subject to the Swiss Federal Act on Data Protection and the GDPR
gfs.bern (hereinafter also referred to as ‘we’, ‘us’) obtains and processes personal data that concerns both you and other people (so-called ‘third parties’). We use the term ‘data’ as a synonym for ‘personal data’.
2. Who is responsible for processing your data?
Controller for the processing of personal data:
We shall make it clear if a different controller is responsible for processing personal data in a specific case.
2.1 Data Protection Officer
The following data protection officer is our point of contact for data subjects and authorities for enquiries relating to data protection:
2.2 Data protection representative in the European Economic Area (EEA)
Our data protection representative pursuant to Article 27 GDPR is as follows:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
The data protection representative is an additional point of contact for data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for enquiries in connection with the GDPR.
3. What data do we process?
We process various categories of personal data. The main categories are as follows:
3a) Interview participant data
We collect various pieces of information within surveys that help support statistical decision-making. Our aim is to analyse behaviours, opinions and attitudes. We do not consider individual personal data in this process. Instead, we evaluate summarised information from groups of people. This data is not used for automated decision-making processes or for profiling purposes.
If we record or listen to phone calls or video conferences for reasons such as training or quality assurance, we will specifically draw your attention to this. These recordings are exclusively made in accordance with our internal guidelines and are used accordingly. You will always be notified in advance, for example at the start of a phone call, if and when such recordings are made. If you object to this recording, please let us know or end the call. If you only object to video recording, please turn your camera off.
3b) Customers’, suppliers’ and partners’ data
- Master data: we consider master data to be the basic data that we need – in addition to the contract data (see below) – to process our contractual and other business relationships or for marketing and promotional purposes. This includes your name, contact details and information about your role and function, for example, your bank details, customer history, powers of attorney, signature rights and declarations of consent. We process your master data if you are a customer or other business contact or work for one of these (e.g. as a business partner’s contact person), or because we want to contact you for our own purposes or those of a contractual partner (e.g. for marketing and advertising, event invitations, newsletters, etc.). We obtain master data from you yourself (e.g. when you make a purchase or register with us), from your employer, or from third parties such as our contractual partners, associations and address brokers, for example, and from publicly accessible sources such as public registers or the internet (websites, social media, etc.), for example. We usually retain this data for ten years from our last contact with you and at least from the end of the contract. This period may be longer if this is necessary or technically required for the sake of evidence or to comply with statutory or contractual requirements.
- Contract data: this is data that is generated in connection with concluding and/or processing a contract, e.g. information about contracts and the services that will be or have already been provided, as well as data in the run-up to concluding a contract, the information required or used for processing and response information. We usually collect this data from you, from contractual partners and from third parties involved in executing the contract, as well as from third-party sources (e.g. credit history providers) and from publicly accessible sources. We normally retain this data for ten years from the last contractual activity and at least from the end of the contract. This period may be longer if this is necessary or technically required for the sake of evidence or to comply with statutory or contractual requirements.
- Applications: we process applicants’ personal data to the extent necessary for assessing their suitability for an employment relationship or for the subsequent implementation of an employment contract. The necessary personal data is generated, in particular, from the information requested, for example in the context of a job advertisement. We also process personal data that applicants voluntarily provide or publish, in particular as part of cover letters, CVs and other application documents, as well as online profiles.
3c) Other contacts
- Technical data: when you use our website or other electronic services, we collect the IP address of your device and other technical data to ensure the functionality and security of these services. This data also includes logs that record the use of our systems. We usually retain technical data for six months. To ensure the functionality of these services, we may also assign you and/or your device a unique code (e.g. in the form of a cookie, see number 12). It is not possible to draw any conclusions about your identity from the technical data itself.
- Registration data: certain products and services (e.g. newsletter distribution, etc.) can only be accessed with a user account or registration. This can be undertaken directly with us or via our external log-in providers. You will need to provide us with certain information and we will collect data about your use of the product or service. We usually retain registration data for twelve months after you stop using the service or close your user account.
- Communication data: when you get in touch with us using the contact form, via email, phone or chat, by letter or other means of communication, we collect the data exchanged between you and us, including your contact details and marginal data relating to the communication. If we want or need to determine your identity, e.g. if you request information from us, we collect data to identify you (e.g. a copy of your ID). We usually retain this data for twelve months from our last contact with you. This period may be longer if this is necessary or technically required for the sake of evidence or to comply with statutory or contractual requirements. Emails in personal inboxes and written correspondence are normally retained for at least ten years. (Video) conference recordings are usually retained for 24 months. Chats are generally retained for two years.
