Preamble
With the following data protection declaration, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both as part of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").
The terms used are not gender-specific.
Status: 31 August 2023
Table of contents
- Preamble
- Responsible
- Overview of the processing
- Relevant legal bases
- Transmission of personal data
- International data transfers
- Rights of the data subjects
- Performance of duties according to statutes or rules of procedure
- Business services
- Providers and services used in the course of business
- Registration, login and user account
- Community functions
- Contact and enquiry management
- Surveys and polls
- Web analysis, monitoring and optimisation
- Presence in social networks (social media)
- Plugins and embedded functions and content
Responsible
Swiss Society of Hypertension
Dufourstrasse 30
CH-3005 Bern
Switzerland
T. +41 (0)31 388 80 78
info@swisshypertension.ch
www.swisshypertension.ch
Authorised representative
Grégoire Wuerzner, President
Relevant legal bases
Relevant legal basis according to the Swiss Data Protection Act:
If you are in Switzerland, we process your data on the basis of the Federal Data Protection Act (in short "Swiss DPA"). This also applies if our processing of your data otherwise concerns you in Switzerland and you are affected by the processing. In principle, the Swiss DPA does not stipulate (unlike the GDPR, for example) that a legal basis must be stated for the processing of personal data. We only process personal data if the processing is lawful, is carried out in good faith and is proportionate (Art. 6 para. 1 and 2 of the Swiss DPA). Furthermore, personal data is only obtained by us for a specific purpose that is identifiable to the data subject and is only processed in a way that is compatible with those purposes (Art. 6 para. 3 of the Swiss DPA).
Overview of the processing
The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.
Types of data processed
- Inventory data.
- Payment details.
- Location data.
- Contact details.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and procedural data.
Categories of persons concerned
- Customers.
- Interested parties.
- Communication partners.
- Users.
- Members.
- Business and contractual partners.
- Pupils/students/participants.
- Participants.
Purposes of the processing
- Provision of contractual services and fulfilment of contractual obligations.
- Contact requests and communication.
- Safety measures.
- Reach measurement.
- Office and organisational procedures.
- Managing and responding to enquiries.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offer and user-friendliness.
Transmission of personal data
In the course of our processing of personal data, the data may be transferred to or disclosed to other bodies, companies, legally independent organisational units or persons. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.
Transfer of data within the organisation: We may transfer or provide access to personal data to other entities within our organisation. Where this transfer is for administrative purposes, the transfer of data is based on our legitimate corporate and business interests or is made where it is necessary for the performance of our contract-related obligations or where there is consent from the data subjects or legal permission.
International data transfers
Disclosure of personal data abroad: In accordance with the Swiss Data Protection Act (DPA), we only disclose personal data abroad if adequate protection of the data subjects is guaranteed (Art. 16 Swiss DPA). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures. These may include international agreements, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) or internal company data protection regulations recognised in advance by the FDPIC or a competent data protection authority in another country.
According to Art. 16 of the Swiss DPA, exceptions may be allowed for the disclosure of data abroad if certain conditions are met, including consent of the data subject, performance of a contract, public interest, protection of life or physical integrity, data made public or data from a register provided for by law. These disclosures are always made in accordance with legal requirements.
Rights of the data subjects
Rights of data subjects under the Swiss DPA:
As a data subject, you are entitled to the following rights in accordance with the provisions of the Swiss Data Protection Act:
- Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to enable you to exercise your rights under this law and to ensure transparent data processing.
- Right to data release or transfer: You have the right to request the release of your personal data that you have disclosed to us in a commonly used electronic format.
- Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you.
- Right to object, erasure and destruction: You have the right to object to the processing of your data and to request that the personal data concerning you be erased or destroyed.
Performance of duties according to the statutes or rules of procedure
We process the data of our members, supporters, interested parties, business partners or other persons (collectively "data subjects") if we have a membership or other business relationship with them and perform our tasks and are recipients of services and benefits. In addition, we process the data of data subjects on the basis of our legitimate interests, e.g. when it concerns administrative tasks or public relations work.
The data processed in this context, the type, scope and purpose and the necessity of its processing are determined by the underlying membership or contractual relationship, which also determines the necessity of any data disclosures (we also refer to required data).
