Ali Asghar Nazari Shirehjini, Member of the Board of Directors
Herbert Sterchi, Director, mobile: +41 79 448 31 28
Types of data processed
– Master data (e.g., personal master data, names or addresses).
– Contact details (e.g., e-mail, telephone numbers).
– Content data (e.g., text input, photographs, videos).
– Usage data (e.g., visited websites, interest in content, access times).
– Meta/communication data (e.g., device information, IP addresses).
Categories of data subjects
Visitors and users of our online content (hereinafter referred to collectively as “users”).
– Provision of the online content, their functions and contents.
– Responding to contact requests and communication with users.
– Security measures.
– Reach measurement/marketing.
“Personal data” refers to all information relating to an identified or identifiable natural person (hereinafter a “data subject”); a natural person is regarded as identifiable, if they can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online ID (e.g. cookies) or with one or several special features reflecting the physical, physiological, genetic, psychic, economic, cultural or social identity of that natural person.
“Processing” means any operation or series of operations carried out with or without the aid of automated procedures relating to personal data. The term is broad and covers virtually every aspect of dealing with data.
“Pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person.
“Controller” refers to the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, authority, institution or other body processing personal data on behalf of the controller.
Primary legal bases
The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR;
the legal basis for processing associated with the performance of our services and performing contract-related activities, as well as for answering inquiries, is Art. 6(1)(b) GDPR;
the legal basis for processing to fulfil our legal obligations is Art. 6(1)(c) GDPR;
Art. 6(1)(d) GDPR serves as the legal basis in cases where processing personal data is necessary in order to protect the vital interests of the data subject or those of another natural person. The legal basis for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is Art. 6(1)(e) GDPR. The legal basis for processing in pursuit of our legitimate interests is Art. 6(1)(f) GDPR. Processing data for purposes other than those for which it was collected is governed by the provisions of Art. 6(4) GDPR. Processing special categories of data (according to Art. 9(1) GDPR) is governed by the provisions of Art. 9(2) GDPR.
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons, in accordance with applicable laws and regulations.
Such measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation. Furthermore, we have established procedures that guarantee the exercise of data subjects’ rights, erasure of data and reaction to data risks. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.
Cooperation with processors, joint controllers and third parties
If we disclose data to other persons and companies (processors, joint controllers or third parties) within the scope of our processing, transmit the data to them or otherwise grant them access to the data, this shall only take place on the basis of statutory authority (e.g. if transmission of the data to third parties, such as payment service providers, is necessary for performance of the contract), if the respective user has consented, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
Insofar as we disclose, transmit or otherwise grant access to data to other companies within our group of affiliated companies, this is done for administrative purposes in particular in furtherance of a legitimate interest and beyond that on a basis corresponding to applicable laws and regulations.
Data transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to other persons or enterprises, this will only be done if it occurs for the fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to express consent or transfer as required by contract, we will only process or release the data in third countries in which a recognised level of data protection prevails, including US processors certified under the Privacy Shield, or on the basis of special guarantees, such as contractual obligations in the form of so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, Information page of the EU Commission).
Rights of Data Subjects
Right of access: You have the right to request confirmation as to whether the data concerned is being processed and to request information about this data as well as further information and a copy of the data in accordance with applicable laws and regulations.
Right to rectification: In accordance with applicable laws and regulations, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
Right to erasure and restriction of processing: In accordance with applicable laws and regulations, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction on the processing of such data.
Right to data portability: In accordance with applicable laws and regulations, you have the right to receive data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to request the transmission of such data to another controller.
Complaints to supervisory authorities: In accordance with applicable laws and regulations, you have a right to lodge a complaint with a supervisory authority.
Right of withdrawal
You have the right to withdraw any consent you have previously granted with effect for the future.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling, to the extent that it is related to such direct marketing.
Cookies and right to object to direct marketing
Cookies refer to small files that are stored on the user’s computer. Different data can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to a website. Temporary cookies, also called session cookies or transient cookies, are cookies that are deleted after a user leaves a website and closes their browser. For example, the content of a shopping cart in an online shop or the login status can be stored in a cookie of this nature. Cookies are referred to as permanent or persistent if they remain saved even after the browser is closed. For example, the login status can be saved so that it is still available when users visit a site again after several days have passed. Likewise, interests expressed by users may be stored in such a cookie for purposes of reach measurement or marketing. Third-party cookies are cookies that are offered by providers other than the controller who operates the online offering (otherwise, if the only cookies are run by the controller, they are referred to as first-party cookies).
Erasure of data
If data is not erased because it is necessary for other, legally permissible purposes, its processing will be restricted. In this case, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.
In addition, we process
– contract data (e.g., subject matter of contract, duration, customer category).
– payment data (e.g. bank details, payment history)
from our customers, prospective customers and business partners for the purpose of providing contractual services, other services and customer care, marketing, advertising and market research.
We process data from our customers within the scope of our contractual services, whereby such services include conceptual and strategic consulting, campaign planning, software and design development / consulting or maintenance, implementation of campaigns and processes / handling, server administration, data analysis / consulting services and training services.
In this context, we process master data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., subject matter of contract, term), payment data (e.g., bank details, payment history), usage and metadata (e.g., within the scope of evaluating and measuring the success of marketing measures). As a rule, we do not process special categories of personal data unless such data are components of commissioned processing. Data subjects include our customers, prospective customers and their customers, users, website visitors or employees as well as third parties. The purpose of the processing is to provide contractual services, perform billing and provide our customer service. The legal basis for such processing is derived from Art. 6(1)(b) GDPR (contractual services) and Art. 6(1)(f) GDPR (analysis, statistics, optimisation, security measures). We process data that is necessary for purposes of creating and performing a contractual relationship and note the necessity of providing such data. This data is only disclosed to third parties if necessary within the scope of a contract. When processing the data provided to us within the scope of a contract, we shall act in accordance with the instructions of the customer and the statutory requirements for commissioned data processing pursuant to Art. 28 GDPR and shall not process the data for any purposes other than those specified in the contract.
