Version 06.2021
1. General information
Within the scope of our business activities, we are subject to Swiss data protection law, in particular the Swiss Federal Data Protection Act (FADP) and, where applicable, foreign data protection law, in particular the General Data Protection Regulation (GDPR) of the European Union (EU). The latter is only applicable to natural persons resident in an EU state. The EU recognises that Swiss data protection law ensures adequate data protection.
By using our services and our website, you consent to the processing of the data collected about you in the manner and for the purposes described below. You may only disclose personal data of third parties to us if you are authorised to do so and the personal data is correct. You shall, in particular, fulfill your associated duties to provide information to data subjects and obtain any necessary consents in advance. These must be submitted to us if required.
2. Primarily responsible for data protection interests
NRS Treuhand AG, Badenerstrasse 141, 8004 Zurich, Switzerland, firstname.lastname@example.org, Phone: +41 44 533 69 00, is responsible for the content of this data protection declaration and for the data processing described.
For data privacy concerns, please contact the controller mentioned above.
3. EU data protection representative
For natural persons with residence in countries of the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein, as well as for the country-specific supervisory authorities provided for under the GDPR, we designate the following person as EU data protection representative pursuant to Art. 27 GDPR:
VGS Datenschutzpartner UG
Am Kaiserkai 69
For a better understanding, we would like to start by clarifying the most important terms used below. In this regard, we adhere to the definitions of terms from the Swiss Federal Act on Data Protection (Art. 3 FADP).
- Personal data: all information relating to an identified or identifiable person;
- Data subjects: natural or legal persons about whom data are processed;
- Processing: any handling of personal data, irrespective of the means and procedures used, in particular the acquisition, storage, use, alteration, disclosure, archiving or destruction of data.
5. Collection and processing of personal data
We process personal data which we receive from our clients, business partners, employees, authorities and other persons involved in the course of our business activities or which we collect from users in the course of operating our website and other applications. In addition, we also collect publicly accessible data (e.g. from public registers, the internet, the press, social media, etc.) if necessary and permissible for the fulfilment of our business activities.
6. Purpose of data processing
We process the collected data in order to fulfil our legal and contractual obligations towards our clients, business partners, employees, authorities and other persons involved.
We also process the data collected in order to be able to improve the products and services you have requested, to manage your use of and access to our services and information, to maintain our business relationship with you, to carry out advertising and marketing measures (insofar as you have consented to the use of your personal data in this respect), to monitor and improve the performance of our offers, to enforce legal claims or defend ourselves against them, to identify, prevent or clarify illegal activities and to generally guarantee our operations (in particular IT, website, etc.). We only collect, use, and disclose your personal data if this is permitted or required by law or if you have consented to the collection of the data.
7. Legal basis for data processing
We process personal data in accordance with Swiss data protection law pursuant to Art. 4 ff. FADP. Where a justification is required for the processing of your personal data, it is based either on your consent or a legal basis in accordance with Art. 13 Para. 1 FADP, or on our mainly private interest in the data processing in accordance with Art. 13 Para. 2a FADP.
In other respects, we process personal data – insofar as and to the extent that the GDPR is applicable – in accordance with the following legal bases in connection with Art. 6 para. 1 GDPR:
- the data subject has given his/her consent to the processing of personal data relating to him/her for one or more specific purposes (Art. 6 para. 1 lit. a GDPR); or
- the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject’s request (Art. 6 para. 1 lit. b GDPR); or
- the processing is necessary for compliance with a legal obligation to which we are subject as controller (Art. 6 para. 1 lit. c GDPR); or
- the processing is necessary to protect the vital interests of the data subject or another natural person (Art. 6 para. 1 lit. d GDPR); or
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as controller (Art. 6 para. 1 lit. e GDPR); or
- the processing is necessary for the purposes of protecting our legitimate interests as data controller or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular if the data subject is a child (Art. 6 para. 1 lit. f GDPR).
8. Processing time of personal data
We will process your personal data for as long as we are legally obliged to do so or for as long as our legitimate business interests require it or as long as the purpose of collecting your data makes it necessary. The associated retention periods may mean that your personal data or extracts thereof must be retained for several years after the end of the contractual relationship between you and us. If your personal data is no longer required for the above-mentioned purposes, it will be deleted or made anonymous as far as possible.
