PRÜFAG

Privacy policy

I. General information

1. General

With this data protection declaration, PRÜFAG Audit Ltd, PRÜFAG Advisory Ltd and PRÜFAG Lohnbuchkontrollen AG (hereinafter PRÜFAG, “we” or “us”) explain to their customers, users, business partners, applicants, authorities and other persons involved (“you”) how personal data is collected and processed in the company. Responsible handling of your personal data is very important to us.

You may only disclose personal data of third parties to us if you are authorized to do so and the personal data is correct. We ask you to ensure that the persons concerned are aware of this privacy policy.

In this privacy policy, we alternate between the masculine and feminine form. All other gender designations are also to be understood under the respective designation.

We may amend this privacy policy at any time and without prior notice. The current version published on our website applies in each case.

2. Person responsible for data protection matters

The responsibility for the content of this privacy policy and for the data processing described lies with:

PRÜFAG Advisory Ltd
Badenerstrasse 144
CH-8004 Zurich
Phone: +41 58 733 00 60
E-mail: advisory@pruefag.ch

PRÜFAG Audit Ltd
Badenerstrasse 144
CH-8004 Zurich
Phone: +41 58 733 00 60
E-mail: audit@pruefag.ch

PRÜFAG Lohnbuchkontrollen AG
Badenerstrasse 144
CH-8004 Zurich
Phone: +41 58 733 00 50
E-mail: lbk@pruefag.ch

3. EU data protection representative

For natural persons with a simple residence in countries of the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as well as for the country-specific supervisory authorities provided for in the GDPR, we designate the following person as EU data protection representative in accordance with Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
E-mail: info@datenschutzpartner.eu

4. Terminology

By way of introduction, we clarify the most important terms used below for better understanding. In this respect, we generally adhere to the definitions of the Swiss Data Protection Act.

  • Personal data: all information relating to an identified or identifiable natural person.
  • Data subjects: natural persons about whom personal data is processed.
  • Processing: any handling of personal data, regardless of the means and procedures used, in particular the collection, storage, retention, use, modification, disclosure, archiving, deletion or destruction of data.
  • Controller: private individual or federal body that decides, alone or together with others, on the purposes and means of processing.
  • Processor: private person or federal body that processes personal data on behalf of the controller.

5. Legal basis for data processing

This Privacy Policy complies with the requirements of the Swiss Federal Act on Data Protection (“FADP”) and the associated Ordinance (“DPO”) as well as the General Data Protection Regulation of the European Union (“GDPR”). The type and scope of the applicable legislation depends on the individual case. Foreign data protection law is only applied insofar as this is mandatory under the applicable law and only for the data processing processes and persons affected.

We comply with the applicable data protection regulations when processing personal data.

The processing of personal data must not unlawfully violate the personality of the persons concerned. For this reason, such data processing must comply with the processing principles of data protection law and/or must be legitimized by a justification. In particular, we are legitimized to process personal data if the processing:

  • is based on a legal basis. The processing of personal data may be required or legitimized by law (e.g. statutory retention obligations).
  • is necessary for the performance of a contract with the data subject or for pre-contractual measures. The majority of the processing of personal data in our company is carried out as part of the fulfillment of contractual obligations (e.g. provision of services as part of our client relationships).
  • is necessary for the purposes of the legitimate interests pursued by us or by third parties. A legitimate interest on our part exists in particular if the processing of personal data takes place within the scope of the purposes mentioned in Section 8 as well as the disclosure of data in accordance with Section 10 and the associated objectives.
  • is based on consent. Insofar as the processing of personal data is based on your consent, we will inform you of this separately and transparently. You can revoke your consent at any time with effect for the future using the functions provided for this purpose (e.g. unsubscribe link for newsletters) or by sending us a written message (see contact points in sections 2 and 3 above). Upon receipt of your revocation, we will cease the data processing concerned, unless we can base the processing on another justification.
  • is necessary to comply with domestic and foreign legal regulations.

