- Who is responsible for data processing?
- What personal data do we process?
- Where does the personal data come from?
- For what purposes do we process personal data?
- On what legal basis do we process personal data?
- To whom do we disclose personal data?
- How do we disclose personal data abroad?
- How do we protect personal data?
- How long do we process personal data?
- What rights do you have in connection with the processing of your personal data?
- How can you contact us?
- what personal data we collect and process;
- for what purposes we use your personal data;
- who has access to your personal data;
- what benefit our data processing has for you;
- how long we process your personal data;
- what rights you have with regard to your personal data; and
- how you can contact us.
Processing personal data is complex, especially when companies like us work together in the digital realm. Our goal is to explain to you as simply as possible in this privacy statement what we do with your data, how we do it, and why we do it. If you nevertheless have further questions about our data processing, please feel free to contact us (item 12).
Incidentally, we have aligned the content of this privacy statement not only with the Swiss Data Protection Act (DPA), but also with the European General Data Protection Regulation (GDPR), which sets standards for strong data protection worldwide. However, whether and to what extent the DSGVO is applicable depends on the individual case.
2.Who is responsible for data processing?
For each data processing operation, there is a«controller», i.e. a company that is primarily responsible for ensuring compliance with data protection law during processing. In each case, this is the company that determines that processing takes place at all, what purposes it serves and how it is structured. Several companies may also be jointly responsible for processing. Most companies indicate on their website which processing operations fall under their responsibility.
In principle, TX Group AG is responsible under data protection law for data processing in accordance with this data protection declaration. Please note that any third-party offers that can be accessed via our offers are not subject to this data protection declaration. We assume no responsibility or liability for the observance of data protection by third party websites and recommend that you consult the data protection statements of these third party websites.
3. What personal data do we process?
The law defines «personal data» as all information that relates to a specific person or can be associated with a specific person. You will then find information on the most important categories of personal data that we process. In section 4 you can find out more about the origin of this data and in section 5 about the purposes for which we process this data.
However, it cannot be ruled out that, depending on the individual case, we may also have to or want to process further personal data. We will inform you accordingly, e.g. in consent declarations or in supplementary data protection declarations, if this is legally required. You can also find additional information in the information on cookies and similar technologies.
3.1. Master data
Master data is basic data such as surname, first name, title or contact details. We collect master data especially when you contact us via the contact form or register for a newsletter. Certain information is often marked as mandatory or technically designed as mandatory, but you can often voluntarily collect further personal data in addition to this information.
The master data includes, depending on the case, e.g.
- First and last name;
- Function / Profession
- Employer / Organisation
- Telephone number
- E-mail address
3.2. Communication data
When we are in contact with you, we process the exchanged communication content and information about the type, time and place of the communication. In certain situations, we may also ask you for proof of identity for identification purposes, e.g. when you exercise your data subject rights (section 11).
Depending on the situation, the communication data includes e.g.
- Name and contact details such as postal address, email address and telephone number;
- Content of emails, written correspondence, social media posts, telephone conversations, etc...;
- Details of the nature, time and possibly location of communications;
- Proof of identity such as copies of official IDs;
- Marginal data of the communication.
Telephone conversations with us may be recorded for education and training purposes; we will inform you of this at the beginning of each conversation. If you do not want us to record such conversations, you have the option to terminate the conversation at any time and contact us by other means (e.g. by e-mail).
3.3. Behavioural and transactional data
When you use our offers or when you receive newsletters, we collect data about the corresponding use and generally about your interaction with offers.
Behavioural and transactional data includes, for example, the following information, as far as it is available to us on a personal basis:
- about your behaviour on websites;
- about your use of electronic communications (e.g. whether and when you opened an email or clicked on a link).
If you have a user account, behavioural and transaction data may be assigned to your profile even if you are not logged in at the time of using the offer.
3.4. Technical data
The technical data include, depending on the case, e.g.