- Other data: we also collect data from you in other situations. Data (such as files, evidence, etc.) that may relate to you is generated in connection with official or judicial proceedings, for instance. We may also collect data for health and safety reasons (e.g. as part of protection concepts). We may receive or produce photos, videos and audio recordings in which you may be recognisable (e.g. at events, via security cameras, etc.). In addition, we may collect data about who enters certain buildings and when, or has the necessary access rights (including access control based on registration data or visitor lists, etc.), who takes part in events or promotions (e.g. competitions) and when, or who uses our infrastructure and systems and when. The retention period for this data depends on its purpose and is kept to a minimum. This ranges from a few days for many of the security cameras and typically a few weeks for contact tracing data, through to visitor data that is usually retained for three months and event reports and photos that may be retained for a few years or more.
Much of the data mentioned in Point 3 is provided by you. You are not obliged to provide it, except in specific cases, e.g. as part of binding protection concepts (statutory obligations). If you want to conclude contracts with us or use our services, you must also provide us with data, especially master, contract and registration data, as part of your contractual obligation in accordance with the relevant contract. It is unavoidable that technical data will be processed when you use our website.
Provided we are permitted to do so, we also take data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, the media or the internet, including social media) or receive data from authorities and other third parties (such as credit agencies, address brokers, associations, contractual partners, internet analysis services, etc.).
4. For what purposes do we process your data?
We process your data for the purposes explained below. More information regarding online operations is available in number 12 and 13. These purposes and/or the goals on which they are based represent our legitimate interests and possibly those of third parties. You can find more information about the legal basis of our processing in Point 5.
We process your data for purposes related to communicating with you, especially replying to queries and asserting your rights (Point 10) and to contact you if you have any questions. To do this, we use communication and master data, in particular. We retain this data in order to document our communication with you and to answer your questions.
4a) Interview participant data
Market, social and opinion research observes, measures and describes behaviours, attitudes, opinions and so on. We record and collect information from you to provide companies, associations and authorities with statistically-based decision-making assistance. This does not involve your personal data. Rather, this relates to aggregated values for a group of people. Your data may be collected in various ways (online, by phone, in writing or face-to-face during an interview).
4b) Customers’, suppliers’, partners’ & other contacts’ data
We process data to establish, manage and handle contractual relationships.
We process data for marketing purposes and to maintain relationships, e.g. to send our customers and other contractual partners personalised adverts for our products and services. This can occur, for example, in the form of newsletters and other regular contacts (electronically, by post, by phone), via other channels for which we have your contact information, as well as for specific marketing campaigns (e.g. events, competitions, etc.) and may also include free services (e.g. invitations, vouchers, etc.). You can decline such contacts at any time (see the end of Point 4) and/or revoke or withdraw your consent to be contacted for advertising purposes.
We also process your data for market research, to improve our services and our operations and for product development.
We may also process your data for security purposes and for access control.
We process personal data to comply with legislation, directives and recommendations from authorities and internal regulations (compliance).
We also process data for our risk management purposes and within the context of prudent corporate governance, including operational organisation and corporate development.
We may process your data for other purposes, e.g. as part of our internal procedures and administration.
5. On what basis do we process your data?
To the extent that the General Data Protection Regulation (GDPR) applies, we process personal data on at least one of the following legal grounds:
- Point (b) of Article 6(1) GDPR serves as the legal grounds if the processing of personal data is necessary for the performance of a contract with the data subject and in order to take steps prior to entering into a contract.
- Point (f) of Article 6(1) GDPR serves as the legal grounds if the processing of personal data is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. In particular, legitimate interests are our interest in being able to carry out our activities and operations in a permanent, user-friendly, secure and reliable manner and being able to communicate these, ensuring information security and protection against misuse, enforcing our legal claims and complying with Swiss law.
- Point (c) of Article 6(1) GDPR serves as the legal grounds for the processing of personal data where processing is necessary for compliance with a legal obligation to which we are subject in accordance with any applicable law of a member state of the European Economic Area (EEA).
- Point (e) of Article 6(1) GDPR serves as the legal grounds for the processing of personal data where processing is necessary for the performance of a task carried out in the public interest.
- When the data subject has provided consent, point (a) of Article 6(1) GDPR serves as the legal grounds for the processing of personal data.
- Point (d) of Article 6(1) GDPR serves as the legal grounds if it is necessary to process personal data in order to protect the vital interests of the data subject or the vital interests of another natural person.