We delete data that is no longer required to fulfil our statutory and business purposes. This is determined according to the respective tasks and contractual relationships. We retain the data for as long as they may be relevant for the processing of the business, as well as with regard to any warranty or liability obligations on the basis of our legitimate interest in their regulation. The necessity of retaining the data is reviewed regularly; in all other respects, the statutory retention obligations apply.
- Types of data processed: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers). Contract data (e.g. subject matter of the contract, term, customer category).
- Data subjects: Users (e.g. website visitors, users of online services); members. Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; contact requests and communication. Administration and response to requests.
- Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Business services
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g. to answer enquiries.
We process this data in order to fulfil our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. Furthermore, we process the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations as well as the company organisation. Furthermore, we process the data on the basis of our legitimate interests in proper and business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfil legal obligations. Contractual partners will be informed about further forms of processing, e.g. for marketing purposes, within the framework of this data protection declaration.
We inform the contractual partners of the data required for the above-mentioned purposes before or in the course of data collection, e.g. in online forms, by means of special labelling (e.g. colours) or symbols (e.g. asterisks or similar), or in person.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e., in principle after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving reasons. The statutory retention period for documents relevant under tax law as well as for commercial books, inventories, opening balances, annual financial statements, the work instructions required to understand these documents and other organisational documents and accounting vouchers is ten years and for received commercial and business letters and reproductions of sent commercial and business letters six years. The period shall begin at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual accounts or the management report was drawn up, the commercial or business letter was received or sent or the accounting document was created, furthermore the recording was made or the other documents were created.
Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.
- Types of data processed: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); contract data (e.g. subject matter of contract, term, customer category); usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
- Affected persons: Customers; interested parties; business and contractual partners. Pupils/students/participants.
- Purposes of processing: provision of contractual services and fulfilment of contractual obligations; security measures; contact requests and communication; office and organisational procedures. Administration and response to requests.
- Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further guidance on processing operations, procedures and services:
- Shop and e-commerce: We process the data of our customers in order to enable them to select, purchase or order the selected products, goods and associated services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, in particular postal, forwarding and shipping companies, to carry out the delivery or execution for our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The required information is identified as such in the context of the order or comparable purchase process and includes the information required for delivery or provision and billing as well as contact information in order to be able to contact you; legal basis: contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Education and training services: We process the data of the participants of our education and training offers (uniformly referred to as "trainees") in order to be able to provide them with our training services. The data processed in this context, the type, scope, purpose and necessity of their processing are determined by the underlying contractual and training relationship. The forms of processing also include the performance assessment and evaluation of our services and those of the teachers. In the course of our activities, we may also process special categories of data, in particular information on the health of students and trainees, as well as data revealing ethnic origin, political opinions, religious or philosophical beliefs. For this purpose, we obtain the explicit consent of the trainees, if required, and otherwise only process the special categories of data if it is necessary for the provision of the training services, for the purposes of preventive health care, social protection or the protection of vital interests of the trainees; legal basis: fulfilment of the contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Project and development services: We process the data of our customers and clients (hereinafter uniformly referred to as "customers") in order to enable them to select, purchase or commission the selected services or works as well as associated activities and to pay for and make them available or execute or provide them.
The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations. Insofar as we obtain access to information of the end customers, employees or other persons, we process this in accordance with the legal and contractual requirements;
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Offer of software and platform services: We process the data of our users, registered users and any test users (hereinafter uniformly referred to as "users") in order to be able to provide our contractual services to them and on the basis of legitimate interests in order to ensure the security of our offer and to be able to develop it further. The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations; legal basis: contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Events: We process the data of the participants of the events and similar activities offered or organised by us (hereinafter uniformly referred to as "participants" and "events") in order to enable them to participate in the events and to take advantage of the services or promotions associated with participation.
If we process health-related data, religious, political or other special categories of data in this context, then this is done within the scope of disclosure (e.g. in the case of thematically oriented events or serves health care, safety or is done with the consent of the persons concerned).
The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations. Insofar as we obtain access to information of the end customers, employees or other persons, we process this in accordance with the legal and contractual requirements;
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Providers and services used in the course of business
As part of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers ("services" for short) in compliance with the legal requirements.
- Types of data processed: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms). Contract data (e.g. subject matter of the contract, term, customer category).