- The IP address of your device and other device IDs (e.g. MAC address);
- Identification numbers assigned to your device by cookies and similar technologies (e.g. pixel tags);
- Information about your device and its configuration, e.g. operating system or language settings;
- Information about the browser you use to access the service and its configuration;
- Information about your movements and actions on our websites and in our apps;
- Information about your internet provider;
- Your approximate location and time of use;
- System records of accesses and other processes, e.g. which of our offers were called up, reference/exit pages, the time and duration of the visit (log data).
4. Where does the personal data come from?
We often receive personal data directly from you, e.g. when you send us data or communicate with us. In particular, we usually receive master data and communication data from you.
For example, you provide us with personal data in the following cases:
- You register for one of our offers (especially the newsletter);
- You contact us (e.g. by e-mail or via the contact form);
The provision of personal data is usually voluntary, i.e. you are usually not obliged to disclose personal data to us. However, we must collect and process those personal data that are necessary for the processing of our offers and for the fulfilment of associated obligations or are required by law. Without this data, we cannot provide the offer.
We may also collect personal data about you ourselves or by automated means. This is often behavioural and transactional data (see section 3.3) and technical data (see section 3.4).
We collect personal data about you in the following cases, for example:
- You visit one of our websites;
- You click on a link in one of our newsletters or otherwise interact with one of our electronic communications.
5. For what purposes do we process personal data?
We process personal data for one or more purposes. These are in particular the purposes explained below.
We would like to stay in contact with you and respond to your concerns. We therefore process personal data for communication with you, e.g. answering enquiries and customer care. For this purpose, we process communication and master data in particular.
The purpose of communication includes in particular:
- answering enquiries;
- contacting you with questions;
- customer service and customer care;
- quality assurance and training;
- all other processing purposes to the extent that we communicate with you to do so.
We would like to make you attractive offers. We therefore process personal data for relationship management and information purposes, e.g. to send you written and electronic communications. These may be our own offers or offers from other companies in the TX Group.
These may include, for example, the following communications and offers:
- Newspapers, magazines and other printed matter;
- Delivery of vouchers.
Unless we separately ask for your consent to contact you for marketing purposes, you may opt out of such contacts at any time (see section 11). In the case of newsletters and other electronic communications, you can usually unsubscribe directly from the relevant service via an unsubscribe link integrated in the communication.
5.3. Market research and product development
We want to improve our offers and make them more attractive for you, but also develop new offers. We therefore process personal data for market research and for the development of our offers. To this end, we process in particular master data, behavioural data and+ transaction data, but also communication data and information from user surveys and other data, e.g. from the media, the Internet and other public sources. If you have consented, you may also be contacted by other TX Group companies, for example to participate in other user surveys. As far as possible, we use pseudonymised or anonymised data for these purposes.
Market research and offer development include in particular:
- the further development of our offers (e.g. design of media content etc.);
- the assessment and improvement of the acceptance of our offers and our communication in connection with offers;
- the optimisation and improvement of the user-friendliness of websites;
- the development and testing of new offers;
- the testing and improvement of our internal processes;
- the education and training of our employees;
- statistical analyses, e.g. to evaluate information about our customers' interactions with us on a non-personal basis;
- Market monitoring, e.g. to understand and respond to current developments and trends.
5.4. Safety and prevention
We want to ensure your and our security and prevent abuse. We therefore also process personal data for security purposes, to ensure IT security, to prevent fraud and abuse and for evidence purposes. This may concern all categories of personal data mentioned in section 3, in particular also behavioural and transactional data.
The purpose of security and prevention includes, for example:
- the analysis of behavioural and transactional data for the purpose of identifying suspicious behaviour patterns and fraudulent activities;
- analysing system records of the use of our systems (log data);
- preventing, preventing and resolving cyber-attacks and malware attacks;
- Analysing and testing our networks and IT infrastructures, as well as system and error checks;
- controlling access to electronic systems (e.g. logins for user accounts);
- Documentation purposes and creation of security copies.
5.5. Compliance with legal requirements
We want to and must comply with legal requirements. We therefore also process personal data to comply with legal obligations and to prevent, detect and, if necessary, prosecute violations. This includes, for example, the receipt and processing of complaints and other reports, compliance with orders of a court or authority, and measures to detect and clarify abuses. This may concern all categories of personal data mentioned in section 4.
