1 What is this Privacy Policy about?
Data protection is a matter of trust, and your trust is important to us. For that reason, this Privacy Policy is intended to inform you how and for what purpose we collect, process and use your personal data.
This Privacy Policy will tell you, among other things:
- what personal data we collect and process;
- the purposes for which we use your personal data;
- who has access to your personal data;
- what are the benefits of our data processing for you;
- for how long we process your personal data;
- what rights you have in relation to your personal data; and
- how you can contact us.
We have aligned this Privacy Policy with both the Swiss Federal Act on Data Protection and the European General Data Protection Regulation (GDPR). The GDPR has become established worldwide as the benchmark for strong data protection. However, whether and to what extent the GDPR is applicable depends on the individual case.
2 Who is responsible for data processing?
Under data protection law, responsibility for a particular data processing operation lies with the company that determines whether this processing is to take place and for what purposes, and how it is organised (controller). As a general principle, in each case it is one of the companies of the Sisag Group ("we" or "us") which is the controller in terms of data protection law for data processing in accordance with this Privacy Policy. As a rule, this is the company that drew your attention to this Privacy Policy.
Sisag Holding AG, Militärstrasse 3, 6467 Schattdorf (CHE-105.738.585) coordinates the activities of the Sisag Group and defines its strategy.
The Sisag Group includes the following companies, most of which are controllers for data processing:
- Sisag Holding AG (CHE-105.738.585)
- Sisag AG (CHE-490-116.653)
- Remec AG (CHE-115-4664-283)
- Sharecomm AG (CHE-105.658.549)
- SisCampus AG (CHE-266.167.011)
- Spillmann Informatik GmbH (CHE-106.323.376)
Several Sisag Group companies may also be jointly responsible for a specific data processing operation if they make joint decisions on the organisation or purpose of the relevant data processing.
3 For whom and for what purpose is this Privacy Policy intended?
This Privacy Policy applies to all persons whose data we process ("you"), regardless of how you contact us, e.g. at our business location, by telephone, on a website, via an app, via a social network, at an event, etc. It applies both to the processing of personal data that has already been collected and to personal data that will be collected in the future.
Insofar as we process personal data, our data processing may affect the following categories of persons in particular:
- Customers in our companies;
- Persons who use our services or who come into contact with our offers;
- Users of our products and services;
- Visitors to our websites;
- Visitors to our business premises;
- People who write to us or contact us in any other way;
- Recipients of information and marketing communications;
- Participants in customer events and public events;
- Participants in market research, opinion polls and customer surveys;
- Contact persons of our suppliers, customers and other business associates as well as organisations and authorities;
- Job applicants.
This Privacy Policy applies to the processing of personal data in all our business divisions and companies.
Please also consult the contractual terms and conditions for individual services (e.g. General Terms and Conditions, Terms of Use or Terms of Participation). These may contain additional information about data processing in our companies. For information on the collection and processing of personal data when using our websites, general software products, mobile apps and social media channels, in particular in connection with cookies and similar technologies, please also consult our cookie information.
4 What personal data do we process?
"Personal data" is information that can be linked to a specific person. We process various categories of such personal data.
- Master data
- Contract data
- Communications data
- Behavioural and transaction data
- Preference data
- Registration data
- Technical data
- Image and sound recordings
- Other data
For orientation, the most important categories are listed below. In individual cases, however, we may also process other personal data.
In section 5 you can find out more about the source of this data and in section 6 about the purposes for which we process this data.
4.1 Master data
Master data is the basic data about you, such as title, name, contact details or date of birth. However, we also collect master data, for example, when you register for a newsletter. We also collect master data for access controls to our events or office premises. We also collect master data about contacts and representatives of contractual partners, organisations and authorities.
The master data includes, for example
- Title, first name, surname, gender, date of birth;
- Address, e-mail address, telephone number and other contact details;
- Customer numbers;
- Payment information (e.g. stored means of payment, bank details, billing address);
- User name and profile photo;
- Information on the use of online services;
- Details of related websites, social media profiles etc.;
- Information about your relationship with us (customer, visitor, supplier, etc.);
- Information about related third parties (e.g. contacts, recipients of services or representatives);
- Settings regarding the receipt of advertising, subscribed newsletters, etc.
- Information about your status with us (inactivity or blocking of a user account etc.);
- Information on attendance at events;
- Official documents in which you appear (e.g. identity documents, extracts from the commercial register, authorisations, etc.);
- Information on titles and function in the company for contact persons and representatives of our business associates;
- Date and time of registrations.