If we ask for your consent for specific instances of processing, we will provide information separately about the relevant purposes of that processing. You can withdraw your consent at any time by writing to us (by post) with future effect; our contact details are available in Point 2. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purposes to which you originally agreed, unless we have another legal basis for this. Withdrawing your consent will not affect the legitimacy of any processing undertaken based on your consent prior to its withdrawal.
If we do not ask for your consent to processing, we base the processing of your personal data on the fact that this processing is required to initiate or execute a contract with you (or the entity you represent) or that we or a third party have a legitimate interest, in particular to pursue the purposes and associated objectives described in Point 4 above and implement appropriate measures. Our legitimate interests also include complying with statutory requirements, unless this is already recognised as a legal basis by the applicable data protection legislation (e.g. under the GDPR, the law in the EEA and in Switzerland). They also include marketing our products and services, our interest in better understanding our markets and the secure and efficient management and ongoing development of our company, including our operational business.
6. To whom do we disclose your data?
With regard to our surveys, we use your personal information exclusively in accordance with the purposes described in Section 4 and share it with the third parties listed below, provided you have given your consent to the disclosure of your personal data to other third-party categories elsewhere. gfs-zürich takes reasonable steps to ensure that your personal data is processed, protected and transmitted in accordance with the applicable legislation.
- External service providers: if required, we commission other companies and individuals to perform certain tasks that contribute to our services, within the context of data processing agreements. We may, for example, disclose personal data to agents, contractual partners or suppliers that manage our databases and applications for the purpose of providing data processing services or communicating the information you have requested, or to call centres for the purposes of providing support services or conducting surveys as part of market research projects. We only disclose such data to external service providers or allow them to access it to the extent required for the purpose in question. This data may not be used by external service providers for other purposes, especially not for their own purposes or those of third parties. gfs.bern’s external service providers are contractually obliged to maintain the confidentiality of your personal data.
We also transmit your personal data to third parties in connection with our contracts, website, services and products, our statutory obligations or to otherwise protect our legitimate interests, as well as the other purposes listed in Point 4. This includes the following recipient categories, in particular:
- Service providers: we work with service providers within Switzerland and abroad that process data about you on our behalf, or who share our responsibility in this regard, or are themselves responsible for receiving data about you from us (e.g. IT providers, distribution companies, banks, insurers, debt collection agencies, credit agencies, or address checkers). For the service providers involved in our website, see Point 12.
- Contractual partners including customers: this primarily refers to our customers and other contractual partners, because their contracts result in this data transfer. If you work for a contractual partner of this nature, we may also transmit data about you to them in this context. Additional recipients include other contractual partners with whom we cooperate.
- Authorities: we may disclose personal data to officials, courts and other authorities within Switzerland and abroad if we are legally obliged or authorised to do so or if this appears to be necessary to protect our interests. The authorities are responsible for processing data about you that they receive from us.
- Other parties: this refers to other cases where the purposes according to Point 4 result in the involvement of third parties.
All these recipient categories may in turn involve third parties at their end, meaning that your data may also be accessible to these third parties. We may restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).
7. Is your personal data also transferred abroad?
As explained in Point 6, we also disclose data to third parties. They are not only located in Switzerland. Your data may therefore be processed both in Europe and in our survey lab in Kosovo. In exceptional cases, your data may be processed in any country in the world.
If a recipient is based in a country without adequate statutory data protection, we contractually oblige the recipient to comply with applicable data protection (we use the European Commission’s revised standard contractual clauses for this, which can be accessed here), unless they are already subject to a legally recognised data protection policy and we are able to rely on an exemption clause. Exemptions may apply in the case of legal proceedings abroad, in particular, as well as in cases of overriding public interest or if the execution of a contract requires such disclosure, if you have given your consent or if it concerns data that you have made generally accessible and whose processing you have not objected to.
Please also note that data exchanged over the internet is often routed via third countries. This means that your data may also be transferred abroad even if the sender and recipient are based in the same country.
8. For how long do we process your data?
We process your data for the duration required for our processing purposes, statutory retention periods and our legitimate interests in the processing for documentation and evidence purposes, or for the retention duration required for technical purposes. Further information about the relevant retention and processing period for the individual data categories is available in Point 3 and/or for cookie categories in Point 12. Provided there are no legal or contractual obligations to the contrary, we delete or anonymise your data at the end of the retention or processing period in line with our standard procedures.