Compliance with legal requirements includes in particular:
- receiving and processing complaints and other reports;
- ensuring compliance and risk management;
- disclosing information and documents to authorities if we have a factual reason to do so or are legally obliged to do so;
- cooperating with external investigations, e.g. by a law enforcement or regulatory authority;
- guaranteeing the legally required data security;
- the fulfilment of disclosure, information or reporting obligations, e.g. in connection with supervisory and tax obligations, e.g. archiving obligations and for the prevention, detection and clarification of criminal offences and other violations;
- the legally regulated fight against money laundering and terrorist financing.
In all cases, this may involve Swiss law, but also foreign regulations to which we are subject, as well as self-regulations, industry and other standards, our own «corporate governance» or official directives.
5.6. Safeguarding the law
We have the right to enforce claims and defend ourselves against third-party claims. We therefore also process personal data to protect the law, e.g. to enforce claims in court, before or out of court and before authorities in Switzerland and abroad, or to defend ourselves against claims. In doing so, we process different personal data depending on the constellation, e.g. contact data as well as information about processes that have given or could give rise to a dispute.
The purpose of upholding the law includes in particular:
- Clarifying and enforcing our claims, which may include claims by our affiliates and our contractual and business partners;
- Defending claims against us, our employees, our affiliates and our contractual and business partners;
- the clarification of the prospects of litigation and other legal, economic and other issues;
- participating in proceedings before courts and authorities at home and abroad. For example, we may preserve evidence, clarify the prospects of litigation or submit documents to a public authority. It may also be that authorities request us to disclose documents and data carriers containing personal data.
5.7. Intra-group administration and support
We want to make our internal processes as efficient as possible. We therefore process personal data for our internal group administration. For this purpose, we can process all the data mentioned in section 3.
Internal group support and administration includes in particular:
- the joint use of content, e.g. if content that you have published on our offers is published, possibly in an adapted form, in other offers of the TX Group;
- the central storage and management of data used by several companies of the TX Group;
- the management of IT;
- the archiving of data and the management of our archives;
- the training and education, e.g. when we evaluate telephone recordings or other communications;
- the review or execution of corporate transactions such as acquisitions, disposals and mergers;
- forwarding enquiries to the relevant departments, e.g. if you send an enquiry to a TX Group company that concerns another company;
- generally reviewing and improving internal processes.
6. On what legal basis do we process personal data?
The GDPR only permits the processing of personal data if it is based on one or more legal bases. Depending on the purpose of the data processing, our processing of personal data is based on different legal bases.
Insofar as the GDPR applies to our processing of personal data, these legal bases are found in Art. 6 and 9 GDPR, in particular Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a (consent), Art. 6 para. 1 lit. b (performance of a contract or implementation of pre-contractual measures), Art. 6 para. 1 lit. c (performance of a legal obligation) and Art. 6 para. 1 lit. f (safeguarding legitimate interests).
We may process personal data in particular if the processing:
- is necessary for the performance of a contract (e.g. subscription) with the data subject or for pre-contractual measures;
- is necessary for the exercise of legitimate interests;
We have a legitimate interest in particular in the processing for the purposes described above in section 5 and in the disclosure of data in accordance with section 8 and the objectives associated with each of these. The legitimate interests in each case include our own interests and the interests of third parties.
These legitimate interests include, for example, the interest in:
- to continuously improve our offer and adapt it to your needs;
- in good customer care, maintaining contacts and communicating with customers even outside of a contract;
- in the group-internal administration and group-internal traffic that is necessary in a group with a division of labour;
- in the mutual support of the Group companies in their activities and objectives;
- in the fight against fraud and the prevention and investigation of offences;
- in the protection of customers, employees and other persons and data, secrets and assets of the TX Group;
- ensuring IT security;
- in ensuring and organising business operations, including the operation and development of websites and other systems;
- in the management and development of the company;
- in the sale or purchase of companies, parts of companies and other assets;
- in the enforcement or defence of legal claims;
- in compliance with Swiss and foreign law and internal rules.
