Data protection

Preamble

With the following privacy policy, we would like to explain to you what types of your personal data (hereinafter also referred to as “data” for short) we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

The terms used are not gender-specific.

Status: August 6, 2024

Table of contents

  • Preamble
  • Person responsible
  • Contact data protection officer
  • Overview of processing
  • Relevant legal bases
  • Safety measures
  • General information on data storage and deletion
  • Rights of data subjects
  • Business services
  • Business processes and procedures
  • Credit check
  • Provision of online services and web hosting
  • Use of cookies
  • Special notes about applications (apps)
  • Purchase of applications via app stores
  • Contact and request management
  • Communication via messenger
  • Artificial intelligence (AI)
  • Video conferences, online meetings, webinars, and screen sharing
  • Cloud services
  • Web analysis, monitoring and optimization
  • Customer reviews and evaluation procedures
  • Presences on social networks (social media)
  • Plug-ins and embedded features and content
  • Processing of data in the context of employment relationships
  • Application process

Person responsible

BWO Systems AG
Parkstraße 1b
6214 Schenkon
Switzerland
E-Mail: info@bwo.ch

Contact data protection consultant

For questions about data protection, we contact the following data protection consultant:

PlanSec
Sinserstraße 67
6330 Cham
https://www.plansec.ch

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the persons concerned.

Types of data processed

  • Inventory data.
  • Employment data.
  • Payment details.
  • Contact details.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and procedural data.
  • Social data.
  • Applicant data.
  • Image and/or video recordings.
  • Sound recordings.
  • Log data.
  • Performance and behavioral data.
  • Working time data.
  • Credit rating data.
  • Salary data.

Special categories of data

  • Health data.
  • Religious or ideological beliefs.
  • Trade union membership.

Categories of affected persons

  • Service recipients and clients.
  • Employees.
  • Interested parties.
  • Communication partners.
  • Users.
  • Applicants.
  • Business and contract partners.
  • Persons depicted.
  • Third parties.
  • Customers.

Purposes of processing

  • Provision of contractual services and fulfilment of contractual obligations.
  • Communication.
  • Safety measures.
  • Direct marketing.
  • Reach measurement.
  • Office and organizational procedures.
  • Organizational and administrative procedures.
  • Application process.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offering and user-friendliness.
  • Assessment of credit standing and creditworthiness.
  • Establishment and implementation of employment relationships.
  • Information technology infrastructure.
  • Financial and payment management.
  • Public relations.
  • Sales promotion.
  • Business processes and business procedures.
  • Artificial intelligence (AI).

Automated decisions on a case-by-case basis

  • Credit report.

Relevant legal bases

Relevant legal bases under the GDPR: The following is an overview of the legal bases of the GDPR, on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Article 6 (1) (a) GDPR) — The data subject has given consent to the processing of personal data concerning him or her for a specific purpose or several specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures taken at the request of the data subject.
  • Legal obligation (Art. 6 (1) (c) GDPR) — Processing is necessary to fulfill a legal obligation to which the person responsible is subject.
  • Legitimate interests (Art. 6 (1) (f) GDPR) — Processing is necessary to protect the legitimate interests of the controller or of a third party, provided that the interests, fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail.
  • Application process as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR) — If, as part of the application process, special categories of personal data within the meaning of Article 9 (1) GDPR (e.g. health data, such as status of severely disabled persons or ethnic origin) are requested from applicants so that the person responsible or the data subject can exercise the rights conferred on him or her under employment law and social security and social protection law and fulfill his or her obligations in this regard, their processing is carried out in accordance with Article 9 (2) lit. b GDPR; in the case of protecting the vital interests of applicants or other persons, in accordance with Art. 9 para. 2 lit. c GDPR; or, for health care or occupational medicine purposes, for the assessment of the employee's ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector, in accordance with Art. 9 para. 2 lit. h GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Article 9 (2) lit. a GDPR.
  • Processing of special categories of personal data relating to healthcare, work and social security (Art. 9 para. 2 lit. h) GDPR) — Processing is necessary for health care or occupational medicine purposes, for the assessment of the employee's ability to work, for medical diagnostics, health or social care or for the administration of systems and services in the health or social sector on the basis of Union law or the law of a Member State or on the basis of a contract with a health professional.

Relevant legal bases under the Swiss Data Protection Act: If you are in Switzerland, we process your data on the basis of the Federal Data Protection Act (“Swiss DSG” for short). Unlike the GDPR, for example, the Swiss DSG does not in principle require that a legal basis for the processing of personal data be stated; it does require that the processing of personal data is carried out in good faith and is lawful and proportionate (Article 6 (1) and (2) of the Swiss DSG). In addition, personal data is only obtained by us for a specific purpose that is identifiable to the data subject and only processed in a way that is compatible with this purpose (Article 6 (3) of the Swiss DSG).

Note on the validity of the GDPR and Swiss DSG: This data protection notice is intended both to provide information in accordance with the Swiss DSG and the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to the wider geographical application and comprehensibility. In particular, instead of the terms “processing” of “personal data”, “overriding interest” and “particularly sensitive personal data” used in the Swiss DSG, the terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” are used. However, within the scope of the Swiss DSG, the legal meaning of the terms continues to be determined in accordance with the Swiss DSG.

Safety measures

In accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, availability and separation of data relating to it. We have also set up procedures that ensure the exercise of data subject rights, the deletion of data and responses to the data being compromised. In addition, we take the protection of personal data into account when developing or selecting hardware, software and processes, in accordance with the principle of data protection through technology design and through privacy-friendly default settings.

Securing online connections using TLS/SSL encryption technology (HTTPS): In order to protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information that is transferred between the website or app and the user's browser (or between two servers), which protects the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator for users that their data is transmitted securely and encrypted.

General information on data storage and deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consent is withdrawn or there is no further legal basis for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. There are exceptions to this regulation when legal obligations or special interests require the data to be stored or archived for a longer period of time.

In particular, data that must be stored for commercial or tax reasons or whose storage is necessary to prosecute or protect the rights of other natural or legal persons must be archived accordingly.

Our privacy policy contains additional information on the storage and deletion of data that applies specifically to specific processing processes.

If several retention or deletion periods are specified for a piece of data, the longest period always applies.

If a period does not expressly start on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the deadline is the effective date of the termination or other termination of the legal relationship.

Data that is no longer stored for its originally intended purpose, but is retained because of legal requirements or for other reasons, is processed by us exclusively for the reasons that justify its retention.

Further information on processing processes, procedures and services:

Retention and deletion of data: The following general deadlines apply for storage and archiving under German law:

  • 10 years — Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet and the work instructions and other organizational documents, accounting documents and invoices required for their understanding (Section 147 para. 3 in conjunction with Paragraph 1 No. 1, 4 and 4a AO, Section 14b Paragraph 1 No. 1 and 4 HGB).
  • 6 years — Other business documents: commercial or business letters received, reproductions of the sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g. hourly pay slips, operating statement sheets, calculation documents, price awards, but also payroll documents, insofar as they are not already accounting documents and cash strips (Section 147 (3) in conjunction with Paragraph 1 No. 2, 3, 5 AO, Section 257 Paragraph 1 No. 2 and 3, Paragraph 4 HGB).
  • 3 years — Data necessary to consider potential warranty and compensation claims or similar contractual claims and rights and to process related inquiries, based on previous business experience and usual industry practices, is stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Retention and deletion of data: The following general deadlines apply for storage and archiving in accordance with Swiss law:

  • 10 years — Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents and invoices as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (OR)).
  • 10 years — Data necessary to consider potential claims for damages or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and standard industry practices, will be stored for the period of the statutory limitation period of ten years, unless a shorter period of five years is relevant in certain cases (Art. 127, 130 OR). Claims for rent, lease and capital interest and other periodic benefits, from the delivery of food, for board and lodging and for hotel expenses, as well as from handicraft work, retail sale of goods, medical care, professional work by lawyers, legal agents, procurators and notaries and from the employment relationship of employees expire after five years (Art. 128 OR).

