Home/ Data protection

Data protection

General data protection statement for the Swiss DPA and the RGPD

1             What is this data protection declaration about?

The Metafor Sàrl Group (hereinafter also referred to as “we”, “us” or “our”) collects and processes personal data about you and other persons (“third parties”). We use the term “data” interchangeably with “personal data”.

If you communicate data to us or share data with us concerning other persons, we assume that you are authorized to do so and that the data concerned is accurate. When you share data about other people with us, you confirm the above. Please ensure that they have been informed of this data protection declaration.

This data protection declaration is aligned with the EU General Data Protection Regulation (“GDPR”), the Federal Data Protection Act (“DPA”) and the new Federal Data Protection Act (“nLPD”). However, the concrete application of these laws depends on the individual case.

2             Who is responsible for processing your data?

Metafor Sàrl, Route de l’Ancienne Papeterie 220, 1723 Marly (“Company”) is the data controller of Metafor Sàrl under this data protection declaration, unless we indicate otherwise in a particular case.

You can contact us for data protection issues and to exercise your rights under Section 6 as follows: Metafor Sàrl, route de l’Ancienne Papeterie 220, 1723 Marly

dataprotection@meta-for.ch

3             What data do we process?

We process different categories of data about you. The main categories are as follows:

-Technical data: When you use our website or other online offers, we collect the IP address of the device you are using (terminal) and other technical data in order to ensure the functionality and security of these offers. This data includes the usage logs of our systems. We generally store technical data for 6 months. To ensure the functionality of these offers, we may also assign an individual code to you or your terminal (e.g. in the form of a cookie, see section 6). Technical data as such does not allow us to draw any conclusions about your identity. However, technical data may be linked to other categories of data (and potentially to your person) in the context of user accounts, registration, access control or contract performance.

Registration data: Some offers and services can only be used with a user account or after registration, which can be done directly with us or via our third-party connection service providers. In this context, you must provide us with certain data and we collect data on the use of the offer or service. Access controls to certain facilities may require registration data and, depending on the control system, biometric data. We generally retain registration   data for 12 months from the end of use of the service or closure of the user account.

-Communication data: When you contact us via the contact form, e-mail, telephone, post or any other means of communication, we collect the data you exchange with us, including your contact details and the metadata of the communication. If we need to determine your identity, we collect data that enables us to identify you (e.g. a copy of an identity document). We generally keep this data for 12 months from the last time we communicate with you. This period may be longer if necessary for evidential purposes, to comply with legal or contractual requirements, or for technical reasons. E-mails in personal inboxes and written correspondence are generally kept for at least 10 years.

-Basic data: By basic data we mean the basic data that we need, in addition to contractual data (see below), for the performance of our contractual and other business relationships or for marketing and promotional purposes, such as your name and contact details, as well as information concerning, for example, your role and function, bank details, date of birth, customer history, powers of attorney, signature authorizations and declarations of consent. We process your master data if you are a customer or other business contact or if you work for one of them (e.g. as the business partner’s contact person), or because we wish to contact you for our own purposes or those of a contractual partner (e.g. in connection with marketing and advertising,). We receive basic data from you (e.g. when you make a purchase or as part of a registration), from people you work for or from third parties such as contractual partners, associations and address brokers, as well as from public sources such as public registers or the Internet (websites, social networks, etc.). We generally retain basic data for 10 years from our last exchange with you or the end of the contract. This period may be longer if necessary for evidential purposes, to comply with legal or contractual requirements, or for technical reasons. For contacts used solely for marketing and advertising purposes, the retention period is in principle much shorter, generally no more than 2 years from the last contact.

-Contractual data: This is data collected in connection with the conclusion or performance of a contract, such as information on contracts and services provided or to be provided, as well as data relating to the period prior to the conclusion of a contract, information required or used for the performance of a contract, and customer feedback. We generally collect this data from you, contractual partners and third parties involved in the performance of the contract, but also from third-party sources (e.g. credit information providers) and public sources. We generally retain this data for 10 years from the last contractual activity or the end of the contract. This period may be longer where necessary for evidential purposes, to comply with legal or contractual requirements, or for technical reasons.

-Behavioral and preference data: Depending on the relationship we have with you, we try to get to know you better and tailor our products, services and offers to your needs. To this end, we collect and process data about your behavior and preferences. We do this by evaluating information about your behavior in our domain, and we may also supplement this information with information from third parties, including public sources. On the basis of this data, we can, for example, determine the likelihood that you will use certain services or behave in a certain way. The data processed for this purpose is either already known to us (e.g. where and when you use our services), or we collect it by recording your behavior (e.g. how you browse our website). We anonymize or delete this data when it is no longer relevant to the purposes for which it was collected, i.e. – depending on the type of data – between 2-3 weeks (for movement profiles) and 24 months (for product and service preferences). This period may be longer where necessary for evidential purposes, to comply with legal or contractual requirements, or for technical reasons. We describe how online tracking works on our website in section 6.