9. How do we protect your data?
We take appropriate security measures to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorised or illegal processing and to counteract the risk of loss, inadvertent modification, accidental disclosure or unauthorised access.
10. What rights do you have?
Under certain circumstances, the applicable data protection legislation gives you the right to object to the processing of your data, especially if this is for the purposes of direct marketing, profiling undertaken for direct advertising and other legitimate interests in the processing.
To make it easier for you to control the processing of your personal data, you also have the following rights in connection with our data processing, depending on the applicable data protection legislation:
- the right to request access to information from us as to whether and what data we process relating to you;
- the right to request that we rectify data if it is inaccurate;
- the right to request that we erase your data;
- the right to request that we release certain personal data in a standard electronic format or transfer it to another data controller;
- the right to withdraw your consent, provided our processing is based on your consent;
- the right to request additional information that is required to exercise these rights.
If you wish to exercise the above-mentioned rights towards us, please submit your written concerns by letter or email; our contact details are available in Point 2. In order for us to rule out fraud, we will have to verify your identity (e.g. using a copy of your ID, unless we can do this some other way).
Please note that these rights are subject to conditions, exemptions or restrictions, depending on the applicable data protection legislation (e.g. to protect third parties or trade secrets). We will inform you accordingly if necessary.
If you do not agree with our handling of your rights or data protection, please let us know. If you are based in the EEA, the United Kingdom or Switzerland, in particular, you also have the right to complain to your country’s supervisory authority for data protection.
11. Use of the website
Cookies can be stored temporarily in your browser as session cookies or for a specific period of time as permanent cookies. Session cookies are deleted automatically when the browser is closed. Permanent cookies are stored for a specific period of time. In particular, cookies enable us to recognise a browser when you next visit our website and in doing so, for example, measure the reach of our website. However, permanent cookies can also be used for online marketing, for example.
Numerous services such as AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) and Your Online Choices (European Interactive Digital Advertising Alliance) are available to opt out of all cookies which are used to measure success and reach statistics or for advertising purposes.
Whenever you visit our website, we can collect the following information if your browser transfers it to our server infrastructure or if our web server is able to collect it: date and time, including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual pages of our website visited including the volume of data transferred, referrer URL.
We store this information – which can also represent personal data – in server log files. The information is necessary in order for us to make our website permanent, user-friendly and reliable, as well as to ensure data security, especially the protection of personal data – including through third parties or with the help of third parties.
We may use tracking pixels on our website. Tracking pixels are also known as web beacons. Tracking pixels – including those from third parties whose services we use – are small, usually invisible images that are accessed automatically when you visit our website. Tracking pixels can be used to collect the same information as is stored in server log files.
We send notifications and messages by email and over other communication channels such as instant messaging or SMS.
Notifications and messages can contain links or tracking pixels that log whether an individual message has been opened and what links were clicked on. Such web links and tracking pixels can even record personal use of notifications and messages. We require these usage statistics to gauge our success and coverage in order to make notifications and messages effective and user-friendly on the basis of the needs and reading habits of their recipients and send them permanently, securely and reliably.
We send notifications and messages with the help of specialised service providers.
In particular, we use:
We maintain a presence on social media platforms and other online platforms in order to communicate with potential customers and provide information about our activities and operations. In connection with such platforms, personal data can also be processed outside of Switzerland and the European Economic Area (EEA).
If and in so far as the General Data Protection Regulation (GDPR) applies, we are jointly responsible with Meta Platforms Ireland Limited (Ireland) for our social media presence on Facebook, including Page Insights. Meta Platforms Ireland Limited is part of Meta (including in the USA). The Page Insights show how users interact with our Facebook page. We use Page Insights to make our social media presence on Facebook effective and user-friendly.
We use services provided by specialised third parties in order to carry out our activities and operations in a durable, user-friendly, secure and reliable manner. These services can be used for various activities, such as embedding functions and content in our website. In the case of embedding, the services used record the Internet Protocol (IP) addresses of the users at least temporarily for technically compelling reasons.
Third parties whose services we use may process data in connection with our activities and operations in aggregated, anonymised or pseudonymised form for necessary security-related, statistical and technical purposes. For example, this relates to performance or usage data that is required for them to be able to offer the service in question.
In particular, we use:
- Google services: provider: Google LLC (USA)/Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; general information on data protection: ‘Privacy and security principles’, data protection statement, ‘Google is committed to complying with applicable data protection laws’, ‘Guide to data protection in Google products’, ‘How we use data from websites or apps on or in which our services are used’ (information from Google), ‘Types of cookies and other technologies used by Google’, ‘Personalised advertising’ (activation/deactivation/settings).