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

  • Right of objection: For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing.
  • Right of withdrawal in case of consent: You have the right to withdraw your consent at any time.
  • Right to information: You have the right to request confirmation as to whether the relevant data is being processed and for information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.
  • Right to deletion and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted immediately or, alternatively, to request that the processing of the data be restricted in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, common and machine-readable format in accordance with legal requirements or to request that it be transmitted to another person responsible.
  • Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you believe that the processing of personal data relating to you is contrary to the GDPR.

Rights of data subjects under the Swiss DSG:

As a data subject, you have the following rights in accordance with the requirements of the Swiss DSG:

  • Right to information: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to assert your rights under this Act and to ensure transparent data processing.
  • Right to release or transfer data: You have the right to request the release of your personal data, which you have provided to us, in a common electronic format.
  • Right to rectification: You have the right to request that incorrect personal data concerning you be corrected.
  • Right to object, delete and destroy: You have the right to object to the processing of your data and to request that the personal data relating to you be deleted or destroyed.

Business services

We process data from our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”), within the framework of contractual and comparable legal relationships and related measures and with regard to communication with the contractual partners (including at the pre-contractual stage), for example to answer inquiries.

We use this information to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other performance problems. In addition, we use the data to protect our rights and for the purpose of administrative tasks associated with these obligations and corporate organization. In addition, we process the data on the basis of our legitimate interests both in proper and commercially sound business management and in security measures to protect our contractual partners and our business operations from misuse and from threats to their data, secrets, information and rights (e.g. to involve telecommunications, transport and other assistance services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent necessary for the above purposes or to fulfill legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, as part of this privacy policy.

We will inform the contractual partners which data is required for the above purposes before or as part of data collection, e.g. in online forms, through special identification (e.g. colors) or symbols (e.g. asterisks, etc.), or personally.

We delete the data after expiry of legal warranty and comparable obligations, i.e. in principle after four years, unless the data is stored in a customer account, e.g. as long as it must be kept for legal archiving reasons (e.g. for tax purposes, usually ten years). We delete data that has been disclosed to us as part of an order by the contractual partner in accordance with the requirements and generally after the end of the order.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and e-mail addresses or telephone numbers); contract data (e.g. subject matter of contract, duration, customer category).
  • Affected persons: Service recipients and clients; interested parties; business and contract partners.
  • Purposes of processing: Provision of contractual services and performance of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures; business processes and business procedures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Construction industry: We process the data of our customers and clients to enable them to plan, implement and complete construction projects and related services. The required information includes the information required for project implementation and billing as well as contact information for necessary reconciliations. Insofar as we obtain access to information from end customers, employees or other persons, we process this in accordance with legal and contractual requirements; Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • IT services: We process the data of our customers and clients to enable them to plan, implement and support IT solutions and related services. The required information is marked as such in the context of the conclusion of an order, project or comparable contract and includes the information required for service provision and billing as well as contact information in order to be able to hold any consultations. Insofar as we obtain access to information from end customers, employees or other persons, we process it in accordance with legal and contractual requirements.
    The processing operations include project management and documentation, which cover all phases from the initial requirements analysis to the completion of the project. This includes creating and managing project timelines, budgets, and resource allocations. Data processing also supports change management, which documents and tracks changes in the project process to ensure compliance and transparency. Another process is customer relationship management (CRM), which includes recording and analyzing customer interactions and feedback in order to improve service quality and efficiently address individual customer needs. In addition, the processing operations include technical support and troubleshooting, which covers the recording and processing of support requests, fault resolution and regular maintenance. Reporting and performance analysis are also carried out, which collect and evaluate performance indicators in order to evaluate and continuously optimize the effectiveness of the IT solutions provided. All of these processes are designed to ensure a high level of customer satisfaction and compliance with all relevant requirements; Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Project and development services: We process the data of our customers and clients (hereinafter uniformly referred to as “customers”) to enable them to select, purchase or commission the selected services or works and related activities, as well as their payment and delivery, execution or performance. The required information is marked as such in the context of the conclusion of an order, purchase order or comparable contract and includes the information required for service provision and billing as well as contact information to be able to hold any consultations. Insofar as we obtain access to information from end customers, employees or other persons, we process this in accordance with legal and contractual requirements; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).
  • Offering software and platform services: We process the data of our users, registered users and any test users (hereinafter uniformly referred to as “users”) in order to be able to provide them with our contractual services and on the basis of legitimate interests to ensure the security of our offer and to be able to further develop it. The required information is marked as such in the context of the conclusion of an order, purchase order or comparable contract and includes the information required for service provision and billing as well as contact information in order to be able to hold any consultations; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).
  • Rental services: We process the data of our tenants and prospective tenants in accordance with the underlying rental agreement. We may also process information about the characteristics and circumstances of persons or property belonging to them if this is necessary as part of the rental agreement. This may include information on personal circumstances, mobile or immobile property and the financial situation as well as the use of ancillary services (such as water or energy supply). As part of our assignment, it may be necessary for us to process special categories of data within the meaning of Article 9 (1) GDPR, in particular information about a person's health. The processing is carried out in order to be able to protect the health interests of tenants and otherwise only with the consent of the tenants.
    If required for contract performance or by law or approved by tenants or based on our legitimate interests, we disclose or transfer tenants' data as part of coverage requests, conclusion and settlement of contracts, e.g. to financial service providers, credit institutions, suppliers (e.g. electricity) or authorities. We also process tenants' data if this is necessary to fulfill legal obligations (e.g. for information requirements in connection with ancillary services and additional costs); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).

Business processes and procedures

Personal data of service recipients and clients — including customers, clients or, in special cases, patients or business partners as well as other third parties — is processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payments, accounting and project management.

The collected data is used to fulfill contractual obligations and to make operational processes efficient. This includes processing business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal billing and financial processes. In addition, the data supports the protection of the rights of the person responsible and promotes administrative tasks and the organization of the company.

Personal data may be passed on to third parties if this is necessary to fulfill the stated purposes or legal obligations. After expiry of legal retention periods or when the purpose of processing no longer applies, the data will be deleted. This also includes data that must be stored longer due to tax and legal documentation requirements.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or pictorial messages and contributions and the information relating to them, such as information on authorship or time of creation); contract data (e.g. contract subject, duration, customer category); log data (e.g. log files relating to logins or the retrieval of data, or access times); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); credit rating data (e.g. credit score received, estimated failure probability, risk rating based on this, historical payment behavior); meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved); employment data (information about employees and other persons in an employment relationship).
  • Affected persons: Service recipients and clients; interested parties; communication partners; business and contract partners; third parties; users (e.g. website visitors, users of online services); employees (e.g. employees, applicants, temporary workers and other employees); customers.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; office and organizational procedures; business processes and business procedures; communication; marketing; sales promotion; public relations; assessment of credit standing and creditworthiness; financial and payment management; security measures; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); legal obligation (Art. 6 (1) (c) GDPR).

