Version dated 1 July 2018
2. Collection and processing of personal data
The personal data we process comes primarily from our customers, business partners and other related parties as part of our business relationships with them, or is collected from users of our websites, apps and other applications.
Where permitted, we also retrieve certain data from public sources or from other companies, authorities and other third parties. In addition to the data relating to you that you share with us directly, the categories of personal data relating to you that we obtain from third parties include, in particular, information from public registers, information we receive in connection with official and judicial proceedings, information in connection with your professional roles and information about you in correspondence and discussions with third parties, information pertaining to creditworthiness (where we enter into transactions with you personally), information about you that we are given by people connected with you (e.g. family, advisors or legal representatives) which allows us to enter into and execute contracts with or involving you (e.g. references, your delivery address, power of attorney, information relating to compliance with statutory regulations such as money laundering prevention and export restrictions, information from banks, insurance companies or our distribution and other contractual partners that allows you to use or provide services, e.g. payments and purchases), information about you from media and the Internet (where appropriate in each case, e.g. for the purposes of an application, press review, marketing or sales), your addresses and potentially interests and other socio-demographic data (for marketing) and data in connection with your use of the website (e.g. your IP address, the MAC address of your smartphone or computer, information about your device and settings, cookies, the date and time of your visit, the pages and content you accessed, the features you used, the referrer URL and location information).
3. Purposes of data processing and legal basis
First and foremost, we use the personal data we collect to enter into and perform contracts with our customers and business partners, especially in connection with the provision of our services for our customers and the procurement of products and services from our suppliers and subcontractors, as well as the fulfilment of our statutory obligations in Switzerland and abroad. If you work for such a customer or business partner, your personal data might also be affected in connection with this role.
Furthermore, where admissible and where we deem it appropriate, we process your personal data and the personal data of other people for the following purposes in which we (and sometimes also third parties) have a legitimate interest that is consistent with the purpose:
The provision and development of our products, services, websites, apps and other platforms on which we are present;
communication with third parties and processing of their enquiries (e.g. applications and media enquiries);
examination and optimisation of methods of analysing demand for the purposes of contacting customers directly and collecting personal data from public sources for the purposes of customer acquisition;
advertising and marketing (including events) unless you have objected to the use of your data (if you are an existing customer and we send you promotional material, you can object at any time, in which case we will remove your name from our mailing lists);
market and opinion research;
filing of legal claims and defence in connection with legal disputes and official proceedings;
prevention and investigation of crimes and other misconduct (e.g. internal investigations and data analysis for fraud prevention);
to ensure that we remain operational, especially with regard to our IT, websites, apps and other platforms;
CCTV to ensure compliance with building regulations, other IT, building and facility security measures and measures designed to protect our staff and other personnel and assets belonging or entrusted to us (e.g. controlled access systems, visitor lists, network and email scanners, telephone recordings);
to purchase and sell business units, companies or parts of companies and other company law transactions and the related transmission of personal data, as well as business management measures and in order to comply with statutory and regulatory obligations and internal regulations of Heggli & Gubler AG.
Where you have provided us with your consent to the processing of your personal data for certain purposes (e.g. requesting receipt of newsletters during your registration, or for background checks), we will process your personal data within the scope and on the basis of that consent unless we have any other legal basis and require this. The consent can be withdrawn at any time, although this has no effect on data processed up to that point.
4. Cookies, tracking and other technology in connection with the use of our website
5. Sharing of data and transmission of data abroad
Where admissible and where we deem it appropriate, we share data with third parties as part of our business activities and for the purposes described in section 3 because they process the data for us or because they want to use the data for their own purposes. The third parties might be the following in particular:
Our service providers such as banks and insurers, including processors such as IT providers;
retailers, suppliers, subcontractors and other business partners;
national and international authorities, offices or courts;
media and the public, including visitors to websites and users of social media;
competitors, industrial organisations, associations, organisations and other bodies;
other parties in potential or actual legal proceedings;
all hereinafter referred to collectively as ‘Recipients’.
Some of these Recipients are in Switzerland but others might be in any country in the world. In particular, the data can be transmitted to any country in which our customers, their affiliated companies or business partners, service providers or experts reside. Where we transmit data to a country that does not provide an adequate level of data protection, we comply with the statutory regulations by using data protection contracts (based on the standard contractual clauses of the European Commission) or binding corporate rules to ensure an adequate level of data protection, or we rely on the statutory exceptions of consent, contract execution, the establishment, exercise or enforcement of legal claims, overriding public interests or published personal data or because it is necessary to protect the integrity of the data subjects. If not already available via the link below, a copy of the aforementioned contractual guarantees is available from the representative named in section 1. However, we reserve the right to redact copies or only provide excerpts for reasons of data protection or confidentiality.
6. Duration of retention of personal data
We process your personal data for as long as necessary to fulfil our contractual and statutory obligations or other purposes for which we are processing the data, i.e. for the term of the entire business relationship (from the initiation to the performance and termination of a contract), as well as in line with the statutory regulations on retention and documentation. It is possible that personal data may be retained for the period of time in which claims can be filed against our company and where we are otherwise legally obliged to do so or if our legitimate interests require it (e.g. for the purposes of evidence and documentation). Where possible, your personal data will be entirely erased or anonymised as soon as it is no longer required for the purposes outlined above. Operational data such as system logs and log files are generally subject to shorter retention periods of twelve months or less.
7. Data security
To protect your personal data from being accessed and misused, we have taken reasonable technical and organisational security precautions including issuing instructions, providing training, installing IT and network security solutions, implementing controlled and restricted access, encrypting data storage media and transmissions and performing pseudonymisation and checks.
8. Duty to make personal data available
As part of our business relationship, you are required to provide the personal data necessary for the initiation and execution of a business relationship and for the fulfilment of the related contractual obligations (you are not normally legally obliged to provide us with data). Without such data, we will generally be unable to enter into or execute a contract with you (or the body or person you represent). It may also be impossible to use the website if certain information is not disclosed for the purposes of securing the transmission of data (e.g. your IP address).
9. Rights of the data subject
As a rule, exercising such rights requires you to provide unequivocal evidence of your identity (e.g. by providing a copy of your personal identification if your identity is not otherwise clear and cannot be verified). You can contact us at the address provided in section 1 in order to exercise your rights.
Furthermore, every data subject has the right to enforce their claims in a court of law and to lodge a complaint with a supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC) (www.edoeb.admin.ch).
Based on DSAT.ch