- Data subjects: Customers; prospective customers; users (e.g. website visitors). Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations. Office and organisational procedures.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Registration, login and user account
Users can create a user account. As part of the registration process, users are informed of the mandatory information required, and this information is processed for the purpose of providing the user account on the basis of contractual obligation fulfilment. The processed data includes in particular the login information (user name, password and an e-mail address).
Within the scope of the use of our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorised use. As a matter of principle, this data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.
Users can be informed by e-mail about processes that are relevant to their user account, such as technical changes.
- Types of data processed: inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms). Meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures; administration and response to enquiries. Provision of our online offer and user-friendliness.
- Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Community functions
The community functions provided by us allow users to enter into conversations or other exchanges with each other. Please note that the use of the community functions is only permitted in compliance with the applicable legal situation, our terms and guidelines and the rights of other users and third parties.
- Types of data processed: Usage data (e.g. web pages visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations. Security measures.
- Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Contact and enquiry management
When contacting us (e.g. by post, contact form, email, telephone or via social media) as well as in the context of existing user and business relationships, the information of the enquiring persons is processed to the extent necessary to respond to the contact enquiries and any measures requested.
- Types of data processed: contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
- Affected persons: Communication partners.
- Purposes of processing: contact requests and communication; managing and responding to requests; feedback (e.g. collecting feedback via online form). Provision of our online offer and user-friendliness.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Surveys and polls
We conduct surveys and interviews in order to collect information for the respective communicated survey or interview purpose. The surveys and questionnaires we conduct (hereinafter "surveys") are evaluated anonymously. Personal data is only processed insofar as this is necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address in order to display the survey in the user's browser or to enable the survey to be resumed with the aid of a cookie).
- Types of data processed: contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, consent status).
- Affected persons: Communication partners. Participants.
- Purposes of processing: Feedback (e.g. collecting feedback via online form).
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Web analysis, monitoring and optimisation
Web analytics (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online offering and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of the reach analysis, we can, for example, recognise at what time our online offer or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimisation.
In addition to web analysis, we may also use testing procedures, e.g. to test and optimise different versions of our online offer or its components.
Unless otherwise stated below, profiles, i.e. data summarised for a usage process, can be created for these purposes and information can be stored in a browser or in a terminal device and read from it. The information collected includes, in particular, websites visited and elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have agreed to the collection of their location data from us or from the providers of the services we use, location data may also be processed.
The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored in the context of web analysis, A/B testing and optimisation, but pseudonyms. This means that we as well as the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.
- Types of data processed: Usage data (e.g. web pages visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors). Profiles with user-related information (creation of user profiles).
- Security measures: IP masking (pseudonymisation of the IP address).
Presence in social networks (social media)
We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.
We would like to point out that user data may be processed outside the European Union. This may result in risks for the users because, for example, it may be more difficult to enforce the rights of the users.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behaviour and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behaviour and the interests of the users are stored. Furthermore, data independent of the devices used by the users may also be stored in the usage profiles (especially if the users are members of the respective platforms and are logged in to them).
For a detailed presentation of the respective forms of processing and the options to object (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If you still need help, you can contact us.
- Types of data processed: contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: contact requests and communication; feedback (e.g. collecting feedback via online form). Marketing.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further guidance on processing operations, procedures and services:
- LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Order processing agreement: https://legal.linkedin.com/dpa; Basis for third country transfer: Standard Contractual Clauses (https://legal.linkedin.com/dpa). Option to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- X: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Privacy policy: https://twitter.com/privacy (Settings: https://twitter.com/personalization).
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for third country transfer: EU-US Data Privacy Framework (DPF). Possibility to object (opt-out): https://adssettings.google.com/authenticated.
Plugins and embedded functions and content
We integrate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content").
The integration always requires that the third-party providers of this content process the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is thus required for the display of this content or function. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offering, as well as being linked to such information from other sources.
- Types of data processed: Usage data (e.g. web pages visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status). Location data (information on the geographical position of a device or person).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of the processing: Provision of our online offer and user-friendliness.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further guidance on processing operations, procedures and services:
- Google Maps: We integrate the maps of the "Google Maps" service of the provider Google. The data processed may include, in particular, IP addresses and user location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy. Basis for third country transfers: EU-US Data Privacy Framework (DPF).
Created with free Datenschutz-Generator.de by Dr. Thomas Schwenke