Data privacy statement

Version dated 1 July 2018

In this Privacy Policy we, Heggli & Gubler AG, describe how we collect and process personal data. This description is not exhaustive; in some cases, other privacy policies or general terms and conditions, terms and conditions of participation or similar documents might contain provisions that apply under specific circumstances. All information relating to an identified or identifiable person is personal data.

When you provide us with the personal data of other people (e.g. family members or colleagues), please ensure that these people are aware of this Privacy Policy and only share their personal data with us if you are permitted to do so and if the personal data is accurate.

This Privacy Policy is based on the European Union’s General Data Protection Regulation (GDPR). Although the GDPR is a European Union regulation, it is of relevance to us. The Swiss Federal Act on Data Protection (FADP) is heavily influenced by EU legislation, and companies outside of the European Union or EEA are required to comply with the GDPR under certain circumstances.

1. Controller
Unless indicated otherwise, Heggli & Gubler AG is the controller responsible for the data processing as described in this Privacy Policy. If you have any questions concerning data protection, you can contact us at the address below: Heggli & Gubler AG, Gotthardstrasse 1, 5630 Muri, Switzerland, info@heggli-gubler.ch, tel. +41 56 675 40 80

2. Collection and processing of personal data
The personal data we process comes primarily from our customers, business partners and other related parties as part of our business relationships with them, or is collected from users of our websites, apps and other applications.

Where permitted, we also retrieve certain data from public sources or from other companies, authorities and other third parties. In addition to the data relating to you that you share with us directly, the categories of personal data relating to you that we obtain from third parties include, in particular, information from public registers, information we receive in connection with official and judicial proceedings, information in connection with your professional roles and information about you in correspondence and discussions with third parties, information pertaining to creditworthiness (where we enter into transactions with you personally), information about you that we are given by people connected with you (e.g. family, advisors or legal representatives) which allows us to enter into and execute contracts with or involving you (e.g. references, your delivery address, power of attorney, information relating to compliance with statutory regulations such as money laundering prevention and export restrictions, information from banks, insurance companies or our distribution and other contractual partners that allows you to use or provide services, e.g. payments and purchases), information about you from media and the Internet (where appropriate in each case, e.g. for the purposes of an application, press review, marketing or sales), your addresses and potentially interests and other socio-demographic data (for marketing) and data in connection with your use of the website (e.g. your IP address, the MAC address of your smartphone or computer, information about your device and settings, cookies, the date and time of your visit, the pages and content you accessed, the features you used, the referrer URL and location information).

3. Purposes of data processing and legal basis
First and foremost, we use the personal data we collect to enter into and perform contracts with our customers and business partners, especially in connection with the provision of our services for our customers and the procurement of products and services from our suppliers and subcontractors, as well as the fulfilment of our statutory obligations in Switzerland and abroad. If you work for such a customer or business partner, your personal data might also be affected in connection with this role.

Furthermore, where admissible and where we deem it appropriate, we process your personal data and the personal data of other people for the following purposes in which we (and sometimes also third parties) have a legitimate interest that is consistent with the purpose:

The provision and development of our products, services, websites, apps and other platforms on which we are present;
communication with third parties and processing of their enquiries (e.g. applications and media enquiries);
examination and optimisation of methods of analysing demand for the purposes of contacting customers directly and collecting personal data from public sources for the purposes of customer acquisition;
advertising and marketing (including events) unless you have objected to the use of your data (if you are an existing customer and we send you promotional material, you can object at any time, in which case we will remove your name from our mailing lists);
market and opinion research;
media monitoring;
filing of legal claims and defence in connection with legal disputes and official proceedings;
prevention and investigation of crimes and other misconduct (e.g. internal investigations and data analysis for fraud prevention);
to ensure that we remain operational, especially with regard to our IT, websites, apps and other platforms;
CCTV to ensure compliance with building regulations, other IT, building and facility security measures and measures designed to protect our staff and other personnel and assets belonging or entrusted to us (e.g. controlled access systems, visitor lists, network and email scanners, telephone recordings);
to purchase and sell business units, companies or parts of companies and other company law transactions and the related transmission of personal data, as well as business management measures and in order to comply with statutory and regulatory obligations and internal regulations of Heggli & Gubler AG.

Where you have provided us with your consent to the processing of your personal data for certain purposes (e.g. requesting receipt of newsletters during your registration, or for background checks), we will process your personal data within the scope and on the basis of that consent unless we have any other legal basis and require this. The consent can be withdrawn at any time, although this has no effect on data processed up to that point.

4. Cookies, tracking and other technology in connection with the use of our website
Our website normally uses cookies and similar methods to identify your browser or device. A cookie is a small file that is sent to your computer and automatically stored on your computer or mobile device by your browser when you visit our website or install our app. If you visit this website repeatedly, we will be able to recognise you even if we do not know who you are. In addition to cookies that are merely used during a session and then erased after you leave the website (session cookies), we can also use cookies (permanent cookies) to store user settings and other information for a certain period of time (e.g. two years). However, you can set your browser to block cookies, to only store cookies for the session or to otherwise delete them prematurely. Most browsers accept cookies by default. Some of the cookies are used by us and some by our contractual partners. If you block cookies, certain features may no longer work properly. By using our websites, you consent to the use of these methods. Otherwise, you will have to change the settings in your browser to prevent it.