Further information on processing processes, procedures and services:

  • Customer Management and Customer Relationship Management (CRM): processes required as part of customer management and customer relationship management (CRM) (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service with regard to data protection, data management and analysis to support the customer relationship, administration of CRM systems, secure account management, customer segmentation and audience building); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Contact management and contact maintenance: procedures required as part of organizing, maintaining, and securing contact information (such as establishing and maintaining a central contact database, regular contact information updates, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restores of contact data, training employees to use contact management software effectively, regularly reviewing communication history, and adjusting contact strategies); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • General payment transactions: procedures necessary for carrying out payment transactions, monitoring bank accounts and controlling cash flows (e.g. preparation and verification of transfers, processing direct debits, checking account statements, monitoring incoming and outgoing payments, chargeback management, account reconciliation, cash management); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Bookkeeping, Accounts Payable, Accounts Receivable: procedures required for recording, processing and controlling transactions in the area of accounts payable and receivable accounting (e.g. preparation and verification of incoming and outgoing invoices, monitoring and administration of outstanding items, carrying out payment transactions, processing dunning, account reconciliation in the context of receivables and liabilities, accounts payable and accounts receivable); Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Financial accounting and taxes: procedures required for recording, managing and monitoring financially-relevant business transactions and for calculating, reporting and payment of taxes (e.g. account assignment and accounting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, processing of dunning, account reconciliation, tax advice, preparation and submission of tax returns, handling tax matters); Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Purchasing: procedures required in the procurement of goods, raw materials, or services (e.g. supplier selection and evaluation, price negotiations, order placement and monitoring, verification and control of deliveries, audit of invoices, administration of orders, inventory management, preparation and maintenance of purchasing policies); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Sales: procedures necessary for planning, implementing and controlling measures to market and sell products or services (e.g. customer acquisition, quotation preparation and tracking, order processing, customer advice and support, sales promotion, product training, sales controlling and analysis, management of sales channels); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Marketing, advertising and sales promotion: processes required in the context of marketing, advertising and sales promotion (e.g. market analysis and target group determination, development of marketing strategies, planning and execution of advertising campaigns, design and production of promotional materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, budget management and cost control); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Public relations: procedures required in the context of public relations (e.g. development and implementation of communication strategies, planning and implementation of PR campaigns, preparation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media feedback, organization of press conferences and public events, crisis communication, creation of content for social media and corporate websites, management of corporate branding); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Guest WiFi: procedures required to set up, operate, maintain, and monitor a wireless network for guests (such as installing and configuring wireless access points, creating and managing guest accounts, monitoring network connectivity, ensuring network security, troubleshooting connectivity issues, updating network software, complying with data protection regulations); Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Credit check

If we make advance payments or take on comparable economic risks (e.g. when ordering on account), we reserve the right, in order to protect our legitimate interests, to obtain identity and credit information from specialized service companies (credit agencies) for the purpose of assessing credit risk based on mathematical-statistical methods.

We process the information received from credit agencies about the statistical probability of a payment default as part of an appropriate discretionary decision on the establishment, implementation and termination of the contractual relationship. In the event of a negative result of the credit check, we reserve the right to refuse payment on account or any other advance payment.

In accordance with legal requirements, the decision as to whether we will make advance payments is made solely on the basis of an automated decision in individual cases, which our software makes on the basis of information provided by the credit agency.

If we obtain express consent from contractual partners, the legal basis for the credit report and the transmission of the customer's data to the credit agencies is consent. If consent is not obtained, the credit report is made on the basis of our legitimate interests in ensuring the reliability of our payment claims.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and e-mail addresses or telephone numbers); contract data (e.g. contract subject, duration, customer category). Credit rating data (e.g. credit score received, estimated default probability, risk rating based on this, historical payment history).
  • Affected persons: Service recipients and clients; interested parties. Business and contract partners.
  • Purposes of processing: Assessment of credit standing and creditworthiness.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).
  • Automated decisions in individual cases: Credit report (decision based on a credit check).

Provision of online services and web hosting

We process user data in order to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transfer the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time information, identification numbers, involved persons); log data (e.g. log files relating to logins or retrieval of data or access times). Content data (such as textual or pictorial messages and contributions and information relating to them, such as information on authorship or when they were created).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Provision of online services on rented storage space: To provide our online service, we use storage space, computing capacity and software, which we rent or otherwise obtain from an appropriate server provider (also known as a “web host”); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. The server log files may include the address and name of the retrieved websites and files, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used, on the one hand, for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the capacity utilization of the servers and their stability; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
  • Email delivery and hosting: The web hosting services we use also include sending, receiving and storing emails. For these purposes, the addresses of the recipients and senders as well as other information regarding email delivery (e.g. the providers involved) and the content of the respective emails are processed. The above data may also be processed for the purpose of detecting SPAM. Please note that emails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore assume no responsibility for the transmission path of emails between the sender and receipt on our server; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Hostpoint: services in the area of providing information technology infrastructure and related services (e.g. storage and/or computing capacity); Service provider: Hostpoint AG, Neue Jonastrasse 60, 8640 Rapperswil-Jona, Switzerland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://support.hostpoint.ch/de/; Privacy statement: https://www.hostpoint.ch/hostpoint/kontakt-agb.html#datenschutz. Basis for transfers to third countries: EU/EEA — adequacy decision (Switzerland).

Use of cookies

Cookies are small text files or other memory notes that store information on end devices and read information from them, for example to save the login status in a user account, the shopping cart content in an e-shop, the content accessed or the functions used in an online offer. Cookies can also be used to address various concerns, such as the functionality, security and convenience of online offerings, and to analyse visitor flows.

Information on consent: We use cookies in accordance with legal regulations. We therefore obtain prior consent from users, unless this is not required by law. In particular, permission is not required if the storage and reading of information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e. our online offering) that they have expressly requested. The revocable consent is clearly communicated to them and contains information on the respective use of cookies.

Information on legal bases of data protection law: The data protection basis on which we process users' personal data using cookies depends on whether we ask them for consent. If users accept, the legal basis for using their data is their given consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g. in operating our online offering and improving its usability) or, where the use of cookies is necessary to meet our contractual obligations, as part of fulfilling those obligations. We will explain the purposes for which we use cookies in the course of this privacy policy or as part of our consent and processing processes.

Storage period: With regard to storage time, the following types of cookies are differentiated:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g. browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, the login status can be saved and preferred content displayed directly when the user visits a website again. User data collected using cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. when obtaining consent), they should assume that they are persistent and that the storage period can be up to two years.

General information on withdrawal and objection (opt-out): Users can withdraw their consent at any time and also declare an objection to processing in accordance with legal requirements, including using the privacy settings of their browser.

  • Types of data processed: Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Consent (Art. 6 (1) (a) GDPR).

Further information on processing processes, procedures and services:

  • Processing of cookie data based on consent: We use a consent management solution that obtains users' consent to the use of cookies or to the procedures and providers mentioned as part of the consent management solution. This procedure is used to obtain, log, manage and withdraw consent, in particular with regard to the use of cookies and comparable technologies, which are used to store, read and process information on users' devices. As part of this procedure, users' consent is obtained for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management process. Users also have the option to manage and withdraw their consent. The declarations of consent are stored in order to avoid a new request and to be able to provide proof of consent in accordance with legal requirements. The data is stored on the server side and/or in a cookie (so-called opt-in cookie) or using comparable technologies in order to be able to assign consent to a specific user or their device. If there is no specific information about the providers of consent management services, the following general information applies: The period of storage of consent is up to two years. This creates a pseudonymous user identifier, which is stored together with the time of consent, information on the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, the system and the device used; Legal bases: Consent (Art. 6 (1) (a) GDPR).