You may be able to log in to individual online tools using the login from a third-party provider (e.g. Apple, Google, Microsoft or Facebook). In that case, we will receive access to certain data stored with the relevant provider, e.g. your user name, your profile picture, your date of birth, your gender and other details, the scope of which you can usually determine. Information on this can be found in the privacy policy of the provider in question.
4.2 Contract data
Contract data is personal data that arises in connection with the conclusion or performance of the contract, e.g. information on the conclusion of the contract, acquired claims and receivables or information on customer satisfaction. We primarily conclude contracts with customers, business partners and job applicants. If you use offers from us on the basis of a contract, e.g. by purchasing goods or using services, we also frequently collect behavioural and transaction data (see section 4.4).
The contract data includes details such as information
- on the initiation and conclusion of contracts, e.g. date on which the contract was concluded, information from the application process and information on the contract in question (e.g. type and duration);
- on the processing and administration of contracts (e.g. contact details, delivery addresses, successful or failed deliveries and information on the means of payment indicated);
- in connection with customer service and support for technical matters;
- about our interactions with you (possibly a customer history with corresponding entries);
- on receivables and acquired claims and benefits;
- about defects and complaints as well as amendments to a contract;
- on customer satisfaction, which we may collect through surveys;
- on financial matters such as ascertaining creditworthiness (i.e. information that allows conclusions to be drawn about the probability that receivables will be paid), reminders, debt collection and the enforcement of claims;
- in connection with a job application, e.g. CV, references, qualifications, certificates, interview notes, etc. (which may also contain personal data of third parties);
- on interactions with you as a contact or representative of a business partner;
- in connection with security checks and other checks with a view to entering into a business relationship.
4.3 Communications data
If you are in contact with us or we are in contact with you, e.g. if you contact customer service or if you write or call us, we will process the information exchanged with you in the course of our communications as well as information about the type, time and location of the communication. In certain situations, we may also ask you for proof of your identity for identification purposes.
Communications data includes e.g.
- name and contact details such as postal address, e-mail address and telephone number;
- content of e-mails, written correspondence, chat messages, social media posts, comments on a website, telephone conversations, video conferences, etc;
- responses to customer and satisfaction surveys;
- information on the type and time of the communication and potentially the place at which it occurred;
- proof of identity, e.g. copies of official identity documents;
- metadata from the communication.
Telephone and video conference calls with us may be recorded; we will inform you of this at the beginning of each call. If you do not want us to record such conversations, you have the option of terminating the conversation at any time and contacting us by another means (e.g. by e-mail).
4.4 Behavioural and transaction data
When you purchase products from us, avail yourself of our offers and infrastructure or make use of our services, we often collect data about this use and about your behaviour in general. This is the case, for example, when you use our websites and software products.
Behavioural and transaction data includes, for example, the following information, insofar as it is specific to you and is available to us:
- about your purchasing behaviour (e.g. where you buy goods and services, how often, what goods and services you buy and at what price, as well as the type of payment method and the delivery method chosen);
- about attendance at events (e.g. date, location and type of event);
- about your behaviour on websites;
- on your installation and use of mobile apps;
- about your use of electronic communications (e.g. whether you have opened an e-mail or clicked on a link and if so, when);
- about your use of our Wi-Fi networks (e.g. date, time and duration of the connection, location of the Wi-Fi network and data volume).
You can also use many of our services anonymously.
4.5 Preference data
We want to optimally tailor our offers and services to our customers’ needs and preferences. We may therefore also process data relating to your interests and preferences. For this purpose, we can link behavioural and transaction data with other data and evaluate this data on a personalised or a non-personalised basis. This allows us to draw conclusions about characteristics, preferences and likely behaviour.
In particular, we can create segments (permanent groupings or relating to a specific case), i.e. groups of people who have similarities with regard to certain characteristics. Preference data can be used on a personalised basis, but also on a non-personalised basis (e.g. for market research or product development).
We do not carry out profiling.
4.6 Technical data
When you use our websites, our software products, our Wi-Fi networks or other electronic services, we collect certain technical data such as your IP address or a device ID. The technical data also includes the logs in which we record the use of our systems (log data). In some cases, we can also assign a unique identification number (an ID) to your end device (tablet, PC, smartphone, etc.), for example by using cookies or similar technologies, so that we can recognise it. You can find more information on this in our cookie information.
On the basis of technical data, behavioural data in particular can also be collected, i.e. information on your use of websites and software products (see section 4.4). As a rule, however, we cannot infer who you are from technical data unless, for example, you create a customer account or register. In that case, we can link technical data with master data, thus enabling us to identify you personally.
