I. General

Data protection is one of the core competencies of our expertise – and the protection of the data we process about you is therefore important to us.

In this Data Protection Declaration, we inform you comprehensively about our handling of your personal data as our user of our Website, Web Shop such as our newsletter subscriber.

We explain to you your rights in connection with the processing of personal data in our company. The processing of personal data of our employees and customers outside of our web store is regulated exclusively within the framework of our employee or mandate contracts.

A. Scope of Application

This data protection declaration applies to all processing activities that are related to personal data regarding:

  • Visit of our website
  • Orders in our web shop
  • Newsletter
  • Applications

Depending on personal data processing, in addition to applicable Swiss law (Federal Act on Data Protection (FADP) of 19 June 1992, SR 235.1), European data protection law (Regulation (EU) 2016/679 (GDPR)) may also or exclusively apply.

B. Controller

HÄRTING Rechtsanwälte AG
Landis + Gyr-Strasse 1
6300 Zug
Tel. 041 710 28 50

C. Data Protection Advisor

Nicole Beranek Zanon

HÄRTING Rechtsanwälte AG
Landis + Gyr-Strasse 1
6300 Zug
Tel. 041 710 28 50

D. Contact Details of the Swiss Supervisory Authority

Office of the Federal Data Protection and Information Commissioner
Feldeggweg 1
CH – 3003 Bern
Tel. +41 58 462 43 95

II. Processing Activities

Depending on how you relate to us, we process different personal data about you for different purposes and based on different legal bases.

A. Visit of our Website

Processing

When you visit our Website, the browser used on your terminal device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file.

Personal Data

The following data is recorded without your intervention and collected until they are automatically deleted:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which access is made (referrer URL)
  • Browser type and browser version as well as other information transmitted by the browser, such as the operating system of your computer, the name of your access provider, your geographical origin, language setting, etc.

Purpose

The mentioned data will be processed for the following purposes:

  • Ensuring a smooth connection of the Website
  • Ensuring a comfortable use of our Website
  • Evaluation of system safety and stability

Legal Basis

The legal basis for this data processing lies in our private interest according to art. 13 para. 1 FADP and art. 6 para. 1 s. 1 lit. f GDPR. This data is collected and evaluated for statistical purposes and to improve the quality of the website. Under no circumstances do we use the collected data to draw conclusions about your person or to create user profiles with the help of this data.

Necessity

This information is necessary for the functioning of the website.

Period

At the end of your session, the session cookies are deleted, but we keep the log according to the legal requirements.

B. Contact Form

Processing

If you have any questions, we offer you the possibility to contact us via a form provided on the website.

Personal Data

The following information must be provided:

  • Valid e-mail address
  • First names and surnames
  • Company name (optional)
  • Address (optional)
  • Phone number (optional)

Purpose

The mentioned data will be processed for the following purposes:

  • Answering your request
  • Contacting

Legal Basis

Data processing is based on contractual or pre-contractual measures pursuant to art. 13 para. 2 lit. a FADP or art. 6 para. 1 s. 1 lit. b GDPR.

C. Visit of our Web Shop

Processing

You have the possibility to order various products on our web shop.

Personal Data

The following information must be provided:

  • Valid e-mail address
  • First names and surnames
  • Company name (optional)
  • Address
  • Phone number (optional)
  • Credit card information such as customer- or provider-related identification number

For the design and placement of our products in our web shop, we use the E-Commerce-System of WooCommerce. The provider of this service is Aut O’Mattic A8C Ireland Ltd. Business Centre, No.1 Lower Mayor Street, International Financial Services Centre Dublin 1, Ireland (hereinafter referred to as “Aut O’Mattic”).

If Aut O’Mattic processes your personal data outside of the European Economic Area (EEA) (e.g., through other members of its group of companies or through processors), Automattic Inc. will respond appropriately to protect your personal data in accordance with applicable law. In the case of data processing by a company located outside the EEA, Aut O’Mattic will ensure that appropriate safeguards are provided (e.g., the standard contractual clauses approved by the European Commission) and that enforceable rights and effective legal remedies are available to the data subject. Further details can be found in WooCommerce’s privacy policy at: https://automattic.com/privacy/.

To process your online payment, we use the payment platform of Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA (hereinafter referred to as “Stripe”). The payment data collected for this purpose will be forwarded to Stripe and to the credit institution responsible for the payment. In some cases, the selected payment service providers also collect this data themselves if you create an account there. The data protection declaration of the respective payment service provider shall apply.

