Valid from 1 September 2023

SUISAG (hereinafter “SUISAG”, “we” or “us”) undertakes to process all personal data (hereinafter “Personal Data”) collected via the Portal in accordance with Swiss data protection law (hereinafter “DPA”) and the EU General Data Protection Regulation (hereinafter “GDPR”) and to take appropriate security measures to protect it from unauthorised access. Whether and to what extent these laws are applicable depends on the individual case. In this data protection declaration, we inform you in particular about which personal data is collected and processed in connection with the use of the portal, for what purposes it is used, to whom it may be passed on and what your rights are in connection with the use of your personal data by SUISAG. Personal data is all information relating to an identified or identifiable natural or legal person, e.g. surname, first name, address, e-mail address, date of birth or telephone number.

This privacy policy is an integral part of SUISAG’s GTC.

By accessing the online portal (hereinafter “portal” or “website”) and using the services and products we offer, you declare that you have read this privacy policy carefully and agree to the data processing described. Any questions in connection with this privacy policy can be sent at any time by e-mail to If you do not agree with this declaration, you must refrain from accessing the portal and using our services and products.


  1. Who is responsible for your personal data
  2. How we process personal data
  3. Which personal data do we collect for which processing purposes
  4. On what legal basis do we process personal data about you
  5. To whom we pass on your personal data
  6. Transfer of personal data to countries outside the EEA
  7. How long we keep information about you
  8. Cookies / tracking and other technologies in connection with the use of our website
  9. E-mail communication and newsletters for advertising purposes
  10. No automated decisions including profiling with legal effect
  11. Data security
  12. Data protection declarations of third-party providers
  13. Children
  14. What are your rights
  15. Changes to our privacy policy

1. Who is responsible for your personal data

The controller within the meaning of data protection legislation is SUISAG, Allmend 10, 6204 Sempach, Switzerland, +41 41 462 65 50, e-mail:

SUISAG determines the purposes and means of the processing of your Personal Data and is therefore responsible for the processing and use of your Personal Data in accordance with this Privacy Policy. If you have any questions or concerns regarding this Privacy Policy or the processing of your Personal Data, please contact us at any time by sending an email to

2. How we process personal data

All personal data collected via the website is processed in accordance with the Swiss Data Protection Act and the GDPR where applicable. We collect and process personal data carefully and for the purposes described in this Privacy Policy. In accordance with applicable law, we may also use your personal data in ways other than those described in this Privacy Policy. In this case, we will provide you with specific privacy statements or notices at the time of collection and, if necessary, obtain your consent. We will always make reasonable efforts to collect information in anonymised or pseudonymised form so that we cannot identify you.

3. Which personal data we collect for which processing purposes

3.1 Personal data transmitted automatically via the use of the portal

SUISAG collects and stores information that your browser automatically transmits to us in “server log files” when you visit our website. The data collection is based on your intention and interest in visiting our website and our legitimate interests in operating the website. This may include the following data:

  • Browser type and browser version;
  • Operating systems used;
  • Referrer URL (the previously visited website);
  • Host name of the accessing computer;
  • Date and time of the server request;
  • Internet Protocol address (IP address);
  • Amount of data transferred;
  • Other similar data and information used for security purposes in the event of attacks on our IT systems.

This personal data is not merged with other personal data and is stored separately from any other personal data transmitted by the user. It will be deleted by us after six months at the latest.

SUISAG uses the automatically collected personal data to fulfil the following purposes:

  • to enable the display, operation and functionality of the portal
  • to ensure the stability and security of the system
  • to improve and protect our services
  • for statistical purposes in the event of attacks on the network infrastructure on which the website is provided

3.2 Personal data that the user transmits to us

SUISAG collects and processes personal data that the user voluntarily transmits to SUISAG by means of an online form directly on the portal, via our contact e-mail address, via any other applications linked to the portal, by telephone or in any other way. This information includes, for example, the following personal data:

  • Surnames, first names, postal addresses, e-mail address, telephone number
  • Your message or enquiry.

The provision of this personal data is expressly on a voluntary basis. Without this personal data, however, we will not be able to provide the services requested by the user in the desired quality or at all.

SUISAG uses the personal data that the user transmits to us to fulfil the following purposes:

  • to provide, maintain, protect and optimise the services and information offered
  • to communicate with you and provide you with the best possible and personalised information you need from us (e.g. about our products and services)
  • to offer you new services and information and, based on your profile, to suggest customised services and information that may be of interest to you
  • to comply with legal or other regulatory requirements and internal regulations
  • for the establishment, exercise and/or defence of actual or potential legal claims, investigations or similar proceedings
  • for other legitimate purposes, if this processing is evident from the circumstances or was indicated at the time of collection

4. On what legal basis do we process personal data about you

The processing of this personal data is based on the following legal bases:

  • Your consent, which can be withdrawn at any time (e.g. when you sign up for our newsletter and other marketing communications)
  • for the fulfilment of a contract with you or for the intention of concluding a contract with you (e.g. when purchasing a product)
  • to fulfil a legal obligation (e.g. for tax reasons or for the purpose of legal investigations or proceedings) or
  • to protect our legitimate interests (e.g. protection and security of our services, systems, assets; compliance with legal, regulatory and contractual obligations; assertion, exercise or defence of legal claims; maintenance and efficient organisation of business operations; improvement and development of our services and sale and marketing of our services)

If the processing is based on your consent or our legitimate interests, you can withdraw your consent or object to this processing at any time by contacting us directly at Please note, however, that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. To whom we pass on your personal data

SUISAG takes the necessary measures to ensure that only our authorised personnel and our auxiliary persons who have the necessary knowledge have access to your personal data in order to fulfil the purposes for which your personal data was collected.