The technical data includes
- the IP address of your device and other device IDs (e.g. MAC address);
- identification numbers assigned to your device by cookies and similar technologies (e.g. pixel tags);
- information about your device and its configuration, e.g. operating system or language settings;
- information on the browser you are using to access the website and its configuration;
- information about your navigation and actions on our websites and in our apps;
- information about your internet provider;
- your approximate location and the time of use;
- automatic logging of access events and other processes (log data).
This technical data does not, on its own, usually allow us to draw any inferences about your identity.
Please also note our cookie information with respect to the processing of technical data.
4.7 Image and sound recordings
We regularly produce photos, videos and audio recordings in which you may appear, e.g. when you take part in an event, are in contact with our customer service or are in an infrastructure monitored by us. We also make video recordings on our premises and in our monitored infrastructures for security and evidentiary purposes. In doing so, we may receive information about your behaviour in those areas. The use of video surveillance systems is limited to specific areas and signposted.
5 Where does the personal data come from?
5.1 Data provided
You often provide us with personal data yourself, e.g. when you transmit data to us or communicate with us. In particular, it is usually you yourself who provides us with master data, contract data and communication data. You also often provide us with preference data yourself.
The provision of personal data is generally voluntary, i.e. you are usually not obliged to disclose personal data to us. However, we must collect and process the personal data that is necessary for the execution of a contractual relationship and for the performance of associated obligations required or prescribed by law, e.g. mandatory master data and contract data. Otherwise we will not be able to conclude or continue the contract in question.
If you provide us with data about other persons, we assume that you are authorised to do so and that such data is correct. Please also ensure that those other persons have been informed about this Privacy Policy.
In certain cases, we receive data from other persons (e.g. if your employer provides us with contact data in connection with the performance of a contract).
5.2 Data collected
We may also collect personal data about you ourselves or automatically, e.g. when you avail yourself of our offers or make use of our services. This often involves behavioural and transaction data as well as technical data.
We collect personal data about you independently in the following cases, for example:
- you visit one of our websites or use one of our software products;
- you click on a link in one of our newsletters or otherwise interact through one of our electronic advertising messages.
We can also derive personal data from existing personal data, e.g. by evaluating behavioural and transaction data. Such derived personal data is often preference data.
5.3 Data received
We may also receive information about you from other third parties, e.g. from companies we work with, from people who communicate with us or from public sources.
For example, we may receive information about you from the following third parties:
- from your employer and work colleagues in connection with a job application and their job functions;
- from third parties, where correspondence and discussions relate to you;
- from people with whom you regularly interact personally, e.g. your address for deliveries, references or authorisations;
- from credit agencies, e.g. when we obtain credit reports;
- from Swiss Post and address dealers, e.g. for address updates;
- from banks, insurance companies, sales and other contractual partners for purchases and payments;
- from providers of online services, e.g. providers of internet analysis services;
- from information service providers, for compliance with legal requirements such as anti-money laundering law and export restrictions;
- from authorities, parties and other third-party sources in connection with official and court proceedings;
- from media monitoring companies in connection with articles and reports in which you appear;
- from public registers such as the debt enforcement register or commercial register, from public bodies such as the Federal Statistical Office, from the media or from the internet.
6 For what purposes do we process personal data?
6.1 Communication
We would like to stay in contact with you and respond to your individual concerns. For this reason, we process personal data in order to communicate with you, e.g. to respond to enquiries and for customer care. In particular, we use communication and master data and, if the communication relates to a contract, also contract data. We may also personalise the content and timing of messages based on behavioural, transactional, preference and other data.
The purpose of our communication includes in particular
- responding to enquiries;
- contacting you in the event of any questions;
- providing customer service and customer care;
- for authentication, e.g. when you use our software products;
- for quality assurance and training;
- for all other processing purposes, insofar as we communicate with you for this purpose (e.g. contract handling, information and direct advertising).
6.2 Contract handling
We want to offer you the best possible service. We therefore process personal data in connection with the initiation, administration and handling of contractual relationships, e.g. to deliver an order or provide a service. Contract handling also includes any personalisation of services we may agree to provide to you. In particular, we use master data, contract data, communication data, behavioural and transaction data, and preference data.
The purpose of contract handling generally includes everything that is necessary or expedient to conclude, perform and, if necessary, enforce a contract.
