General Privacy Policy KIBAG
1. What is this privacy policy about?
KIBAG Holding AG, Bächaustrasse 73, 8806 Bäch, and its group companies process personal data relating to you or other persons in different ways and for different purposes. A list of the group companies can be found at https://www.kibag.ch/de/standorte.html. Where we refer below to “KIBECO”, “KIBAG”, “we” or “us”, this refers in each case to the group company responsible for the respective data processing activity (see below). “Personal data” means all information that can be associated with a specific person, and “processing” means any handling of such data, such as collection, use and disclosure.
This privacy policy explains how we process such data (hereinafter personal data or data) if
- you visit our websites, in particular kibag.ch, kibeco.ch, geotherm.ch, kibag-entsorgungstechnik.ch, kibagmarina.ch, msufnau.ch, golfpark.ch, projekt-waldegg.ch and notfallorganisation.ch,
- you or the company on whose behalf you act obtain our services or products,
- you are otherwise connected with us within the framework of a contract,
- you contact us by email, letter, on social media, by SMS, via a contact form, etc.,
- you register for our newsletter,
- you or your company otherwise have dealings with us.
For ease of reading, this privacy policy does not refer to multiple genders. However, we always mean persons of all genders.
Please take the time to read this privacy policy to learn how and why KIBAG processes your personal data, how KIBAG protects your personal data and what rights you have in this regard. If you have any questions or require further information about our data processing, please do not hesitate to contact us (section 2).
2. Who is responsible for processing your data?
The “controller” for the data processing activities under this privacy policy, i.e. the body primarily responsible under data protection law that determines the purpose and essential framework conditions of data processing, is the company responsible for the respective processing activity. This is often the following company:
KIBAG Holding AG
Bächaustrasse 73
8806 Bäch
Switzerland
If you are in contact with another group company, for example because you or your company obtain a service from that company or because you correspond directly with that company, the relevant company is the controller.
If you have any questions about data protection, you are welcome to contact the following address so that we can process your request as quickly as possible:
KIBAG Dienstleistungen AG
Data Protection
Seestrasse 404
8038 Zurich
3. What personal data do we process?
We process different categories of personal data depending on the occasion and purpose. The most important categories are listed below, although this list is not exhaustive.
In the case of contractual partners that are companies, we process less personal data, because the applicable data protection law generally only covers data relating to natural persons, i.e. human beings (in Switzerland, this has been the case under the revised data protection law since September 2023). However, we process data relating to the contact persons with whom we are in contact, such as names, contact details, professional information and information from communications, as well as information about management persons etc. as part of the general information about companies with which we work.
You provide much of the data mentioned in this section to us yourself, for example via forms, in the context of communication with us, in connection with contracts, when using the website, etc. You are not obliged to do so, subject to exceptions in individual cases. However, if you wish to conclude contracts with us or make use of services, you must provide us with data within the scope of your contractual obligations under the relevant contract, in particular master data and contractual data.
If you transmit or disclose data about other persons to us, for example information about family members or work colleagues, we assume that you are authorised to do so and that this data is correct. By transmitting data about third parties, you confirm this. Please also ensure that these third parties have been informed about this privacy policy, for example by referring them to this privacy policy.
3.1. Master data
We use the term master data to refer to the basic data that we require for handling our business relationships or for marketing and advertising purposes and that relates directly to you and your characteristics. For example, we process the following master data:
- form of address, surname and first name, gender
- address, contact details such as email address, telephone number and mobile phone number
- information about language preferences
- information about professional profile and employment, such as employment relationship, employer and start of employment
- in the case of contact persons at companies, also relationships with the company for which you work
- customer history
We generally obtain this master data from you yourself, but in some cases also from other persons who work for your company. We may also obtain personal data from third parties, for example from organisations for which you work, from third parties such as our contractual partners, associations and address brokers, and from publicly accessible sources such as public registers or the internet (websites, social media, etc.).
