Controller and data protection officer:
Types of data processed:
Processing of special categories of data (Art.
Categories of data subjects affected by the processing:
In the rest of the policy we also refer to data subjects collectively as “users”.
Purpose of the processing:
Last revised: 16.12.2020
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying probability and severity of the risk to the rights and freedoms of natural persons; the principal measures include safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access to, input, disclosure, safeguarding of availability and segregation of the data. We have also established procedures to ensure data subjects’ rights can be exercised, data erased and a response can be taken if data is compromised. We also already take the protection of personal data into account when developing and selecting hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Art. 25 GDPR).
The main security measures include the encrypted transmission of data between your browser and our server. As with any connection to a web server, the server of our web hosting provider cyon in Basel, Switzerland, logs and stores certain technical data. This data includes the IP address and the operating system of your device, the data, the access time, the type of browser and the browser request including the origin of the request (referrer). This is necessary for technical reasons so we can make our website available to you. cyon protects this data from unauthorised access by a variety of technical and organisational measures and does not pass the data on to third parties. Where we process personal data in this context, we do so based on our interest in providing you with the best possible user experience and to safeguard the security and stability of our systems.
4.1 If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant them access to the data, we will do so only if this is legally permissible (e.g. if the transmission of the data to third parties, such as to payment service providers, is necessary to perform the contract pursuant to Art. 6(1)(b) GDPR), you have consented, or a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
4.2. If we appoint third parties to process data on the basis of a “processing agreement”, we will only do so pursuant to Art. 28 GDPR.
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or do so in the context of using third-party services or disclosing, or transmitting data to third parties, we will do so only if this is done to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permission, we will process or permit the processing of data in a third country only if the special requirements of Art. 44 et seq. GDPR apply. This means that processing is carried out, for example, on the basis of special guarantees, such as official acknowledgement that the level of data protection corresponds to that of the EU (e.g. in the case of the USA through the “Privacy Shield”) or compliance with officially recognised special contractual obligations (“standard contractual clauses”).
6.1 You have the right to request confirmation as to whether the data in question is being processed, to access this data, and to obtain further information and a copy of the data under Art. 15 GDPR.
6.2. You have the right under Art. 16 GDPR to request that your data is completed or that any errors in your data are rectified.
6.3. Under Art. 17 GDPR, you have the right to obtain the erasure of the data in question without delay or, alternatively, to demand restriction of the processing of the data under Art. 18 GDPR.
6.4. You have the right to request to receive the data concerning you that you have provided to us under Art. 20 GDPR and to request its transmission to other data controllers.
6.5. You also have the right to lodge a complaint with the competent supervisory authority under Art. 77 GDPR.
You have the right to withdraw consent granted in accordance with Art. 7 (3) GDPR with effect for the future.
You may object at any time to the future processing of your data under Art. 21 GDPR. The objection can be made in particular with respect to processing of your data for the purpose of direct advertising.
10.2. In accordance with legal requirements, all bookkeeping and business correspondence is kept for 10 years pursuant to Art. 957 to 963 of the Swiss Code of Obligations. (commercial ledgers, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, books, records, management reports, accounting documents, commercial and business letters, electronic data traffic, documents relevant for taxation, etc.).
11.1. We process base data (e.g. names and addresses and contact data of users) and contract data (e.g. services used, names of contact persons and payment information) for the purpose of fulfilling our contractual obligations and services under Art. 6(1)(b) GDPR. The fields marked as mandatory in online forms are required for the contract to be entered into.
Users may at their discretion create a user account in which they can view their orders and perform other functions. During the registration process, users are provided with the required mandatory information. The user accounts are not public and cannot be indexed by search engines. If users have cancelled their user account, their data relating to the user account will be deleted, subject to mandatory retention for the purposes of commercial or tax law in accordance with Art. 6(1)(c) GDPR. It is the responsibility of the users to back up their data prior to the end of the contract where notice of termination has been given. We may irretrievably delete all of the user’s data stored during the term of the contract.