6. Categories of personal data

Depending on the services you use and the respective relationship between you and us, we process the following categories of personal data in particular:

  • Master data: e.g. title, surname, first name, gender, date of birth, address and contact details such as address, telephone numbers, e-mail addresses, company for which you work (incl. contact information and contact person), language, customer numbers, user names, financial information, AHV numbers.
  • Contract data: e.g. information relating to the initiation, conclusion, processing, administration and termination of contracts between you and us, information in connection with job applications [see also section 16 below], interaction history, financial and payment information such as creditworthiness, information in connection with the enforcement of claims, bank data.
  • Communication data: e.g. master data, contract data, communication content from written, electronic and verbal correspondence (incl. social media posts and messages etc.), information from surveys, information on time, place, type etc. of communication, proof of identity, marginal data.
  • Behavioral and transactional data: e.g. in connection with the use of our website, with your visit to our locations, participation in events, competitions and surveys, the use of electronic communication channels.
  • Technical data: e.g. IP addresses, device IDs, details of the devices and applications you use and their settings, the internet provider you use, user names, passwords [as hash values], information in connection with 2-factor authentication, log data, time and, if applicable, approximate location when using our products and services.
  • Marketing data: e.g. information on personal preferences and interests, subscriptions and unsubscriptions to newsletters, content of marketing correspondence.
  • Image and sound recordings: e.g. recordings of telephone and video conference calls [only made with prior notice and with your consent], recordings in connection with customer and staff events.

Within the scope of application of the GDPR, this data is processed either for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in processing the inquiries addressed to us or based on your consent (Art. 6 para. 1 lit. a GDPR). Consent can be revoked at any time with effect for the future.

7. Origin of the data

To a large extent, we collect personal data directly from you as the data subject. In particular, this includes master data, contract data, communication data and marketing data. Such personal data is collected as part of the initiation and processing of business relationships and the use of our services. If you provide us with data on other persons (e.g. family members, business colleagues, employees), you must ensure that you are authorized to do so and that the data is correct. In addition, the persons concerned must be informed of this privacy policy in advance.

We may also collect personal data about you ourselves or automatically or derive it from existing data. This includes, in particular, behavioral and transaction data as well as technical data.

Finally, we also collect personal data from third parties insofar as this is permitted by law. Such third parties include, in particular, persons from your environment, business partners, employers, insurance companies, banks, authorities, official bodies, courts, parties and their legal representatives in the context of legal disputes, etc. We may also collect personal data from public sources (e.g. credit agencies, social media).

8. Purpose of data processing

We process the data collected in order to fulfill our legal and contractual obligations towards you and third parties. This includes in particular the initiation (including contact requests), administration and processing of contractual relationships.

We also process the data collected in order to ensure communication with you, to provide and improve the services you have requested, to manage your use of and access to our services, to maintain our business relationship with you, to carry out advertising and marketing measures (insofar as we are authorized to do so, e.g. with your consent), to monitor and improve the performance of our services, to enforce legal claims or defend ourselves against them, to detect, prevent or clarify illegal activities, to ensure compliance with laws, recommendations of domestic and foreign authorities and internal regulations (“compliance”), to manage risks, to generally guarantee our operations (in particular IT, website, etc.) and to ensure administrative processes (e.g. data archiving, accounting, master data maintenance, quality assurance).

9. Processing time of personal data

We process your personal data for as long as we are legally obliged to do so (e.g. retention and archiving obligations) or our legitimate business interests require this (e.g. enforcement of or defense against claims, ensuring IT security) or as long as the purpose of collecting your data makes it necessary or the retention is technically required. In the case of contracts, data is generally stored for the duration of the contractual relationship and the statutory retention periods beyond this (generally 10 years).

This may result in your personal data or extracts thereof having to be stored for several years after the end of the contractual relationship between you and us. If your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymized as far as possible.

In certain cases, we may also store your personal data for longer – based on your consent (e.g. job applications that we have pending).

10. Disclosure of personal data to third parties

Where legally permissible and necessary, we may also pass on certain personal data to third parties as part of our business activities. These third parties process your personal data either on our behalf (processors), in joint responsibility with us or on their own responsibility. These include, among others:

  • Group companies
  • our service providers, such as banks, insurance companies, IT providers, debt collection agencies, credit agencies, cleaning companies, advertising service providers, lawyers, external consultants, auditors, etc.
  • Business partners
  • Domestic and foreign authorities, official bodies and courts
  • Other parties in the context of administrative and court proceedings
  • Parties involved in corporate transactions (e.g. purchase, sale or merger of companies, business units, etc.)
  • Other third parties who are necessary to achieve the purpose of the respective data processing

Where necessary, we have concluded corresponding order processing contracts with our service providers. In these contracts, they undertake to comply with data protection and data security regulations. Furthermore, they may only process personal data in accordance with our instructions. They also grant us comprehensive rights of inspection and control as well as rights of access, rectification and erasure.

11. Disclosure of personal data abroad

As a rule, we process and store personal data in Switzerland and the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and recipients located outside this area or process personal data outside this area, in principle in any country in the world. In particular, you must expect personal data to be disclosed to all countries in which the service providers we use and their subcontractors (in particular the USA) and group companies are located.

