The controller for the purpose of the EU General Data Protection Regulation (hereinafter referred to as “GDPR”) and other national data protection laws of the Member States and also other applicable data protection regulations is:
8032 – Zürich
Tel.: +00 000 00 00 00
RO collects and uses personal data of users only as far as it is necessary to provide and maintain a functional website and the content and services on the platform. In general, the collection and use of the personal data of the users takes place only after consent of the user has been obtained, or if the processing of the data is already permitted by legal regulations.
Insofar as RO obtains the consent of the users for the processing of their personal data, Art. 6 (1) (a) GDPR serves as the legal basis.
In case the processing of personal data is required for the performance of a contract to which the user is a party, Art 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations in order to take steps at the request of the user prior to entering into a contract.
In the event, that the vital interests of the user or another natural person require the processing of personal data, Art 6 (1) (d) GDPR serves as the legal basis.
If processing is necessary for the protection of a legitimate interest of RO or a third party and the interests, fundamental rights and freedoms of the person concerned do not override the former interest, then Art 6 (1) (f) GDPR serves as the legal basis for the processing.
The personal data of the user will be deleted or blocked as soon as the purpose of storage ceases to apply. In addition, data may be stored if it has been provided for by European or national legislators in EU regulations, laws or other provisions to which RO is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
At each of our webpages, the webserver used by RO automatically collects data and information of the accessing computer.
The following data is collected:
(1) information about the type of browser and the version used
(2) operating system of the user
(3) internet service provider of the user
(4) IP address of the user
(5) location, date and time of access
This data is used for session handling and will also be saved in the log files on the server. The IP address is transmitted with each server request so that the server knows where to send the response. Every internet user is assigned an IP address by his Internet Service Provider (ISP) as soon as he connects to the Internet. The ISP can trace which IP address was assigned to which of its customers at which time. As long as the IP address is stored, the identity of the subscriber can theoretically be determined by the ISP. RO saves the complete IP Address only temporarily to log files for debugging purposes and threat protection. The complete IP address is deleted after three days, so that the recorded data is then anonymous and identification of the user is no longer possible.
The processing of this data serves to deliver the contents of the website, to guarantee the functionality of the information technology systems and to optimize the website. The data of the log files are stored separately from other personal data.
The legal basis for the temporary storage of data and log files is Art 6 (1) (f) GDPR.
The temporary storage of the IP address by the server is necessary to enable the website to be delivered to the user’s computer. For this the IP address of the user must remain stored for the duration of the session.
The storage in log files is done to ensure the functionality of the website. In addition, RO uses the data to optimize the website and to ensure the security of the IT systems.
RO’s legitimate interest in data processing pursuant to Art 6 (1) (f) GDPR lies in these purposes.
The data will be deleted as soon it is no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
If the data is stored in log files, deletion occurs after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that assignment of the accessing client is no longer possible.
The collection of data for the provision of the website and the storage of data in log files is essential for the secure and data protection compliant operation of the website. There is consequently no opportunity to object on the part of the user.
Cookies are text files that are stored in or by the internet browser on the user’s computer system. If a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic character string that enables a unique identification of the browser when the website is accessed again.
The following data is stored and transmitted within the cookies:
To check if user is logged in
The user data collected in this way is pseudonymized by technical precautions. Therefore, it is no longer possible to assign the data to an accessing user. The data will not be stored together with other personal data of the users.
The Legal basis for processing personal data using technically necessary cookies is Art 6 (1) (f) GDPR.
The legal basis for processing personal data using cookies for analytical purposes, if the user has given his or her consent in this regard, is Art 6 (1) (a) GDPR, otherwise Art 6 (1) (a) GDPR.
The user data collected by technically necessary cookies are not used to create user profiles.
If personal data of the user is processed the user is affected within the meaning of the GDPR and the user is entitled to the following rights vis-à-vis RO:
1. Right to information
Users may request confirmation from RO whether personal data relating to the user is processed by RO.
Once such processing has taken place, users can request the following information from RO:
(1) The purposes for which the personal data is processed;
(2) The categories of personal data, which is being processed;
(3) The recipients or categories of recipients to whom the personal data relating to the user has been or is still being disclosed;
(4) The planned duration of storage of the user’s personal data or, in the case specific information on this is not possible, criteria for determining the storage period;
(5) The existence of a right to correction or deletion of personal data relating to the user, a right to restriction of processing by RO or a right to object to such processing;
(6) The existence of a right of appeal to a supervisory authority;
(7) Any available information on the origins of the data if the personal data is not collected from the user itself;
(8) The existence of automated decision-making, including profiling in accordance with article 22(1) and (4) GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the user.