This includes, for example, processing data:
- to make decisions as to whether and how (e.g. using what payment options) we enter into a contract with you (including the credit check);
- to provide contractually agreed services, e.g. to deliver goods, provide services and functionalities (including personalised service components);
- to provide customer services and measure customer satisfaction;
- to invoice you for our services and for our bookkeeping in general;
- to plan and prepare for the provision of our services, e.g. scheduling our employees;
- to verify the suitability of job applicants and, if necessary, to prepare and conclude the employment contract;
- to ascertain whether we wish to and are able to work with a company and to monitor and assess its performance;
- to prepare and carry out corporate transactions, e.g. company acquisitions, sales and mergers;
- to enforce legal claims arising from contracts (debt collection, legal proceedings, etc.);
- to manage and administer our IT and other resources;
- to store data within the scope of our data retention obligations;
- to give notice of termination of contracts and to bring them to an end.
6.3 Information and marketing
We want to make you attractive offers. We thus process personal data to maintain relationships and for marketing purposes, e.g. to send you written and electronic messages and offers and to carry out marketing campaigns. These may be our own offers or those of advertising partners. Messages and offers can also be personalised in order to send you only information that is likely to be of interest to you. Specifically, we use master data, contract data, communication data, behavioural data, transaction data and preference data, as well as image and sound recordings for this purpose.
This may involve the following messages and offers, for example:
- newsletters, promotional e-mails, in-app messages and other electronic messages;
- advertising brochures, magazines and other printed material;
- advertising messages and advertising spots on screens and other advertising spaces;
- invitations to events.
Where we have not separately asked for your consent to contact you for marketing purposes, you can refuse such contact at any time (see section 14). In the case of newsletters and other electronic communications, you can usually unsubscribe from the service in question via an unsubscribe link integrated within the message.
The personalisation of our communications enables us to tailor information to your individual needs and interests and, where possible, provide you only with offers that are relevant to you.
6.4 Market research and product development
We want to continuously improve our offers and make them more attractive to you. We therefore process personal data for market research and product development purposes. In particular, we process master data, behavioural data, transaction data and preference data, as well as communications data and information from customer surveys, polls and studies and other data, e.g. from the media, the internet and other public sources. As far as possible, we use pseudonymised or anonymised data for these purposes.
Market research and product development include, in particular:
- conducting customer surveys, polls and studies;
- further development of the products and services we offer;
- assessing and improving the acceptance of the products and services we offer and our communication in connection with those offers;
- optimising and improving the user-friendliness of websites and apps;
- reviewing and improving our internal processes;
- training and continuing education of our employees;
- carrying out statistical analyses, e.g. to evaluate information about our customers' interactions with us on a non-person-specific basis;
- assessment of the situation in terms of available products and services in a particular market and the behaviour of our competitors;
- market observation, e.g. to understand and react to current developments and trends.
6.5 Security and fraud prevention
We want to ensure your and our security and prevent misuse. We therefore also process personal data for security purposes, to ensure IT security, to prevent theft, fraud and misuse, and for evidentiary purposes. This may relate to all categories of personal data referred to in section 4, in particular behavioural and transaction data as well as image and sound recordings. We may collect, analyse and store this data for the purposes referred to.
The purpose of security and prevention of fraud includes, for example
- analysing automatically created logs on the use of our systems (log data);
- the prevention, defence against and detection of cyberattacks and malware attacks;
- analyses and testing of our networks and IT infrastructures as well as system and error checks;
- control of access to electronic systems (e.g. logins to user accounts);
- physical access controls (e.g. access to office premises)
- documentation purposes and creation of backup copies.
6.6 Compliance with legal requirements
We want to establish the conditions that will allow us to comply with legal requirements. We therefore also process personal data in order to comply with legal obligations and to prevent and detect offences. This includes, for example, the receipt and processing of complaints and other reports, compliance with orders from a court or public authority and measures to detect and investigate misuse. This may relate to all of the categories of personal data mentioned in section 4.
Compliance with legal requirements includes in particular:
- investigations relating to business partners;
- receipt and processing of complaints and other reports;
- conducting internal investigations;
- ensuring compliance and risk management;
- the disclosure of information and documents to authorities if we have an objective reason or a legal obligation to do so;
- co-operation in external investigations, e.g. by a law enforcement or supervisory authority;
- safeguarding data security as required by law;
- compliance with disclosure, information or reporting obligations, e.g. in connection with supervisory and tax law obligations, e.g. archiving obligations and for the prevention, detection and investigation of criminal offences and other violations;
- combatting money laundering and terrorist financing, as prescribed by law.
In all cases, this may involve Swiss law, but also foreign law to which we are subject, as well as self-regulation, industry and other standards, our own corporate governance or official directives.
6.7 Enforcement of rights
We want to be able to assert our claims and defend ourselves against the claims of others. We therefore also process personal data for purposes of our own legal defence, e.g. to enforce claims in court, pre-proceedings or outside of court proceedings and before authorities in Switzerland and abroad, or to defend ourselves against claims. Depending on the specific case, we process various kinds of personal data, e.g. contact details and information about processes that have given or could give rise to a dispute.