By taking appropriate measures, we ensure compliance with the legal requirements. Specifically, there is an adequacy decision by the competent authority. In the absence of such a decision, the transfer of personal data takes place on the basis of suitable guarantees (in particular standard contractual clauses approved by the European Commission and the Federal Data Protection and Information Commissioner [FDPIC]) or there are exceptions for certain situations (contract processing, law enforcement abroad, etc.) or we obtain your express consent.

12. Data security

To secure your data, we maintain technical and organizational security measures in accordance with the current state of the art.

Communication via our website is encrypted using the SSL/TLS encryption protocol. However, we would like to point out that even encrypted data transmission on the Internet always involves security risks. Complete protection of data against access by third parties cannot be guaranteed.

13. Your rights as a data subject

Insofar as the requirements of the applicable data protection law are met and no statutory exceptions apply, you have the following rights in connection with the processing of your personal data:

  • to receive, on request and free of charge, information about whether and, if so, which personal data we process about you
  • to have incorrect or incomplete personal data corrected
  • to have the processing of your personal data restricted
  • to have your personal data blocked
  • to have your personal data deleted or anonymized
  • to data portability
  • to withdraw your consent to the processing of your personal data with effect for the future
  • to object to the processing of your personal data.

Please note that these rights may be restricted or excluded in individual cases (e.g. to protect third parties or business secrets).

To assert your rights as a data subject or if you have any questions about this privacy policy and the processing procedures described therein, you can contact the offices listed in sections 2 and 3 above.

If you believe that your data has been processed unlawfully, we would be grateful if you could contact us directly. Alternatively, you can lodge a complaint with the supervisory authority responsible for you. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, the complaint must be submitted to the respective national data protection authority.

II. Supplementary information in connection with selected data processing operations

14. Data processing in connection with the use of our website
14.1. Hosting and log files

We host our website with a Swiss hosting provider based in Switzerland. Each time you visit our website, the hosting provider automatically collects and stores information (server log files) that your browser transmits. This includes the name and URL of the retrieved file, date and time, data volume, web browser and web browser version, operating system, the domain name of your internet provider, the so-called referrer URL (the page from which you accessed our website) and the IP address. This usage data is used to detect technical problems, to ensure security and to statistically evaluate the use of our website and thus also to further develop our offer.

We process the aforementioned data for the following purposes:

  • to ensure a smooth connection to the website,
  • to ensure comfortable use of our website,
  • to evaluate system security and stability, and
  • for other administrative purposes and in the event of unlawful use of our website or our services.

Within the scope of application of the GDPR, this data is processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in accordance with the purposes listed above or your consent (Art. 6 para. 1 lit. a GDPR). Consent can be revoked at any time with effect for the future.

14.2. Cookies

The cookies used on the website are:

  • Bootstrap CDN
  • Google Fonts
  • Google Maps

14.3. Links to other websites

Our website contains hyperlinks to third-party websites that are not operated or controlled by us. We are not responsible for their content or data protection practices.

14.4. Tracking

Our website uses Google Analytics, Google Maps and Google Fonts from Google Inc. For the European area, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services (hereinafter “Google”).

In addition to the following explanations, you will find further information on data protection at Google in the Google data protection declaration: https://policies.google.com/privacy.

We have concluded an order processing contract with Google.

Within the scope of application of the GDPR, this data is processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in an appealing website and in increasing our reach or based on your consent (Art. 6 para. 1 lit. a GDPR). Consent can be revoked at any time with effect for the future.

Google Analytics

We use functions of the web analysis service Google Analytics on our website. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site (see section 14.2 above). The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, due to the activation of IP anonymization on these websites, your IP address will be shortened by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and Switzerland. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

The purpose of the data processing is to evaluate the use of the website and to compile reports on activities on the website. Based on the use of the website and the Internet, further related services are then to be provided.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link: Browser Add On to deactivate Google Analytics.

In addition or as an alternative to the browser add-on, you can prevent tracking by Google Analytics on our pages by clicking on this link. This will install an opt-out cookie on your device. This will prevent Google Analytics from collecting data for this website and for this browser in the future as long as the cookie remains installed in your browser.

You can find more information on how Google Analytics handles user data in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Google Maps

We use Google Maps on our website to display interactive maps and to provide directions. When you access a web page on our website that has integrated Google Maps, your browser establishes a connection with the Google servers. In addition, Google Maps sets cookies (see section 14.2 above). By using Google Maps, various information (e.g. IP address, addresses entered, date and time of the website visit) can be transmitted to Google servers in the USA.