3.2. Contractual data
Contractual data is information that arises in connection with the conclusion or performance of a contract, for example information about contracts and the services to be provided or already provided, as well as data from the period before a contract is concluded, information about the conclusion of the contract itself, such as the date of conclusion and the subject matter of the contract, and the information required or used for performance. For example, we process the following contractual data:
- date, application process, information about the type, duration and conditions of the relevant contract, data relating to the termination of the contract
- contact details and delivery addresses
- information about the use of services
- information about payments and payment terms, invoices, mutual claims, contact with customer service, complaints, defects, returns, information about customer satisfaction, feedback, etc.
We receive this data from you, but also from partners with whom we work. Again, this data may relate to your company, in which case it is not “personal data”, but it may also relate to you if you work for a company or if you obtain services from us yourself.
3.3. Communication data
Communication data is data connected with our communication with you, for example if you contact us via the contact form or via other means of communication. Communication data includes, for example:
- name and contact details such as postal address, email address and telephone number
- content of correspondence, such as emails, written correspondence, telephone conversations, chat messages, etc.
- information about the type, time and, where applicable, place of communication and other metadata relating to the communication.
If we record telephone conversations, we will inform you at the beginning of the conversation. If you do not agree to the recording and storage of the conversation, you also have the option to end the conversation or contact us via other communication channels.
3.4. Technical data
Technical data is generated in connection with the use of our website. This includes, for example, the following data:
- IP address of the end device and device ID
- information about your device, the operating system of your end device or language settings
- information about your internet service provider
- content accessed or logs in which the use of our systems is recorded
- date and time of access to the website as well as your approximate location
We may also assign an individual code to you or your end device, for example through a cookie; see section 5.1. This code is stored for a certain period, often only during your visit. As a rule, we cannot derive who you are from technical data unless, for example, you contact us via a contact form, such as on partyschiffzuerichsee.ch, or set up a job alert at www.kibag.ch. In this case, we may link technical data with master data and therefore with your person.
3.5. Behavioural data
In order to align our offers and services as effectively as possible with you or your company, we try to get to know you better and tailor our services more closely to your needs. For this purpose, we collect and use data about your behaviour. Behavioural data primarily includes information about your use of our website. It may also be collected on the basis of technical data. This includes, for example, information about your use of electronic messages, such as whether and when you opened an email or clicked on a link, especially when newsletters are sent. We may also use your other interactions with us as behavioural data, and we may link behavioural data with other data, such as anonymous information from statistical offices, and evaluate this data on a personal and non-personal basis.
3.6. Preference data
Preference data gives us information about the needs you are likely to have and which services may be of interest to you or your company. We therefore also process data about your interests and preferences. For this purpose, we may link behavioural data with other data and evaluate this data on a personal and non-personal basis. This allows us to draw conclusions about characteristics, preferences and expected behaviour.
3.7. Other data
We may also collect data from you in other situations. In connection with official or court proceedings, for example, data may be generated, such as files, evidence, etc., which may also relate to you. We may receive or produce photos, videos and audio recordings in which you may be identifiable, for example at events or through security cameras. We may also collect data about who enters certain buildings and when, or who has corresponding access rights, including in the case of access controls, based on registration data or visitor lists, etc., who attends events or promotions and when, or who uses our infrastructure and systems and when.
4. For what purposes do we process your personal data?
We primarily use the personal data we collect to process your orders and for the service planning of our customers. In addition, we process personal data relating to you, to the extent permitted and where we deem it appropriate, for further purposes in which we, and sometimes also third parties, have a legitimate interest corresponding to the purpose:
- For communication purposes, i.e. to contact you and maintain contact with you. This includes answering enquiries and contacting you in the event of follow-up questions, for example by email. For this purpose, we process in particular your communication data and master data.
- For customer care and marketing purposes, in order to inform you specifically about offers in line with your personal interests and preferences, for example through a newsletter and personalised advertising. For this purpose, we process in particular technical data, master data, communication data and behavioural data.
- We also process data to improve our services and for product development.
