Privacy Policy

1. Who is responsible for data processing?

Meret Sagoo and Jeanne-Françoise Weber ctrl-data GmbH Maneggstrasse 95
8041 Zurich
datenschutz@ctrl-data.ch
+41 77 460 96 01

ctrl-data GmbH ("ctrl-data") wants you to feel secure regarding your personal data and to be informed when your personal data is processed, which data is processed and for what purpose it is processed before, during and after conducting business with us or visiting and interacting with our website. Other data protection declarations, general terms and conditions, etc. may regulate specific matters. Our service relates exclusively to the Swiss market, which is why we process your personal data in accordance with Swiss data protection regulations and other legal provisions. ctrl-data reserves the right to modify this privacy policy from time to time where necessary. You will find the current, binding version here.

2. Terms

Personal data is any information relating to an identified or identifiable natural person (for example, a name, contact details, date of birth or email address). Processing includes any handling of personal data, such as storing, disclosing, collecting, deleting, storing, modifying or destroying.

3. Do we process personal data?

3.1. General

Your data is a matter of trust for us. For ctrl-data it goes without saying, that we only collect and process personal data that we absolutely need for our business operations or to fulfil our contractual agreement or to provide the website. We collect and record your data when you interact with us or when you visit our website. We also collect or compile personal data as part of our service offerings and when we obtain personal data from other publicly available sources. Your data will only be processed for this specific purpose. It will not be used for any other purpose and will not be shared with third parties for their own processing purposes. We do not create a data profile of you or send you personalised advertising. The data we store is carefully managed and protected from misuse of any kind.

If you provide us with any data about third parties (such as students, teachers or colleagues), please ensure that you only provide us with personal data that you are authorised to, and the persons concerned have been informed in advance about the disclosure and our privacy policy. We make a point of only working with selected third-party service providers who meet our high data protection requirements. We have ensured this contractually. We ensure that third parties we collaborate with only receive personal data on a need to know basis. All electronic communications are encrypted end-to-end as far as possible and that the selected processing environment is protected with adequate, state-ot-the-art security and protection measures. It is also important for us to work with local providers. Therefore, our partners are primarily from Switzerland or otherwise the EU. Our partners help us with the storage of our documents, data security (e.g. through anti-virus programmes and firewalls) or through encrypted programmes such as our e- mail and telephony. If you have any concerns or would like to know more about our processing, you can find more information below. You are also welcome to contact us so that we can give you information personally.

3.2. Website

In order to be able to process your enquiry properly via the contact form, e-mail or telephone, we need some information about you, such as your name and e-mail address. Mandatory fields are only marked if the relevant information is required to offer our services. On our website we refer to websites of third parties. We make sure that third parties do not receive any data from you when you browse and interact with our website. Data is only transferred when you click on these links and are redirected to the corresponding website of the third party. In this case the privacy policy of the third party comes into effect and is no longer within our control. Our website was built and developed from the ground up and does not use cookies or plugins.

3.3. Categories of personal data

We process the following categories of personal data:

  • Contact details

  • Information about your company

  • Information about the position, title of your employees

  • Information about the relationship between you and a person and other basic information

  • Identification and background information

  • Financial information

  • Information disclosed to us (by third parties)

  • Information we create for our services to you

  • Information you provide us with

  • Information via log files

4. When and for what purposes do we process your personal data?

We or third parties process personal data as follows:

  • For the operation of our website.

  • Communication: In the context of our communication, we process your personal data as well as the personal data of your employees and third parties in a relevant relationship with you.

  • Background check: For our due diligence, we can conduct a background check during the initial communication and negotiation phase.

  • Contract negotiations: In order to determine our services, we may already have access to the personal data available to you and information about you, your customers, service providers or other categories of persons who have a relevant relationship with you.

  • Services: We process personal data in order to provide our agreed services and to create information for you.

  • Business relationship: To be able to manage the business relationship with you.

  • Maintaining our operations: We process personal data for our internal business infrastructure.

  • Sending information and events: We process your data to send you updates, invitations to events, information about changes that are relevant to you, etc. We also process your personal data to send you information about our products and services

  • Billing: For billing purposes, we process financial information such as payment information.

  • Data security: We process your data for system security and stability, especially of our website.

  • Prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analyses to combat fraud)

  • Retention: We will retain the information you provide and the information we create as part of our service for no longer than the retention periods applicable to us.

  • Legal requirements: To comply with our legal and regulatory obligations.

  • Legal cases: For the possible enforcement as well as the defence of legal claims.

5. On what legal basis do we process personal data?

We process personal data for the purposes set out in section 4 on the basis of the following: to fulfil our (pre- )contractual obligations and provide our services, to protect legitimate interests including the interests mentioned and listed above (in order to be able to carry out our activities and in particular the website in a user-friendly, secure and reliable manner and to be able to communicate about it, to ensure information security and protection against misuse as well as to assert, implement or defend legal claims or (in) legal proceedings), to comply with legal and regulatory obligations and/or based on consent.

