Privacy Notice of CUTISS Ltd
CUTISS (also «we», «us») collects and processes personal data that concern you but also other individuals («third parties»). We use the word «data» here interchangeably with «personal data».
CUTISS means CUTISS Ltd, Grabenstrasse 11, 8952 Schlieren, Switzerland and its subsidiaries and group companies. A list of these subsidiaries and group companies can be found here: https://cutiss.swiss/about-us.
«Personal data» means data relating to identified or identifiable individuals, which means that the relevant data, in combination with additional data, make it possible to draw conclusions about the identity of these individuals. «Sensitive personal data» is a subset of personal data that is specially protected under applicable data protection law. This includes, for example, data revealing racial or ethnic origin, health data, religious or philosophical beliefs, biometric data for identification purposes, and information relating to trade union membership. In Section 3, you will find information about the data we process in accordance with this Privacy Notice. «Processing» means any operation that is performed on personal data, such as collection, storage, use, alteration, disclosure and erasure.
In this Privacy Notice, we describe what we do with your data when you use https://cutiss.swiss, (hereinafter «website»), obtain services or products from us, interact with us in relation to a contract, communicate with us or otherwise deal with us. When appropriate we will provide a just-in-time notice to cover any additional processing activities not mentioned in this Privacy Notice. In addition, we may inform you about the processing of your data separately, for example in consent forms, terms and conditions, additional privacy notices, forms and other notices.
If you disclose data to us or share data with us about other individuals, such as family members, co-workers, etc., we assume that you are authorized to do so and that the relevant data is accurate. When you share data about others with us, you confirm that. Please make sure that these individuals have been informed about this Privacy Notice.
This Privacy Notice is aligned with the EU General Data Protection Regulation («GDPR»), the Swiss Data Protection Act («DPA») and the revised Swiss Data Protection Act («revDPA»). However, the application of these laws depends on each individual case.
2. Who Is The Controller For Processing Your Data?
Hemex AG, Pascal Winnen, Kasernenstrasse 30, 4410 Liestal, Schweiz («HEMEX») is the Data Protection Officer for CUTISS’s processing under this Privacy Notice, unless we tell you otherwise in an individual case, for example in additional privacy notices, on a form or in a contract. However, unless we tell you otherwise, this Privacy Notice also applies where a group company of the CUTISS group is the controller, instead of CUTISS AG. This applies, in particular, where your data is processed by a group company in connection with its own legal obligations or contracts or where you share data with such a group company. In these cases, this group company is the controller and only if it shares your data with other group companies for their own processing (see section 7), will these other group companies also become controllers.
For each processing activity there are one or several parties that are responsible for ensuring that the processing complies with data protection law. This party is called the controller. It is responsible, for example, for responding to access requests (Section 11) or for ensuring that personal data is processed securely and not used in an unlawful manner.
Additional parties may be joint controllers for the processing set out in this Privacy Notice if they participate in determining the purpose or means of the processing. All group companies may act as joint controllers. If you wish to receive information about the controllers for a specific processing activity, you are welcome to ask us as part of your access right (Section 11). CUTISS remains your primary contact, even if there are other joint controllers.
In Section 3, Section 7 and Section 12, you will find additional information about third parties with whom we work together and who are controllers for their processing. If you have any questions for these third parties or if you wish to exercise your rights, please contact them directly.
You may contact us for data protection concerns and to exercise your rights under Section 11, Art. 27 & Art. 37 ff. GDPR, Art. 10 & Art. 14 revDPA as follows:
Data Protection Officer
c/o CUTISS AG
3. What Data Do We Process?
We process various categories of data about you. The main categories of data are the fol-lowing:
3.1. Technical Data
When you use our website or other electronic offerings, we collect the IP address and information about the operating system of your device, the date, region, and time of use, as well as the type of browser with which you access our electronic offerings, to ensure the functionality and security of these services. This can help us deliver the correct formatting of the website or display a website adapted to your region, for example. These data also include logs that record the use of our systems. We generally retain technical data for 6 months. To ensure the functionality of these services, we may also assign an individual code to you or your device (e.g., in the form of a cookie; see section 12 for more details). Based on the IP address, we know through which provider you access our offerings (and thus also the region), but we usually cannot deduce who you are from this information alone. This changes if you create a user account, for example, because then personal data can be linked with technical data (we see, for example, which browser you use to create an account via our website). However, in the context of registrations, access controls, or contract processing, they may be linked with other categories of data (and thus possibly with your person). Examples of technical data also include logs (“Logs”) that occur in our systems (e.g., the log of user logins on our website).