Special notes about applications (apps)

We process the data of users of our application to the extent necessary to provide users with the application and its functionalities, to monitor its security and to be able to further develop it. We may also contact users in compliance with legal requirements, provided that communication is necessary for administration or use of the application. In addition, with regard to the processing of user data, we refer to the data protection information in this privacy policy.

Legal bases: The processing of data, which is necessary to provide the functionalities of the application, serves to fulfill contractual obligations. This also applies if the provision of the functions requires user authorization (e.g. approvals of device functions). If the processing of data is not necessary to provide the functionalities of the application but serves the security of the application or our business interests (e.g. collection of data for the purpose of optimising the application or security purposes), it is based on our legitimate interests. If users are expressly asked for their consent to process their data, the data covered by the consent is processed on the basis of consent.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures. Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Storage of a universal and unique identifier (UUID): The application stores a so-called universal and unique identifier (UUID) for the purpose of analyzing the use and functionality of the application and saving user settings. This identifier is generated when this application is installed (but is not connected to the device, i.e. not a device ID in this sense), remains stored between the start of the application and its updates, and is deleted when users remove the application from their device.
  • Storage of a pseudonymous identifier: We use a pseudonymous identifier so that we can provide the application and ensure its functionality. The identifier is a mathematical value (i.e. no plain data, such as names, is used) that is assigned to a device and/or to the installation of the application installed on it. This identifier is generated when this application is installed, is stored between the start of the application and its updates, and is deleted when users remove the application from the device.
  • Device permissions to access features and data: The use of our application or its functionalities may require permissions from users to access certain functions of the devices used or the data stored on the devices or accessible with the help of the devices. By default, these permissions must be granted by users and can be revoked at any time in the settings of the respective devices. The exact process for controlling app permissions may depend on the user's device and software. If users need clarification, they can contact us. We would like to point out that the refusal or revocation of the respective authorizations may affect the functionality of our application.
  • No location history and no movement profiles: The location data is only used selectively and is not processed to create a location history or a movement profile of the devices used or their users.

Purchase of applications via app stores

Our application is purchased via special online platforms operated by other service providers (so-called “app stores”). In this context, in addition to our data protection notices, the privacy policies of the respective app stores apply. This applies in particular with regard to the methods used on the platforms for audience measurement and interest-based marketing, as well as any cost obligations.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and e-mail addresses or telephone numbers); contract data (e.g. contract subject, duration, customer category); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: Service recipients and clients. Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; marketing. Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

Contact and request management

When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) and within the framework of existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to answer the contact requests and any requested measures.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: Communication partners.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).

Further information on processing processes, procedures and services:

  • Contact form: When you contact us via our contact form, by e-mail or other means of communication, we process the personal data provided to us to answer and process the respective request. This usually includes information such as name, contact information and, if applicable, other information that is provided to us and is necessary for appropriate processing. We use this data exclusively for the stated purpose of contacting and communicating; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).

Communication via messenger

We use messengers for communication purposes and therefore ask you to note the following information on the functionality of the messengers, encryption, the use of communication metadata and your options for objection.

You can also contact us by alternative means, such as by telephone or e-mail. Please use the contact options provided to you or the contact options provided within our online offer.

In the case of end-to-end encryption of content (i.e. the content of your message and attachments), we would like to point out that the communication content (i.e. the content of the message and attached images) is encrypted from end to end. This means that the content of the messages is not visible, not even to the messenger providers themselves. You should always use a current version of the messengers with activated encryption to ensure that the message content is encrypted.

However, we would also like to point out to our communication partners that although the messenger providers do not view the content, they can find out that and when communication partners communicate with us, and that, depending on the settings of their device, location information (so-called metadata) is also processed.

Information on legal bases: If we ask communication partners for permission before communicating with them via Messenger, the legal basis for our processing of their data is their consent. In addition, unless we ask for consent and, for example, you contact us on your own initiative, we use Messenger in relation to our contractual partners and as part of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in communicating quickly and efficiently and meeting the needs of our communication partner in communicating via Messenger. We would also like to point out that we will not transfer the contact details provided to us to messengers for the first time without your consent.

Withdrawal, objection and deletion: You can withdraw your consent at any time and object to communication with us via Messenger at any time. In the case of communication via messenger, we delete the messages in accordance with our general deletion guidelines (i.e., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any inquiries from the communication partners, if no reference to a previous conversation is to be expected and the deletion does not conflict with legal storage obligations.

Reservation of referrals to other means of communication: To ensure your safety, please understand that we may not be able to answer inquiries via Messenger for certain reasons. This applies to situations in which, for example, contract details must be kept particularly confidential or an answer via messenger does not meet the formal requirements. In these cases, we recommend that you use more appropriate communication channels.

  • Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information about authorship or time of creation); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: Communication partners.
  • Purposes of processing: Communication. Direct marketing (e.g. via email or post).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Apple iMessage: sending and receiving text messages, voice messages and video calls, group conversations, sharing of files, photos, videos and locations, securing communication through end-to-end encryption, synchronization of messages across multiple devices; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, United States; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.apple.com/de/. Privacy statement: https://www.apple.com/legal/privacy/de-ww/.
  • Microsoft Teams: chat, audio and video conferencing, file sharing, integration with Office 365 applications, real-time document collaboration, calendar functions, task management, screen sharing, optional recording; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.microsoft.com/de-de/microsoft-365; Privacy statement: https://privacy.microsoft.com/de-de/privacystatement, safety instructions: https://www.microsoft.com/de-de/trustcenter. Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland).
  • Threema: Encrypted messaging, voice and video calls, file and media sharing, surveys and polls, group chat functionality, contact verification using QR codes, no telephone number or email address requirement; Service provider: Threema GmbH, Churerstrasse 82, 8808 Pfäffikon SZ, Switzerland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://threema.ch/en; Privacy statement: https://threema.ch/de/privacy. Basis for transfers to third countries: EU/EEA — adequacy decision (Switzerland).
  • WhatsApp: text messages, voice and video calls, sending pictures, videos and documents, group chat function, end-to-end encryption for increased security; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.whatsapp.com/; Privacy statement: https://www.whatsapp.com/legal. Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland).

Artificial intelligence (AI)

We use artificial intelligence (AI), which processes personal data. The specific purposes and our interest in using AI are listed below. In line with the term “AI system” as defined in Article 3 No. 1 of the AI Regulation, we understand AI to mean a machine-assisted system that is designed for variable autonomous operation, can be adaptable after its introduction and produces results such as predictions, content, recommendations or decisions from the inputs received, which can influence physical or virtual environments.

Our AI systems are used in strict compliance with legal requirements. These include specific regulations for artificial intelligence as well as data protection requirements. In particular, we comply with the principles of lawfulness, transparency, fairness, human control, purpose limitation, data minimization and integrity as well as confidentiality. We ensure that personal data is always processed on a legal basis. This can be either the consent of the persons concerned or a legal permission.

When using external AI systems, we carefully select their providers (hereinafter “AI providers”). In line with our legal obligations, we ensure that AI providers comply with applicable regulations. We also comply with our obligations when using or operating the purchased AI services. The processing of personal data by us and the AI providers is carried out exclusively on the basis of consent or legal authorization. In doing so, we attach particular importance to transparency, fairness and maintaining human control over AI-based decision-making processes.

