Version 09.2023
I. General Information
With this data protection declaration, NRS Treuhand AG (hereinafter referred to as «NRS», «we» or «us») explains to its clients, users, business partners, applicants, authorities and other persons involved («you») how personal data is collected and processed in the company. Responsible handling of your personal data is very important to us.
We use the feminine and masculine form alternately in this data protection declaration. The respective designation also includes all other gender designations.
2. Person responsible for data protection issues
NRS Treuhand AG
Am Schanzengraben 23
Phone: +41 58 200 00 00
3. EU data protection representative
For natural persons with simple residence in countries of the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as well as for the country-specific supervisory authorities provided for under the GDPR, we designate the following person as EU Data Protection Representative pursuant to Art. 27 GDPR:
VGS Data Protection Partner GmbH
Am Kaiserkai 69
By way of introduction, we would like to clarify the most important terms used in the following for better understanding. In this regard, we generally adhere to the definitions from the Swiss Federal Act on Data Protection.
- Personal data: any information relating to an identified or identifiable natural person.
- Data subjects: natural persons about whom personal data are processed.
- Processing: any handling of personal data, regardless of the means and procedures used, in particular the acquisition, storage, retention, use, modification, disclosure, archiving, deletion or destruction of data.
- Responsible person: private person or federal body which alone or together with others decides on the purpose and means of processing.
- Data processor: private person or federal body that processes personal data on behalf of the data controller.
5. Legal basis of data processing
We comply with the applicable data protection regulations when processing personal data.
The processing of personal data must not unlawfully infringe the personality of the persons concerned. For this reason, such data processing must comply with the processing principles of data protection law and/or must be legitimised by a justification. In particular, we are legitimised to process personal data if the processing:
- is based on a legal basis
The processing of personal data may be required or legitimised by law (e.g. statutory retention obligations).
- is necessary for the performance of a contract with the data subject or for pre-contractual measures.
The essential part of the processing of personal data in our company is carried out within the framework of the fulfilment of contractual obligations (e.g. provision of services within the framework of our mandate relationships).
- is necessary for the exercise of legitimate interests on our part or on the part of third parties.
A legitimate interest on our part exists in particular if the processing of personal data is carried out within the scope of the processing referred to in para. 8 as well as the disclosure of data in accordance with para. 10 and the associated objectives.
- is based on consent
If the processing of personal data is based on your consent, we will inform you of this separately and transparently. You can revoke your consent with effect for the future at any time using the functions provided for this purpose (e.g. unsubscribe link for newsletters) or by notifying us in writing (cf. points of contact in sections 2 and 3 above). Upon receipt of your revocation, we will cease the data processing affected by it, unless we can base the processing on another justification.
- is necessary to comply with domestic and foreign legal requirements.
6. Categories of personal data
Depending on the services you use and the respective relationship between you and us, we process the following categories of personal data in particular:
- Master data: e.g. salutation, surname, first name, gender, date of birth, address and contact data such as address, telephone numbers, e-mail addresses, company for which you work (incl. contact information and contact person), language, client numbers, user names, financial information, AHV numbers.
- Contractual data: e.g. information relating to the initiation, conclusion, processing, administration and termination of contracts between you and us, information in connection with job applications [see also section 16 below], interaction history, financial and payment information such as creditworthiness, information in connection with the enforcement of claims, bank data.
- Communication data: e.g. master data, contract data, communication content from written, electronic and verbal correspondence (incl. social media posts and messages etc.), information from surveys, information on time, place, type etc. of communication, proof of identity, marginal data.
- Behavioural and transactional data: e.g. in connection with your use of our website, your visit to our sites, participation in events, competitions and surveys, use of electronic communication channels.
- Technical data: e.g. IP addresses, device IDs, details of the devices and applications you use and their settings, internet provider you use, user names, passwords [as hash values], information in connection with 2-factor authentication, log data, time and, if applicable, approximate location in the context of using our products and services.
- Marketing data: e.g. information on personal preferences and interests, subscriptions and unsubscriptions to newsletters, content of marketing correspondence.
- Image and sound recordings: e.g. recordings of telephone and video conference calls [only made after prior announcement and with your consent], recordings in connection with client and staff events.