3.2. Registration Data
Certain offers and services (e.g., login areas of our website, newsletter distribution, etc.) can only be used with a user account or registration, which can be done directly with us or through our external login service providers. In this process, you must provide us with certain data (e.g., username, password, name, email), and we collect data about the use of the offer or service.
During access controls to certain facilities, registration data (access codes in badges) may be generated; depending on the control system, biometric data for identification may also be collected. We generally retain registration data for 6 months after the end of the use of the service or the termination of the user account (see the category “other data” for more details).
3.3. Communication Data
When you communicate with us via the contact form, email, telephone, chat, by letter, or through other means of communication, we collect the communication data exchanged between you and us. Communication data includes your name and contact details, the method, location, and time of communication, and usually also its content (i.e., the content of emails, letters, chats, etc.). These data may also contain information about third parties. For identification purposes, we may also process your ID number or a password set by you or your press pass. If we record or monitor phone calls or video conferences for training and quality assurance purposes, for example, we will specifically inform you of this. Such recordings may only be made and used in accordance with our internal guidelines. You will be informed whether and when such recordings take place, for example through a notification during the relevant video conference. If you do not wish to be recorded, please inform us or terminate your participation. If you only wish not to have your image recorded, please turn off your camera.
If we want or need to verify your identity, for example in response to an information request from you, an application for media access, etc., we collect data to identify you (e.g., a copy of an ID document). We generally retain these data for 6 months from the last exchange with you. This period may be longer if necessary for evidentiary reasons or to comply with legal or contractual requirements or due to technical reasons. Emails in personal mailboxes and written correspondence are generally kept for at least 10 years. Recordings of (video) conferences are generally retained for 6 months. Chats are generally retained for 6 months as well.
3.4. Master Data
Master data refers to the basic data that we need, in addition to contract data (see below), for the processing of our contractual and other business relationships or for marketing and advertising purposes. This includes information such as name, address, email address, telephone number, and other contact details, gender, date of birth, nationality, details about associated persons, websites, profiles on social media, photos and videos, copies of identification documents; as well as information about your relationship with us (customer, supplier, visitor, recipient of services, etc.), details about your status with us, allocations, classifications and distribution lists, information about our interactions with you (possibly a history thereof with corresponding entries), reports (e.g., from the media) or official documents (e.g., commercial register excerpts, permits etc.) concerning you. As payment information we collect for example your bank details, account number and credit card data. Consent or blocking notes are also part of the master data, as well as information about third parties, e.g., contact persons, recipients of services, recipients of advertising or representatives.
For contact persons and representatives of our customers, suppliers and partners we process master data such as name and address, details about role and function in the company, qualifications and possibly information about superiors, employees and subordinates and interactions with these individuals. Master data is not collected comprehensively for all contacts. The specific data we collect depends particularly on the purpose of processing.
We process your master data if you are a customer or other business contact or act for one (e.g., as a contact person of a business partner), or because we want to approach you for our own purposes or those of a contract partner (e.g., as part of marketing and advertising activities with invitations to events, newsletters etc.). We receive master data from yourself (e.g., when making a purchase or during registration), from entities for which you work or from third parties such as our contract partners, associations and address dealers and from publicly accessible sources such as public registers or the internet (websites, social media etc.). In the context of master data we may also process health data and information about third parties. We may also collect master data from our shareholders and investors.
We generally retain this data for 10 years from the last exchange with you but at least until the end of the contract. This period may be longer if necessary for evidentiary reasons or to comply with legal or contractual requirements or due to technical reasons. For pure marketing and advertising contacts the period is usually much shorter, often no more than 2 years since the last contact.
3.5. Contract Data
Contract data are the data that arise in connection with the conclusion of a contract or the execution of a contract, such as details about contracts and the services to be provided or already provided, as well as data from the preliminary stages of a contract conclusion, the information required or used for processing, and information about reactions (e.g., complaints or satisfaction feedback, etc.). Health data and information about third parties are also included, for example, regarding hereditary diseases in the family. We typically collect these data from you, from contractual partners, and from third parties involved in the execution of the contract, but also from third-party sources (e.g., providers of creditworthiness data) and publicly accessible sources.
We generally retain these data for 10 years from the last contract activity but at least until the end of the contract. This period may be longer if necessary for evidentiary reasons or to comply with legal or contractual requirements or due to technical reasons.
Contract data include information about the conclusion of the contract, your contracts (e.g., type and date of conclusion), information from the application process (such as an application for our products or services), and details about the relevant contract (e.g., its duration) and the execution and management of contracts (e.g., information related to billing, customer service, support with technical issues, and enforcement of contractual claims). Contract data also include information about defects, complaints, and adjustments to a contract, as well as customer satisfaction data that we may collect through surveys.