9. Data processing in connection with the use of our website
9.2. Website hosting provider
We host our website with a Swiss hosting provider based in Switzerland. With each visit to our website, the hosting provider automatically collects and stores information (server log files) that your browser transmits. This includes the name and URL of the file accessed, date and time, amount of data, web browser and web browser version, operating system, the domain name of your internet provider, the so-called referrer URL (the page from which you accessed our offer) and the IP address. This usage data is used to identify technical problems, to ensure security and to statistically evaluate the use of our website and thus also to further develop our offer.
The aforementioned data are processed by us for the following purposes:
- Ensuring a smooth connection set-up of the website,
- Ensuring a comfortable use of our website,
- evaluating system security and stability, and
- for other administrative purposes as well as in the event of unlawful use of our website or our services.
Within the scope of the GDPR, this data is processed on the basis of our legitimate interest in accordance with the purposes listed above or your consent.
9.3. Links to other websites
Our website contains hyperlinks to third-party websites that are not operated or controlled by us. We are not responsible for their content or data protection practices.
9.4. Google Inc.
Our website uses functions and services of Google Inc. Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in Europe.
In addition to the following explanations, you will find further information on data protection at Google in the Google data protection declaration: https://policies.google.com/privacy.
Within the scope of the GDPR, this data is processed on the basis of our legitimate interest in an appealing website and in increasing our reach or based on your consent.
9.4.2. Google services used
On our website we use Google Maps for embedding maps. By using Google Maps, data is transmitted to Google and may also be stored on Google servers in the United States.
This site uses so-called web fonts provided by Google for the uniform display of fonts. The Google Fonts are installed locally. There is no connection to Google servers. Further information on Google Web Fonts can be found at: https://developers.google.com/fonts/faq.
9.4.3. Opt-out cookie
You can prevent the collection of your data by Google Analytics by clicking on the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB. An opt-out cookie will be set, which will prevent the collection of your data during future visits to this website.
9.4.4. IP anonymisation
We have activated the IP anonymisation function on our website. This means that your IP address is shortened by Google within member states of the EU or in other contracting states of the Agreement on the EEA before being transmitted to the United States. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and shortened there. Google uses this information to evaluate your use of the website, to compile reports on website activity and to provide us with other services related to website and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
9.4.5. Browser plugin
10. Further data processing
When you use our services or contact us, we collect and process – depending on the business case – the following general personal data about you:
- Personal details and contact data (inventory data)
- If applicable, information in connection with the company you work for
- verbal, written and electronic information provided by you in connection with your person and your request
- Information in connection with the underlying business case or legal relationship between you and us (mandate data, accounting data)
- payment data
Within the scope of the GDPR, this data is processed either for the purpose of initiating and fulfilling a contract or on the basis of our legitimate interest in processing requests addressed to us or based on your consent.
10.2. Forms of establishing contact
If you contact us outside our website (e.g. by e-mail, telephone, postal service), your enquiry including all related personal data will be stored and processed by us for the purpose of processing your request. We only pass this data on to third parties with your consent.
Within the scope of application of the GDPR, this data is processed either for the purpose of initiating and fulfilling a contract or on the basis of our legitimate interest in processing the enquiries addressed to us or based on your consent.
10.3. Mandate data
We accept data in connection with a mandate by physical or electronic means. We treat your data as strictly confidential.
We process the personal data sent to us in connection with your mandate as well as the personal data collected in connection with the processing of the mandate to the extent that this is necessary for the fulfilment of our mandate.
Within the scope of the GDPR, this data is processed either for the purpose of initiating and fulfilling a contract or on the basis of our legitimate interest in processing the mandate assigned to us or based on your consent.
10.4. Cloud service providers
For the purpose of storing and processing your personal data, we use the services of the following external cloud service providers:
- Microsoft 365 (incl. Exchange, SharePoint, Teams, OneDrive) and Microsoft Azure: the provider of these services is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”). According to Microsoft, data storage on Microsoft Azure (file data) is carried out exclusively on servers located in Switzerland, while Microsoft Exchange, SharePoint, Teams and OneDrive are stored in Europe. In addition to the information provided here, you will find further information on data protection in the Microsoft data protection declaration: https://privacy.microsoft.com/en-us/privacystatement
- RMail: The provider is Frama Suisse AG, Industriestrasse 33, 5242 Lupfig, Switzerland (“RMail”). RMail is a service for the verifiable sending of e-mails and for services in the field of encryption technology and electronic signatures. In addition to the information provided here, you will find further information on data protection in the RPost data protection declaration: https://rpost.com/legal-notices/privacy-notice/.