Within the scope of application of the GDPR, this data is processed either for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in processing the enquiries addressed to us or based on your consent (Art. 6 para. 1 lit. a GDPR). The consent can be revoked at any time with effect for the future.
7. Origin of the data
To a large extent, we collect personal data directly from you as the data subject. This includes in particular master data, contractual data, communication data and marketing data. The collection of such personal data takes place in the context of the initiation and processing of business relationships and the use of our services. If you provide us with data on other persons (e.g. family members, business colleagues, employees), you must ensure that you are authorised to do so and that the data is correct. In addition, the persons concerned must be made aware of this data protection declaration in advance.
We may also collect personal data about you ourselves or automatically or derive it from existing data. This includes in particular behavioural and transaction data as well as technical data.
Finally, we also collect personal data from third parties to the extent permitted by law. Such third parties include, in particular, persons from your environment, business partners, employers, insurance companies, banks, authorities, official agencies, courts, parties and their legal representation in the context of legal disputes, etc. In addition, we may also collect personal data from public sources (e.g. credit agencies, social media).
8. Purpose of the data processing
We process the collected data in order to fulfil our legal and contractual obligations towards you and third parties. This includes, in particular, the initiation (incl. contact requests), administration and processing of contractual relationships.
We also process the data collected to ensure communication with you, to provide and improve the services you have requested, to manage your use of and access to our services, to maintain our business relationship with you, to carry out advertising and marketing activities (where we are authorised to do so, e.g. by obtaining your consent), to monitor and improve the performance of our services, to enforce or defend against legal claims, to identify, prevent or investigate illegal activities, to comply with laws and recommendations of domestic and foreign authorities and internal regulations («Compliance») and to manage risk, to generally guarantee our operations (in particular IT, website, etc.) and to ensure administrative processes (e.g. data archiving, accounting, master data maintenance, quality assurance).
9. Processing time for personal data
We process your personal data for as long as we are legally obliged to do so (e.g. storage and archiving obligations) or our legitimate business interests require this (e.g. enforcement or defense of claims, guaranteeing IT security) or as long as the purpose of the collection of your data makes it necessary or the storage is technically required. In the case of contracts, the data is generally stored for the duration of the contractual relationship as well as for the statutory retention periods beyond this (generally 10 years).
This may mean that your personal data or extracts thereof must be retained for several years after the contractual relationship between you and us has ended. If your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised as far as possible.
In certain cases, based on your consent, we also keep your personal data for longer (e.g. job applications that we have pending).
10. Disclosure of personal data to third parties
To the extent legally permissible and necessary, we may also pass on certain personal data to third parties in the course of our business activities. These third parties process your personal data either on our behalf (order processor), under joint responsibility with us or on their own responsibility. These include, among others:
- Group companies
- our service providers, such as banks, insurance companies, IT providers, debt collection companies, credit agencies, cleaning companies, advertising service providers, lawyers, external consultants, auditors etc.
- Business partners
- Domestic and foreign authorities, offices and courts
- Other parties in administrative and judicial proceedings
- Parties involved in transactions under company law (e.g. purchase, sale or mergers of companies, business units, etc.)
- Other third parties who are necessary to achieve the purpose of the respective data processing
Where necessary, we have concluded corresponding order processing contracts with our service providers. In these contracts, they undertake to comply with data protection and data security regulations. Furthermore, they may only process personal data in accordance with our instructions. They also grant us comprehensive auditing and control rights as well as the right to information, correction and deletion.
11. Disclosure of personal data abroad
We generally process and store personal data in Switzerland and the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and recipients who are located outside this area or process personal data outside this area, in principle in any country in the world. In particular, you must expect personal data to be disclosed to all countries in which the service providers we use and their subcontractors (especially the USA) and group companies are located.
By taking appropriate measures, we ensure compliance with the legal requirements. Specifically, an adequacy decision by the competent authority is available. In the absence of such a decision, the personal data is transferred on the basis of appropriate safeguards (in particular standard contractual clauses approved by the European Commission and the Federal Data Protection and Information Commissioner [FDPIC]) or there are exceptions for certain situations (contract execution, law enforcement abroad, etc.) or we obtain your express consent.