Furthermore, financial data such as creditworthiness information (i.e., information that allows conclusions about the likelihood that claims will be settled), reminders, and debt collection are part of contract data. We receive some of this data directly from you (e.g., when you make payments), but also from credit reporting agencies and debt collection companies and publicly accessible sources (e.g., a commercial register).
3.6. Behavioral and Preference Data
Depending on the nature of our relationship with you, we try to get to know you better and tailor our products, services, and offers more closely to your needs. To do this, we collect and use data about your behavior and preferences. We do this by evaluating information about your behavior in our area, and we may also supplement this information with data from third parties – including publicly accessible sources. Based on this information, we can calculate the likelihood that you will use certain services or behave in a certain way.
The data processed for this purpose are partly already known to us (e.g., when you use our services), or we obtain these data by recording your behavior (e.g., how you navigate on our website, whether and when you have opened an email, as well as your interaction with our social media profiles and your participation in events). Preference data give us insight into what your needs are, which products or services might interest you, or when and how you are likely to respond to messages from us. We gain this information from the analysis of existing data such as behavioral data so that we can get to know you better, tailor our advice and offers more precisely to you, and generally improve our offerings.
To improve the quality of our analyses, we may link these data with additional data that we also obtain from third parties such as address dealers, authorities, and publicly accessible sources like the internet. Behavioral and preference data can be evaluated on a personal basis (e.g., to show you personalized advertising) but also on a non-personal basis (e.g., for market research or product development). Behavioral and preference data can also be combined with other data (e.g., movement data can be used for contact tracing within a health protection concept).
We anonymize or delete these data when they are no longer meaningful for the purposes pursued, which can vary depending on the type of data between 2 weeks and 24 months (for product and service preferences). This period may be longer if necessary for evidentiary reasons or to comply with legal or contractual requirements or due to technical reasons.
Section 12 describes how tracking on our website works.
3.7. Other Data
We also collect data from you in other situations. For example, in connection with administrative or judicial proceedings, data may be generated (such as files, evidence, etc.) that can relate to you. For reasons of health protection, we may also collect data (e.g., as part of protection concepts). We may receive or produce photos, videos, and audio recordings in which you can be identified (e.g., at events, through security cameras, etc.). We may also collect data on who enters certain buildings when or has corresponding access rights (including at access controls based on registration data or visitor lists, etc.), who participates in events when or who uses our infrastructure and systems when. Finally, we collect and process data about our shareholders and other investors; in addition to basic data, this includes information for the relevant registers regarding the exercise of their rights and the conduct of events (e.g., general meetings). The retention period for these data is determined by the purpose and is limited to what is necessary. This ranges from a few days for many security cameras and typically a few weeks for contact tracing data to visitor data that is usually kept for 3 months, up to reports on events with images that can be kept for several years or longer. Data about you as a shareholder or other investor are retained according to corporate law requirements but in any case as long as you are invested.
Many of the data mentioned in this section 3 are provided by you (e.g., via forms, during communication with us, in connection with contracts, when using the website, etc.). You are not obliged to provide this information except in individual cases, e.g., within the framework of mandatory protection concepts (legal obligations). If you wish to enter into contracts with us or claim services, you must also provide us with data within the scope of your contractual obligation according to the relevant contract, especially basic data, contract data, and registration data. When using our website, processing technical data is inevitable. If you want access to certain systems or buildings, you must provide us with registration data. However, for behavioral and preference data, you generally have the option to object or not give consent.
We only provide certain services if you transmit registration data to us because we or our contractual partners want to know who uses our services or has accepted an invitation to an event because it is technically necessary or because we want to communicate with you. If you or someone you represent (e.g., your employer) wants to enter into a contract with us or fulfill one, we must collect corresponding basic data, contract data and communication data from you; we process technical data if you want to use our website or other electronic offers for this purpose. If you do not provide us with the necessary data for the conclusion and execution of the contract, you must expect that we will refuse the conclusion of the contract; you commit a breach of contract; or we cannot fulfill the contract. Similarly, we can only send a response to an inquiry from you if we process the corresponding communication data and – if you communicate online with us – possibly also technical data. The use of our website is also not possible without receiving technical data.
To the extent that it is not prohibited by law, we also obtain data from publicly accessible sources (e.g., debt enforcement registers, land registers, commercial registers), media or internet including social media) or receive information from other companies within our group, authorities and other third parties (such as credit reporting agencies). The categories of personal information that we receive about you from third parties include particularly information from public registers; information obtained in connection with administrative and judicial proceedings; details related to your professional functions and activities (so that we can conclude and execute business transactions with your employer through your assistance); information about you in correspondence and discussions with third parties; credit reports (if we conduct business directly with you); information provided by people around you (family members, advisors legal representatives etc.) so that we can conclude contracts involving yourself; references; your address for deliveries; powers of attorney; compliance-related information such as fraud prevention money laundering counter-terrorism measures export restrictions; details from banks insurance companies sales partners regarding services rendered by yourself (such as payments purchases etc.); media internet-based personal details where appropriate (for instance during job applications marketing/sales press reviews etc.); your address interests socio-demographic details particularly for marketing research purposes; usage-related details concerning external websites online services where such usage can be attributed to yourself.
