consent will not affect the lawfulness of the processing carried out based on the consent until the revocation.
Where we do not ask you for your consent for processing, we base the processing of your personal data on the fact that the processing is necessary for the initiation or execution of a contract with you (or the entity you represent) or that we or third parties have a legitimate interest in doing so, so in particular in order to pursue the purposes and related objectives described above under section 4 and to be able to implement appropriate measures. Our legitimate interests also include compliance with legal regulations, as far as this is not already recognised as a legal basis by the respective applicable data protection law (e.g. in the case of the GDPR, the law in the EEA and in Switzerland). However, this also includes the marketing of our products and services, the interest to better understand our markets and to safely and efficiently manage and develop our business, including operations.
If we receive sensitive data (e.g. health data, information on political, religious or ideological views or biometric data for identification purposes), we may also process your data on the basis of other legal grounds, e.g. in the event of disputes due to the need for processing for a possible lawsuit or the enforcement or defence of legal claims. In individual cases, other legal grounds may come into play, which we will communicate to you separately where necessary.

6. What applies to profiling and automated individual decisions?

We may automatically assess ("profile") certain of your personal characteristics for the purposes mentioned in section 4 using your data (section 3), if we want to determine preference data, but also to determine abuse and security risks, to conduct statistical evaluations or for operational planning purposes. For the same purposes, we may also create profiles, i.e. we may combine behavioural and preference data, but also master and contract data and technical data assigned to you, to better understand you as a person with your different interests and other characteristics. We may also create anonymous and - with your consent - personalised movement profiles of you.
If you are a customer of ours, for example, we can use "profiling" to determine which other products you are likely to be interested in based on your purchases. However, we can also use this to check your creditworthiness before offering you a purchase on account. Automated analysis of data can also check, for your protection, the likelihood of a particular transaction being fraudulent. This allows us to stop the transaction for clarification. To be distinguished from this are "profiles". This refers to the linking of various data to gain clues about essential aspects of your personality from the totality of this data (e.g. what you like or how you behave in certain situations). Profiles can also be used for marketing, for example, but also for security purposes.
We use anonymous movement profiles in a non-personalised way, for example to make recommendations to our contractual partners on how to avoid rush hour. For personalised movement profiles, we use personal data, for example, to point out interesting offers and products in your vicinity, to infer your interests from the position data (dwell time) and to inform you of which products and services other contractual partners with similar interests have used or, for example, where health-related protection concepts stipulate contact tracing.
In both cases we pay attention to the proportionality and reliability of the results and take measures against misuse of these profiles or profiling. If these can have legal effects or significant disadvantages for you, we provide for a manual review.
In certain situations, it may be necessary for reasons of efficiency and consistency of decision-making processes that we automate discretionary decisions affecting you with legal effects or significant disadvantages ("automated individual decisions"). In this case, we will inform you accordingly and provide for the measures required under applicable law.
An example of an automated individual decision is the automatic order acceptance by an online shop. Pure if-then decisions are not meant (e.g. if the computer lets you access your user account after checking your password), but discretionary decisions (e.g. the decision to conclude a contract). We will inform you in each individual case if an automated decision leads to negative legal consequences or a comparable significant impairment for you. If you do not agree with the result of such a decision, you will be able to communicate about it with a human being who will review the decision.