12. Data security
To secure your data, we maintain technical and organisational security measures in accordance with the current state of the art.
Communication via our website is encrypted using the SSL/TLS encryption protocol. However, we would like to point out that even encrypted data transmission on the Internet always involves security risks. Complete protection of data against access by third parties cannot be guaranteed.
13. Your rights as a data subject
Provided that the requirements of the applicable data protection law are met and no legal exceptions apply, you generally have the following rights in connection with the processing of your personal data:
- to receive, upon request and free of charge, information on whether and, if so, which personal data we process about you
- on the correction of incorrect or incomplete personal data
- to the restriction of the processing of your personal data
- on blocking your personal data
- to have your personal data deleted or made anonymous
- on data portability
- revoke consent given for the processing of your personal data with effect for the future
- object to the processing of your personal data.
Please note that these rights may be restricted or excluded in specific individual cases (e.g. to protect third parties or business secrets).
For the purpose of asserting your data subject rights or if you have any questions regarding this data protection declaration and the processing procedures described therein, you can contact the data protection officers mentioned in sections 2 and 3 above.
If you believe that your data has been processed unlawfully, we would be grateful if you could contact us directly. Alternatively, you can file a complaint with the supervisory authority responsible for you. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, the complaint must be submitted to the respective national data protection authority.
II. Supplementary information in connection with selected data processing operations
14. Data processing in connection with the use of our website
14.1. Hosting and log files
We host our website with a Swiss hosting provider based in Switzerland. With each visit to our website, the hosting provider automatically collects and stores information (server log files) that your browser transmits. This includes the name and URL of the file accessed, date and time, amount of data, web browser and web browser version, operating system, the domain name of your internet provider, the so-called referrer URL (the page from which you accessed our offer) and the IP address. This usage data is used to detect technical problems, to ensure security and to statistically evaluate the use of our website and thus also to further develop our offer.
The above data will be processed by us for the following purposes:
- Ensuring a smooth connection of the website,
- Ensuring a comfortable use of our website,
- Evaluation of system security and stability, and
- for other administrative purposes and in the event of unlawful use of our website or services.
Within the scope of application of the GDPR, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in accordance with the purposes listed above or your consent (Art. 6 para. 1 lit. a GDPR). The consent can be revoked at any time with effect for the future.
14.3. Links to other websites
Our website contains hyperlinks to third-party websites that are not operated or controlled by us. We are not responsible for their content or data protection practices.
Our website uses Google Analytics, Google Maps and Google Fonts from Google Inc. For the European area, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services (hereinafter «Google»).
In addition to the following explanations, you will find further information on data protection at Google in the Google data protection declaration: https://policies.google.com/privacy
We have concluded an order processing contract with Google.
Within the scope of application of the GDPR, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in an appealing internet presence as well as in increasing our reach or based on your consent (Art. 6 para. 1 lit. a GDPR). Consent can be revoked at any time with effect for the future.
We use functions of the web analysis service Google Analytics on our website. Google Analytics uses so-called «cookies», i.e. text files that are stored on your computer and enable an analysis of your use of the website (cf. the above explanations under para. 14.2). The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, due to the activation of IP anonymisation on these websites, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area as well as Switzerland. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
The purposes of the data processing are to evaluate the use of the website and to compile reports on activities on the website. Other related services are then to be provided based on the use of the website and the internet.
In addition or as an alternative to the browser add-on, you can prevent tracking by Google Analytics on our pages by clicking on this link. This will install an opt-out cookie on your device. This will prevent the collection by Google Analytics for this website and for this browser in the future, as long as the cookie remains installed in your browser.
We use Google Maps on our website to display interactive maps and to create directions. When you call up a web page on our website that has Google Maps integrated, your browser establishes a connection with the Google servers. In addition, Google Maps sets cookies (cf. the above explanations under para. 14.2). By using Google Maps, various information (e.g. IP address, addresses entered, date and time of the website visit) can be transmitted to Google servers in the USA.
You can find more information about data processing by Google here: https://policies.google.com/privacy?hl=de. There you can also change your personal privacy settings in the privacy centre. Detailed instructions on managing your own data in connection with Google products can be found here.