Other data and social network pages: We also collect data about you in other situations. For example, we process data that may concern you (such as files, evidence, etc.) as part of administrative or legal proceedings. The length of time we keep this data depends on the purpose of the processing and is limited to what is necessary. It ranges from a few days to a few weeks for contact tracing and screening and for visitor data, which is generally kept for 3 months, to several years or more for event reports containing images. Most of the data mentioned in this section 3 is provided to us directly by you. If you wish to enter into contracts with us or use our services, you must also provide us with certain data, including master data, contract data and registration data, as part of your contractual obligations under the relevant contract. Furthermore, it is not possible to avoid the processing of technical data when using our website. If you require access to certain systems or buildings, you must also provide us with registration data. However, in the case of behavioral and preference data, you generally have the option of objecting or withholding your consent.

Insofar as this is not illegal, we also collect data from public sources (e.g. debt collection registers, land registers, commercial registers, the media or the Internet, including social networks) or receive data from other companies in our group, public authorities and other third parties (such as credit agencies, address brokers, associations, contractual partners, Internet analysis services, etc.).

For what purposes do we process your data?

We process your data for the purpose of communicating with you, in particular to respond to your requests and exercise your rights (section 6) and to enable us to contact you in the event of queries. For this purpose, we use, among other things, communication and master data, as well as registration data in connection with the offers and services you use. We store this data to document our communication with you, and for training, quality assurance and follow-up purposes.

We process data for the conclusion, administration and execution of contractual relations.

We process data for marketing and relationship management purposes, for example to send our customers and other contractual partners personalized advertising for products and services offered by us or by third parties (e.g. advertising partners). This may take the form of newsletters and other regular contacts (by electronic means, e-mail or telephone), through other channels for which we have your contact details, but also as part of marketing campaigns (e.g. events, competitions, etc.) and may also include free services (e.g. invitations, vouchers, etc.), for example. You may object to such contact at any time (see the end of this section 4) or refuse or withdraw your consent for us to contact you for marketing purposes. With your consent, we can target our online advertising on the Internet more specifically to you (see section 6).

We also process your data for market research purposes, to improve our services and business activities, and for product development.

We may also process your data for security and access control purposes.

We process personal data to comply with laws, directives and recommendations of authorities and internal regulations (“compliance with legal requirements”).

We also process data as part of our risk management and corporate governance, including business organization and development.

We may process your data for other purposes, for example as part of our internal processes and administration. On what basis do we process your data?

When we ask for your consent to certain processing activities, we inform you separately of the processing purposes concerned. You may withdraw your consent at any time with effect for the future by sending us written notification (by post) or, unless otherwise indicated or agreed, by sending us an e-mail; you will find our contact details in section 2. To withdraw your consent to online tracking, see section 6. Where you have a user account, you may also withdraw your consent or contact us via the website or service in question. Once we have received notification of withdrawal of consent, we will no longer process your information for the purpose(s) to which you consented, unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of processing based on consent prior to withdrawal.

Where we do not seek consent for processing, the processing of your personal data is based on the necessity of the processing to initiate or perform a contract with you (or the entity you represent) or on our legitimate interest or that of a third party in the processing in question, in particular in the pursuit of the purposes and objectives set out in section 4 and in the implementation of measures relating thereto. Our legitimate interests also include compliance with legal regulations, insofar as this is not already recognized as a legal basis by applicable data protection legislation (e.g., in the case of the RGPD, laws in the EEA and, in the case of the LPD, Swiss law). This also includes the marketing of our products and services, the desire to better understand our markets and to manage and develop our business, including its activities, safely and efficiently.

Where we receive sensitive personal data (e.g. biometric data for the purpose of uniquely identifying a natural person), we may process your data on the basis of other legal grounds; for example, in the event of litigation, for the purposes of potential litigation or for the enforcement or defense of legal claims. In some cases, other legal bases may apply and, if so, we will inform you separately.

 

4             What rules apply in the case of profiling and automated individual decisions?

We may automatically assess personal aspects about you (“profiling”) on the basis of your data (section 3) for the purposes set out in section 4, where we wish to establish preference data, as well as to detect misuse and security risks, to carry out statistical analyses and for business planning. We may also create profiles for these purposes, which means that we may combine behavioral and preference data, as well as basic, contractual and technical data about you to better understand you as a person – with your different interests and other characteristics.