4. For What Purposes Do We Process Your Data?
We process your data for the purposes that we explain below. Additional information for the online area can be found in sections 12 and 13. These purposes, or the underlying objectives, represent legitimate interests of ours and possibly of third parties. You can find further information on the legal basis of our processing in section 5.
We process your data for purposes related to communication with you, in particular to respond to inquiries and to assert your rights (section 11) and to contact you if there are any follow-up questions. For this purpose, we primarily use communication data and basic data, and in connection with offers and services you have used, also registration data. We retain these data to document our communication with you, for training purposes, quality assurance, and for follow-up inquiries.
4.2. Contractual Relationships
We process data for the initiation, management, and execution of contractual relationships. We enter into contracts of various kinds with our business and private customers, suppliers, subcontractors, or other contractual partners such as partners in projects or parties in legal disputes. In this process, we particularly process basic data, contract data, and communication data, and depending on the circumstances, also registration data of the customer or the persons to whom the customer provides a service.
As part of business development, personal data – especially basic data, contract data, and communication data – are collected from potential customers or other contractual partners (e.g., in an order form or contract) or arise from communication. Also related to the conclusion of the contract, we process data to check creditworthiness and for opening the customer relationship. Some of this information is verified to comply with legal requirements.
In the course of executing contractual relationships, we process data for managing customer relations, providing and demanding contractual services (which also includes involving third parties such as logistics companies, security services, advertising service providers, banks, insurance companies or credit reporting agencies that can then provide us with data), for consulting and customer support. The enforcement of legal claims arising from contracts (debt collection, court proceedings etc.) is also part of the execution process, as well as accounting, termination of contracts and public communication.
4.3. Marketing Purposes and Relationship Management
We process data for marketing purposes and for maintaining relationships, e.g., to send our customers and other contractual partners personalized advertising for products and services. This can take the form of newsletters and other regular contacts (electronically, by mail, by phone), through other channels for which we have your contact information, but also as part of individual marketing campaigns (e.g., events) and may also include free services (e.g., invitations). You can reject such contacts at any time (see at the end of this section 4) or refuse or revoke consent to be contacted for advertising purposes. With your consent, we can target our online advertising on the internet more specifically to you (see section 12 for details).
Relationship management also includes the personalized approach to existing customers and their contacts, potentially based on behavioral and preference data. As part of relationship management, we may operate a Customer Relationship Management system (CRM), in which we store the data necessary for maintaining relationships with customers, suppliers, and other business partners. This can include information about contact persons, relationship history (e.g., about products and services received or delivered, interactions, etc.), interests, preferences, marketing activities (newsletters, invitations to events, etc.), and other details.
All these processing activities are important for us not only to promote our offers as effectively as possible, but also to make our relationships with customers and other third parties more personal and positive, to focus on the most important relationships, and to use our resources as efficiently as possible.
4.4. Market Research and Product Development
We also process your data for market research, to improve our services and operations, and for product development. We strive to continuously improve our products and services (including our website) and to be able to respond quickly to changing needs. Therefore, we analyze, for example, how you navigate through our website or how different groups of people use which products in what way, and how new products and services can be designed (for further details, see section 12). This gives us insights into the market acceptance of existing products and the market potential of new products and services. For this purpose, we particularly process basic data, behavioral and preference data, as well as communication data and information from customer surveys, polls, studies, and additional information from media sources, social media, the internet, and other public sources. Where possible, we use pseudonymized or anonymized information for these purposes. We may also use media monitoring services or conduct media monitoring ourselves to process personal data in order to engage in media relations or understand and respond to current developments and trends.
4.5. Security Purposes
We may also process your data for security purposes and access control. We continuously review and improve the appropriate security of our IT and other infrastructure (e.g., buildings). Like all companies, we cannot completely rule out data security breaches, but we do our part to reduce the risks. Therefore, we process data for monitoring, controls, analyses, and tests of our networks and IT infrastructures, for system and error checks, for documentation purposes, and as part of security backups. Access controls include both the control of access to electronic systems (e.g., logging into user accounts) and physical access control (e.g., building entry). For security purposes (preventative and for investigating incidents), we also maintain entry logs or visitor lists and use surveillance systems (e.g., security cameras). We inform you about surveillance systems at the respective locations with appropriate signs.