General information on Google Maps can be found at: https://www.google.com/intl/de/maps/about/#!/.
On our website, we use Google Fonts for the uniform display of fonts. The Google Fonts are installed locally. A connection to Google servers does not take place.
Further information on Google Web Fonts can be found at: https://developers.google.com/fonts/faq.
15. Processing of personal data in the context of the use of cloud service providers
In the following, we would like to inform you about the most important cloud service providers we use:
- Microsoft 365 (incl. Exchange, SharePoint, Teams, OneDrive) and Microsoft Azure: The provider of these services is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland («Microsoft»). According to Microsoft, data storage on Microsoft Azure (file data) is carried out exclusively on servers located in Switzerland, while Microsoft Exchange, SharePoint, Teams and OneDrive are stored in Europe (see here). In addition to the information provided here, you will find further information on data protection in the Microsoft data protection declaration: https://privacy.microsoft.com/de-de/privacystatement.
- RMail: The provider is Suisse AG, Industriestrasse 33, 5242 Lupfig, Switzerland («RMail»). RMail is a service for the verifiable sending of e-mails and for services in the areas of encryption technology and electronic signatures. In addition to the present statements, you will find further information on data protection in the RPost data protection statement: https://rpost.com/legal-notices/privacy-notice/.
- JobCloud: The provider is JobCloud AG, Albisriederstrasse 253, 8047 Zurich («JobCloud»). JobCloud is a cloud-based recruitment solution. In addition to the present statements, you will find further information on data protection in the JobCloud data protection statement: https://www.jobcloud.ch/c/de-ch/datenschutzerklarung/.
16. Processing of personal data of applicants
We accept applications by e-mail, LinkedIn or JobCloud (cf. also the above para. 15). If necessary, we also work with other external partners (e.g. job portals and employment agencies). Please also note the data protection information of these partners.
We treat your data as strictly confidential. Your personal data will only be passed on within our company to persons who are entrusted with processing your application.
We process the personal data sent to us as part of your application and the personal data collected as part of the application process insofar as this is necessary to decide on the conclusion and implementation of an employment contract. This includes:
- Master data (surname, first name, address, contact details, date of birth, marital status, etc.)
- Information on your educational, professional and personal qualifications
- Information that we have collected as part of the application process (e.g. as part of assessments)
- Other information that you have provided to us in connection with your application.
We process your personal data in this regard for as long as is necessary for the decision on your application. They are deleted a maximum of six months after the end of the application process, unless longer storage is legally required or permitted or you have not consented to longer storage.
If an employment relationship is established following the application process, your application documents will be transferred to your personnel file.
17. Processing of personal data in the context of interaction with our social media channels
We maintain the publicly accessible profiles on social networks listed below. For this purpose, we may provide linked graphics to the respective networks on our website. By clicking on a corresponding graphic, you will be redirected to the selected social network. After the forwarding, the network collects and processes your information in the following framework.
By visiting our profiles on the social networks, personal data about you may be collected. For example, if you are logged into your accounts on the social networks and visit our profile at the same time, the portal operator may be able to assign this visit to your user account. However, even if you have logged out of your account or if you do not have an account with the respective portal, your personal data may be collected. Such data collection can occur, for example, through the setting of cookies. Based on the data collected in this way, the portal operators can create user profiles and show you interest-related advertising. You can find more information on this in the respective data protection declarations of the portal operators.
For the purpose and scope of the data collection and the further processing and use of the data by the respective social network, as well as your rights in this regard and setting options for protecting your privacy, please refer to the relevant data protection provisions of the respective social network.
Within the scope of the GDPR, the use of social networks is in the interest of an appealing presentation of our online offers, increasing our reach and promoting our products and services. This is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is based on Art. 6 para. 1 lit. a GDPR. The consent can be revoked at any time with effect for the future.
LinkedIn uses advertising cookies. If you would like to deactivate them, please follow this link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
17.4. Google My Business
We use Google My Business from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland («Google»).
When you visit and interact with our Google My Business listing, Google also collects your IP address and other information that is collected in the form of cookies on your terminal device. This information is collected for statistical purposes. The data collected about you in this context will be processed by Google and may also be transferred to the USA in the process. The use of Google My Business is your own responsibility.