We delete such data after expiration of legal warranty and comparable obligations. The need to retain such data is reviewed every three years. If retention is mandated by statutory archiving obligations, the respective data is deleted upon expiry of the relevant periods (six years pursuant to section 257 (1) German Commercial Code (HGB); ten years pursuant to section 147 (1) German Fiscal Code (AO)). In the case of data provided to us by a client within the scope of a contract, we delete such data as provided in the contract; as a rule, this is at the end of the respective contract.
Users can create a user account. As part of registration, mandatory data will be communicated to the users and processed on the basis of Art. 6(1)(b) GDPR for the purpose of providing a user account. Without limitation, processed data includes login details (name, password and an e-mail address). Data entered during registration will be used for the purpose of using the user account and its associated purposes.
Users may be informed by e-mail of information relevant to their user account, such as technical changes. If users have terminated their user account, their data related to the user account will be deleted, subject to any statutory retention obligation. It is the responsibility of the users to back-up their data before the end of the contract in the event of termination. We are entitled to irretrievably delete any and all user data stored during the term of the contract.
We store the IP address and the time of the respective user action as part of our registration process, when using the login functions and when using the user account. Such storage is based on our legitimate interest, as well as that of the user, in protecting against abuse and other unauthorized use. As a rule, no data is shared with third parties unless necessary for the enforcement of our rights or there is a legal obligation requiring disclosure pursuant to Art. 6(1)(c) GDPR. IP addresses are anonymized or deleted after no later than 7 days.
When contacting us (e.g. by contact form, e-mail, telephone or via social media), the user’s details are stored for processing the contact enquiry and responding as appropriate pursuant to Art. 6(1)(b) (within the scope of contractual/pre-contractual relationships) and Art. 6(1)(f) GDPR (other inquiries). User information can be stored in a Customer Relationship Management System (“CRM System”) or comparable enquiry organisation system.
We delete enquiries once there is no further need for retention. We review such need every two years. Statutory archiving obligations are additionally applicable.
The following is to inform you about our newsletter, its content and procedures regarding registration, distribution and statistical evaluation, as well as your rights to object. By subscribing to our newsletter, you agree to receive the newsletter and agree to the related procedures for its distribution, etc.
Newsletter content: We send newsletters, emails and other electronic notifications containing advertising information (hereinafter referred to as “newsletters”) only with the express consent of recipients or with statutory permission. If registration for the newsletter involves a specific description of its content, then this description is the basis on which users agree to receive newsletters. In addition, our newsletters contain information about our services and us.
Double opt-in and logging: Subscription to our newsletter takes place using a process known as double opt-in. This means that after registration you will receive an e-mail asking you to confirm your registration. The confirmation is required to ensure that no one else can subscribe using your email address. A record of subscriptions to the newsletter is kept to fulfil applicable legal requirements for recording the subscription process. The record contains the time of subscription and confirmation as well as the relevant IP address. Any changes to the data registered with the service provider sending the newsletter will also be recorded.
Registration data: To subscribe to the newsletter, simply enter your e-mail address. Optionally, we ask you to enter a name for the newsletter, so that we can address you personally.
The dispatch of the newsletter, and associated performance measurements, are based on the recipient’s consent pursuant to Art. 6(1)(a), Art. 7 GDPR in conjunction with section 7 (2) no. 3 Act against Unfair Competition (UWG) or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Art. 6(1)(f) GDPR in conjunction with section 7 (3) UWG.
The registration procedure is recorded on the basis of our legitimate interests pursuant to Art. 6 (1)(f) GDPR. Our interest lies in the use of a user-friendly and secure newsletter system, which serves both our business interests and the expectations of the users and also allows us to have verification of consent.
Cancellation/Revocation. You can cancel your subscription to our newsletter at any time by revoking your consent to receive it. You will find a link to unsubscribe at the end of each newsletter. We may store the e-mail addresses we have unsubscribed for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previous grant of consent. Processing of this data is limited to the use in the defence against potential claims. An individual request for deletion can be submitted at any time, provided that, at the same time, the grant of prior consent is confirmed.
Newsletter – Performance measurement
The newsletters contain a so-called “web-beacon”, i.e. a file the size of a pixel, which is retrieved from our server when the newsletter is opened or, if we use a delivery service provider, from its server. Technical information such as information about the browser and your system, as well as your IP address and time of retrieval are collected when this data is retrieved.
This information is used for the technical improvement of services on the basis of technical data or target groups and their browsing behaviour on the basis of their retrieval points (which can be determined with the help of the IP address) or access times. Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. It is possible on technical grounds to associate this information with individual newsletter recipients. It is, however, neither our desire nor, if used, that of the delivery service provider to monitor individual users. On the contrary, the evaluations help us to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
Unfortunately, it is not possible to separately revoke consent to these performance measurement efforts. If this is desired, the entire newsletter subscription must be cancelled.
Hosting and e-mail delivery
The hosting services we use are in furtherance of the provision of the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this online offering.
In this context we, or our hosting provider, process master data, contact data, content data, contract data, usage data, meta data and communications data from our customers, potential customers and visitors to our website in pursuit of our legitimate interest in the efficient and secure provision of website offerings in accordance with Art. 6(1)(f) GDPR in conjunction with Art. 28 GDPR (conclusion of a contract processing agreement).