We use Google Analytics or similar services on our website. This is a service provided by third parties which can be situated in any country on Earth (in the case of Google Analytics, Google LLC is based in the USA, www.google.com) and with which we are able to measure and evaluate how our website is used (not personal data). Persistent cookies are used for these purposes and are installed by the service provider. The service provider receives no personal data from us (and does not store IP addresses), yet it is able to track your use of the website, merge that information with data from other websites that you have visited that are also being tracked by the service provider, and use those findings for its own purposes (e.g. management of advertisements). The service provider will know your identity if you have a user account with the service provider. In that case, the service provider processes your personal data on its own responsibility and in line with its own privacy policy. The service provider merely notifies us of how our website is used (no personal information about you is exchanged).

5. Sharing of data and transmission of data abroad
Where admissible and where we deem it appropriate, we share data with third parties as part of our business activities and for the purposes described in section 3 because they process the data for us or because they want to use the data for their own purposes. The third parties might be the following in particular:

Our service providers such as banks and insurers, including processors such as IT providers;
retailers, suppliers, subcontractors and other business partners;
customers;
national and international authorities, offices or courts;
media and the public, including visitors to websites and users of social media;
competitors, industrial organisations, associations, organisations and other bodies;
other parties in potential or actual legal proceedings;

all hereinafter referred to collectively as ‘Recipients’.

Some of these Recipients are in Switzerland but others might be in any country in the world. In particular, the data can be transmitted to any country in which our customers, their affiliated companies or business partners, service providers or experts reside. Where we transmit data to a country that does not provide an adequate level of data protection, we comply with the statutory regulations by using data protection contracts (based on the standard contractual clauses of the European Commission) or binding corporate rules to ensure an adequate level of data protection, or we rely on the statutory exceptions of consent, contract execution, the establishment, exercise or enforcement of legal claims, overriding public interests or published personal data or because it is necessary to protect the integrity of the data subjects. If not already available via the link below, a copy of the aforementioned contractual guarantees is available from the representative named in section 1. However, we reserve the right to redact copies or only provide excerpts for reasons of data protection or confidentiality.

6. Duration of retention of personal data
We process your personal data for as long as necessary to fulfil our contractual and statutory obligations or other purposes for which we are processing the data, i.e. for the term of the entire business relationship (from the initiation to the performance and termination of a contract), as well as in line with the statutory regulations on retention and documentation. It is possible that personal data may be retained for the period of time in which claims can be filed against our company and where we are otherwise legally obliged to do so or if our legitimate interests require it (e.g. for the purposes of evidence and documentation). Where possible, your personal data will be entirely erased or anonymised as soon as it is no longer required for the purposes outlined above. Operational data such as system logs and log files are generally subject to shorter retention periods of twelve months or less.

7. Data security
To protect your personal data from being accessed and misused, we have taken reasonable technical and organisational security precautions including issuing instructions, providing training, installing IT and network security solutions, implementing controlled and restricted access, encrypting data storage media and transmissions and performing pseudonymisation and checks.

8. Duty to make personal data available
As part of our business relationship, you are required to provide the personal data necessary for the initiation and execution of a business relationship and for the fulfilment of the related contractual obligations (you are not normally legally obliged to provide us with data). Without such data, we will generally be unable to enter into or execute a contract with you (or the body or person you represent). It may also be impossible to use the website if certain information is not disclosed for the purposes of securing the transmission of data (e.g. your IP address).

9. Rights of the data subject
Under the data protection legislation that applies to you and where provided for in this Privacy Policy (such as in cases in which the GDPR applies), you are entitled to access information, to rectification, to erasure, to restriction of processing, to object to the processing of data by us and to receive certain personal data for the purposes of transmitting it to another controller (data portability). However, please note that we reserve the right to utilise the statutory restrictions on our part if, for instance, we are obliged to retain or process certain data, have an overriding interest in doing so (provided that we are permitted to cite it) or need to do so in order to assert legal claims. We shall notify you in advance if you are liable for costs. We have already made you aware of your option to withdraw your consent in section 3. Please note that exercising these rights might conflict with contractual agreements and might have consequences such as the premature dissolution of the contract or additional costs. In this case, we shall notify you in advance unless this is already governed by contractual provisions.

As a rule, exercising such rights requires you to provide unequivocal evidence of your identity (e.g. by providing a copy of your personal identification if your identity is not otherwise clear and cannot be verified). You can contact us at the address provided in section 1 in order to exercise your rights.

Furthermore, every data subject has the right to enforce their claims in a court of law and to lodge a complaint with a supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC) (www.edoeb.admin.ch).

10. Amendments
We may amend this Privacy Policy at any time without providing prior notice. The current version published on our website is the valid version. If the Privacy Policy is a component of an agreement with you and is updated, we shall notify you of the amendments by email or in another appropriate manner.

Based on DSAT.ch