We may disclose your personal data to the following possible categories of recipients in accordance with the purposes and legal bases of processing described above, insofar as this is necessary for the intended data processing:

  • Other companies in the Group;
  • Service providers who process the personal data on behalf of and on the instructions of SUISAG (so-called contract processors such as in the areas of IT, hosting and support)
  • Customers, partners, suppliers and other business partners
  • Media agencies, the public, including visitors to the Group’s websites and social media;
  • Industry organisations, associations and other bodies;
  • Acquirers or parties interested in acquiring business units, companies or other parts of the Group;
  • Courts, arbitration bodies, law enforcement agencies, regulators, lawyers and other parties to potential or actual legal proceedings where necessary for compliance with the law or for the establishment, exercise or defence of legal rights or claims.

We select our partners and processors carefully and only if we have sufficient guarantees that they have suitable technical and organisational measures in place in accordance with the legal requirements. Our processors may only process personal data on our documented instructions. They are all subject to confidentiality requirements and may only use your personal data to the extent necessary to fulfil the purpose for which your personal data was collected, unless otherwise required by law.

6. Transfer of personal data to countries outside the EEA

The personal data collected via our website is stored in the EU. In addition, we may transfer, store and process your personal data at data locations around the world, e.g. where our third-party providers or partners are located. Therefore, we may transfer your personal data outside the European Economic Area (EEA) if this is necessary for the data processing described in this Privacy Policy in accordance with applicable law.

Where data is transferred to countries that do not ensure an adequate level of protection, we ensure an adequate level of data protection by putting in place appropriate safeguards, such as contractual safeguards (e.g. based on EU standard clauses), based on binding corporate rules, the transfer of data in accordance with your explicit consent, for the conclusion or fulfilment of a contract with you, or in connection with the establishment, exercise or enforcement of legal claims. For more information about our appropriate safeguards, please contact us by email at

7. How long we keep information about you

In principle, personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected, unless longer storage is necessary to fulfil legal obligations (e.g. storage and documentation obligations), contractual or pre-contractual obligations or our legitimate business interests (e.g. to assert, exercise or defend legal claims).

On this basis, we generally process personal data in compliance with the following rules and obligations:

  • The personal data automatically transmitted by you through the use of our portal (see point 3.1.) for the purpose of displaying, operating and ensuring the functionality of the portal will be deleted within six months.
  • The personal data you transmit to us in connection with the use of our services and products offered on our portal or which you otherwise transmit to us via the e-mail contact address (see point 3.2.) will generally be stored by us until you request us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your enquiry has been processed).
  • For contract-related personal data (including business documents and communications), we store personal data for as long as the contractual relationship exists and thereafter for a further ten years after termination of the contractual relationship, unless (i) a shorter or longer statutory retention obligation applies in individual cases, (ii) retention is required for reasons of proof or for another valid reason under applicable law, or (iii) deletion of the data is required earlier (e.g. because the data is no longer required or we have to delete the corresponding data).

8. Cookies / tracking and other technologies in connection with the use of our website

8.1 Cookies

We typically use “cookies” and similar technologies on our websites to identify your browser or device. A cookie is a small file that is sent to your computer or automatically stored on your computer or mobile device by the web browser you use when you visit our website. This enables us to recognise you when you visit this website again, even if we do not know who you are.

In addition to cookies that are only used during a session and are deleted after your visit to the website (“session cookies”), cookies can also be used to store user settings and other information for a certain period of time (e.g. two years) (“permanent cookies”). However, you can set your browser so that it rejects cookies, only saves them for one session or otherwise deletes them prematurely. Most browsers are preset to accept cookies. On the following pages you will find explanations of how you can configure the processing of cookies in the most common browsers.

  • Mozilla Firefox
  • Google Chrome for desktop
  • Google Chrome for Mobile
  • Apple Safari for desktop
  • Apple Safari for Mobile

If you block cookies completely or partially, certain functionalities (such as language selection, shopping basket, ordering processes) may no longer work.

8.2 Matomo

This website uses the open source web analysis service Matomo. With the help of Matomo, we are able to collect and analyse data about the use of our website by website visitors. This enables us to find out, among other things, when which pages were accessed and from which region. We also record various log files (e.g. IP address, referrer, browser and operating system used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.). The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.

IP anonymisation

We use IP anonymisation for the analysis with Matomo. This means that your IP address is shortened before it is analysed so that it can no longer be clearly assigned to you.