You can find more information about data processing by Google here: https://policies.google.com/privacy?hl=de. You can also change your personal data protection settings there in the data protection center. Detailed instructions on managing your own data in connection with Google products can be found here.

General information about Google Maps can be found at: https://www.google.com/intl/de/maps/about/#!/.

Google Fonts

We use Google Fonts on our website for the uniform display of fonts. Google Fonts are installed locally. There is no connection to Google servers.

Further information on Google Web Fonts can be found at: https://developers.google.com/fonts/faq.

15. Processing of personal data in the context of the use of cloud service providers

Below we would like to inform you about the most important cloud service providers that we use:

  • Microsoft 365 (incl. Exchange, SharePoint, Teams, OneDrive) and Microsoft Azure: The provider of these services is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”). According to Microsoft, data storage on Microsoft Azure (file data) takes place exclusively on servers located in Switzerland, while Microsoft Exchange, SharePoint, Teams and OneDrive are stored in Europe (see here). In addition to the information provided here, you can find further information on data protection in the Microsoft Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement.
  • RMail: The provider is Suisse AG, Industriestrasse 33, 5242 Lupfig, Switzerland (“RMail”). RMail is a service for the verifiable sending of e-mails and for services in the areas of encryption technology and electronic signatures. In addition to the information provided here, you will find further information on data protection in the RPost privacy policy: https://rpost.com/legal-notices/privacy-notice/.
  • JobCloud: The provider is JobCloud AG, Albisriederstrasse 253, 8047 Zurich (“JobCloud”). JobCloud is a cloud-based recruitment solution. In addition to the present statements, you will find further information on data protection in the JobCloud data protection declaration: https://www.jobcloud.ch/c/de-ch/datenschutzerklarung/

16. Processing of personal data of applicants

We accept applications by e-mail, LinkedIn or JobCloud (see also section 15 above). If necessary, we also work with other external partners (e.g. job portals and recruitment agencies). Please also note the data protection notices of these partners.

We treat your data as strictly confidential. Your personal data will only be passed on within our company to persons who are entrusted with processing your application.

We process the personal data sent to us as part of your application and the personal data collected as part of the application process, insofar as this is necessary for the decision on the conclusion and execution of an employment contract. This includes

  • Master data (surname, first name, address, contact details, date of birth, marital status, etc.)
  • Information on your educational, professional and personal qualifications
  • Information that we have collected as part of the application process (e.g. as part of assessments)
  • Other information that you have sent to us in connection with your application.

We process your personal data in this regard for as long as this is necessary for the decision on your application. It will be deleted a maximum of six months after the end of the application process, unless longer storage is legally required or permitted or you have consented to longer storage.

If an employment relationship is established following the application process, your application documents will be transferred to your personnel file.

17. Processing of personal data in the context of interaction with our social media channels
17.1. General information

We maintain the publicly accessible profiles in social networks listed below. For this purpose, we can provide linked graphics to the respective networks on our website. By clicking on a corresponding graphic, you will be redirected to the selected social network. After forwarding, the network collects and processes your information within the following framework.

When you visit our profiles on social networks, personal data may be collected about you. For example, if you are logged into your social network accounts and visit our profile at the same time, the portal operator may be able to assign this visit to your user account. However, even if you have logged out of your account or if you do not have an account with the respective portal, your personal data may be collected. Such data can be collected, for example, by setting cookies. Based on the data collected in this way, the portal operators can create user profiles and show you interest-based advertising. Further information on this can be found in the respective data protection declarations of the portal operators.

The purpose and scope of the data collection and the further processing and use of the data by the respective social network as well as your rights in this regard and setting options to protect your privacy can be found in the relevant data protection provisions of the respective social network.

Within the scope of the GDPR, social networks are used in the interest of an appealing presentation of our online offers, to increase our reach and to promote our products and services. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time with effect for the future.

17.2. XING

We maintain a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. You can find more information on how Xing handles your personal data in their privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

17.3. LinkedIn

We maintain a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. You can find more information on how LinkedIn handles your personal data in their privacy policy: https://www.linkedin.com/legal/privacy-policy.

LinkedIn uses advertising cookies. If you wish to disable them, please follow this link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

17.4. Google My Business

We use Google My Business from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

When you visit and interact with our Google My Business entry, Google also records your IP address and other information that is collected in the form of cookies on your end device. This information is collected for statistical purposes. The data collected about you in this context is processed by Google and may also be transferred to the USA. The use of Google My Business is at your own risk.

Further information can be found in the Google privacy policy: https://policies.google.com/privacy.