7. Who do we disclose your data to?

In connection with our contracts, the website, our services and products, our legal obligations or otherwise to protect our legitimate interests and the other purposes listed in section 4, we also disclose your personal data to third parties, to the following categories of recipients:
Service providers: we work with service providers in Switzerland and abroad who process data about you on our behalf or in joint responsibility with us or receive data about you from us in their own responsibility (e.g. IT providers, shipping companies, advertising service providers, login service providers, cleaning companies, security companies, banks, insurance companies, debt collection companies, credit reference agencies, or address checkers). This may also include health data. For information on the service providers used for the website, see section 12.
To provide our products and services efficiently and to be able to concentrate on our core competencies, we procure services from third parties in numerous areas. These services include, for example, IT services, the dispatch of information, marketing, sales, communication or printing services, facility management, security and cleaning, the organisation and holding of events and receptions, debt collection, credit agencies, address checkers (e.g. for updating address lists in the event of relocations), anti-fraud measures and services from consulting firms, lawyers, banks, insurers and telecom companies. We disclose to these service providers in each case the data required for their services, which may also concern you. These service providers may also use such data for their own purposes, e.g. information on outstanding debts and your payment history in the case of credit agencies or anonymised data to improve services. In addition, we enter contracts with these service providers that include provisions for the protection of data where such protection does not arise from the law. Our service providers may also process data on how their services are used and other data that arise while using their services as independent data controllers for their own legitimate interests (e.g. for statistical evaluations or billing). Service providers provide information about their independent data processing in their own data protection statements. More information on how Microsoft processes data can be found here: https://privacy.microsoft.com/de-de/privacystatement; for the use of Microsoft Teams in particular here https://docs.microsoft.com/de-de/microsoftteams/teams-privacy.
Contractual partners including customers: This initially refers to customers (e.g. service recipients) and other contractual partners of ours, because this data transfer arises from these contracts. For example, you will receive registration data on issued and redeemed vouchers, invitations, etc. If you work for such a contractual partner yourself, we may also transfer data about you to them in this context. This may also include health data. The recipients also include contractual partners with whom we cooperate or who advertise on our behalf and to whom we therefore transfer data about you for analysis and marketing purposes (these may again be service recipients, but also e.g. sponsors and providers of online advertising). We require these partners to only send you advertising or play it out based on your data if you have consented to this (for the online area, see point 12). Our online advertising partners are listed in section 12.
If you act as an employee for a company with which we have concluded a contract, the processing of this contract may result in us informing the company, for example, how you have used our service. Cooperation and advertising contract partners receive selected master, contract, behavioural and preference data from us so that, on the one hand, they can carry out non-personal evaluations in their area (e.g. about the number of our customers who have viewed their advertising) and, on the other hand, they can also use data for advertising purposes (including targeting you). For example, advertising contractors should be able to communicate with and send advertising to matching other customers of ours.
Government agencies: We may disclose personal data to offices, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to do so or if this appears necessary to protect our interests. This may also include health data. The authorities process data about you that they receive from us on their own responsibility.
Cases of application are, for example, criminal investigations, police measures (e.g. health protection concepts, combating violence, etc.), regulatory requirements and investigations, court proceedings, reporting obligations and pre- and extra-judicial proceedings as well as legal obligations to provide information and to cooperate. Data may also be disclosed if we wish to obtain information from public bodies, e.g. to justify an interest in information or because we need to say who we need information about (e.g. from a register).
Other persons: This refers to other cases where the inclusion of third parties arises from the purposes set out in section 4, e.g. service recipients, media and associations in which we participate or if you are part of one of our publications.
Other recipients are, for example, delivery addressees or third-party payees specified by you, other third parties also in the context of agency relationships (e.g. if we send your data to your lawyer or bank) or persons involved in official or legal proceedings. If we cooperate with the media and send them material (e.g. photos), you may also be affected by this under certain circumstances. The same applies when we publish content (e.g. photos, interviews, quotes etc.) for example on our website or in other publications. During business development, we may sell or acquire businesses, parts of businesses, assets or companies or enter into partnerships, which may also result in the disclosure of data (including data about you, e.g. as a customer or supplier or as a supplier representative) to the persons involved in these transactions. Communications with our competitors, industry organisations, associations and other bodies may also involve the exchange of data that also relates to you.
All these categories of recipients may in turn involve third parties, so that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.). We reserve the right to disclose such data even if it concerns secret data (unless we have expressly agreed with you that we will not disclose such data to certain third parties, unless we are legally obliged to do so). Notwithstanding the above, your data will continue to be subject to adequate data protection even after disclosure in Switzerland and the rest of Europe. If you do not want certain data to be disclosed, please let us know so that we can check whether and to what extent we can accommodate you (section 2).
In many cases, the disclosure of secret data is also necessary to process contracts or provide other services. Even non-disclosure agreements do not usually exclude such data disclosure, nor does disclosure to service providers. However, depending on the sensitivity of the data and other circumstances, we ensure that these third parties handle the data appropriately. We will not be able to comply with your objection to data disclosure where the data disclosures in question are necessary for our activities.
We also allow certain third parties to collect personal data from you on our website and at events organised by us (e.g. media photographers, providers of tools we have embedded on our website, etc.). As far as we are not decisively involved in these data collections, these third parties are solely responsible for them. If you have any concerns or wish to exercise your data protection rights, please contact these third parties directly. Cf. point 12 for the website.