- To ensure IT security and for prevention: We process personal data to monitor the performance of our operations, in particular IT, our website, applications and other platforms, for security purposes, to ensure IT security, to prevent theft, fraud and misuse, and for evidentiary purposes. This includes, for example, evaluating system records of the use of our systems (log data), preventing, defending against and investigating cyberattacks and malware attacks, analyses and tests of our networks and IT infrastructures, and system and error checks.
- To safeguard domiciliary rights and other measures relating to IT, building and facility security and to protect our employees and other persons as well as assets owned by us or entrusted to us, such as access controls, visitor lists, network and email scanners, and telephone recordings.
- To protect legal rights: In certain circumstances, we also process personal data in order to enforce claims in court, before or outside court and before authorities in Switzerland and abroad, or to defend ourselves against claims. Master data and communication data may be processed for this purpose.
- To comply with legal requirements: This includes, for example, processing complaints and other reports, complying with orders from a court or authority, measures to detect and investigate misuse, and generally measures to which we are obliged under applicable law, self-regulation or industry standards. For this purpose, we may process in particular your master data and communication data.
- For administration and support: In order to make our internal processes efficient, we process data where necessary for IT administration, accounting or data archiving. For this purpose, communication data, behavioural data and technical data in particular may be processed.
- We may also process data for other purposes. These include corporate management, including business organisation and corporate development, further internal processes and administrative purposes, such as master data management, accounting and archiving, training and education purposes, and the preparation and execution of the purchase and sale of business units, companies or parts of companies and other corporate transactions, including the related transfer of personal data, as well as measures for business management and the protection of further legitimate interests.
Where we ask for your consent for specific processing activities, we will inform you separately about the corresponding purposes of the processing. You may withdraw your consent at any time by notifying us in writing.
5. What online tracking and online advertising techniques do we use?
On our websites, we use various technologies that allow us and third parties engaged by us to recognise you during your use and, in some cases, to track you across several visits. The use of such technologies is specifically regulated. In this section, we provide information about this.
5.1. How and why do we use cookies and similar technologies?
For our websites, we use services from third parties in order to measure and improve the user-friendliness of the website and online advertising campaigns. For this purpose, we may integrate third-party components into our website, which may themselves use cookies. When we track you or use similar technologies, the core objective is to distinguish your access via your system from access by other users so that we can ensure the functionality of the website and carry out statistical evaluations. We do not seek to identify you. The technologies used are designed so that you are recognised as an individual visitor each time you access a page, for example by our server or the servers of third parties assigning a specific identification number to you or your browser, known as a “cookie”.
Cookies are files that your browser automatically stores on your end device when you visit our website. Cookies contain a unique identification number (an ID) that enables us to distinguish individual visitors from others, usually without identifying them. Depending on their purpose, cookies contain further information, for example about pages accessed and the duration of a visit to a page. We use session cookies, which are deleted again when the browser is closed, and persistent cookies, which remain stored for a certain period after the browser is closed and are used to recognise visitors on a later visit.
We use the following types of cookies and similar technologies:
- Necessary cookies: Necessary cookies are required for the functionality of the websites, for example so that you can move between pages without information entered in a form being lost.
- Performance cookies: These cookies collect information about the use of a website and enable analyses, for example which pages are most popular. They can thereby simplify visiting a website and improve user-friendliness.
- Functional cookies: Functional cookies enable enhanced functions and may display personalised content.
- Marketing cookies: Marketing cookies help us and our advertising partners to address you on our websites and on third-party websites with advertising for products or services that may be of interest to you, or to display our advertisements to you during your further internet use after you have visited our websites.
We use cookies in particular for the following purposes:
- personalisation of content
- display of personalised advertisements and offers
- display of advertisements on third-party websites and measurement of success, i.e. whether you respond to these advertisements (remarketing)
- storage of settings between your visits
- determination of whether and how we can improve our website
- collection of statistical data on the number of users and their usage habits, as well as improvement of the speed and performance of the website
- We may process your contact details in order to address you with advertising on third-party platforms.