The purpose of enforcing rights includes in particular:
- investigation and enforcement of our claims, which may also include claims by companies affiliated with us and our contractual and business partners;
- defending against claims raised against us, our employees, companies affiliated with us and against our contractual and business partners;
- investigation of litigation prospects and other legal, economic and other issues;
- participation in proceedings before courts and authorities in Switzerland and abroad. For example, we may secure evidence, investigate the prospects of success in litigation or submit documents to a public authority. The authorities may also require us to submit documents and data carriers containing personal data.
6.8 Internal Group administration and support
We want to organise our own internal processes efficiently. We therefore process personal data for purposes of our internal group administration. In particular, we process master data, contract data and technical data, as well as behavioural and transaction data and communication data.
Internal Group administration includes, in particular:
- management and administration of the register of members and of our own shareholders;
- management of our IT;
- accounting;
- archiving of data and management of our archives;
- training and education, e.g. if we analyse recordings from telephone, video or other communications;
- centralised storage and management of data used by multiple Sisag Group companies;
- forwarding enquiries to the relevant departments or companies, e.g. if you send an enquiry to a Sisag company that relates to another company;
- the sale of receivables, where we provide the purchaser with information about the reason for and amount of the receivable and, if applicable, the creditworthiness and behaviour of the debtor;
- generally reviewing and improving internal processes.
Like any group of companies, the Sisag Group has an overall interest in the success of business activities of the group companies, and our group companies in turn have an interest in their own activities and their own processing purposes. We may thus also disclose personal data to other companies of the Sisag Group in order to support their own processing purposes in accordance with this Privacy Policy, in the overall interests of the Sisag Group. Further information can be found in section 8.
7 On what legal basis do we process personal data?
Depending on the purpose of the data processing, our processing of personal data is undertaken on various legal bases. We may process personal data, in particular, if the processing:
- is necessary for performance of a contract with the data subject or for pre-contractual measures (e.g. to review a request to conclude a contract with us);
- is necessary for the protection of legitimate interests;
- is based on consent;
- is required to comply with domestic or foreign law.
In particular, we have a legitimate interest in processing data for the purposes described above in section 6 and in the disclosure of data in accordance with section 8 and the associated purposes. Legitimate interests include our own interests and those of third parties.
These legitimate interests include, for example, the interest
- in good customer service, maintaining contact and communicating with customers outside of a contract;
- in advertising and marketing activities;
- in getting to know our customers and other people better;
- in improving products and services and developing new ones;
- in intra-group administration and intra-group interaction, which is required in a group which involves a division of labour;
- in ensuring mutual support of the Group companies in their activities and objectives;
- in protecting customers, employees and other persons and data, secrets and assets of the Sisag Group;
- in ensuring IT security, especially in connection with the use of websites, apps and other IT infrastructure;
- in ensuring and organising business operations, including the operation and further development of websites and other systems;
- in the management and development of the company;
- in the sale or purchase of companies, parts of companies and other assets;
- in enforcing or defending against legal claims;
- in ensuring compliance with Swiss and foreign law as well as internal directives.
8 To whom do we disclose personal data?
8.1 Within the Sisag Group
We may pass on personal data that we receive from you or from third-party sources to other companies in the Sisag Group. Disclosure may be undertaken for internal group administration or to support the group companies in question and their own processing purposes (section 6), for example if we are providing support in personalising marketing activities, developing and improving products and services, performing credit checks or in efforts to prevent theft, fraud and abuse. The personal data received may also be compared and linked with existing personal data by the group companies in question.
This may involve the following data disclosures, for example:
- all categories of personal data mentioned in section 4 for administering and handling contractual relationships, in particular in connection with products and services that include services by several group companies;
- security-relevant information for security purposes and compliance with legal requirements;
- information needed for assistance in enforcing rights.
Further information on the companies belonging to the Sisag Group can be found in section 2.
8.2 Outside the Sisag Group
We may pass on your personal data to companies outside the Sisag Group if we make use of their services. Generally, these service providers process personal data on our behalf as "contract processors". Our contract processors are obliged to process personal data exclusively in accordance with our instructions and to take appropriate data security precautions. Certain service providers also become co-controllers together with us or they are themselves data controllers (e.g. collection agencies). We ensure that data protection is safeguarded throughout the processing of your personal data, by our selection of service providers and through suitable contractual agreements.