- is based on consent;
Consent can be revoked at any time with effect for the future. However, this does not affect the lawfulness of the data processing carried out until the revocation.
- is required to comply with domestic or foreign legal provisions.
7. Who do we share personal data with?
We may pass on personal data (section 3) to other companies in the TX Group, for example for the purposes of internal group administration or to support the TX Group companies concerned.
We may also pass on your personal data to companies within and outside the TX Group if we use their services. As a rule, these service providers process personal data on our behalf as so-called "order processors". Order processors are obliged to process personal data exclusively in accordance with our instructions and to take suitable data security measures. Certain service providers are also jointly responsible with us or independently. We ensure that data protection is guaranteed throughout the processing of your personal data by selecting the service providers and by means of suitable contractual agreements.
This involves, for example, services in the following areas:
- Dispatch of e-mail newsletters: EQS Group AG, Munich, Germany
- Data analysis and refinement: Google Analytics, Google Ireland Ltd., Dublin, Ireland
- Online map service: Google Maps, Google Ireland Ltd., Dublin, Ireland
- Video platforms: YouTube LLC, San Bruno USA / Vimeo LLC, New York, USA / TwentyThree ApS, Copenhagen, Denmark
- Data storage: Google Ireland Ltd, Dublin, Ireland
- Financial data service: Allfunds Bank S.A.U., Madrid, Spain
- Web design: Scharlachrot AG, Zurich, Switzerland
- Web hosting: exigo AG, Chur, Switzerland
Consultancy services, e.g. services of tax advisors, lawyers or management consultants
In individual cases, it is also possible that we pass on personal data to other third parties, including for their own purposes, e.g. if you have consented to the corresponding transfer and processing or if we are legally obliged or entitled to pass it on.
This includes, for example, the following cases:
- the transfer of receivables to other companies such as collection agencies;
- the examination or execution of transactions under company law such as company acquisitions, sales and mergers;
- the disclosure of personal data to courts and authorities in Switzerland and abroad, e.g. to law enforcement agencies in cases of suspected criminal offences;
- the processing of personal data in order to comply with a court order or to assert or defend legal claims or if we consider it necessary for other legal reasons. We may also disclose personal data to other parties involved in the proceedings.
In these cases, the recipient of the data is a separate data controller under data protection law, who will usually inform you about their own data protection declaration. Please also note our information on cookies and similar technologies for independent data collection by third-party providers whose cookies and similar technologies we have integrated on our offers.
8. How do we disclose personal data abroad?
The recipients of your personal data mentioned in section 7 may also be located abroad, including outside the European Economic Area (EEA). These countries do not all have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner.
One means of ensuring adequate data protection is, for example, the conclusion of data transfer agreements with the recipients of your personal data in third countries that ensure the required level of data protection. These include contracts that have been approved, issued or recognised by the European Commission and the Federal Data Protection and Information Commissioner, so-called standard contractual clauses. An example of the data transfer contracts we typically use can be found here. Please note that such contractual arrangements can partially compensate for weaker or missing legal protection, but cannot completely exclude all risks (e.g. of government access abroad). In exceptional cases, the transfer to countries without adequate protection may also be permissible in other cases, e.g. based on consent, in connection with legal proceedings abroad or if the transfer is necessary for the performance of a contract.
9. How do we protect personal data?
We take appropriate security measures of a technical and organisational nature to maintain the security of your personal data, to protect it against unauthorised or unlawful processing and to protect it against the risk of loss, accidental alteration, unauthorised disclosure or access. Our security measures are continuously adapted and improved in line with technological developments. However, like all companies, we cannot rule out data security breaches with absolute certainty; certain residual risks are unavoidable.
We only grant our employees access to your personal data if this is necessary for the activities of the employees concerned. This may also include employees in support areas such as IT. They are bound by our instructions and are obliged to maintain confidentiality when handling your personal data.