4.6. Compliance With Laws
We process personal data to comply with laws, directives, and recommendations from authorities and internal regulations (“Compliance”). This includes, for example, the implementation of health and safety concepts or legally regulated efforts to combat money laundering and terrorist financing. In certain cases, we may be obligated to conduct specific investigations on customers (“Know Your Customer”) or to report to authorities. The fulfillment of disclosure, information, or reporting obligations, for instance in connection with supervisory and tax law duties, presupposes data processing or entails it, such as compliance with archiving obligations and the prevention, detection, and investigation of criminal offenses and other violations. This also includes receiving and processing complaints and other reports, monitoring communication, conducting internal investigations, or disclosing documents to an authority if we have a sufficient reason or are legally obliged to do so. Personal data about you may also be processed during external investigations by a law enforcement or regulatory authority or a commissioned private entity. Furthermore, we process data for the care of our shareholders and other investors and the fulfillment of our related obligations. For all these purposes, we particularly process your basic data, your contract data, and communication data, but in some cases also behavioral data and data from the category of other data. Legal obligations may involve Swiss law as well as foreign provisions that we are subject to; this also includes self-regulations, industry standards, our own “Corporate Governance,” and instructions and requests from authorities.
4.7. Risk Management
We also process data for the purposes of our risk management and as part of prudent corporate governance, including business organization and corporate development. For these purposes, we particularly process basic data, contract data, registration data, and technical data, but also behavioral and communication data. For example, as part of our financial management, we need to monitor our debtors and creditors, and we must avoid becoming victims of offenses and abuses, which may require the evaluation of data for corresponding patterns. For these purposes and for your protection as well as ours from criminal or abusive activities, we may also perform profiling and create and process profiles (see also section 6). In the context of planning our resources and organizing our operations, we need to evaluate and process data on the use of our services and other offerings or exchange information about it with others (e.g., outsourcing partners), which may include your data. The same applies to services provided to us by third parties. As part of corporate development, we may sell business units or companies to others or acquire them from others or enter into partnerships, which can also lead to the exchange and processing of data (including yours, e.g., as a customer or supplier or as a supplier representative).
4.8. Further Purposes
We may process your data for additional purposes, which include, for example, training and educational purposes, administrative purposes (such as the management of basic data, accounting, data archiving, and the auditing, management, and ongoing improvement of IT infrastructure), the protection of our rights (e.g., to enforce claims in court or through pre-litigation or out-of-court proceedings and before authorities domestically and abroad, or to defend against claims, such as through evidence preservation, legal investigations, and participation in judicial or administrative proceedings), and the evaluation and improvement of internal processes. We may use recordings of (video) conferences for training and quality assurance purposes. The protection of other legitimate interests also falls under these additional purposes, which cannot be exhaustively listed.
5. On What Basis Do We Process Your Data?
To the extent that we ask for your consent for certain processing activities (e.g., for the processing of particularly sensitive personal data, for marketing mailings, and for advertising control and behavioral analysis on the website), we will inform you separately about the respective purposes of the processing. You can revoke your consent at any time by written communication (by post) or, unless otherwise specified or agreed upon, by email to us, effective for the future; our contact details can be found in section 2. For revoking your consent to online tracking, see section 12. If you have a user account, a revocation or contact with us may also be carried out via the relevant website or other service as applicable. As soon as we receive notification of the revocation of your consent, we will no longer process your data for the purposes to which you originally agreed, unless we have another legal basis for doing so. The revocation of your consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
5.2. Initiating or Performing a Contract
Where we do not ask for your consent for processing, we base the processing of your personal data on the fact that the processing is necessary for the initiation or execution of a contract with you (or the entity you represent), or that we or third parties have a legitimate interest in doing so, particularly to pursue the purposes and associated objectives described above under section 4 and to be able to implement corresponding measures.
5.3. Legitimate Interest
Our legitimate interests also include compliance with legal regulations, to the extent that these are not already recognized as a legal basis by the applicable data protection law (e.g., under the GDPR, the law in the EEA and Switzerland). This also includes the marketing of our products and services, the interest in better understanding our markets, and running and further developing our company, including its operational business, securely and efficiently.
5.4. Legal Regulations
If we receive sensitive personal data (e.g., health data, information on political, religious, or philosophical beliefs, or biometric data for identification), we may also process your data based on other legal grounds, for example in the case of disputes due to the necessity of processing for a potential legal proceeding or the enforcement or defense of legal claims. In individual cases, other legal reasons may apply, which we will communicate to you separately as necessary.