- JobCloud: The provider is JobCloud AG, Albisriederstrasse 253, 8047 Zurich, Switzerland (“JobCloud”). JobCloud is a cloud-based recruitment solution. In addition to the present statements, you will find further information on data protection in the JobCloud data protection statement: https://www.jobcloud.ch/c/en/privacy-policy/
10.5. Applicant data
We accept job applications via email, LinkedIn or JobCloud. We treat your data as strictly confidential. Your personal data will only be passed on within our company to persons who are entrusted with processing your application.
We process the personal data sent to us as part of your application and the personal data collected as part of the application process insofar as this is necessary to decide on the conclusion and implementation of an employment contract. If an employment contract is concluded, the data collected will be stored. If no employment contract is concluded, the data will be deleted after 6 months at the latest (unless you have consented to a longer retention period).
In the scope of application of the GDPR, the processing of this data takes place either for the purpose of initiating and fulfilling a contract or based on your consent.
11. Transfer of data to third parties
If necessary and to the extent permitted by law, we also pass on your personal data to third parties in the course of our business activities. These include, but are not limited to:
- Our service providers (incl. order processors), such as banks, IT providers etc.
- Business partners, in particular external consultants, experts, lawyers, auditors, etc.
- Authorities and courts
11.2. Order processing contracts
Where necessary, we have concluded corresponding order processing contracts with our data processors. In these contracts, the data processors undertake to comply with data protection and data security regulations. In addition, they grant us comprehensive rights of audit and scrutiny as well as the right of rectification and the right of deletion.
11.3. Indication on data transfer to the United States
Within the scope of the GDPR, this data transfer is based on your consent.
12. Social Networks (Social Media)
We maintain the publicly accessible profiles on social networks listed below. For this purpose, we may provide linked graphics to the respective networks on our website. By clicking on a corresponding graphic, you will be redirected to the selected social network. After the redirection, the network collects and processes your information in the following framework.
By visiting our profiles on social networks, personal data about you may be collected. For example, if you are logged in to your accounts on social networks and visit our profile at the same time, the portal operator may be able to assign this visit to your user account. However, even if you logged out of your account or if you do not have an account with the respective portal, your personal data may be collected. Such data collection can occur, for example, through the setting of cookies. Based on the data collected in this way, the portal operators can create user profiles and show you interest-related advertising. Further information on this can be found in the respective data protection declarations of the portal operators.
Within the scope of application of the GDPR, the use of social networks and the associated data processing is based on our legitimate interest. We particularly want to use it to present ourselves on the Internet and increase our reach.
LinkedIn uses advertising cookies. If you would like to deactivate them, please follow this link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
12.4. Google My Business
We use Google My Business from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). When you visit and interact with our Google My Business entry, Google also collects your IP address and other information that is collected in the form of cookies on your terminal device. This information is collected for statistical purposes. The data collected about you in this context will be processed by Google and may also be transferred to the United States. The use of Google My Business is your own responsibility.
Further details can be found in the Google data protection declaration: https://policies.google.com/privacy?hl=en-GB
13. Your rights as a data subject
To the extent that the legal requirements are met, you as the data subject have the right:
- to receive, on request and free of charge, information about whether and, if so, which personal data we are processing about you
- to correct incorrect personal data
- to restrict the processing of your personal data
- to block your personal data
- to have your personal data deleted, to the extent that this does not conflict with a legal obligation to retain data
- to data portability
- to revoke consent to the processing of your personal data with effect for the future
- to object to the processing of your personal data.
If you believe that your data has been processed unlawfully, you may lodge a complaint with the competent supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
If you wish to correct, block, delete or obtain information about the personal data stored about you, or if you have any questions regarding the collection, processing or use of your personal data, or if you wish to revoke any consent you have given, you can contact the data protection officer mentioned above at any time.
14. Data security
To secure your data, we maintain technical and organisational security measures in accordance with state-of-the-art technology.
Communication via our website is encrypted using the SSL/TLS encryption protocol. However, we would like to point out that even encrypted data transmission on the Internet always involves security risks. Complete protection of data against access by third parties cannot be guaranteed.