In both cases, we ensure the proportionality and reliability of the results and take measures against the misuse of these profiles or profiling. If these automated individual decisions could have legal consequences for you or otherwise affect you in a significant way, we ensure in principle that the decision is controlled by a human being.

5             Who do we share your data with?

In connection with our contracts, the website, our products and services, our legal obligations, the protection of our legitimate interests, and the other purposes set out in section 4, we may disclose your personal data to third parties, including the following categories of recipients:

-Service providers: We work with service providers in Switzerland and abroad who process your data on our behalf or as joint data controllers with us, or who receive your data from us as independent data controllers.

-Contractual partners, including customers: These are customers and our other contractual partners, insofar as the communication of data derives from these contracts. If you work for one of these contractual partners, we may also pass on your data to them. These recipients also include the contractual partners with whom we cooperate

-Authorities: We may disclose personal data to agencies, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests.

-Other persons: These are other cases in which interactions with third parties fall within the scope of the purposes set out in section 4. All these categories of recipients may involve third parties, so your data may also be communicated to them. We may restrict processing by certain third parties (e.g. IT suppliers), but not by others (e.g. authorities, banks, etc.).

6             What are your rights?

Applicable data protection laws give you the right to object to the processing of your data in certain circumstances, including processing for direct marketing purposes, profiling for direct marketing purposes and other legitimate interests in processing.

To help you control the processing of your personal data, you have the following rights with respect to our processing of your data, in accordance with applicable data protection legislation:

-The right to ask us for information about whether we process data about you and, if so, which data;

-The right to request that we correct inaccurate data;

-The right to request the deletion of data;

-The right to request that we provide certain personal data in a commonly used electronic format or transfer them to another data controller;

-The right to withdraw your consent, where our processing is based on your consent;

-The right to receive, on request, other information relevant to the exercise of these rights;

If you wish to exercise the aforementioned rights towards us, you can contact us in writing at our address or, unless otherwise indicated or agreed, by e-mail; you will find our contact details in section 2. In order to prevent misuse, we need to identify you (e.g. by means of a copy of your identity card, if identification is not otherwise possible).

Please note that conditions, exceptions and restrictions may apply to the exercise of these rights in accordance with applicable data protection legislation (e.g. to protect third parties or trade secrets). We will inform you of any such restrictions.

If you do not agree with the way we respond to the exercise of your rights or with our data protection practices, you can let us know (section 2). If you are located in the EEA, the UK or Switzerland, you also have the right to lodge a complaint with the relevant data protection supervisory authority in your country.

Do we use online tracking and online advertising?

We use various techniques on our website that enable us – and the third parties we engage – to recognize you when you use our website, and possibly to track you over several visits. This section provides information on this subject.

In essence, we wish to distinguish between your access (via your system) and access by other users, in order to ensure the functionality of the website and to carry out analysis and customization. It is not our intention to determine your identity, although it may be possible for us or third parties engaged by us to identify you by linking to registration data. However, even in the absence of registration data, the technologies we use are designed to recognize you as an individual visitor each time you access the website, for example our server (or third-party servers) assigning a specific identification number to you or your browser (called a “cookie”).

We use these technologies on our website and may authorize certain third parties to do so as well. You can also configure your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser to block certain third-party tracking. Further information can be found on your browser’s help pages (usually with the keyword “data protection”) or on the websites of the third parties listed below.

We distinguish the following categories of “cookies” (including technologies that work in the same way, such as fingerprints):

-Necessary cookies: Some cookies are necessary for the operation of the website or for certain functionalities. For example, they ensure that you can move from one page to another without losing the information you have entered in a form. They also ensure that you stay connected. These cookies exist only temporarily (“session cookies”). If you block them, the website may not function properly. Other cookies are needed by the server to store options or information (which you have entered) beyond one session (i.e. one visit to the website) if you use this function (e.g. language settings, consents, automatic login functionality, etc.). These cookies have an expiry date of up to 24 months.

-Performance cookies: In order to optimize our website and related offers and better tailor them to users’ needs, we use cookies to record and analyze the use of our website, potentially beyond a single session. We use third-party analysis services for this purpose. These are listed below. Performance cookies also have an expiry date of up to 24 months. Details can be found on the websites of third-party suppliers.

7             Can we update this privacy statement?

This data protection declaration does not form part of a contract with you. We may amend this data protection declaration at any time. The version published on this website is the current version.

Last update: July 1, 2023