6. What Applies in Case of Profiling and Automated Individual Decisions?
We may automatically evaluate certain of your personal characteristics for the purposes mentioned in section 4 based on your data (section 3) (“profiling”) when we want to determine preference data, but also to identify abuse and security risks, perform statistical analyses, or for operational planning purposes. For the same purposes, we may also create profiles, i.e., we can combine behavioral and preference data as well as basic and contractual data and technical data assigned to you in order to better understand you as a person with your various interests and other characteristics.
In both cases, we ensure the proportionality and reliability of the results and take measures against the abusive use of these profiles or profiling. If this can have legal effects or significant disadvantages for you, we generally provide for a manual review.
7. With Whom Do We Share Your Data?
In connection with our contracts, the website, our services and products, our legal obligations, or otherwise to protect our legitimate interests and the other purposes listed in section 4, we also transmit your personal data to third parties, in particular to the following categories of recipients:
7.1. Group Companies
You can find a list of our group companies here: https://cutiss.swiss/about-us. The group companies will have access in particular to your basic, contractual, and registration data as well as behavioral and preference data in order to make offers to you from their own range of products and services or for advertising purposes. If you wish to object to the sharing and use of your data for marketing purposes, you can do so through us (section 2), even if it concerns another group company because data has already been transferred. We also transfer your data to other group companies for certain products and services, for example, when certain products and services originate from other group companies rather than from us and we only coordinate the processing. The group companies may use the data according to this privacy statement for the same purposes as we do (see section 4). We may also disclose health data to our group companies.
7.2. Service Providers
To efficiently provide our products and services and to focus on our core competencies, we rely on third-party services in numerous areas. These services include, for example, IT services, the dispatch of information, marketing, sales, communication or printing services, building management, security and cleaning, organization and execution of events and receptions, debt collection, credit reporting agencies, address verification (e.g., for updating address databases in case of relocations), fraud prevention measures, and services from consulting firms, lawyers, banks, insurers, and telecommunications companies. We disclose to these service providers the data necessary for their services, which may also concern you. These service providers may also use such data for their purposes. In addition, we enter into contracts with these service providers that include provisions for data protection unless such protection is already provided by law. Our service providers may process data on how their services are used and other data that arise during the use of their service as independent controllers for their own legitimate interests (e.g., for statistical evaluations or billing). Service providers inform about their independent data processing in their own privacy statements.
7.3. Contractual Partners
If you act as an employee for a company with which we have entered into a contract, the execution of this contract may result in us transmitting data about you to the company in this context. This may also include health data.
The recipients also include contractual partners with whom we cooperate. Cooperation and advertising partners receive from us selected basic, contractual, behavioral, and preference data so that they can carry out non-personal analyses in their area (e.g., about the number of our customers who have seen their advertising) and also use the data for advertising purposes (including targeted communication with you).
We may disclose personal data to offices, courts, and other authorities domestically and abroad if we are legally obligated or authorized to do so, or if it appears necessary to protect our interests. This may also include health data. The authorities process data about you under their own responsibility, which they receive from us.
Cases of application include, for example, criminal investigations, police measures (e.g., health protection concepts, violence prevention, etc.), supervisory regulations and investigations, judicial proceedings, reporting obligations, pre-litigation and out-of-court procedures, as well as legal information and cooperation duties. Data disclosure can also occur when we want to obtain information from public bodies, for example, to justify an interest in obtaining information or because we need to specify about whom we require information (e.g., from a register).
7.5. Other Persons
Other recipients include, for example, delivery addresses or payees you have specified that differ from your own, other third parties within the context of representation (e.g., if we send your data to your lawyer or bank), or individuals involved in administrative or court proceedings. If we collaborate with media and provide them with material (e.g., photos), you may also be affected. The same applies to the publication of content (e.g., photos, interviews, quotes, etc.) on our website or in other publications of ours. As part of business development, we may sell or acquire businesses, divisions, assets, or companies, or enter into partnerships, which can also result in the disclosure of data (including yours, e.g., as a customer or supplier or as a supplier representative) to individuals involved in these transactions. In the course of communication with our competitors, industry organizations, associations, and other bodies, there may also be an exchange of data that concerns you.
All these categories of recipients may in turn involve third parties so that your data may become accessible to them as well. We can restrict processing by certain third parties (e.g., IT providers), but not by others (e.g., authorities, banks, etc.). In many cases, the disclosure of confidential data is necessary to execute contracts or provide other services. Confidentiality agreements usually do not exclude such disclosures of data nor does the disclosure to service providers. However, according to the sensitivity of the data and other circumstances, we ensure that these third parties handle the data appropriately. We cannot comply with your objection to data transfer where such disclosures are necessary for our activities.