Cookieless analysis

We have configured Matomo so that Matomo does not store any cookies in your browser.


We host Matomo exclusively on our own servers so that all analysis data remains with us and is not passed on.

You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.

8.3 EBJ

| Cookie name | Framework | Description |
| --- | --- | --- |
| JSESSIONID | JSF / Apache TomEE | Used for session management in Java EE web applications by our application server TomEE. Since HTTP is a stateless protocol, the application server / web server has no way to attribute two separate requests to the same client. Session management is the process of tracking user sessions using techniques such as cookies. |
| starting with: BNES_ | Barracuda | Encrypted copy of a cookie, created by the Barracuda Web Application Firewall (WAF). If a cookie is changed, the comparison with this copy generates an error at the WAF and the request is blocked by the WAF. |
| AUTH_SESSION_ID | Keycloak IAM Server | Identity token for the current authentication process. |
| AUTH_SESSION_ID_LEGACY | Keycloak IAM Server | Identity token for the current authentication process. (Legacy token for older devices) |
| KEYCLOAK_IDENTITY | Keycloak IAM Server | Identity token from Keycloak. Used for SSO. |
| KEYCLOAK_IDENTITY_LEGACY | Keycloak IAM Server | Identity token from Keycloak. Used for SSO. (Legacy token for older devices) |
| KC_RESTART | Keycloak IAM Server | Created at the start of the authentication process. It contains the client information encoded in a JWS token. It is used when the root authentication session expires, to recreate the authentication session from the client information contained in the cookie. |
| KEYCLOAK_LOCALE | Keycloak IAM Server | Saves the region and language settings of the user who logs in to Keycloak. |

9. E-mail communication and newsletters for advertising purposes

If you register for our newsletter, we will use your e-mail address to send you information about our services and other commercial communications (e.g. announcements of events, competitions, promotions and surveys) that may be of interest to you. For security reasons, we use the so-called double opt-in procedure to register for the newsletter. After registration, we will send a confirmation e-mail to the e-mail address provided during registration with a link that you must click on to definitively confirm that you wish to receive the newsletter. You can unsubscribe from such newsletter e-mails at any time by clicking on the marked link “Unsubscribe from this list” at the end of each e-mail or by contacting us directly by e-mail at

10. No automated decisions including profiling with legal effect

We will not make any decision about you that is based solely on automated processing – including profiling – and which produces legal effects concerning you or similarly significantly affects you. If we use such procedures in individual cases, we will inform you of this separately if this is required by law and inform you of the associated rights.

11. Data security

SUISAG has implemented organisational and technical measures to maintain the security of personal data and to protect it against unauthorised or unlawful processing, accidental loss, alteration, disclosure or access.

SUISAG may use third parties as data processors to collect and process your personal data. The data processors commissioned by us will only process your personal data in accordance with our instructions and are legally obliged to take strict security precautions when handling personal data.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. For this reason, you are always free to transmit your personal data to us by other means, e.g. by telephone. Once we have received your data, we apply strict procedures and stringent security measures to prevent unauthorised access.

12. Data protection declarations of third-party providers

Please note that if you click on the link to a third-party website (e.g. Google or social media or other websites), you will be redirected to a website that we do not control and our Privacy Policy will no longer apply. Your browsing and interaction on another website is subject to the terms of use and privacy policies and notices of those third party websites. Furthermore, we cannot guarantee the accuracy and timeliness of these links.
We recommend that you carefully read the terms of use and the privacy statements and notices of other websites before you submit any personal data via this website. We are not responsible or liable for the information content and data processing of such third-party websites.

13. Children

Our website is not intended for children and we do not knowingly collect personal data from children under the age of 16 unless we have the express consent of their parents. If we are notified or otherwise learn that personal information of a child under the age of 16 has been improperly collected, we will take all reasonable steps to delete that personal information.

14. What are your rights

You can request information from SUISAG about whether personal data about you is being processed, providing proof of your identity. In addition, you have the right to request the correction, deletion or restriction of personal data about yourself and to object to the processing of your personal data. If the processing is based on your consent or our legitimate interests, you can withdraw your consent or object to this processing at any time by contacting us directly by email at In certain cases, you have the right to receive personal data generated when using online services in a structured, common and machine-readable format, so that further use and transmission to any third-party provider is possible.

Enquiries in this regard should be addressed to SUISAG via the following e-mail address: SUISAG reserves the right to restrict your rights within the framework of applicable law and, for example, not to disclose comprehensive information or to delete personal data. Please note that even after a request to delete your personal data, we must retain all or part of it within the scope of the statutory and contractual retention obligations. The deletion of your personal data may mean that you can no longer use our services.

If we reject your request or you are not satisfied with our processing, you are also entitled to lodge a complaint with the competent supervisory authority and to appeal to the competent authority. The competent authority is the Federal Data Protection and Information Commissioner (FDPIC) in Bern.

15. Changes to our privacy policy

SUISAG reserves the right to amend, supplement or otherwise change this privacy policy at any time and without giving reasons. The current personal data protection declaration as published on the portal shall apply.