When users register, log back in or use our online services, we store the IP address and the time and date of the respective user action. We store this information based on our legitimate interests and those of the users to protect against misuse and other unauthorised use. This data is not passed on to third parties unless this is necessary for us to assert any claims that we may have or there is a legal obligation to do so under Art. 6(1)(c) GDPR.
We process usage data (e.g. the web pages of our online services visited or interest in our products) and content data (e.g. entries in the contact form or user profile) in a user profile for advertising purposes, e.g. in order to display product information to users based on the services they have used to date.
11.2. We delete this data after statutory warranty and comparable obligations expire. We review every three years the need to keep the data; in the case of statutory archiving obligations, we delete the data once these obligations expire (10 years); information is kept in the customer account until it is deleted.
12.1 When we are contacted (via the contact form or by email), the user’s details are processed for the purpose of dealing with the request for contact and its handling pursuant to Art. 6(1)(b) GDPR.
12.2 Users’ details may be stored in our customer relationship management system (“CRM system”) or comparable enquiry-handling system.
12.3 We use the “Gravity Forms” system provided by Rocket Genius, Inc. (1620 Centerville Turnpike, Suite 102, Virginia Beach VA 23464-6500, United States) on the basis of our legitimate interests (efficient and fast processing of user requests).
12.4 We delete the requests if they are no longer necessary. We review this necessity every two years; we permanently store requests from customers who have a customer account and refer the customer account details for deletion. Where statutory archiving obligations apply, we delete the data once these obligations expire (10 years).
13.1. We collect access data each time the server on which this service is located (server log files) is accessed and do so on the basis of our legitimate interests in accordance with Art. 6(1)(f) GDPR. The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification that the website has been successfully accessed, browser type and version, user’s operating system, referrer URL (page previously visited), IP address and the requesting provider.
13.2. Log file information is stored for security reasons (e.g. to clarify if misuse or fraud has occurred) for a maximum of seven days and then deleted. Data that needs to be stored for evidentiary purposes is exempt from deletion until the respective incident has been conclusively clarified.
17.1. Within our online services, we use the content or services of third-party providers on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and economically efficient operation of our online services in accordance with Art. 6(1)(f) GDPR) in order to integrate their content and services, such as videos or fonts (hereinafter uniformly “content”). This always presupposes that the third-party providers of this content are aware of the IP address of the users as without the IP address they would not be able to deliver the content to their browser. The IP address is thus required to display this content. We endeavour to only use content whose respective providers use the IP address solely to deliver the content. Third-party providers may also use pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. These pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, date and time of visit and other information about the use of our online services, and may also be linked to such information from other sources.
17.2. The following links provide an overview of third-party providers and their content, together with links to their privacy policies, which contain additional information on the processing of data and the opt-out rights, some of which have already been described here:
18.2. Google is certified under the Privacy Shield agreement and therefore provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google will use this information on our behalf to evaluate the use of our online services by users, to compile reports on the activities within these online services and to provide us with additional services related to the use of these online services and the use of the internet. Pseudonymous user profiles can be created from the processed data.
18.4. We use Google Analytics to display the ads placed within Google’s advertising services and those of its partners only to users who have also shown an interest in our online services or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Google (“remarketing”, or “Google Analytics audiences”). With the help of remarketing audiences, we also want to make sure our ads match the potential interest of the users and are not a nuisance.
18.5. We only use Google Analytics with IP anonymisation activated. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
18.6. The IP address transmitted by the user’s browser will not be combined with any other data held by Google. Users can prevent cookies from being stored by setting their browser software accordingly; users can also prevent the data generated by the cookie relating to their use of the online services from being collected and sent to and processed by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
18.7. You can find out more information about Google’s use of data, settings options and what the options to object are on the Google website: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when you use our partners’ websites or apps”), https://policies.google.com/technologies/ads (“Data use for advertising purposes”), https://adssettings.google.com/authenticated (“Managing information Google uses to display ads to you”).