Privacy Policy

Date: December 11, 2023

Data Controller

pec consulting GmbH
Bodenstrasse 45
8104 Weiningen ZH
Switzerland
Email Address: info [at] pec-consult.com
Phone: +41 43 8190 549
Imprint: https://pec-consult.ch/imprint

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Processed Data

  • Inventory data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.

Categories of Data Subjects

  • Prospects.
  • Communication partners.
  • Users.
  • Business and contractual partners.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Contact requests and communication.
  • Security measures.
  • Office and organizational procedures.
  • Administration and response to inquiries.
  • Feedback.
  • Provision of our online offerings and user-friendliness.
  • Information technology infrastructure.

Relevant Legal Bases

Relevant legal bases according to the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Federal Act on Data Protection (abbreviated “Swiss DPA”). This also applies if our processing of your data otherwise affects you in Switzerland and you are affected by the processing. The Swiss DPA generally does not require (unlike, for example, the GDPR) that a legal basis for the processing of personal data be named. We only process personal data if the processing is lawful, carried out in good faith, and is proportionate (Art. 6 para. 1 and 2 of the Swiss DPA). Furthermore, personal data is only collected by us for specific and recognizable purposes for the data subject and only processed in a manner compatible with these purposes (Art. 6 para. 3 of the Swiss DPA).

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, transmission, ensuring availability, and their separation. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to data endangerment. Moreover, we consider the protection of personal data already in the development or selection of hardware, software, and procedures, according to the principle of data protection, through technology design and through data protection-friendly default settings.

IP Address Truncation: If IP addresses are processed by us or by the service providers and technologies used and the processing of a complete IP address is not necessary, the IP address is truncated (also known as “IP masking”). Here, the last two digits, or the last part of the IP address after a dot, are removed or replaced by placeholders. The truncation of the IP address is intended to prevent or significantly complicate the identification of a person based on their IP address.

TLS/SSL Encryption (https): To protect the data of users transmitted via our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing internet connections by encrypting data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated and more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) is displayed in the URL when a website is secured by an SSL/TLS certificate.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data is transferred to other bodies, companies, legally independent organizational units, or persons, or that it is disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements, which serve the protection of your data, with the recipients of your data.
Data Transfer within the Organization: We may transfer personal data to other entities within our organization or grant them access to this data. If this transfer is for administrative purposes, the transfer of the data is based on our legitimate business and commercial interests or takes place if it is necessary for the fulfillment of our contractual obligations or if the consent of the data subjects or a legal permission exists.

International Data Transfers

Disclosure of Personal Data Abroad: According to the Swiss Data Protection Act (DPA), we only disclose personal data abroad if adequate protection of the data subjects is guaranteed (Art. 16 Swiss DPA). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures. These can include international treaties, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or company-internal data protection regulations recognized in advance by the FDPIC or a competent data protection authority of another country.
According to Art. 16 of the Swiss DPA, exceptions for the disclosure of data abroad can be permitted if certain conditions are met, including the consent of the data subject, contract execution, public interest, protection of life or physical integrity, publicly disclosed data, or data from a legally provided register. These disclosures always take place in accordance with legal requirements.

Rights of Data Subjects

Rights of Data Subjects under the Swiss DPA:
As a data subject, you have the following rights according to the provisions of the Swiss DPA:

  • Right to Information: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to exercise your rights under this law and to ensure transparent data processing.
  • Right to Data Portability: You have the right to request the release of your personal data that you have provided to us in a common electronic format.
  • Right to Rectification: You have the right to request the correction of incorrect personal data concerning you.
  • Right to Object, Erasure, and Destruction: You have the right to object to the processing of your data and to request the deletion or destruction of personal data concerning you.