5.2. How can cookies and similar technologies be deactivated?
When accessing our website, you have the option to activate or deactivate certain categories of cookies. You can configure your browser in the settings so that it blocks certain cookies or similar technologies or deletes existing cookies and other data stored in the browser. You can also extend your browser with software, known as plug-ins, that blocks tracking by certain third parties. You can find more information on this in your browser’s help pages, usually under the keyword “data protection” or “privacy”. Please note that our website may no longer function fully if you block cookies and similar technologies.
5.3. Cookies from partners and third parties on our website
We use services from third parties in order to measure and improve the user-friendliness of the website and online advertising campaigns. Third-party providers may also be located outside Switzerland and the EU/EEA, provided that the protection of your personal data is adequately ensured. For example, we use analytics services so that we can optimise our website. The relevant third-party providers may record the use of the website for this purpose and combine their records with further information from other websites. This enables them to record the behaviour of users across multiple websites and end devices in order to provide us with statistical evaluations on this basis. These providers may also use this information for their own purposes, for example for personalised advertising on their own website or on other websites.
Two of the most important third-party providers are Google and Meta. Further information on these providers can be found below. Other third-party providers generally process personal and other data in a similar way.
- Google Analytics, an analytics service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland; together “Google”, with Google Ireland Ltd. being responsible for the processing of personal data). Google uses cookies and similar technologies to collect certain information about the behaviour of individual users on or within the relevant website and about the end device used for this purpose, such as tablet, PC or smartphone. Google collects information about users’ behaviour on the website and the end device used and provides us with evaluations on this basis, but also processes certain data for its own purposes. Information about data protection at Google Analytics can be found here. You can deactivate Google Analytics by installing a corresponding browser add-on.
6. How do we process data in connection with social media?
On some of our websites, we integrate “social media plugins” from Facebook, Instagram, LinkedIn, YouTube, XING and TikTok in order to include functions from these providers in our websites. These plugins are deactivated by default. As soon as you activate them, for example by clicking the button, the respective providers may determine that you are on our website. If you have an account with the social media provider, the provider may associate this information with you and thus track your use of online services.
To display content from the social media providers listed on our website, we use the Flockler service. When you interact with the respective content, a connection is established to Flockler’s servers. Flockler is responsible for operating this service in compliance with data protection law.
We are generally jointly responsible with the respective providers for the exchange of data that such provider collects via plugins or comparable functions, but not for the provider’s further processing. Where possible, we have concluded a corresponding supplementary agreement with the provider. You can address requests for information and other data subject requests in connection with joint responsibility directly to the relevant provider.
If you communicate with us via social media and our profiles there, for example on Facebook, Instagram, etc., or comment on or share content, we collect information in this regard, which we use primarily for communication with you, for marketing purposes and for statistical evaluations. Please note that when you visit our social media presences, the platform provider also collects and uses data itself, for example data relating to user behaviour, possibly together with other data known to the provider, for example for marketing purposes or to personalise platform content. Further information on data processing by social network providers can be found in the privacy policies of the respective social networks.
We value a constructive tone on our social media channels and hereby refer you to our netiquette. We reserve the right to delete comments without giving reasons in the event of violations of our guidelines and to block users from our channels in the event of repeated violations.
7. To whom do we disclose your personal data?
In connection with our processing activities (section 4), we also disclose your personal data to other recipients.
We may disclose personal data that we receive from you or from third-party sources in particular to other companies of the KIBAG Group (see section 2). Such disclosure may serve group-internal administration or support for the relevant group companies and their own processing purposes, for example for the personalisation of marketing activities or the development and improvement of services.
We also disclose the personal data required for their services to service providers. This concerns in particular IT service providers, but also consulting companies, analytics service providers, debt collection service providers, credit agencies, marketing service providers, etc. Where service providers process personal data as processors, they are obliged to process personal data exclusively in accordance with our instructions and to take measures to ensure data security.
Data may also be disclosed to other recipients, for example to courts and authorities in the context of proceedings and statutory information and cooperation obligations, to buyers of companies and assets, to financing companies in securitisations and to debt collection companies.