Security measures of a technical nature include, for example, password-protected areas, the encryption and pseudonymisation of data, logging, access restrictions and the storage of backup copies. Security measures of an organisational nature include, for example, instructions to our employees, confidentiality agreements and controls. We also oblige our order processors to take appropriate technical and organisational security measures.
10. How long do we process personal data?
We process and store your personal data for at least as long as it is necessary for the purpose of the processing or compatible purposes, in the case of contracts usually at least for the duration of the contractual relationship. In general, we also store personal data for as long as we have a legitimate interest in storing it. This may be the case in particular if we need personal data to enforce or defend claims, for archiving purposes and to ensure IT security. And we store personal data for as long as it is subject to a statutory retention obligation. For example, a ten-year retention period applies to certain data. For other data, shorter retention periods apply in each case, e.g. for records of certain processes on the internet (log data). After these periods have expired, we delete or anonymise your personal data.
11. What rights do you have in connection with the processing of your personal data?
You have the right to object to data processing, especially if we process your personal data on the basis of a legitimate interest and the other applicable conditions are met. You can also object at any time to data processing in connection with direct marketing (e.g. advertising e-mails).
Provided the applicable conditions are met and no legal exceptions apply, you also have the right to information, correction, deletion, restriction of data processing and the right to receive the personal data you have provided in a standard format. You also have the right to revoke any consent you may have given us with effect for the future.
- Right to information: You have the right to be informed about how we process your personal data and what rights you have in connection with the processing of your personal data. This privacy statement fulfils this obligation. If you would like further information, please feel free to contact us.
- Right to information: You have the right to request information about your personal data stored by us at any time. This gives you the opportunity to check what personal data we are processing about you. In individual cases, the right to information may be restricted or excluded, in particular if there are doubts about your identity or if this is necessary to protect other persons.
- Right to rectification: You have the right to have inaccurate or incomplete personal data corrected or completed or supplemented by a note of objection and to be informed of the correction.
- Right to erasure: You have the right to request the erasure of your personal data if the personal data is no longer required for the purposes pursued, you have effectively revoked your consent or effectively objected to the processing, or the personal data is being processed unlawfully. In individual cases, the right to erasure may be excluded, in particular if the processing is necessary for the exercise of freedom of expression or for the exercise of legal claims. We can also make personal data anonymous so that there is no longer any personal data. Please note that even after your request to delete your personal data, we must retain some of it within the scope of our legal or contractual retention obligations and in this case only block your personal data to the extent necessary for this purpose. Furthermore, deletion of your personal data may mean that you can no longer obtain or use the services you have registered for.
- Right to restrict processing: Under certain circumstances, you have the right to request that the processing of your personal data be restricted. This can mean, for example, that personal data is (temporarily) no longer processed or that published personal data is (temporarily) removed from a website.
- Right to data release or transfer: You have the right to receive from us the personal data that you have provided to us in a structured, common and machine-readable format, provided that the specific data processing is based on your consent or is necessary for the performance of the contract, and the processing is carried out with the aid of automated procedures.
- Right of revocation: Insofar as we process your personal data on the basis of consent, you have the right to revoke your consent at any time. The revocation only applies to the future; processing activities based on your consent in the past do not become unlawful as a result of your revocation. We reserve the right to continue to process personal data on another basis in the event of a revocation of consent.
You can contact us in accordance with point 12 if you wish to exercise any of your rights or if you have any questions about the processing of your personal data. In addition, you can unsubscribe from newsletters and other promotional emails by clicking on the corresponding link at the end of the email. Here you can find out how to deactivate cookies and similar technologies.
You are also free to lodge a complaint with a competent supervisory authority if you have concerns about whether the processing of your personal data complies with the law.
The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
12. How can you contact us?
If you have any questions about this data protection declaration or our processing of your personal data, or if you would like to assert your rights in accordance with section 11, please feel free to contact [email protected].
For concerns from the EU area, you can contact our representative (Art. 27 DSGVO):
Große Bleichen 21
The original data protection declaration is in German. The translated versions merely serve to improve comprehensibility. In the event of contradictions, the German text shall take precedence.
Version: June 2023