Use of Cookies

Cookies are small text files or other storage markers that store information on end devices and read information from the end devices. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, or the accessed content or used functions of an online offer. Cookies can also be used for various purposes, e.g., for the functionality, security, and comfort of online offers as well as the creation of analyses of visitor flows.
Notes on Consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, unless this is not legally required. Consent is particularly not necessary if the storage and reading of information, including cookies, is absolutely necessary to provide the telemedia service (i.e., our online offer) expressly requested by the users. The absolutely necessary cookies usually include cookies with functions that display and run the online offer, load balancing, security, storing user preferences and selection options, or similar purposes related to the provision of the main and ancillary functions of the online offer requested by the users. The revocable consent is clearly communicated to the users and contains information about the respective cookie use.

Notes on Legal Bases for Data Protection: The legal basis on which we process personal data of users with the help of cookies depends on whether we ask users for consent. If the users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed with the help of cookies are processed based on our legitimate interests (e.g., in a business operation of our online offer and its improvement) or, if this is part of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. The purposes for which the cookies are processed by us are clarified in the course of this Privacy Policy or in the context of our consent and processing processes.

Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:

  • Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their end device (e.g., browser or mobile application).
  • Permanent Cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, the data collected using cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are permanent and the storage duration can be up to two years.

General Notes on Revocation and Objection (Opt-Out): Users can revoke their given consents at any time and object to the processing in accordance with legal requirements. For example, users can restrict the use of cookies in their browser settings (although this may also limit the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

  • Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

  • Complianz: Cookie Consent Management; Service Provider: Execution on servers and/or computers under own data protection responsibility; Website: https://complianz.io/; Privacy Policy: https://complianz.io/legal/. Additional Information: An individual user ID, language, types of consents, and the time of their submission are stored server-side and in the cookie on the user’s device.

Business Services

We process data of our contractual and business partners, e.g., customers and prospects (collectively referred to as “contractual partners”) within the framework of contractual and comparable legal relationships as well as related measures and within the framework of communication with the contractual partners (or pre-contractual), e.g., to respond to inquiries.
We process these data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any update obligations, and remedial action in the event of warranty and other performance disruptions. In addition, we process the data to protect our rights and for the purposes of the administrative tasks associated with these obligations and the corporate organization. Furthermore, we process the data based on our legitimate interests in proper and business-efficient management and in security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the framework of the applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or for the fulfillment of legal obligations. Contractual partners are informed about other forms of processing, e.g., for marketing purposes, within the framework of this Privacy Policy.

The data required for the aforementioned purposes are communicated to the contractual partners before or in the course of data collection, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We delete the data after the expiration of statutory warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as they must be kept for legal archiving reasons. The statutory retention period for tax-relevant documents and for commercial books, inventories, opening balances, annual financial statements, the working instructions and other organizational documents necessary for understanding these documents, and booking vouchers is ten years, and for received commercial and business letters and copies of sent commercial and business letters is six years. The period begins at the end of the calendar year in which the last entry in the book was made, the inventory, the opening balance, the annual financial statement or the management report was prepared, the commercial or business letter was received or sent, or the booking voucher was created, furthermore, the recording was made, or the other documents were created.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

  • Processed Data Types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter of the contract, duration, customer category).
  • Data Subjects: Prospects. Business and contractual partners.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Contact requests and communication; Office and organizational procedures. Administration and response to inquiries.
  • Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Provision of Online Offerings and Web Hosting

We process the data of users to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the contents and functions of our online services to the browser or the end device of the users.

  • Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of our online offerings and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
  • Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Processes, Procedures, and Services:

  • Collection of Access Data and Log Files: Access to our online offer is logged in the form of so-called “server log files”. Server log files can include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and also to ensure the utilization of the servers and their stability; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of Data: Logfile information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
  • STRATO: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service Provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.strato.de; Privacy Policy: https://www.strato.de/datenschutz. Data Processing Agreement: Provided by the service provider.

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, phone, or via social media) and within the framework of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested measures.

  • Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, consent status).
  • Data Subjects: Communication partners.
  • Purposes of Processing: Contact requests and communication; Administration and response to inquiries; Feedback (e.g., collecting feedback via online form). Provision of our online offerings and user-friendliness.
  • Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further Information on Processing Processes, Procedures, and Services:

  • Contact Form: When users contact us via our contact form, email, or other communication channels, we process the data communicated to us in this context to handle the communicated concern; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).