This involves services in the following areas, for example:
- forwarding and logistics, e.g. for the dispatch of ordered goods;
- advertising and marketing services, e.g. for sending communications and information;
- corporate administration, e.g. accounting or asset management;
- payment services;
- creditworthiness information;
- collection services;
- IT services, e.g. services in the areas of data storage (hosting), cloud services, sending of e-mail newsletters, data analysis and refinement, development, etc;
- consultancy services, e.g. services provided by tax consultants, lawyers, business consultants or consultants in the field of personnel recruitment and placement.
In individual cases, it is also possible that we may pass on personal data to other third parties, e.g. if you have given us your consent or if we are legally obliged or authorised to do so. In these cases, the recipient of the data is a separate controller under data protection law.
This includes, for example, the following cases:
- the transfer of receivables to other companies such as collection agencies;
- the review or implementation of transactions under corporate law, such as company acquisitions, sales and mergers;
- the disclosure of personal data to courts and authorities in Switzerland and abroad, e.g. to criminal prosecution authorities in the event of suspected criminal offences;
- the processing of personal data in order to comply with a court order or official order or to assert or defend against legal claims, or if we consider this necessary for other legal reasons. We may also disclose personal data to other parties involved in proceedings.
Please also note our cookie information on independent data collection by third-party providers whose tools we have integrated on our websites and apps.
9 How do we disclose personal data abroad?
We process and store personal data mostly in Switzerland and the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and other recipients (see section 8) who are located outside those territories or who process personal data outside those territories, and who may in principle be located in any country in the world. The countries in question may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner.
One means of ensuring adequate data protection is, for example, the conclusion of data transfer agreements with the recipients of your personal data in third countries, which ensure the necessary level of data protection. These include agreements that have been approved, issued or recognised by the European Commission and the Swiss Federal Data Protection and Information Commissioner; referred to as standard contractual clauses. Please note that such contractual precautions can partially compensate for weaker or missing legal protection, but cannot completely eliminate all risks (e.g. government intervention abroad). In exceptional cases, the transfer to countries without adequate protection may also be permitted in other cases, e.g. based on consent, in connection with legal proceedings abroad or if the transfer is necessary for the performance of a contract.
10 How do we process sensitive personal data?
Certain types of personal data are considered “sensitive" under data protection law, e.g. information on health and biometric characteristics. Depending on the specific case, the categories of personal data mentioned in section 4 may also include such sensitive personal data. However, we generally only process sensitive personal data if this is necessary for the provision of a service, if you have provided us with this data yourself or if you have consented to the processing. We may also process sensitive personal data if this is necessary to uphold the law or comply with domestic or foreign legal provisions, if the data in question has obviously been publicly disclosed by the data subject or if the applicable law otherwise permits its processing.
11 Do we make automated individual decisions?
An "automated individual decision" is a decision that is made completely automatically, i.e. without human involvement, and that has legal consequences for the data subject or significantly affects them in some other way. As a rule, we do not do this, but we will inform you separately if we use automated individual decisions in individual cases. You will then have the option of having the decision reviewed by a human being if you do not agree with it.
12 How do we protect personal data?
We take appropriate security measures of a technical and organisational nature to protect the security of your personal data, to protect it against unauthorised or unlawful processing and to counteract the risk of loss, unintentional alteration, unwanted disclosure or unauthorised access. However, like all companies, we cannot rule out data security breaches with absolute certainty; certain residual risks are unavoidable.
Security measures of a technical nature include, for example, the encryption and pseudonymisation of data, logging, access restrictions and the creation of backup copies. Security measures of an organisational nature include, for example, instructions to our employees, confidentiality agreements and controls. We also oblige our contract processors to take appropriate technical and organisational security measures.
13 For how long do we process personal data?
We process and store your personal data for
- as long as it is necessary for the purpose of processing or for compatible purposes – in the case of contracts this is generally at least for the duration of the contractual relationship;
- as long as we have a legitimate interest in storing it. This may be the case in particular if we require personal data in order to enforce or defend against claims, for archiving purposes and to ensure IT security;
- for so long as the data is subject to a statutory retention obligation. For example, some data is subject to a ten-year retention period. For other data, shorter retention periods apply, e.g. for recordings from video surveillance or for records of certain processes on the internet (log data).
In certain cases, we will also ask for your consent if we wish to retain personal data for longer (e.g. for job applications that we wish to keep on file). We will erase or anonymise your personal data after the aforementioned periods have expired.
14 What rights do you have in connection with the processing of your personal data?
You have the right to object to data processing, especially if we process your personal data on the basis of a legitimate interest and the other applicable requirements are met. You can also object to data processing in connection with direct marketing (e.g. advertising e-mails) at any time.