Users have the right to request information as to whether personal data relating to the user is transferred to a third country or to an international organization. In this context, users may request to be informed of the appropriate guarantees in accordance with art 46 GDPR in connection with the transmission.
2. Right to rectification
Users have the right to rectification and/or completion vis –a- vis RO if the processed personal data concerning the user is incorrect or incomplete. RO must make the correction without delay.
3. Right to restriction of processing
Users may request the restriction of the processing of personal data concerning the user under the following conditions:
(1) If the user contests the accuracy of the personal data the period of restriction can be extended allowing for RO to verify the accuracy of the personal data;
(2) The processing is unlawful and the user opposes the deletion of the personal data and requests the restriction of their use instead;
(3) RO no longer requires the personal data for the purposes of the processing, but they are required by the user for the establishment, exercise or defense of legal claims or
(4) If the user has objected to processing pursuant to article 21(1) pending the verification whether the legitimate grounds of RO override those of the user.
Where processing has been restricted, such data shall, with the exception of storage, only be processed with the user’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
If the processing of data has been restricted according to the above conditions, users will be informed by RO before the restriction is lifted.
4. Right to delete
a) Deletion obligation
Users have the right to obtain from RO the deletion of his personal data without undue delay and RO is obligated to delete this personal data without undue delay where one of the following grounds applies:
(1) The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
(2) The user withdraws consent on which the processing is based according to Art 6 (1) (a) or Art 9 (2) (a) GDPR and where there is no legal ground for the processing.
(3) User objects to the processing pursuant to Art 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the user objects to the processing pursuant to Art 21(2) GDPR.
(4) The personal data has been unlawfully processed.
(5) The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which RO is subject.
(6) The personal data has been collected in relation to the offer of information society services referred to in art 8(1) GDPR.
b) Passing information to third parties
If RO has made public the personal data relating to the User and if RO is obliged to delete such data pursuant to Art 17(1) GDPR, RO shall take appropriate measures, including technical measures, considering the available technology and the implementation costs, to inform those responsible for data processing who process the personal data, that user as data subject has requested RO to delete all links to such personal data or copies or replications of such personal data.
The right to deletion does not exist insofar as the processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by the European Union or Member State law to which RO is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in RO;
(3) For the establishment, exercise or defense of legal claims.
If users have exercised the right to correct, delete or limit the processing vis-à-vis RO, RO is obliged to inform all recipients to whom the personal data relating to the user has been disclosed of this correction or deletion of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
Users have the right vis-à-vis RO to be informed about these recipients. 5. Right to data transferability Users have the right to receive user-related personal data provided to users in a structured, common, and machine-readable format. In addition, users have the right to transfer this data to another person without hindrance by RO, provided that (1) Processing is based on consent pursuant to art 6(1) (a) GDPR or art 9 (2) (a) GDPR or on a contract pursuant to Art 6 (1) (b) GDPR and
(2) The processing is done by automated means.
In the exercise of this right, users also have the right to request that the personal data relating to the user is transmitted directly by a responsible person to another responsible person, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
6. Right of objection
The users have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on art 6 (1) (e) or (f) including profiling based on those positions.
RO shall no longer process the personal data unless RO demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the user or for the establishment, exercise of defense of legal claims.
Where the user’s personal data is processed for direct marketing purposes, the user has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the user objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Users have the possibility in connection with the use of information society’s services- not withstanding Directive 2002/58/EC to exercise their right of objection by means of automated procedures using technical specifications.
7. Right to revoke consent with data protection relevance
Users have the right to revoke their data protection relevant consent at any time. The revocation of consent does not affect the legality of processing carried out based on the consent until revocation.
8. Automated individual decision-making, including profiling
The user has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This not applicable if the decision
(1) is necessary for entering into, or performance of, a contract between the user and RO,
(2) is authorized by European Union or Member State law to which RO is subject and which also lays down suitable measures to safeguard the User’s rights and freedoms and legitimate interests;
(3) is based on the user’s explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art 9 (1) GDPR, unless art 9 (2) (a) or (g) GDPR applies and appropriate measures have been taken to protect the user’s right and freedoms and the user’s legitimate interests.
9. Right to raise a complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy users have the right to raise a complaint at a supervisory authority, in particular in the member state of residence, place of work, or place of suspected infringement, if users consider that the processing of personal data relating to the user is in violation of the GDPR.
The supervisory authority at which the complaint has been raised shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under art 78 GDPR.