We implement appropriate and robust technical and organizational measures to protect the processed data. These ensure the integrity and confidentiality of the processed data and minimize potential risks. Through regular reviews of AI providers and their services, we ensure continuous compliance with current legal and ethical standards.

  • Types of data processed: Content data (such as textual or pictorial messages and contributions and information relating to them, such as information on authorship or when they were created). Usage data (such as page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Affected persons: Users (e.g. website visitors, users of online services). Third parties.
  • Purposes of processing: Artificial intelligence (AI).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

Video conferences, online meetings, webinars, and screen sharing

We use platforms and applications from other providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (collectively referred to as “conference”). When selecting conference platforms and their services, we comply with legal requirements.

Data processed through conference platforms: As part of participating in a conference, the conference platforms process the personal data of the participants mentioned below. The extent of processing depends, on the one hand, on which data is required as part of a specific conference (e.g. provision of login details or real names) and, on the other hand, on which optional information is provided by the participants. In addition to processing to carry out the conference, the participants' data can also be processed by the conference platforms for security purposes or service optimization. The processed data includes personal data (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, professional position/function information, the IP address of Internet access, information about the participants' terminal devices, their operating system, the browser and its technical and language settings, information about the content of communication processes, i.e. inputs in chats and audio and video data, as well as the use of other available features (such as surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users on the conference platforms, then further data can be processed in accordance with the agreement with the respective conference provider.

Logging and recording: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, this is transparently notified to the participants in advance and they are asked — if necessary — for consent.

Participants' data protection measures: Please note the details of the processing of your data by the conference platforms in their privacy policies and, as part of the settings for the conference platforms, choose the optimal security and data protection settings for you. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by notifying roommates, locking doors and using, as far as technically possible, the function to obscure the background). Links to the conference rooms and access data must not be passed on to unauthorized third parties.

Information on legal bases: If, in addition to the conference platforms, we also process users' data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to recording conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g. in lists of participants, in the case of processing of conversation results, etc.). In addition, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); image and/or video recordings (e.g. photographs or video recordings of a person); sound recordings. Log data (e.g. log files relating to logins or the retrieval of data or access times).
  • Affected persons: Communication partner; users (e.g. website visitors, users of online services). People pictured.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication. Office and organizational procedures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Cloud services

We use software services accessible via the Internet and run on their providers' servers (so-called “cloud services”, also known as “software as a service”) to store and manage content (such as document storage and management, exchange of documents, content and information with specific recipients, or publication of content and information).

Within this framework, personal data may be processed and stored on the providers' servers, insofar as this is part of communication processes with us or is otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact details of users, data on processes, contracts, other processes and their content. Cloud service providers also process usage data and metadata, which are used by them for security purposes and service optimization.

If we use cloud services to provide forms or documents and content to other users or publicly accessible websites, the providers can store cookies on users' devices for web analysis purposes or to remember user settings (e.g. in the case of media control).

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation). Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Affected persons: Interested parties; communication partners. Business and contract partners.
  • Purposes of processing: Office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Nextcloud (hosting on own server): cloud storage service, which operates and stores the processed data on a server managed by us; Service provider: Nextcloud GmbH, Hauptmannsreute 44a, 70192 Stuttgart, Germany; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://nextcloud.com/de/; Privacy statement: https://nextcloud.com/de/privacy/. Basis for transfers to third countries: Switzerland — Adequacy Decision (Germany).

Web analysis, monitoring and optimization

Web analysis (also known as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online offering or its functions or content are used most frequently or invite repeat use. It is also possible for us to understand which areas require optimization.

In addition to web analysis, we can also use test methods to test and optimize different versions of our online offering or its components, for example.

Unless otherwise stated below, profiles, i.e. data summarized for a usage process, can be created for these purposes, and information can be stored in a browser or on a terminal device and then read out. The information collected includes in particular websites visited and elements used there as well as technical information, such as the browser used, the computer system used and information on usage times. If users have agreed to the collection of their location data with us or with the providers of the services we use, it is also possible to process location data.

In addition, the IP addresses of users are stored. However, we use an IP masking process (i.e. pseudonymization by shortening the IP address) to protect users. In general, as part of web analysis, A/B testing and optimization, no clear user data (such as email addresses or names) is stored, only pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective processes.

Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (such as page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).
  • Safety measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to a device in order to identify which content users have accessed during one or more usage processes, which search terms they have used, whether they have accessed content again or interacted with our online offering. The time of use and its duration are also stored, as well as the sources that refer users to our online offering and technical aspects of their devices and browsers.
    Pseudonymous profiles of users are created with information from the use of various devices, and cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the city's derived latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). In EU data traffic, the IP address data is used exclusively for this derivation of geolocation data before it is immediately deleted. They are not logged, are not accessible and are not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: consent (Article 6 (1) (a) GDPR); Site: https://marketingplatform.google.com/intl/de/about/analytics/; Safety measures: IP masking (pseudonymization of the IP address); Privacy statement: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland); Objection option (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff. More information: https://business.safety.google/adsservices/ (Types of processing and data processed).

Customer reviews and evaluation procedures

We participate in review and evaluation processes to evaluate, optimize and promote our services. If users rate us or otherwise provide feedback via the participating rating platforms or procedures, the providers' general terms of business or use and privacy policies also apply. As a rule, the evaluation also requires registration with the respective providers.

In order to ensure that the reviewers have actually used our services, we transfer the necessary data relating to the customer and the service used to the respective review platform (including name, e-mail address and order number or article number) with the consent of the customer. This data is used solely to verify the user's authenticity.

  • Types of data processed: Contract data (e.g. subject matter of contract, duration, customer category); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: Service recipient and client. Users (e.g. website visitors, users of online services).
  • Purposes of processing: Feedback (e.g. collecting feedback via an online form). Marketing.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Google customer reviews: service to obtain and/or present customer satisfaction and customer opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.google.com/; Privacy statement: https://policies.google.com/privacy; Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland); More information: As part of the collection of customer reviews, an identification number and time for the business transaction to be evaluated and, in the case of review requests sent directly to customers, the customer's email address and their country of residence as well as the review details themselves are processed; further information on the types of processing and the data processed: https://business.safety.google/adsservices/. Data processing conditions for Google advertising products: information about the services, data processing conditions between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.

Presences on social networks (social media)

We maintain online presences within social networks and process user data within this framework in order to communicate with users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This can result in risks for users because, for example, it could make it more difficult to enforce user rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The latter may in turn be used, for example, to place advertisements within and outside the networks that presumably match the interests of users. Therefore, cookies are usually stored on users' computers, in which the usage behavior and interests of the users are stored. In addition, data can also be stored in the user profiles regardless of the devices used by the users (in particular if they are members of the respective platforms and logged in there).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.

Even in the case of requests for information and the assertion of data subject rights, we would like to point out that these can be asserted most effectively with the providers. Only the latter have access to user data and can directly take appropriate measures and provide information. Should you still need help, you can contact us.