We also allow certain third parties to collect personal data from you on our website and at our events (e.g., media photographers, providers of tools that we have integrated into our website, etc.). To the extent that we are not significantly involved in these data collections, these third parties are solely responsible for them. For concerns and to assert your data protection rights, please contact these third parties directly. See section 12 for the website.
8. Is Your Personal Data Disclosed Abroad?
As explained in section 7, we also disclose data to other entities. These are not only located in Switzerland. Therefore, your data may be processed both in Europe and in the USA; however, in exceptional cases, it could be processed in any country worldwide.
Many states outside of Switzerland or the EU and EEA currently do not have laws that ensure an adequate level of data protection from the perspective of the Swiss DPA (Data Protection Act) or the GDPR (General Data Protection Regulation). If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with applicable data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), unless they are already subject to a legally recognized framework for ensuring data protection and we cannot rely on an exception provision. An exception may apply particularly in legal proceedings abroad but also in cases of overriding public interest or when contract execution requires such disclosure if you have consented or if it concerns data you have made publicly accessible and have not objected to its processing. The aforementioned contractual arrangements can partially compensate for this weaker or absent legal protection. However, contractual arrangements cannot eliminate all risks (especially governmental access abroad). You should be aware of these residual risks, even if the risk may be low in individual cases and we take further measures (e.g., pseudonymization or anonymization) to minimize it. Please also note that data exchanged over the Internet often passes through third countries. Therefore, your data may end up abroad even if both sender and receiver are located in the same country.
9. How Long Do We Process Your Data?
We process your data for as long as our processing purposes, legal retention periods, and our legitimate interests in processing for documentation and evidence purposes require it, or as long as storage is technically necessary. Documentation and evidence purposes include our interest in documenting processes, interactions, and other facts in case of legal claims, discrepancies, purposes of IT and infrastructure security, and proof of good corporate governance and compliance. Storage may be technically necessary if certain data cannot be separated from other data, and we must therefore retain them together (e.g., in the case of backups or document management systems).
Further information on the respective storage and processing duration can be found for each category of data in section 3 or for cookie categories in section 12. If there are no legal or contractual obligations to the contrary, we will delete or anonymize your data after the expiration of the storage or processing period as part of our usual procedures.
10. How Do We Protect Your Data?
We implement appropriate security measures to maintain the confidentiality, integrity, and availability of your personal data, to protect it against unauthorized or unlawful processing, and to counteract the risks of loss, accidental alteration, unintended disclosure, or unauthorized access.
Security measures of a technical and organizational nature may include actions such as encryption and pseudonymization of data, logging, access restrictions, storage of backup copies, instructions to our employees, confidentiality agreements, and audits. We protect your data transmitted via our website during transit with suitable encryption mechanisms. However, we can only secure areas that we control. We also require our processors to implement appropriate security measures. Nevertheless, security risks cannot be completely eliminated; residual risks are unavoidable.
11. What Are Your Rights?
The applicable data protection law grants you the right under certain circumstances to object to the processing of your data, especially for purposes of direct marketing, profiling carried out for direct advertising, and other legitimate interests in processing.
To facilitate your control over the processing of your personal data, depending on the applicable data protection law, you also have the following rights in connection with our data processing:
- The right to request information from us about whether and which data we process about you;
- The right to have us correct data if it is inaccurate;
- The right to request the deletion of data;
- The right to request from us the release of certain personal data in a common electronic format or their transfer to another controller;
- The right to revoke consent, insofar as our processing is based on your consent;
- The right to request additional information necessary for the exercise of these rights upon inquiry.
If you wish to exercise the rights mentioned above towards us (or towards one of our group companies), please contact us in writing, on-site, or, where not otherwise specified or agreed upon, by email; our contact details can be found in section 2. To prevent misuse, we must identify you (e.g., with a copy of your ID, if there is no other way).
You also have these rights in relation to other entities that work independently with us—please contact them directly if you want to exercise rights in connection with their processing. Information about our important partners and service providers can be found in section 7, and further information in section 12.
Please note that these rights are subject to conditions, exceptions, or restrictions according to applicable data protection law (e.g., for the protection of third parties or trade secrets). We will inform you accordingly if necessary.
In particular, we may need to continue processing and storing your personal data to fulfill a contract with you, protect our legitimate interests such as asserting, exercising, or defending legal claims, or comply with legal obligations. Therefore, to the extent legally permissible and especially to protect the rights and freedoms of other affected individuals as well as to safeguard legitimate interests, we may reject a data subject’s request wholly or partly (e.g., by redacting certain content concerning third parties or our trade secrets).
If you disagree with how we handle your rights or privacy issues, please let us know or inform our data protection officer (section 2). Especially if you are located in the EEA, the United Kingdom, or Switzerland, you also have the right to complain to the data protection supervisory authority of your country. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_en. The supervisory authority of the United Kingdom can be reached here: https://ico.org.uk/global/contact-us/. The Swiss supervisory authority can be reached here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact/address.html.
