1.1 The data held by the company is of great value to the company. This data must therefore be protected against unauthorised access and other threats.
1.2 The company's customers, partners and employees expect the data entrusted to the company to be specially protected and handled with care.
1.3 If you have any questions about data protection or the handling of personal data, please contact the Data Protection Officer Jacqueline Gähler, jg@halbeisenag or 061 901 81 81.
2. Aim of the Data Protection Policy
2.1 The aim of this Data Protection Policy is to create uniform standards for data protection within the company.
2.2 By complying with the standards defined in this Data Protection Policy, the company fulfils its obligations under data protection law and ensures that the interests and rights of the persons concerned are adequately taken into account.
2.3 Compliance with this Data Protection Policy is a prerequisite for the secure exchange of personal data within the company and with third parties.
3.2 The data protection guideline also describes, substantiates and supplements legal requirements, in particular those of the Swiss Data Protection Act (DSG).
4.1 For the purposes of this Corporate Directive, personal data means any information relating to an identified or identifiable natural person.
4.2 Data subjects are those natural persons about whom personal data is processed.
4.3 A controller is a private person who, alone or together with others, decides on the purpose and means of processing.
4.4 A processor is a third party who processes personal data on behalf of the controller.
II. Basic rules of data processing
5.1 Personal data must be processed lawfully. Processing is only lawful if it is justified by (a) the consent of the data subject, (b) an overriding private or public interest or (c) the law.
6.1 Data must be processed in such a way that the data subject is aware of it.
7.1 The principle of proportionality must be observed when processing personal data. According to this principle, only such data may be collected as is necessary and appropriate for the corresponding purpose.
7.2 Furthermore, personal data may only be stored for as long as is necessary for the purpose.
8. Purpose limitation
8.1 Personal data may only be obtained for a specific purpose that is recognisable to the person concerned; it may only be processed in such a way that it is compatible with this purpose.
8.2 If the personal data is no longer required for the purpose of processing, it must be destroyed or made anonymous.
9.1 All employees must ensure that personal data is accurate and kept up to date.
9.2 All reasonable steps must be taken to correct or destroy inaccurate or incomplete data.
10. Data security
10.1 It is of great importance to the company that the security of the data is guaranteed at all times. Against this background, personal data must be protected by technical and organisational measures against loss, unauthorised access and other dangers.
10.2 The specific protective measures for the individual data processing procedures must be documented and checked for their appropriateness.
10.3 The IT officers may issue further specifications in the interest of data security, in particular with regard to the use of IT systems in the company.
11. Consent and objection
11.1 The consent of the data subject to data processing by a company is generally not required, even in the case of personal data requiring special protection.
11.2 If, on the other hand, the data subject expressly objects to data processing, the processing is only justified if the interests of the data controller are overriding or if there is a legal basis for it.
12. Duty to inform
12.1 Data subjects must be informed as far as possible in advance of the purpose for which personal data about them is being collected and processed. If the data is not obtained directly from the data subject, the data subject shall be informed within one month of receipt of the data.
12.2 If the data subject makes his/her personal data available to the data controller of his/her own accord, he/she shall be deemed to have been informed.
13. Order Processing
13.1 If the company's service providers process personal data on its behalf (so-called data processors), it should be noted that the same due diligence requirements that apply to the responsible company also apply to the data processor. In particular, the purpose limitation and data security must be ensured.
14. Transfer of personal data abroad
14.1 The transfer of personal data abroad is only permitted to countries for which the Federal Council has determined that a level of data protection comparable to that in Switzerland exists. Compliance with the Swiss data protection standard can also be achieved by concluding additional contractual agreements, among other things.
III. Internal processes
15. Requirements for employees
15.1 All employees of the company are committed to data protection. They are informed in particular that it is prohibited to use personal data for private purposes, to transmit it to unauthorised persons or to make it accessible to unauthorised persons. The obligation to maintain confidentiality continues to apply after the end of the employment.
15.2 Care must also be taken within the company to ensure that only those employees are given access to personal data that they need to carry out their duties for the company.
15.3 All employees shall be trained and made aware of data protection issues at the beginning of their employment and on a regular basis thereafter.
16. Register of processing activities
16.1 The company shall maintain a register of processing activities relating to personal data. This must contain the following information: the identity of the data controller or processor, the purpose of the processing, a description of the categories of data subjects and the categories of personal data processed, the categories of recipients, the retention period or the criteria for determining the retention period, a description of the data security measures, if possible, and the countries of destination, if the data is transferred abroad.
17. Data protection through technology, data protection-friendly default settings and data protection impact assessment
17.1 Systems used to process personal data must be designed from the outset in such a way that data protection can be complied with. In particular, the technical and organisational measures must be appropriate to the state of the art, the nature and extent of the data processing and the risk that the processing entails for the personality or fundamental rights of the data subjects (privacy by design).
17.2 The data controller must select the default settings on the device or software in such a way that the processing of personal data is limited to the minimum necessary for the intended purpose, unless the data subject specifies otherwise. This applies, for example, to the acceptance of cookies on the website.
17.3 A data protection impact assessment (DPIA) must be carried out and documented, in particular if a planned data processing operation involves a high risk to the privacy and fundamental rights of data subjects.
IV. Rights of data subjects
18. Right to information
18.1 Upon request, a data subject must be informed whether the company is processing personal data about him or her. If this is the case, the data subject has a right to information about the relevant personal data. The right to information is about finding out whether personal data is being processed and, if so, which data, so that the data subject can assert his or her further rights. In addition to the personal data processed as such, this includes information on the identity of the controller, the purpose of processing, the retention period, the origin of the data and, if applicable, information on automated individual decisions and the recipients (also as categories).
18.2 When providing information, it must be ensured that the identity of the data subject is verified. It must also be ensured that no personal data of third parties is disclosed in the course of providing information. As a rule, the information must be provided free of charge and within 30 days.
19. Data portability / right to data release and data transfer
19.1 Data subjects may request that the data they have provided to the company be transferred to them in a commonly used electronic format if the data is processed automatically and the data subject has consented to the processing or the processing is carried out under a relevant contract.
20. Right of rectification
20.1 Pursuant to Art. 32 para. 1 FADP, a data subject may request that inaccurate personal data be corrected.
21. Right to data deletion
21.1 If personal data are processed contrary to the express will of the data subject and there is no legal basis and no overriding private interest of a third party, the data subject may request the deletion of his or her personal data.
22.1 The employees who are entrusted with data processing are primarily responsible for compliance with the provisions of this Data Protection Policy.
22.2 All employees of the company must ensure compliance with this Data Protection Policy and in this way contribute to the establishment of uniformly high data protection standards throughout the company.
23. Breach Notification and Cooperation with Regulatory Authorities
23.1 Employees shall immediately report to their supervisor or the Data Protection Officer if they become aware of a breach of this Data Protection Policy or of any legal provisions relating to the protection of personal data.
23.2 Data security breaches (e.g. disclosure to unauthorised persons, data loss, cyber-attack, etc.) that result in a high risk to the data subjects' personality or fundamental rights must be reported by the company to the FDPIC "as soon as possible", i.e. promptly.
VI. Further provisions
24.1 This Corporate Directive must be made available to all employees of the company in an appropriate manner.
25.2 At regular intervals, the extent to which technological changes make it necessary to adapt this company policy shall also be examined.