Stripe is a company based in the USA that processes personal data outside the EEA or Switzerland, including in the USA. Stripe complies with applicable laws to provide an adequate level of data protection for the transfer of your personal data to the USA. Where applicable law requires that a data transfer legal mechanism, Stripe use one or more of the following: EU Standard Contractual Clauses with a data recipient outside the EEA or the UK, verification that the recipient has implemented Binding Corporate Rules, or other legal method available to us under applicable law.

Further details on Stripe’s data processing can be found in their privacy policy at: https://stripe.com/de-ch/privacy.

Note: Your data will be processed by Aut O’Mattic and Stripe Inc. in the USA. The USA is a so-called unsafe third country (see also section IV). Your data is therefore not subject to a level of data protection in the USA that is comparable to that in Switzerland or the EU.

If you consent to the processing by Aut O’Mattic and Stripe Inc., you therefore consent at the same time to your data being transferred to the USA in accordance with Art. 17 nFADP (new data protection law, comes into force in 2022) or Art. 49 para. 1 lit. a GDPR.

Purpose

The mentioned data will be processed for the following purposes:

  • Processing of the purchase
  • Creation of a receipt
  • Contacting
  • Lead generation for marketing purposes

Legal Basis

This data processing is carried out on the basis of contractual or pre-contractual measures in accordance with art. 13 para. 2 lit. a FADP or art. 6 para. 1 s. 1 lit. b GDPR.

D. Cookies

1. General

Processing

We use cookies on our website. Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. A cookie does not always mean that we can identify you.

Personal Data

A cookie does not always mean that we can identify you.

Purpose

We use cookies to statistically store the use of our website and to evaluate it for the purpose of optimization and user friendliness.

Legal Basis

We process technically necessary cookies based on our overriding legitimate private interest. We only process technically non-essential cookies if you voluntarily have granted your consent in accordance with art. 13 para. 1 FADP and art. 6 para. 1 s. 1 lit. a GDPR.

Necessity

In the basic setting of most internet browsers, cookies are automatically accepted. If you do not wish to have cookies from our websites stored in your device, you can configure your browser settings so that you receive a warning before certain cookies are stored.

Please note that the partial or complete deactivation of cookies may mean that you will not be able to use all functions of our websites.

Period

Cookies have different retention periods. If they are cookies from third party manufacturers, we have no influence on the period of storage.

1.   Technically necessary Cookies

Processing

In order to store your personal user settings regarding cookies and language selection on our websites, we use a logging cookie.

Personal Data

No personal data is processed. Only the current status of your selected cookie and language settings will be saved.

Purpose

The processing is done to re-identify your personal cookie settings on our websites.

Legal Basis

The processing is based on our overriding interest in accordance with art. 6 para. 1 s. 1 lit. f GDPR und art. 13 para. 1 FADP.

Necessity

This cookie is necessary for the functioning of our websites.

Period

The cookie is automatically deleted from your system after one month.

3.   Google Analytics

Processing

Our websites use the web analysis service Google Analytics from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google Analytics“).
Google Analytics uses cookies (see Cookies). The information generated by cookies about your use of this website is usually transferred to a Google server in the USA and stored there.

Personal Data

In relation to the web analysis service of Google Analytics, the following data concerning you will be processed:

  • Masked IP addresses
  • In exceptional cases IP addresses

Three permanent Google Analytics cookies are used for this purpose (_gat, _gid, _ga), which are automatically deleted after a defined period of time. Thanks to our plugin Google Analytics Germanised, cookies are only used after your consent.

We would like to point out that on this website Google Analytics was extended by the code “gat._anonymizeIp();” in order to guarantee an anonymous recording of IP addresses (so-called IP masking). If anonymization is active, Google Analytics shortens IP addresses within member states of the European Union or in other states party to the Agreement on the EEA, which means that no conclusions can be drawn about your identity. Only in exceptional cases, the full IP address is transmitted to a Google server in the USA and shortened there.

More information on the handling of user data at Google Analytics can be found in Google’s Data Protection Declaration.

Note: Your data will be processed by Google in the USA. The USA is a so-called unsafe third country (see also section IV). Your data in the USA is therefore not subject to a level of data protection comparable to that in Switzerland or the EU.

If you consent to processing by Google, you therefore consent at the same time to your data being transferred to the USA in accordance with Art. 17 nFADP (new Data Protection Act, comes into force in 2022) or Art. 49 (1) a GDPR.

Purpose

We use Google Analytics to constantly improve the offer on our websites.

Legal Basis

We only use Google Analytics with your explicit consent in accordance with art. 6 para. 1 s. 1 lit. a GDPR.