12. Do We Use Online Tracking?
On our website, we use various techniques that allow us and third parties engaged by us to recognize you during your use and potentially track you across multiple visits. In this section, we inform you about this. Essentially, it is about being able to distinguish accesses from you (via your system) from those of other users so that we can ensure the functionality of the website and carry out evaluations and personalizations. We do not intend to deduce your identity, even though we can do so if we or third parties engaged by us can identify you by combining it with registration data. Even without registration data, however, the technologies used are designed in such a way that you are recognized as an individual visitor on each page view, for example by our server (or the servers of the third parties) assigning a specific identification number to you or your browser (known as a “cookie”).
Cookies are individual codes (e.g., a serial number) that our server or a server of our service providers or advertising partners transmits to your system when connecting to our website, and which your system (browser, mobile) receives and stores until the programmed expiration date. With each subsequent access, your system transmits these codes back to our server or the server of the third party. This way, you are recognized again, even if your identity is unknown.
Other techniques may also be used that allow you to be recognized with more or less probability (i.e., distinguished from other users), such as “fingerprinting.” Fingerprinting combines your IP address, the browser you use, screen resolution, language choice, and other details that your system communicates to every server, resulting in a more or less unique fingerprint. This can eliminate the need for cookies.
Whenever you access a server (e.g., when using a website or an app or because an image is integrated visibly or invisibly in an email), your visits can thus be “tracked.” If we integrate offers from an advertising partner or provider of an analytics tool on our website, they can track you in the same way, even if you cannot be identified in individual cases.
We use such techniques on our website and allow certain third parties to do so as well. You can program your browser to block certain cookies or alternative techniques, deceive them, or delete existing cookies. You can also extend your browser with software that blocks tracking by certain third parties. More information on this can be found on the help pages of your browser (usually under the keyword “privacy”) or on the websites of the third parties we list below.
The following cookies are distinguished (techniques with functions comparable to fingerprinting are also included here):
12.1.1. Necessary Cookies
Some cookies are necessary for the functioning of the website itself or certain features. For example, they ensure that you can navigate between pages without losing information entered in a form. They also ensure that you remain logged in. These cookies are temporary (“session cookies”). If you block them, the website may not function properly. Other cookies are necessary so that the server can save decisions you make or entries beyond a session (i.e., a visit to the website), if you use this function (e.g., chosen language, given consent, the function for automatic login, etc.). These cookies have an expiration date of up to 24 months.
12.1.2. Performance Cookies
12.2. Social Media
We may also include additional third-party offerings on our website, particularly from social media providers. These offers are by default disabled. As soon as you activate them (for example, by clicking a switch), the relevant providers can detect that you are on our website. If you have an account with the social media provider, they can attribute this information to you and thus track your use of online services. These social media providers process this data under their own responsibility.
12.3. Google Analytics
13. What Data Do We Process On Our Social Network Pages?
We can operate pages and other online presences on social networks and platforms operated by third parties (“Fanpages,” “Channels,” “Profiles,” etc.) and collect the data about you described in section 3 and below. We receive this data from you and the platforms when you interact with us through our online presence (e.g., when you communicate with us, comment on our content, “like” it, or visit our presence). At the same time, the platforms evaluate your use of our online presences and link this data with other information about you that is known to the platforms (e.g., regarding your behavior and preferences). They also process this data for their own purposes under their own responsibility, especially for marketing and market research purposes (e.g., to personalize advertising) and to manage their platforms (e.g., which content they show you).
We process this data for the purposes described in section 4, particularly for communication, marketing purposes (including advertising on these platforms, see section 12), and market research. You can find information on the corresponding legal bases in section 5. Content that you publish yourself (e.g., comments on an announcement) can be further disseminated by us (e.g., in our advertising on the platform or elsewhere). We or the operators of the platforms may also delete or restrict content from or about you according to the usage guidelines (e.g., inappropriate comments).
For more information on how the platform operators process data, please refer to their privacy notices. There you will also learn in which countries they process your data, what rights of access, deletion, and other affected rights you have, and how you can exercise them or obtain further information. Currently, we use the following platforms:
13.2. X (formerly known as Twitter)
Here we operate the page https://twitter.com/Cutiss_AG. The entity responsible for your personal data for users from the European Union, EFTA states, or the United Kingdom is:
Twitter International Unlimited Company
Attn: Data Protection Officer
One Cumberland Place, Fenian Street
Dublin 2, D02 AX07
Meta Platforms Ireland Ltd.
4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland
14. Can We Update This Privacy Notice?
Last update: January 2024