In individual cases, it is possible that we may also disclose personal data to other third parties for their own purposes, for example if you have given us your consent to do so or if we are legally obliged or authorised to disclose such data.
8. Do we disclose personal data abroad?
Recipients of data are not only located in Switzerland. This particularly applies to certain service providers. Recipients may also be located outside the European Economic Area (EEA) and Switzerland, particularly in the USA, but also in other countries worldwide, for example Brazil and China due to the TikTok app. We may, for example, transmit data to authorities and other persons abroad if we are legally obliged to do so or, for example, in the context of a business sale or court proceedings. Not all of these countries currently guarantee a level of data protection equivalent to that under Swiss law. We compensate for the lower level of protection through appropriate contracts, in particular the standard contractual clauses issued by the European Commission and recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC). Further information on this and a copy of these clauses can be found at www.edoeb.admin.ch/edoeb/de/home/datenschutz/handel-und-wirtschaft/uebermittlung-ins-ausland.html.
In certain cases, we may also transfer data in accordance with data protection requirements without such contracts, for example if you have consented to the relevant disclosure or if the disclosure is necessary for the performance of a contract, for the establishment, exercise or enforcement of legal claims or for overriding public interests.
9. How long do we process personal data?
We store and process your personal data for as long as is necessary for the purpose of processing, in the case of contracts usually for the duration of the contractual relationship, for as long as we have a legitimate interest in storage, for example in order to enforce legal claims, for archiving or to ensure IT security, and for as long as data is subject to a statutory retention obligation, for example a ten-year retention period for certain data. If there are no legal or contractual obligations to the contrary, we delete or anonymise your data after expiry of the storage or processing period as part of our usual processes.
Master data is generally retained by us for 10 years from the last exchange with you, but at least from the end of the contract. This period may be longer where this is necessary for evidentiary reasons or to comply with legal or contractual requirements, or for technical reasons. In the case of purely marketing and advertising contacts, the period is normally significantly shorter, usually no more than 2 years since the last contact.
Contractual data is generally retained by us for 10 years from the last contractual activity, but at least from the end of the contract. This period may be longer where this is necessary for evidentiary reasons or to comply with legal or contractual requirements, or for technical reasons.
10. How do we protect your data?
We take appropriate security measures to preserve the confidentiality, integrity and availability of your personal data, to protect it against unauthorised or unlawful processing and to counter the risks of loss, accidental alteration, unwanted disclosure or unauthorised access. However, security risks can generally not be completely excluded; residual risks are unavoidable.
11. What rights do you have?
Under the applicable data protection law, you have certain rights that enable you to obtain further information about our data processing and to influence it. These are in particular the following rights:
- Right of access: You may request further information about our data processing. We will be happy to assist you in this regard. You may also submit a formal access request if you would like further information and a copy of your data.
- Objection: You may object to our data processing activities, for example processing for marketing purposes.
- Rectification: You may have incorrect or incomplete personal data corrected or completed, or supplemented by a note of dispute.
- Portability: You also have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format or to have it transferred to a third party, provided that the corresponding data processing is based on your consent or is necessary for the performance of a contract.
- Withdrawal: Where we process data on the basis of your consent, you may withdraw your consent at any time. The withdrawal only applies to the future, and we reserve the right to continue processing data on another basis in the event of withdrawal.
Please note that these rights are subject to legal requirements and restrictions and are therefore not available in full in every case. In particular, we may have to continue processing and storing your personal data in order to perform a contract with you, to safeguard our own legitimate interests, such as the assertion, exercise or defence of legal claims, or to comply with legal obligations. To the extent permitted by law, in particular to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may therefore also reject a data subject request in whole or in part, for example by redacting certain content relating to third parties or our trade secrets.
If you wish to exercise rights against us, please contact us in writing. Our contact details can be found in section 2. As a rule, we must verify your identity, for example by means of a copy of an identity document. You are also free to lodge a complaint against our processing of your data with the competent supervisory authority. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
Version of this privacy policy: 1 September 2023