Insofar as the applicable requirements are met and no statutory exceptions apply, you also have the following rights:
- the right to request information about your personal data stored by us;
- the right to have inaccurate or incomplete personal data rectified;
- the right to request the erasure or anonymisation of your personal data;
- the right to request the restriction of the processing of your personal data;
- the right to receive certain personal data in a structured, commonly used and machine-readable format;
- the right to withdraw consent with effect for the future, insofar as processing is based on consent.
Please note that these rights may be restricted or excluded in individual cases, e.g. if there are doubts about your identity or if this is necessary to protect other persons, to safeguard protectable interests or to comply with legal obligations.
You can unsubscribe from newsletters and other advertising e-mails by clicking on the corresponding link at the end of the e-mail. You can also contact us in accordance with section 15 if you wish to exercise one of your rights or if you have questions about the processing of your personal data.
You are also free to lodge a complaint with a competent supervisory authority if you have concerns as to whether the processing of your personal data complies with the law.
- The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
15 How can you contact us?
If you have any questions about this Privacy Policy or the processing of your personal data, you can contact the Group company acting as the controller for it by using the contact details provided on its website.
You can also contact us as follows:
Sisag Holding AG
Militärstrasse 3
6467 Schattdorf
This email address is being protected from spambots. You need JavaScript enabled to view it.
+41 41 875 07 11
You can also contact our data protection officer or our representative in the European Union or the European Economic Area:
- Data Protection Officer: Sisag Holding AG, Data Protection Officer, Militärstrasse 3, 6467 Schattdorf, This email address is being protected from spambots. You need JavaScript enabled to view it.
16 Amendments to this Privacy Policy and translation
This Privacy Policy may be amended over time, in particular if we change our data processing methods or if new legislation becomes applicable. We will actively inform persons and companies whose contact details are registered with us of any significant changes, if this is possible without disproportionate effort. In general, the current version of the Privacy Policy in force at the start of the relevant processing applies to data processing.
In case of doubt, the German version of this Privacy Policy applies.
17 Cookie information
What is this about?
This cookie information describes how and why we collect, process and use personal and other data when you use our websites and software products, particularly in connection with cookies and similar technologies. In the text below, for the sake of simplicity, we refer to websites in general, but we also mean mobile apps.
Who is responsible for data processing?
In principle, a single company of the Sisag Group ("we" or "us") is responsible under data protection law for the processing of personal data in accordance with this cookie information (controller). As a rule, this is the company that drew your attention to this cookie information. If you have any questions about this cookie information or the processing of your personal data, you can contact the Group company acting as the controller in each case.
What is log data?
For technical reasons, every time you use our website, certain data is automatically collected and temporarily saved in log files. For example, the following technical data is collected:
- IP address of the requesting end device,
- information about your internet service provider,
- information about the operating system of your end device (tablet, PC, smartphone, etc.),
- details of the referring URL,
- information on the browser used,
- date and time of access, and
- content accessed when visiting the website.
This data is processed for the purpose of enabling the use of our webpages (establishing a connection) and ensuring their functionality, guaranteeing system security and stability and enabling the optimisation of our website as well as for statistical purposes.
The IP address is also analysed together with the other log data and any other data we may have in the event of attacks on the IT infrastructure or other potentially unauthorised or abusive use of the website for investigative and protection purposes and, if necessary, used in the context of criminal proceedings for identification and for civil and criminal proceedings against the persons in question.
What are cookies and similar technologies?
Cookies are files that your browser automatically saves on your end device when you visit our website. Cookies contain a unique identification number (an ID) that allows us to distinguish individual visitors from others, but usually without identifying them. Depending on the purpose for which they are being used, cookies contain further information, e.g. about the pages accessed and the duration of the visit to a page. We use both session cookies, which are erased when the browser is closed, as well as persistent cookies, which remain stored for a certain period of time after the browser is closed (usually between a few days and two years) and are used to recognise visitors during a subsequent visit.
We may also use similar technologies such as pixel tags, fingerprints and other technologies to save data in the browser. Pixel tags are small, usually invisible images or programme code that are loaded by a server and thereby transmit certain information to the server operator, e.g. whether and when a website was visited. Fingerprints are information that is collected when you visit a website via the configuration of your end device or your browser and that make your end device distinguishable from other devices. Most browsers also support other technologies for storing data in the browser, similar to cookies, which we can also use (e.g. "web storage").
How can cookies and similar technologies be deactivated?
In some cases, you have the option of activating or deactivating certain categories of cookies via a button displayed in the browser when you access our website. You can also configure your browser settings to block certain cookies or similar technologies or to delete existing cookies and other data stored in the browser. You can also add software ( "plug-ins") to your browser that blocks tracking by certain third parties. You can find out more about this in the help pages of your browser (usually under the keyword "Privacy"). Please note that if you block cookies and similar technologies, our websites may no longer function to their full extent.