6. Will your personal data be disclosed to third parties or abroad?

We try to avoid disclosing your personal data to third parties or abroad. Insofar as it is permitted and appropriate within the scope of our business activities and for the purposes described in section 4 (e.g. through the fulfilment of a contract or overriding private interest), you have given your consent or we are obliged to do so by law or by enforceable official or court orders, we may disclose your personal data. This may involve the following recipients:

  • Our service providers (e.g. banks, accounting, insurance, event organisers, audio and video conferencing platforms, e-mail and IT providers, storage solution)

  • Recipients individually defined by you (e.g. your partner company or subsidiary)

  • domestic and foreign authorities, agencies, courts or other parties in potential or actual legal proceedings

  • Third parties in potential or actual legal proceedings

If you would like to know which specific companies we work with, we will be happy to provide you with more detailed information. You can reach us at the contact details listed in section 1. Our recipients are generally within Switzerland, but can also be in the EU/EEA or anywhere in the world. However, we make a point of outsourcing as little as possible or passing on data to non-EU/EEA countries. Third parties commissioned by us to process data may only process personal data in accordance with our instructions.

If, exceptionally, a recipient is located in a country without adequate legal data protection, the recipient will be contractually obliged to comply with the applicable data protection law. This is done via standard contractual clauses of the European Commission, with the necessary adaptations for Switzerland, which can be called up here, insofar as the recipient is not already subject to a legally recognised set of rules to ensure data protection and no exemption provision applies. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have given your consent or if it is data that you have made generally accessible and you have not objected to its processing.

The personal data that you provide to us via the contact form will not be disclosed to third parties or abroad. The transmission of the data is also end-to-end encrypted.

7. Retention period of personal data

We process and store your personal data only as long as it is necessary for the operation and provision of our website, for contract negotiations, the services offered (or contact options) and for the fulfilment of our contractual and legal obligations or otherwise for the purposes pursued with the processing, i.e. for example for communication with you.

In addition, we keep your personal data in accordance with the applicable legal obligations such as retention periods (usually for a maximum of 10 years) or as long as claims can be asserted against us (evidentiary purposes). As soon as your personal data is no longer necessary for our purposes, it will be deleted or anonymised as far as possible. For operational data (e.g. system protocols, logs), shorter retention periods of twelve months or less generally apply. Our log files are kept for a maximum of 1 month.

8. Data security

We take appropriate technical and organisational security measures to protect your personal data from unauthorised access, use, disclosure, alteration or destruction. Appropriate measures include, for example, the issuance of directives, training, IT and network security solutions, access controls and restrictions, encryption of data media and transmission and other controls and pseudonymisation. Wherever possible, we use encrypted data communication based on HTTPS/TLS in conjunction with the highest level of encryption. In relation to our website, we have no control over external sites to which we link, nor over external sites that link to our website. With respect to such sites, we cannot guarantee that the information contained therein is accurate or that they are free of malware (such as viruses). Information and services provided by linked websites or web services are entirely the responsibility of the relevant third party. We disclaim any responsibility for such websites or web services.

9. Obligation to provide personal data

Generally, you have no legal obligation to provide us with your personal data. However, we need certain personal data from you for the business relationship with us. This is the only way we can get in touch with you and provide you with the best possible service. Without this personal data, we will generally not be in a position to respond to your requests or to conclude a contract with you (or the body/person you represent) or to fulfil our contractual obligations. In order for you to visit our website, we also need certain data from you (e.g. IP address).

10. Profiling

We do not use profiling to inform you about our services or to send you advertising.

11. What are your rights?

11.1. Right to information

You can request information from us about whether personal data about you is being processed, who is responsible, what personal data is being processed, what the purpose of the processing is, how long the retention period is or the criteria for determining this period, where the personal data originates and whether it is transferred to third parties in a third country, whether automated individual decisions exist and the underlying logic and the recipients or category of recipients to whom personal data is disclosed.

11.2. Right to rectification, erasure or restriction of data processing

You have the right to ask us to disclose certain personal data:

  • be corrected if they are incomplete or incorrect;

  • deleted without delay if this data is no longer necessary for the purposes for which it was collected or processed and other legal provisions do not prevent deletion, or

  • that they are only processed to a limited extent.

11.3. Right to data portability and transfer data

Subject to Art. 28 nDSG, you can request that we hand over or forward your personal data that you have disclosed to us in a standard electronic format.

11.4. Revocation of your consent and right to object

You can withdraw your consent to processing or object to processing at any time and without giving reasons, in particular for the purposes of direct marketing, profiling carried out for this purpose and other overriding private interests in processing. However, we do not do direct marketing or profiling. The revocation applies to all future processing of the personal data concerned. However, we may no longer be able to carry out your order if your personal data is indispensable for this purpose.

Please also note that we reserve the right to enforce the restrictions prescribed by law, for example if we are obliged to retain or process certain data, have an overriding legitimate interest in doing so or require it for the assertion of claims.

Exercising such a right usually requires that you can clearly prove your identity (for example, by means of a copy of your ID card, where your identity cannot otherwise be verified).

You also have the right to enforce your claims in court or to file a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch).

12. How can you exercise your rights?

You can exercise your rights at any time electronically via datenschutz@ctrl-data.ch, +41774609601 or by post to ctrl-data GmbH, Maneggstrasse 95, 8041 Zurich. We are happy to provide you with information and suggestions on the subject of data protection.