Period

Session cookies are automatically deleted when the session is terminated. Permanent cookies are deleted after two years at the latest.

4.   IFrame of Google maps

Processing

We use an IFrame from Google maps from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Personal Data

An IFrame is used to structure our website and to place other web content on our website. By clicking on the IFrame, the user is redirected to the provider’s website. We have no influence on the processing of personal data on the websites of third persons.

Purpose

An IFrame is used to structure our website and to place other web content on our website. By clicking on the IFrame, the user is redirected to the provider’s website. We have no influence on the processing of personal data on the websites of third persons.

Legal Basis

Data processing in connection with plug-ins and IFrames is based on our legitimate interests pursuant to art. 13 para. 1 FADP and art. 6 para. 1 s. 1 lit. f GDPR. They override, because otherwise we could not provide an interactive map on our website.

Necessity

The mentioned data are not necessary in the context of the website functionality.

E. Newsletter

Processing

You have the possibility to subscribe to our newsletter, in which we inform you about important news around technology and its legal effects.

For your consent to our newsletter dispatch we use a double opt-in procedure, i.e. we only send you a newsletter by e-mail if you have expressly confirmed this to us before. You will receive a notification e-mail in which you will be asked to confirm the link contained in the e-mail.

We use the services of Sendinblue to send out the newsletter. The provider of this service is Sendinblue GmbH, Köpernicker Str. 126, 10179 Berlin.

Personal Data

When you register for the newsletter, we collect the following data from you:

  • E-Mail address
  • First names and surnames (optional)

We then process data with which it can be determined whether a newsletter message has been opened and what links have been clicked on. In addition, technical information may be collected, for example:

  • Time of access
  • IP Address
  • Browser type
  • Operating System

Purpose

The mentioned data are processed for the following purposes:

  • Dispatch of the newsletter
  • Analysis of the newsletter campaign

Sendinblue’s analysis of the newsletter campaign enables us to determine whether a newsletter message has been opened and what links have been clicked on. This information is used exclusively for statistical analysis of newsletter campaigns.

Legal Basis

We only store your personal data for sending the newsletter if you have voluntarily given us your consent in accordance with art. 13 para. 1 FADP or art. 6 para. 1 s. 1 lit. a GDPR.

Necessity

The processing is necessary for the dispatch of our newsletter and the statistical evaluation.
If you do not want Sendinblue to analyse your data, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. You can also unsubscribe directly via our website.

Period

The data stored for the purpose of the newsletter subscription will be stored by us until you unsubscribe from the newsletter. After you have unsubscribed from the newsletter, your data will be deleted from our servers and from Sendingblue’s servers. Data stored by us for other purposes (e.g. e-mail addresses for events or course registrations, etc.) remain unaffected by this.

Further details can be found in Sendinblue’s privacy policy.

F. Application

Processing

You have the possibility to apply via e-mail. In these cases, we will process all the data you send us with your application dossier.

If it does not come to a direct employment and another applicant should cancel, we would take the liberty of contacting you again and keeping your documents for this purpose.

Personal Data

Depending on the data actually transmitted, these are usually:

  • Contact details of the applicant and reference persons
  • Letter of application
  • Application photo or video
  • Certificates of performance
  • Curriculum Vitae
  • Criminal record extract (only where expressly requested)
  • AHV number

Purpose

We process this data for checking your suitability for the position applied for or for handling the application process.

Legal Basis

This processing operation is necessary to carry out pre-contractual measures based on your request (art. 13 para. 2 lit. a FADP or art. 6 para. 1 lit. b GDPR).

Necessity

The mentioned data are not necessary for the website functionality.

Period

At the latest 6 months after announcement of the cancellation, your data will be automatically deleted. If you expressly agree to your data being stored in our database of interest parties, we will delete the data at a later date at an agreed time

III. Transfer of Data to Third Parties

Processing

Your personal data will not be transferred to third parties for purposes other than those listed and to contractors other than those listed and their sub-contractors.

Third parties are technology providers for the optimal operation of websites and social media sites and for the provision of the services listed above.

IV. Cross-border Transfer in Third Countries without Adequate Level of Data Protection

Processing

There is no disclosure in third countries without an adequate level of data protection or only under the contractual obligation to maintain an adequate level of data protection (EU standard clauses)

A transfer of personal data to third countries only takes place if the data protection requirements of Art. 6 FADP or Art. 44 et seq. GDPR are given.