What types of cookies and similar technologies do we use?
We use the following types of cookies and similar technologies:
- Necessary cookies: Necessary cookies are required for the use of the website and its functionalities. These cookies ensure, for example, that you can navigate between pages without losing the information entered in a form or the products placed in a shopping cart.
- Performance cookies: Performance cookies collect information about how a website is used and enable us to carry out analyses, e.g. which pages are the most popular and how visitors move around a website. These cookies are used to simplify and speed up your visit to the website and generally improve user-friendliness.
- Functional cookies: Functional cookies enable us to provide enhanced functionalities and display personalised content. These cookies allow us, for example, to save information you have already entered (e.g. language selection) or to show you products that you might also like based on the articles you have viewed.
- Marketing cookies: Marketing cookies help us and our advertising partners to display to you on our websites and on third-party websites adverts for products or services that may be of interest to you, or to display our adverts when you continue to use the internet after visiting our websites.
How do we use cookies and similar technologies from other companies?
The cookies and/or similar technologies we use may originate from us or from third-party companies, e.g. if we use functions provided by third parties. Such third-party providers may also be located outside Switzerland and the European Economic Area (EEA), provided that the protection of your personal data is ensured in an appropriate manner.
For example, we use analytics services to evaluate how you use our websites in order to optimise and personalise them. Cookies and similar technologies from third-party providers also enable those providers to target you with individualised advertising on our websites or on other websites and social networks that also collaborate with that third party and to measure how effective advertisements are (e.g. whether you have reached our website via an advertisement and what actions you then perform on our website).
Third-party providers can record the use of the website in question. Those recordings can be linked by the respective provider with similar information from other websites. The behaviour of certain users can thus be tracked across multiple websites and devices. The respective provider can often also use this data for its own purposes, e.g. for personalised advertising on its own website and on other websites that it supplies with advertising. If users are registered with the provider, the provider can attribute the usage data to the person in question. The processing of such personal data is carried out here by the provider as the controller and in accordance with its own data protection provisions.
Two of the most important third-party providers are Google and Facebook. You will find further information on these below. Other third-party providers generally process personal and other data in a similar way.
Google Analytics and Google Firebase
Many of our websites use Google Analytics, an analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland; referred to in the aggregate as “Google”; please note that Google Ireland Ltd. is responsible for the processing of personal data). Google uses cookies and similar technologies to collect certain information about the behaviour of individual users on or in the relevant website and the end device used (tablet, PC, smartphone, etc.) (e.g. how often you have visited our website, how many purchases you have made or what you are interested in, as well as data about the end device you are using, such as the operating system). You can find further information under this link.
We have configured the service so that the IP addresses of visitors to the websites are truncated by Google within Europe before being forwarded to the USA, so that they cannot be traced back to those users. Google provides us with reports and in this sense can be regarded as a contract processor working on our behalf. However, Google also processes certain data for its own purposes. Google may be able to draw inferences about the identity of visitors to the websites based on the data collected and therefore create personal profiles and link the data obtained with any existing Google accounts of these persons. You can find information on data protection in Google Analytics here, and if you have a Google account yourself, you can find more information here.
How do we use social media?
We may operate our own pages on social media networks and similar third-party platforms (e.g. Facebook fan pages, Linkedin, Instagram). If you communicate with us via such websites or comment on or share content from us, we will collect the relevant information and process it in accordance with our Privacy Policy. We have the right, but not the obligation, to check content before or after its publication and to erase content without notification, insofar as this is technically possible, or to report it to the provider of the platform in question. In the event of a violation of the rules governing decency and conduct, we may also report the relevant user account to the platform provider for blocking or deletion.
When you visit our social media pages, data (e.g. on your user behaviour) may also be transmitted directly to the provider in question or collected by the provider and processed together with other data already known to it (e.g. for marketing and market research purposes and to personalise platform content). Insofar as we are deemed co-controllers together with the provider for certain processing operations, we will enter into a corresponding agreement with the provider, the essential content of which you can obtain from the provider. Further information on data processing by social media providers can be found in the privacy policies of the relevant social media.
Amendments to this cookie information
This cookie information may be amended over time, in particular if we change our data processing methods or if new legislation becomes applicable. In general, the version of the cookie information which is current at the start of the relevant processing applies to data processing.
We use the free open-source software Matomo (formerly Piwik) to statistically evaluate the use of our webpages without any reference to the identity of private individuals.