We use services from specialised third parties to provide us with the digital infrastructure we need in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.
In particular, we use:
Depending on your situation, we recommend muting your microphone by default and blurring your background, or displaying a virtual background, when attending audio or video conferences.
In particular, we use:
- Microsoft Teams: platform for audio and video conferencing, among other activities; provider: Microsoft; Teams-specific information: ‘Privacy and Microsoft Teams’.
We use third party services to embed maps on our website.
In particular, we use:
- Google Maps including Google Maps Platform: mapping service; provider: Google; Google Maps-specific information: ‘How Google uses location information’.
We use third-party services to embed selected fonts, as well as icons, logos and symbols into our website.
In particular, we use:
- Google Fonts: fonts; provider: Google; Google Fonts-specific information: ‘Privacy and Google Fonts’, ‘Privacy and data collection’
We use the option of displaying targeted advertisements for our activities and operations on third parties such as social media platforms and search engines.
We would like to use such advertising, in particular, to reach people who are already interested in our activities and operations or who might be interested in them (remarketing and targeting). For this purpose, we may transmit corresponding information to third parties who enable such advertising; this may potentially include personal information. We may also determine whether our advertising is successful, i.e. in particular whether it leads to visits to our website (conversion tracking).
Third parties with whom we advertise and where you are registered as a user may be able to assign the use of our website to your profile there.
In particular, we use:
- Google Ads: search engine advertising; provider: Google; Google Ads-specific information: advertising based on factors including search queries, using different domain names – in particular doubleclick.net, googleadservices.com and googlesyndication.com – for Google Ads, ‘Advertising’ (Google), ‘Why do I see a certain ad?’.
We try to determine how our online service is used. For example, we may measure the success and reach of our activities and operations and the impact of third-party links to our website. However, we can also, for example, test and compare how different parts or versions of our online service are used (‘A/B test’ method). Based on the results of the success and reach measurement, we can, in particular, correct errors, strengthen popular content or make improvements to our online service.
The Internet Protocol (IP) addresses of individual users are usually stored when measuring success and reach. In this case, IP addresses are always shortened (‘IP masking’) in order to follow the principle of data economy through the corresponding pseudonymisation.
Cookies may be used and user profiles may be created to measure success and reach. Any user profiles created include, for example, the individual pages visited or content viewed on our website, information on the size of the screen or browser window and the – at least, approximate – location. As a matter of principle, user profiles are only created pseudonymously and are not used to identify individual users. Individual third-party services with which users are registered may be able to assign the use of our online service to the user account or user profile of the service in question.
In particular, we use:
- Google Analytics: success and reach measurement; provider: Google; Google Analytics-specific information: measurements are taken both on and across different browsers and devices (cross-device tracking) as well as with pseudonymised Internet Protocol (IP) addresses, which are only transmitted in full to Google in the USA in exceptional cases, ‘data protection’, ‘Browser Add-on to disable Google Analytics’.
- Google Tag Manager: integration and management of other services for success and reach measurement, as well as other services from Google and third parties; provider: Google; Google Tag Manager-specific information: ‘Data collected with Google Tag Manager’; further information on data protection can be found via the individual integrated and managed services.
What data do we process on our social media pages?
We may operate pages and other websites (‘channels’, ‘profiles’, etc.) on social networks and other platforms operated by third parties and collect the data about you described in Point 3 and below. We receive this data from you and these platforms when you come into contact with us via our website (e.g. when you communicate with us, comment on our content or visit our site). At the same time, these platforms evaluate your use of our website and link this data with other data relating to you that is known to them (e.g. about your behaviour and preferences). They also take responsibility for processing this data for their own purposes, especially for marketing and market research purposes (e.g. to personalise adverts) and manage their platforms (e.g. what content they show you).
We process this data for the purposes described in Point 4, especially for communication, marketing purposes (including advertising on these platforms) and market research. Information on the relevant legal basis is available in Point 5. We may repost (e.g. in our adverts on the platform or elsewhere) any content you publish (e.g. comments on an announcement). We or the operators of the platforms may also delete or restrict content posted by or about you in accordance with the usage guidelines (e.g. inappropriate comments).
For further information regarding the processing undertaken by the operators of these platforms, please refer to their privacy policies, where you can also see in which countries they process your data, which information, deletion and other data subject rights you have and how you can exercise these or obtain more information. We currently use the following platforms:
Last updated: 1 September 2023