A third country is defined as a country outside of Switzerland or the European Economic Area (EEA) in which Swiss data protection law or the European GDPR is not directly applicable. A third country is considered unsafe if, according to the FDPIC or the EU Commission, the country does not have an adequate level of data protection.

With the ECJ ruling of 16 July 2020 (C-311/18), the adequacy decision for the USA was declared invalid. The FDPIC has also withdrawn the adequacy from the USA. The USA is thus a so-called unsafe third country.

When personal data is transferred to the USA, there is a risk that US authorities may gain access to the personal data. Swiss citizens have no effective legal protection against such access in the USA.

In this data protection information, we inform you when and how we transfer personal data to the USA or other unsecure third countries.

V. Data Security

Processing

We take reasonable steps to ensure that your personal data cannot be accessed or removed by unauthorized third parties.
In particular, we ensure that only authorized persons have access to this data by means of appropriate technical (e.g. firewall, password protection, SSL encryption, etc.) and organizational (e.g. restriction of authorized persons, training of authorized persons, etc.) measures. Our data processing and security measures are continuously improved in line with technological developments.

Personal Data

Personal data is any information relating to an identified or identifiable natural person, including name, address, telephone number or e-mail or IP address.

Purpose

We use SSL encryption for reasons of security and to protect the transmission of confidential content, such as the requests you send to us as an investment operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL encryption is activated, third parties cannot read the data that you transmit to us.

VI. Storage Period

Processing

We will store your personal information for as long as we consider it necessary or appropriate to comply with applicable laws or for as long as it is necessary for the purposes for which it was collected. We delete your personal data as soon as they are no longer required and in any case after the maximum retention period of five or ten years required by law. Data that are no longer required and for which there is no legal obligation to retain them will be destroyed once the purpose and justification for doing so no longer apply.

Personal Data

In detail, we store your personal data for the following duration:

  • Data which we process by law is retained for the statutory period of retention, for example if required by labour law, social security law, tax law or the ordinance on account books;
  • Data that we need to fulfil a contract will be retained for at least the duration of the contract and for a maximum of ten years thereafter, unless we need the data to assert our rights;
  • Data that we process to protect our legitimate interests will be stored for a maximum of ten years after the end of the contractual relationship, unless we need the data to assert our rights;
  • If not employed, your application documents will be deleted, destroyed or returned to you after six months.

VII. Your Rights

As the person concerned, you may assert various claims against us in accordance with the applicable national and international law.
To meet these claims, we will process your personal data again.

Depending on the applicable law, data subjects may exercise the following rights:

  • You can request Information at any time on all data available in our data collection (art. 8 FADP or art. 15 GDPR) relating to you. In particular, you may request information about:
    • The purposes of the data processing
    • The category of personal data
    • The categories of recipients to whom your information has been or will be disclosed
    • The planned storage period
    • The existence of a right to rectification, deletion, restriction of or to object to data processing
    • The existence of a right to lodge a complaint
    • The origin of your data, if they have not been collected by us
    • The existence of automated decision-making, including profiling and, where appropriate, meaningful information on its details
  • You can immediately request the rectification of incorrect or incomplete personal data stored by us (art. 5 FADP or art. 16 GDPR)
  • You can request the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it, we no longer need the data but you need it to assert, exercise or defend legal claims or you have lodged a complaint to the processing pursuant to art. 21 GDPR (Art. 18 GDPR).
  • You can receive the personal data that you have provided to us, in a structured, common and machine-readable format or request its transmission to another controller (art. 20 GDPR).
  • You can request the deletion of your personal data, unless the processing is necessary for the exercise of the right to freedom of opinion and information, for the fulfilment of a legal obligation, for reasons of public interest or to assert exercise or defend legal claims (art. 5 FADP or art. 17 GDPR).
  • You can withdraw your consent to us at any time. As a result, we may no longer continue the data processing based on this consent in the future (art. 7 para. 3 GDPR).
  • If your personal data is processed on the basis of legitimate interests pursuant to art. 6 para. 1 s. 1 lit. f GDPR, you have the right to object to the processing of your personal data if there are reasons for doing so which arise from your particular situation or if the objection is to the direct advertising. In the latter case, you have a general right to object, which is implemented by us without stating a special situation (art. 21 GDPR).
  • You have the right to lodge a complaint with our data protection advisor or to a supervisory authority (see above) (art. 77 GDPR).

VIII. Actuality and Amendment of this Data Protection Declaration

We reserve the right to change this privacy policy at any time or to adapt it to new processing methods. The current data protection declaration can be accessed at any time at https://haerting.ch/en/privacy-policy/.