  • Types of data processed: Contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or pictorial messages and contributions and information relating to them, such as information on authorship or time of creation). Usage data (such as page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Affected persons: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Communication; feedback (e.g. collecting feedback via online form). Public relations.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Instagram: Social network, allows you to share photos and videos, comment on and favorite posts, send messages, subscribe to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.instagram.com; Privacy statement: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland).
  • Facebook pages: Profiles within the social network Facebook — Together with Meta Platforms Ireland Limited, we are responsible for collecting (but not further processing) data from visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content that users view or interact with, or the actions they take (see “Things done and provided by you and others” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, so-called “page insights,” for site operators so that they obtain insights into how people interact with their pages and with the content associated with them. We have signed a special agreement with Facebook (“Page Insights Information,” https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must comply with and in which Facebook has agreed to fulfill the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). Users' rights (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information about page insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transfer of the data to the parent company Meta Platforms, Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.facebook.com; Privacy statement: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland).
  • LinkedIn: Social network — Together with LinkedIn Ireland Unlimited Company, we are responsible for collecting (but not further processing) visitor data that is created for the purpose of creating the “page insights” (statistics) of our LinkedIn profiles.
    This data includes information about the types of content that users view or interact with or the actions they take, as well as information about the devices used by users (such as IP addresses, operating system, browser type, language preferences, cookie data) and information from the users' profile, such as job function, country, industry, hierarchical level, company size, and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy
    We have signed a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum (the 'Addendum')” https://legal.linkedin.com/pages-joint-controller-addendum), which in particular regulates which security measures LinkedIn must comply with and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to LinkedIn). Users' rights (in particular to information, deletion, objection and complaint with the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection of data by and transmission to Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of Ireland Unlimited Company, in particular the transmission of the data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.linkedin.com; Privacy statement: https://www.linkedin.com/legal/privacy-policy; Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland). Objection option (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • YouTube: social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Privacy statement: https://policies.google.com/privacy; Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland). Objection option (opt-out): https://myadcenter.google.com/personalizationoff.

Plug-ins and embedded features and content

We integrate functional and content elements into our online offering, which are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or city maps (hereinafter uniformly referred to as “content”).

Integration always requires that the third-party providers of this content process the users' IP addresses, as they could not send the content to their browsers without an IP address. The IP address is therefore required to display this content or functions. We make every effort to use only content whose respective providers only use the IP address to deliver the content. Third parties can also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information, such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device and include technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offering, but can also be linked to such information from other sources.

Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (such as page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness. Provision of contractual services and fulfilment of contractual obligations.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).
  • Legal bases: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Google Fonts (retrieved from Google server): Retrieval of fonts (and symbols) for the purpose of technically safe, maintenance-free and efficient use of fonts and symbols with regard to timeliness and loading times, their uniform presentation and taking into account possible licensing restrictions. The provider of the fonts is provided with the user's IP address so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted, which are necessary to provide the fonts depending on the devices used and the technical environment. This data can be processed on a server operated by the font provider in the USA — When visiting our online offering, users' browsers send their browser HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, and the referral URL (i.e. the web page on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent, and referral URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a specific font family is requested. With the Google Fonts Web API, the user agent must adapt the font that is generated for the respective browser type. The user agent is primarily logged for debugging and used to generate aggregate usage statistics that measure the popularity of font families. These summarized usage statistics are published on the Google Fonts “Analytics” page. Finally, the referral URL is logged so that the data can be used to maintain production and generate an aggregate report on the top integrations based on the number of font requests. According to its own information, Google does not use any of the information collected by Google Fonts to create profiles of end users or to display targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://fonts.google.com/; Privacy statement: https://policies.google.com/privacy; Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland). More information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • reCAPTCHA: We include the “reCAPTCHA” function to be able to recognize whether entries (e.g. in online forms) are made by people and not by automatically acting machines (so-called “bots”). The processed data may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other websites, possibly cookies and results of manual recognition processes (e.g. answering questions asked or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offering from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.google.com/recaptcha/; Privacy statement: https://policies.google.com/privacy; Basis for transfers to third countries: EU/EEA — Data Privacy Framework (DPF), Switzerland — Adequacy Decision (Ireland). Objection option (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff.

Processing of data in the context of employment relationships

As part of employment relationships, personal data is processed with the aim of effectively establishing, implementing and terminating such relationships. This data processing supports various operational and administrative functions that are required to manage employee relationships.

Data processing includes various aspects, ranging from contract initiation to contract termination. This includes the organization and administration of daily working hours, the administration of access rights and authorizations, and the handling of personnel development measures and employee appraisals. The processing is also used to bill and manage payroll payments, which represent critical aspects of contract execution.

In addition, data processing takes into account legitimate interests of the responsible employer, such as ensuring safety at work or recording performance data to evaluate and optimize operational processes. Data processing also includes the disclosure of employee data as part of external communication and publication processes, where this is necessary for operational or legal purposes.

This data is always processed in compliance with the applicable legal framework, with the aim always being to create and maintain a fair and efficient working environment. This also includes taking into account the data protection of affected employees, anonymizing or deleting data after the processing purpose has been fulfilled or in accordance with legal retention periods.

  • Types of data processed: Employee data (information about employees and other persons in an employment relationship); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of contract, term, customer category); inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or pictorial messages and contributions and information relating to them, such as authorship information, or time of creation); social data (data subject to social secrecy and processed, for example, by social security institutions, social assistance providers or pension authorities); log data (e.g. log files relating to logins or retrieval of data or access times); performance and behavioral data (e.g. performance and behavioral aspects such as performance reviews, feedback from supervisors, training participation, compliance with company policies, self-assessments and conduct evaluations); working time data (e.g. start of working time, end of working time, actual working hours, target working hours, breaks, overtime, vacation days, special vacation days, sick days, absences, home office days, business trips); salary data (e.g. base salary, bonus payments, bonuses, tax class information, supplements for night work/overtime, tax deductions, social security contributions, net payout amount); image and/or video recordings (e.g. photographs or video recordings of a person); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Special categories of personal data: Health data; religious or ideological beliefs. Trade union membership.
  • Affected persons: Employees (e.g. employees, applicants, temporary workers and other employees).
  • Purposes of processing: Establishment and implementation of employment relationships (processing of employee data as part of establishing and executing employment relationships); business processes and business procedures; security measures; provision of contractual services and fulfilment of contractual obligations; public relations; office and organizational procedures.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR); legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); processing of special categories of personal data relating to healthcare, occupational and social security (Art. 9 para. 2 lit. h) GDPR); consent (Art. 6 (1) (a) GDPR).

Further information on processing processes, procedures and services:

  • Working time recording: Methods for recording employees' working hours include both manual and automated methods, such as the use of time clocks, time recording software or mobile apps. Activities such as entering coming and going times, break times, overtime and absences are carried out. Checking and validating the recorded working hours includes reconciliation with work or shift schedules, checking absenteeism and approving overtime by supervisors. Reports and analyses are prepared on the basis of recorded working hours to provide time sheets, overtime reports and absence statistics for management and HR; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Authorization management: procedures required to define, manage, and control access rights and user roles within a system or organization (e.g. creation of authorization profiles, role and access-based control, review and approval of access requests, regular review of access rights, tracking and auditing user activity, creating security policies and procedures); Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Special categories of personal data: Special categories of personal data are processed as part of the employment relationship or to fulfill legal obligations. The special categories of personal data processed include data relating to the health, trade union membership or religious affiliation of employees. This data can, for example, be passed on to health insurance companies or processed to assess the working capacity of employees or for occupational health management or for information to the tax office; Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Sources of processed data: Personal data received as part of the employees' application and/or employment relationship is processed. In addition, when required by law, personal data is collected from other sources. These may be tax authorities for tax-relevant information, the respective health insurance company for information about incapacity to work, third parties such as employment agencies or publicly available sources such as professional social networks as part of application processes; Legal bases: Legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Video surveillance: Monitoring of employees serves the safety of the company, the protection of property and the safety of employees. Various methods and data processing steps are carried out for this purpose.
    Security cameras are first installed and positioned, after a location analysis to identify safety-relevant areas. The cameras are then installed at suitable locations, where monitoring information can be provided by affixing signs or warnings.
    Regular checks are carried out to ensure that the cameras are working properly and that there are no outages that could affect safety.
    The actual monitoring is carried out by making video recordings to record and document potential security incidents. These images are then evaluated and analyzed to identify suspicious activity and respond to it in an appropriate manner.
    All recorded video data is archived in accordance with legal regulations and privacy policies. It should be noted that the data will be deleted after a maximum of 96 hours, unless there is a specific suspicion that requires longer storage in order to clarify the facts or to ensure the security of the company.
    In addition, data deletion measures are implemented as soon as the retention periods have expired or the data is no longer needed to comply with data protection guidelines and protect employee privacy; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Purposes of data processing: The personal data of employees is primarily processed to establish, implement and terminate the employment relationship. In addition, the processing of this data is necessary to fulfill legal obligations in the area of tax and social security law. In addition to these primary purposes, employee data is also used to meet regulatory and supervisory requirements, to optimize electronic data processing processes and to compile internal or cross-company data, possibly including statistical data. In addition, employees' data may be processed to assert legal claims and defend themselves in legal disputes; Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Transfer of employee data to third countries: The transfer of employee data to third countries, i.e. countries outside the European Union (EU) and the European Economic Area (EEA), only takes place if this is necessary to fulfill the employment relationship, is required by law or if employees have given their consent to do so. Employees will be informed separately about the details, insofar as required by law; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Submission of employee data: Employee data is processed internally only by those bodies that need it to fulfill operational, contractual and legal obligations.
    Data will only be passed on to external recipients if this is required by law or if the employees concerned have given their consent. Possible scenarios for this may include requests for information from authorities or when wealth creation services are available. Furthermore, the person responsible may transfer personal data to other recipients insofar as this is necessary to fulfill his contractual and legal obligations as an employer. These recipients may include: a) Banks b) Health insurance companies, pension insurance institutions, pension providers and other social security institutions c) Authorities, courts (e.g. tax authorities, labor courts, other supervisory authorities in the context of fulfilling reporting and information requirements) d) Tax and legal advisors e) Third party debtors in the case of wage and salary attachments f) Other bodies to which legally binding declarations must be made.
    In addition, data may be passed on to third parties if this is necessary for communication with business partners, suppliers or other service providers. Examples include information in the sender area of emails or letterhead and the creation of profiles on external platforms; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Business trips and travel expense report: procedures required for planning, carrying out and accounting for business trips (e.g. booking trips, arranging accommodation and transportation, managing travel expenses advances, filing and verifying travel expense reports, monitoring and recording expenses incurred, compliance with travel policies, handling travel expense management); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR), processing of special categories of personal data relating to healthcare, occupational and social security (Art. 9 para. 2 lit. h) GDPR).
  • Payroll: procedures required for calculating, paying and documenting wages, salaries and other remuneration of employees (e.g. recording working hours, calculating deductions and surcharges, payment of taxes and social security contributions, preparation of payslips, management of payroll accounts, reporting to tax authorities and social security institutions); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR).
  • Deletion of employee data: Employee data in Switzerland is deleted when it is no longer required for the purpose for which it was collected, unless it must remain stored or archived due to legal obligations or the interests of the employer. The following storage and archiving obligations are complied with:
    • 10 years — Retention period for books and records, annual financial statements, inventories, annual reports, opening balance sheets, accounting documents and invoices as well as all necessary work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (OR)).
    • 10 years — Data necessary to consider potential compensation claims or similar contractual claims and rights, as well as to process related inquiries based on past business experience and standard industry practices, will be stored for the statutory limitation period of ten years, unless a shorter period of five years applies, which is relevant in certain cases (Art. 127, 130 OR). Claims expire after five years for rent, rent and capital interest payments and other periodic services, for the delivery of food, for catering and hospitality debts as well as from craft services, retail sale of goods, medical care, professional work by lawyers, legal agents, lawyers and notaries and from the employment relationship of employees (Art. 128 OR).
  • Personnel records management: procedures required for organizing, updating, and managing employee data and records (e.g. collection of personnel master data, retention of employment contracts and certificates, updating data when changes occur, compiling documentation for employee interviews, archiving personnel records, compliance with data protection regulations); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR), processing of special categories of personal data relating to healthcare, occupational and social security (Art. 9 para. 2 lit. h) GDPR).
  • Staff development, performance evaluation and employee interviews: procedures required in the area of promoting and developing employees, evaluating their performance and as part of employee appraisals (e.g. needs analysis for continuing education, planning and implementation of training measures, preparation of performance evaluations, implementation of goal setting and feedback meetings, career planning and talent management, succession planning); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR), processing of special categories of personal data relating to healthcare, occupational and social security (Art. 9 para. 2 lit. h) GDPR).
  • Obligation to provide data: The person responsible informs employees that it is necessary to provide their data. This is generally the case if the data is necessary to establish and implement the employment relationship or if its collection is required by law. The provision of data may also be necessary if employees assert claims or if employees are entitled to claims. The implementation of these measures or fulfilment of benefits is dependent on the provision of this data (for example, the provision of data for the purpose of receiving wages); Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Publication and disclosure of employee data: Employee data is only published or disclosed to third parties if this is necessary, on the one hand, to perform work tasks in accordance with the employment contract. This applies, for example, if employees are named as contact persons in correspondence, on the website or in public registers after consultation or an agreed task description or if the task area contains representative functions. This may also be the case if, as part of the performance of tasks, there is a presentation or communication with the public, such as taking pictures as part of public relations work. Otherwise, employee data will only be published with their consent or on the basis of the employer's legitimate interests, for example when taking stage or group photos as part of a public event; Legal bases: Consent (Article 6 (1) (1) (a) GDPR), contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Application process

The application process requires that applicants provide us with the data necessary for their assessment and selection. What information is required is derived from the job description or, in the case of online forms, from the information provided there.

In principle, the required information includes personal information, such as the name, address, a contact option and evidence of the qualifications required for a position. On request, we are also happy to inform you which information is required.

If available, applicants are welcome to submit their applications via our online form, which is encrypted using the latest technology. Alternatively, it is also possible to send us applications by e-mail. However, we would like to point out that emails on the Internet are generally not sent in encrypted form. Although emails are usually encrypted during transport, this is not done on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the security of the application as it is transmitted between the sender and our server.

For purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us about how to submit their application or send us the application by post.

Processing of special categories of data: If, as part of the application process, special categories of personal data (Article 9 (1) GDPR, e.g. health data, such as status of severely disabled persons or ethnic origin) are requested from or provided by applicants, they are processed so that the person responsible or the data subject can exercise the rights arising from employment law and social security and social protection law and fulfill his or her obligations in this regard, in the event of protection of vital interests of applicants or other persons or for health care or occupational medicine purposes, for the assessment of the employee's ability to work, for medical diagnostics, for care or treatment in the health or social sector, or for the administration of systems and services in the health or social sector.

Deletion of data: In the event of a successful application, the data provided by applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to justified withdrawal by applicants, the deletion will take place no later than after the expiry of a period of six months so that we can answer any follow-up questions about the application and comply with our obligations to provide evidence under the rules on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax requirements.