8. Do your personal data also end up abroad?

As explained in section 7, we also disclose data to other bodies. These are not only located in Switzerland. Your data may therefore be processed both in Europe and in the USA; in exceptional cases, however, in any country in the world.
If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is already subject to a legally recognised set of rules to ensure data protection and we cannot rely on an exception. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have consented or if the data in question has been made generally accessible by you and you have not objected to its processing.
Many countries outside of Switzerland or the EU and EEA do not currently have laws that guarantee an adequate level of data protection from the perspective of the DPA or the GDPR. With the contractual arrangements mentioned, this weaker or missing legal protection can be partially compensated for. However, contractual precautions cannot eliminate all risks (namely of state access abroad). You should be aware of these residual risks, even if the risk may be low in individual cases and we take further measures (e.g. pseudonymisation or anonymisation) to minimise it.
Please also note that data exchanged via the internet is often routed via third countries. Your data may therefore end up abroad even if the sender and recipient are in the same country.

9. How long do we process your data?

We process your data for as long as our processing purposes, the legal retention periods and our legitimate interests in processing for documentation and evidence purposes require or storage is technically necessary. Further information on the respective storage and processing periods can be found for the individual data categories in section 3 and for the cookie categories in section 12. If there are no legal or contractual obligations to the contrary, we delete or anonymise your data after the storage or processing period has expired as part of our normal processes.
Documentation and evidence purposes include our interest in documenting processes, interactions and other facts in the event of legal claims, discrepancies, IT and infrastructure security purposes and evidence of good corporate governance and compliance. Retention may be technically necessary if certain data cannot be separated from other data and we therefore need to retain it with them (e.g. in the case of backups or document management systems).

10. How do we protect your data?

We take appropriate security measures to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorised or unlawful processing and to protect against the risks of loss, accidental alteration, unauthorised disclosure or access.
Security measures of a technical and organisational nature may include, for example, measures such as the encryption and pseudonymisation of data, logging, access restrictions, the storage of backup copies, instructions to our employees, confidentiality agreements and controls. We protect your data transmitted via our website in transit using appropriate encryption mechanisms. However, we can only secure areas that we control. We also oblige our contract processors to take appropriate security measures. However, security risks cannot be completely ruled out; residual risks are unavoidable.

11. What rights do you have?

Applicable data protection law grants you the right to object to the processing of your data in certain circumstances, for direct marketing purposes, profiling for direct marketing purposes and other legitimate interests in processing.
To help you control the processing of your personal data, you also have the following rights in connection with our data processing, depending on the applicable data protection law:

If you wish to exercise any of the above rights against us (or against any of our group companies), please contact us in writing, at our premises or, unless otherwise stated or agreed, by email; you will find our contact details in section 2. For us to be able to exclude abuse, we must identify you (e.g. with a copy of your identity card, unless otherwise possible).
You also have these rights vis-à-vis other bodies that cooperate with us on their own responsibility - please contact them directly if you wish to exercise rights in connection with their processing. You will find details of our important cooperation partners and service providers in section 7, and further details in section 12. Please note that conditions, exceptions or restrictions apply to these rights under the applicable data protection law (e.g. to protect third parties or business secrets). We will inform you accordingly if necessary.
We may need to process and store your personal data to fulfil a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defence of legal claims, or to comply with legal obligations. To the extent legally permissible, to protect the rights and freedoms of other data subjects and to safeguard interests worthy of protection, we may therefore also reject a data subject request in whole or in part (e.g. by blacking out certain content relating to third parties or our trade secrets).
If you do not agree with our handling of your rights or data protection, please let us or our data protection officers (section 2) know. If you are in the EEA, the UK or Switzerland, you also have the right to complain to the data protection supervisory authority in your country. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt/adresse.html.

12. Do we use online tracking and online advertising techniques?

We use various techniques on our website that allow us and third parties we engage to recognise you when you use it and, in some circumstances, to track you across multiple visits. In this section we tell you about them. This is so that we can distinguish your access (via your system) from access by other users, so that we can ensure the functionality of the website and carry out evaluations and personalisations. In doing so, we do not want to infer your identity, even if we can do so as far as we or third parties engaged by us can identify you through a combination with registration data. Even without registration data, however, the technologies used are designed in such a way that you are recognised as an individual visitor each time you access the site, for example by our server (or the servers of third parties) assigning you or your browser a specific identification number (a so-called "cookie").
Cookies are individual codes (e.g. a serial number) which our server or a server of our service providers or advertising contract partners transmits to your system when you connect to our website and which your system (browser, mobile) accepts and stores until the programmed expiry time. With each subsequent access, your system transmits these codes to our server or the server of the third party. In this way, you are recognised even if your identity is unknown.
Other techniques may also be used to recognise you with a greater or lesser degree of probability (i.e. to distinguish you from other users), e.g. "fingerprinting". Fingerprinting combines your IP address, the browser you use, the screen resolution, the language choice and other information that your system communicates to each server, resulting in a unique fingerprint. In this way, cookies can be dispensed with.
So whenever you access a server (e.g. when using a website or an app, or because an image is visibly or invisibly integrated in an email), your visits can be "tracked" (traced). If we integrate offers from an advertising contractor or provider of an analysis tool on our website, they may track you in the same way, even if you cannot be identified in individual cases.
We use such techniques on our website and allow certain third parties to do so as well. However, depending on the purpose of these techniques, we may ask for your consent before they are used. You can program your browser to block or deceive certain cookies or alternative techniques, or to delete existing cookies. You can also enhance your browser with software that blocks tracking by certain third parties. You can find more information about this on the help pages of your browser (usually under the heading "Privacy") or on the websites of the third parties we list below.
A distinction is made between the following cookies (techniques with comparable functions such as fingerprinting are included here):

In addition to marketing cookies, we use other techniques to target online advertising on other websites to reduce wastage. For example, we may transmit the e-mail addresses of our users, customers and other persons to whom we want to display advertising to operators of advertising platforms (e.g. social media). If these persons are registered there with the same e-mail address (which the advertising platforms determine through a comparison), the operators show the advertising placed by us to these persons in a targeted manner. The operators do not receive personal e-mail addresses of persons who are not already known. In the case of known e-mail addresses, however, they learn that these persons are in contact with us and which content they have accessed.
We may also integrate other third-party offers on our website, from social media providers. These offers are deactivated by default. As soon as you activate them (e.g. by clicking a button), the corresponding providers can determine that you are on our website. If you have an account with the social media provider, they can assign this information to you and thus track your use of online offers. These social media providers process this data under their own responsibility.
We currently do not use any offers from service providers and advertising contract partners.

13. What data do we process on our pages on social networks?

We may operate pages and other online presences ("fan pages", "channels", "profiles" etc.) on social networks and other platforms operated by third parties and collect the data about you described in section 3 and below there. We receive this data from you and the platforms when you meet us via our online presence (e.g. when you communicate with us, comment on our content or visit our presence). At the same time, the platforms evaluate your use of our online presences and link this data with other data about you known to the platforms (e.g. on your behaviour and preferences). They also process this data for their own purposes under their own responsibility, for marketing and market research purposes (e.g. to personalise advertising) and to control their platforms (e.g. what content they show you).
We process this data for the purposes described in section 4, for communication, marketing purposes (including advertising on these platforms, see section 12) and market research. You will find information on the relevant legal basis in section 5. Content published by you (e.g. comments on an announcement) may be disseminated by us (e.g. in our advertising on the platform or elsewhere). We or the platform operators may also delete or restrict content from or about you in accordance with the usage guidelines (e.g. inappropriate comments). For further details on the processing carried out by the operators of the platforms, please refer to the platforms' data protection notices. There you can also find out in which countries they process your data, which rights of access, deletion and other data subject rights you have and how you can exercise these or obtain further information. We currently use the following platforms:
We can integrate YouTube videos into our online offer, which are stored on http://www.youtube.com and can be played directly from our website. In principle, when you call up a page with embedded videos, your IP address is already sent to YouTube/Google and cookies are installed on your computer. However, we have embedded our videos in "extended data protection mode", i.e. no data about you as a user will be transmitted to YouTube/Google if you do not play the videos. Only when you click on the video to play it will the following data be transmitted:

We have no influence on this data transmission.
When you visit our website and play the videos, YouTube/Google receives the information that you have accessed the corresponding sub-page of our website. If you are logged in to Google, this data is directly assigned to your account. If you do not wish this to be associated with your YouTube profile, you must log out before activating the button. In addition, YouTube/Google also stores data if you do not have a Google user account, in particular: IP address, search queries, browser and operating system version.