Inclusion in a pool of applicants: Admission to a pool of applicants, if offered, is based on consent. Applicants are informed that their consent to join the talent pool is voluntary, has no influence on the ongoing application process and that they can withdraw their consent at any time in the future.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation); applicant data (e.g. personal details, postal and contact addresses, the documents relating to the application and the information contained therein, such as a cover letter, curriculum vitae, certificates and other information provided voluntarily by applicants about their person or qualification in relation to a specific position or qualifications).
  • Affected persons: Applicants.
  • Purposes of processing: Application process (justification and possible subsequent implementation as well as possible subsequent termination of the employment relationship).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Application process as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR).

___

General

This privacy policy informs you how we handle your personal data (hereinafter also referred to as “your data”). We attach great importance to protecting the personal rights of users of our products, comply with the applicable data protection regulations and take the necessary measures to protect your data.

Websites from other providers that can be reached via our websites are not subject to the data protection regulations set out here. We assume no responsibility or liability for compliance with data protection by third-party websites.

Webflow

We host our website with Webflow. The provider is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter: Webflow). When you visit our website, Webflow collects various log files, including your IP addresses.

Webflow is a tool for building and hosting websites. Webflow stores cookies or other recognition technologies that are necessary to display the page, to provide certain website functions and to ensure security (necessary cookies).

For details, see Webflow's privacy policy: EU & Swiss Privacy Policy | Webflow.

Webflow is used on the basis of legitimate interest. We have a legitimate interest in presenting our website as reliably as possible.

Data transmission to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: EU & Swiss Privacy Policy | Webflow.

Order processing

We have concluded an order processing contract (AVV) with the above-mentioned provider. This is a contract required by data protection law, which ensures that it only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR and the NdSG.

Usage

If you contact us by email, via the contact form or by post, we collect the appropriate personal data from your request. We process this personal data solely for the purpose of answering your request. This data is always kept confidential.

Cookies

This website uses cookies. Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user's computer. A cookie is primarily used to store information about a user during or after their visit to an online offer. The stored information can include, for example, the language settings on a website, the login status, a shopping cart or the location where a video was watched. The term “cookies” also includes other technologies that perform the same functions as cookies (e.g. when user information is stored using pseudonymous online identifiers, also known as “user IDs”).

The following types of cookies and functions are differentiated:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their browser.
  • Persistent cookies: Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The interests of users, which are used to measure reach or for marketing purposes, can also be stored in such a cookie.
  • First-party cookies: First-party cookies are set by ourselves.
  • Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
  • Necessary (also: essential or absolutely necessary) cookies: On the one hand, cookies may be absolutely necessary for the operation of a website (e.g. to save logins or other user inputs or for security reasons).
  • Statistics, marketing and personalization cookies: In addition, cookies are usually also used as part of audience measurement and when a user's interests or behavior (e.g. viewing certain content, using functions, etc.) are stored in a user profile on individual websites. Such profiles are used, for example, to show users content that matches their potential interests. This process is also known as “tracking”, i.e. tracking the potential interests of users. If we use cookies or “tracking” technologies, we will inform you separately in our privacy policy or when obtaining consent.

Information on legal bases: The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g. in operating our online offering and improving it) or if the use of cookies is necessary to fulfill our contractual obligations.

Storage period: Unless we provide you with explicit information about the storage period of permanent cookies (e.g. as part of a so-called cookie opt-in), please assume that the storage period can be up to two years.

General information on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option at any time to withdraw your consent or to object to the processing of your data using cookie technologies (collectively referred to as “opt-out”). You can first declare your objection using your browser settings, e.g. by deactivating the use of cookies (which may also restrict the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared using a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you may receive further objection notices as part of the information on the service providers and cookies used.

Retention period

We only use and keep your data for as long as is necessary in accordance with the processing purpose in question or as long as there is another legal basis for doing so, but for a maximum of ten years. We keep data that we have as a result of a contractual relationship with you for at least as long as the contractual relationship exists and there are limitation periods for possible claims made by us or there are legal or contractual storage obligations.

Contacting

When you contact us, your information will be used to process the contact request as part of fulfilling pre-contractual rights and obligations. The processing of your data is necessary to process and answer your request; otherwise we cannot answer your request or can only answer it to a limited extent. The information can be stored in a customer and interested party database based on our legitimate interest in direct marketing.

We will delete your request and contact details provided that your request has been answered conclusively and the deletion does not conflict with any legal retention periods, e.g. as part of subsequent contract processing. This is usually the case when there has been no contact with you for a period of three years.

Third party services

Our digital offerings are linked to third-party functions and systems in a variety of ways. If you have a user account with these third parties, it may also be possible for these third parties to measure and evaluate your use of our digital offerings. In doing so, other personal data, such as IP address, personal browser settings and other parameters, may be transmitted to these third parties and stored there. We have no control over the use of personal data collected in this way by third parties and assume no responsibility or liability.

Transfer abroad

If necessary and appropriate for the data processing described in this privacy policy, we may also transfer your personal data to third parties abroad. If the country concerned does not have an adequate level of data protection, we will contractually ensure that the protection of your personal data is of such a level. We ensure this by concluding standard contractual clauses with the companies concerned. Where such a standard contractual clause cannot be obtained, we obtain the consent of users that they agree to the transfer of their data.

Google

This website uses the following Google services:

  • Google Fonts for loading web fonts
  • Google Maps for embedding maps
  • Google Invisible reCAPTCHA for protection against bots and spam
  • YouTube for embedding videos

These services from the American company Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA use cookies, among other things, and as a result, information about the use of our sites (including your IP address) is transmitted to Google in the USA, although we assume that no personal tracking takes place solely through the use of our website.

Google is committed to ensuring adequate data protection in accordance with the American-European and American-Swiss Privacy Shield. In addition, the current standard contractual clauses (SCC) ensure that the protection of the transferred data is of an appropriate level.

Further information can be found in Google's privacy policy.

Amazon CloudFront

This website uses Amazon CloudFront Content Delivery Network (CDN) from Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg (AWS) to increase the security and delivery speed of our website. This is in our legitimate interest. A CDN is a network of servers distributed [worldwide] that is able to deliver optimized content to website users. For this purpose, personal data can be processed in AWS server log files. Please compare the information under “Hosting”. Your personal data is stored by AWS for as long as is necessary for the purposes described. For more information about objection and removal options against AWS, please visit: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf

AWS has implemented compliance measures for international data transfers. These apply to all global activities in which AWS processes personal data from natural persons in the EU. These measures are based on EU Standard Contractual Clauses (SCCs). For more information, see: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

Rights of data subjects

Right to information and correction

You have the right to receive information from us at any time, free of charge, as to whether and which personal data we process about you. You can also request that we correct or complete incorrect data about you in our systems.

Right to delete and restrict

You have the right to request that we delete or restrict the processing of your personal data. Please note that even after your request to delete your personal data, we may have to retain it due to legal or contractual storage obligations (such as for billing purposes) and in this case only restrict or block your data as necessary. In addition, deleting your data may mean that you can no longer obtain or use the services you have registered.

Right to object

You have the right to object to the processing of your data, which you can assert with us.

Right to data portability

Where applicable, you can also assert your right to data portability.

Withdrawal of consent

You can withdraw your consent to data processing at any time, in principle with effect for the future. In the event of a withdrawal, we may no longer be able to provide you with personalized use of free and/or paid products.

Right to complain

Where applicable, you have the right to lodge a complaint with the competent supervisory authority regarding data processing. You can do this with the supervisory authority at your place of residence, place of work or the location of the suspected data breach.

Contact

If you have any questions or suggestions regarding this privacy statement, your personal data or data security, you can contact us as follows: