1 Introduction / Scope
2 Responsible Body and Contact
If you have any concerns regarding data protection and privacy, please do not hesitate to send them to us using the following contact address for all the above-mentioned companies of mtrail: mtrail GmbH, Schwarztorstrasse 22, 3007 Bern, email: firstname.lastname@example.org.
You can reach our data protection officer Nataly Romo according to Art. 37 DSGVO at: email@example.com. Our representative in the EEA according to Art. 27 DSGVO is mtrail Deutschland GmbH, Nussbaumstr. 4, 80336 Munich, email: firstname.lastname@example.org.
3 Collection and Processing of Personal Data
We collect and process personal data almost every time you interact with us or we interact with you. In particular, this applies to the following occasions and purposes:
- Customer data of customers for whom we provide or have provided services.
- Personal data obtained indirectly from our customers while providing services.
- When visiting our website.
- When participating in an event of ours.
- When we communicate with you.
- In case of a contractual relationship, e.g., as a supplier, service provider or consultant.
- With job applications.
- If we are required to do so for legal or regulatory reasons.
- When we take measures for due diligence or other legitimate interests, such as to avoid conflicts of interest, prevent money laundering or other risks, ensure data accuracy, maintain security, or enforce our rights.
4 Categories of Personal Data
«Personal data» is information that can be attributed to an identified or identifiable natural person.
The personal data we process depends on your relationship with us and the purpose for which we process it. The following sections describe the main categories of personal data we deal with.
4.1 Master Data
Master data is the basic data about a person, such as the title, name or contact details. We collect master data about contact persons and representatives of customers, contractual partners, organisations and authorities as well as about job applicants.
Master data includes, for example:
- Salutation, first name, last name, gender, date of birth;
- Address, email address, telephone number and other contact details;
- Payment information (e.g., deposited means of payment, bank details, billing address);
- Details of linked websites, social media profiles, etc.;
- Information on predilections and interests, language preferences, etc.
- Information about your relationship with us (e.g., customer, visitor, supplier);
- Information about related third parties (e.g., contacts, recipients of services, agents);
- Information about your participation in events (e.g., networking events);
- Official documents in which you are mentioned (e.g., identity documents, excerpts from a commercial register, permits);
- Information about the title and company role for contact persons and representatives of our business partners.
4.2 Contract Data
Contract data is personal data that arises in connection with the conclusion or execution of a contract. We conclude contracts primarily with customers, subcontractors, business partners and job applicants.
Contract data includes, for example, information:
- About the initiation and conclusion of contracts, for example, the signature date, details of the application process and the contract as such (e.g., type and term or, if applicable, proof of identity such as copies of official identification documents);
- For contract processing and management (e.g., contact information, shipping addresses, deliveries made or failed, payment information);
- Related to a job application, for example, resume, references, qualifications, diplomas and certificates, interview notes (which may also contain personal data of third parties);
- For interacting with you as a contact person or representative of a business partner.
4.3 Communication Data
When you contact us or we contact you, for example, when you write or call us, we process the content of the communication exchanged and information about the nature, timing and location of the communication. In certain situations, we may also ask you for a proof of your identity.
Communication data are, for example:
- Name and contact information, such as postal address, email address, and phone number;
- Content of emails, written correspondence, chat messages, posts on social media, comments on a website, phone calls, video conferences, etc.;
- Responses to customer and satisfaction surveys;
- Information about the nature, timing and, if applicable, location of the communication;
- Proof of identity, such as copies of official identification documents;
- Meta or marginal data of the communication;
- Recordings of phone and video conference calls. Any intent to record a call will be pointed out to you at the beginning of the call. If you do not agree to the recording, you have the option to terminate the conversation and contact us by other means (e.g., by email).
4.4 Behavioural and Transactional Data
When you contact us, visit one of our offices or attend one of our events, we may collect behavioural and transactional data. This includes, for example, the following information, if it is available to us in a personalised form:
- About your participation in our events (e.g., date, place and type of event);
- About your use of our electronic communication (e.g., whether and when you opened an email or clicked on a link);
- About your use of our Wi-Fi networks (e.g., date, time and duration of connection, Wi-Fi network location and data volume).
4.5 Technical Data
When you visit our websites, we collect certain technical data, such as your IP address or logs in which we record the use of our systems.
Behavioural data, i.e. information about your use of our websites, can also be collected from technical data. As a rule, however, we cannot deduce who you are from technical data, as we only use technically necessary cookies.
Technical data includes:
- The IP address of your device and other device identifiers (e.g., MAC address);
- Identifiers assigned to your device by cookies and similar technologies (e.g., pixel tags);
- Information about your device and its configuration, such as the operating system or language settings;
- Information about the browser you are using and its configuration;
- Information about your Internet provider;
- Your approximate location and time of use;
- System records of access and other operations (log data);
- Meta or marginal data of telecommunication.
4.6 Image and Sound Recordings
We make photo, video and audio recordings where you may appear, for example, when you attend an event or participate in a video conference.
Image and sound recordings include, for example:
- Photos, videos and audio recordings of customer events and public events;
- Photo, video and audio recordings of courses, lectures, trainings, etc.;
- Recordings of telephone and video conferences.
5 Sources of Personal Data
You often disclose personal data to us by yourself, for example, when you transmit data to us, contact our offices or communicate with us. In this way, you mainly disclose master data, contract data and communication data.
The provision of personal data is usually voluntary, i.e. you are not obliged to disclose this data to us. However, we must collect and process those personal data that are necessary or required by law for the execution of a contractual relationship and the fulfilment of the related obligations, for example, mandatory master and contract data. Otherwise, we cannot conclude or continue the respective contract.
To the extent permitted, we also obtain certain data from publicly accessible sources (e.g., debt collection registers, land registers, commercial registers, press, Internet), or receive such data from our customers and their employees, authorities (arbitration courts) and other third parties.
6 Purposes of Personal Data Processing
We process data for different reasons and purposes, which are described in the following sections.
We would like to stay in contact with you and respond to your individual concerns. Therefore, we process personal data for communication with you. For this purpose, we use in particular communication and master data. If the communication is related to a contract, we also process contract data. In addition, we may personalise the content and timing of messages based on behavioural, transactional and other data.
The purpose of communication includes in particular:
- Responding to inquiries;
- Contacting you with questions;
- Customer service and support;
- Project collaboration;
- Quality assurance and training purposes;
- Other processing purposes, for which we communicate with you (e.g., contract processing).
6.2 Contract Processing
We aim to offer you the best possible service. Therefore, we process personal data in connection with the establishment, administration and execution of contractual relationships. If agreed, contract processing also includes the personalisation of services. For this purpose, we use in particular master, contract and communication data.
In principle, the purpose of contract processing comprises everything that is necessary or expedient for the conclusion, implementation and, if applicable, execution of a contract. This includes, for example, data processing operations to:
- Decide whether and how (e.g., with which means of payment) we conclude a contract with you (including credit assessment);
- Fulfil contractual agreements, such as delivering goods, services or functionality (including personalised service components);
- Provide customer services and measure customer satisfaction;
- Bill for our services, and for general accounting purposes;
- Plan and prepare the provision of our services, e.g., scheduling of our employees;
- Check the suitability of job applicants and, if necessary, prepare and conclude the employment contract;
- Determine whether we are willing and able to work with a company, and monitor and evaluate its performance;
- Prepare and implement corporate law transactions such as company acquisitions, sales and mergers;
- Enforce legal claims arising from contracts (debt collection, litigation, etc.);
- Manage and administer our IT and other resources;
- Store data within the scope of retention obligations;
- Cancel and terminate contracts.
We process personal data for relationship management, for example, to send you an invitation to an event.
Messages and offers may be personalised in order to send you only information that is likely to be of interest to you. For this purpose, we use in particular master, contract and communication data.
6.4 Safety and Prevention
We want to ensure your and our security and prevent misuse. Therefore, we also process personal data for security purposes, to protect our IT, to prevent theft, fraud and abuse, and for evidence purposes. This may involve all the categories of personal data listed above, including in particular behavioural and transactional data as well as image and sound recordings. We may collect, analyse and store this data for the purposes mentioned.
Safety and prevention purposes include, for example:
- The prevention, defence and detection of cyber and malware attacks;
- Analyses and tests of our networks and IT infrastructures as well as system and error checks;
- Access control to electronic systems (e.g., logins to user accounts);
- Physical access control (e.g., access to office space);
- Documentation and creation of backup copies.
6.5 Compliance with Legal Requirements
We want to create the conditions for meeting legal requirements. Therefore, we process personal data to fulfil legal obligations and prevent and detect criminal acts. This includes, for example, the compliance with court orders or official directives, measures to detect and clarify abuses, and the legally required retention of meta or marginal data of telecommunications traffic (mobile subscription). This may affect all of the above categories of personal data.
Compliance with legal requirements includes in particular:
- Accepting and processing complaints and other reports;
- Conducting internal investigations;
- Ensuring compliance and risk management;
- Disclosing information and documents to authorities, if we have a factual reason (e.g., because we are aggrieved parties ourselves) or are required to do so by law;
- Participating in external investigations, such as those conducted by a law enforcement or regulatory agency;
- Ensuring data security as required by law;
- Fulfilling disclosure, information or reporting obligations, for example, in connection with supervisory and tax procedures, archiving and the prevention, detection and clarification of criminal and administrative offences;
- The legally regulated fight against money laundering and terrorist financing.
In complying with legal requirements, we follow Swiss law, but also foreign regulations to which we are subject, as well as self-regulations, industry and other standards, our own «corporate governance» or official directives.
6.6 Preservation of Rights
We want to be able to enforce our claims and defend ourselves against claims by others. For the preservation of our rights, we process different personal data depending on the circumstances, as well as information on events that have led or could lead to a dispute.
The purpose of legal defence includes in particular:
- Clarifying and enforcing our claims, which may comprise claims of affiliated companies as well as contractual and business partners;
- Defending claims against us, our employees, our affiliated companies, and our contractual and business partners;
- Clarifying litigation prospect and other legal, business and similar issues;
- Participating in proceedings before courts and authorities at home and abroad.
For example, we may secure evidence or submit documents to an authority. We may also be requested by authorities to hand over documents and data carriers containing personal data.
6.7 In-House Management and Support
We want our internal processes to be efficient. Therefore, we also process personal data for the internal administration of the mtrail companies, in particular master data, contract data and communication data.
Internal management includes in particular:
- IT and real estate management;
- Archiving data and managing our archive;
- Education and training, for example, when we evaluate recordings of telephone, video, or other communications;
- The central storage and management of data used by several companies of mtrail;
- Reviewing or executing transactions under corporate law, such as corporate acquisitions, sales and mergers;
- Forwarding inquiries to the appropriate parties, for example, if you submit an inquiry to an mtrail company that involves another company;
- Selling receivables, where we provide the purchaser, for example, with information about the reason and amount of the receivable and, if applicable, about the creditworthiness and behaviour of the debtor;
- The review and improvement of internal processes in general.
7 Legal Basis of Personal Data Processing
Depending on the purpose, we rely on different legal bases when processing personal data. In particular, we may process personal data if the processing is:
- Necessary for the performance of a contract with the data subject or for pre-contractual measures (e.g., review of a contract request);
- Necessary for the protection of legitimate interests, for example, if the data processing is an essential part of our business activity;
- Based on consent;
- Required to comply with domestic or foreign law.
We have a legitimate interest in particular in the processing of data for the purposes described above as well as in the disclosure of data described hereafter for the purposes associated therewith in each case. The legitimate interests in each case include our own interests and the interests of third parties.
Our legitimate interests include, for example, the interest in:
- Providing good customer service and maintaining contact and communication with customers even beyond a contractual relationship;
- Improving products and services and developing new ones;
- The mutual support of the mtrail companies in their activities and goals;
- The fight against fraud and the prevention and investigation of crimes;
- The protection of customers, other persons, and data, secrets and assets of mtrail;
- Ensuring IT security, especially in connection with the use of websites and other IT infrastructure;
- Ensuring and organising business operations, including the operation and further development of websites and other systems;
- The management and development of the company;
- The purchase and sale of companies, parts of companies and other assets;
- Enforcing or defending legal claims;
- The compliance with Swiss and foreign law as well as internal regulations.
8 Data Sharing
Your personal data may be shared and used within the mtrail corporate structure. Outside of mtrail, the data is only passed on to selected service providers. Personal data is always processed on our behalf and according to our instructions.
We will only disclose your personal data to trusted third parties if this is necessary to provide our services, if the third parties deliver a service for us, if we are required to do so by law or authorities, or if we have an overriding interest in disclosing the data. We will also disclose personal data to third parties if you have given your consent or requested us to do so.
8.1 Inside mtrail
We may share personal data that we receive from you or from third party sources with other mtrail companies. Such sharing may be due to business administration purposes or to support those companies and their own processing purposes, for example, in the development and improvement of products and services, or in conducting credit checks or efforts to prevent theft, fraud and abuse. As appropriate, the personal data received may be matched and linked to existing personal data by the relevant companies.
Internal sharing may involve, for example, the following data and purposes:
- The above categories of personal data for the management and processing of contractual relationships, especially in connection with products and services that involve several mtrail companies;
- Master, contract, communication, behavioural and transactional data, findings from customer and other surveys and studies, as well as image and sound recordings for the purposes of market research and product development, insofar as a personal reference of this data is necessary;
- Master, contract, communication, behavioural and transactional data as well as image and sound recordings for the needs-based design and personalisation of offers, communication and marketing measures;
- Master, contract, communication, behavioural and transactional data as well as preference data for fraud and abuse prevention as well as for credit assessment (e.g., in the context of purchase on account);
- Master, behavioural and transactional data as well as image and sound recordings for theft prevention and evidentiary purposes;
- Security-related data for security purposes and to meet legal requirements;
- Data to support law enforcement.
8.2 Outside mtrail
We may share your personal data with companies outside of mtrail when we use their services. As a rule, these service providers process the personal data on our behalf as so-called «order processors». Our order processors are obliged to process the personal data exclusively in accordance with our instructions and to take appropriate data security measures. Through the selection of service providers and appropriate contractual agreements, we ensure that data protection is guaranteed throughout the processing of your personal data.
Data is shared externally, for example, for the following services and purposes:
- Shipping and logistics, e.g., for the shipment of ordered goods;
- Advertising and marketing, e.g., for sending notices and information;
- Business administration, e.g., accounting or asset management;
- Payment services;
- Credit information, e.g., for purchase on account;
- Collection services;
- Insurance services;
- IT services, for example, data storage (hosting), cloud services, sending email newsletters, data analysis and refinement;
- Consulting services, e.g., services of tax consultants, lawyers, management consultants or consultants for personnel recruitment and placement.
In addition, we may pass on personal data to third parties for their own purposes, for example, if we are legally obliged or entitled to do so. In these cases, the recipient is independently responsible for the data under data protection law.
This includes, for example, the following cases:
- The assignment of receivables to other companies, e.g., collection agencies;
- The review or implementation of corporate law transactions such as company acquisitions, sales and mergers;
- The cooperation with courts and authorities in Switzerland and abroad, e.g., law enforcement agencies in cases of suspected criminal activity;
- Measures to comply with a court order or official directive, to assert or defend legal claims, or considered necessary for other legal reasons. In this context, we may also disclose personal data to other parties to the proceedings.
9 Data Transmission Abroad
As a rule, we process your personal data in our area of responsibility only in Switzerland and in the EU as well as in the European Economic Area (EEA). Service providers who process personal data on our behalf, are obliged by contracts to ensure data protection. Our service providers are generally located in Switzerland and in the EU / EEA.
Certain personal data may be transferred to the USA or, in exceptional cases, to other countries worldwide. Data transfers to countries that do not have an adequate level of data protection, will be carried out only after prior risk assessment and on the basis of the EU standard contractual clauses, or due to the fact that there is an explicit consent of the data subject(s) or that such a transfer is necessary for the performance of a contract with the data subject(s), for the performance or fulfilment of a contract in the interest of the data subject(s) or for the assertion, exercise or defence of legal claims.
10 Data Security
We take appropriate technical and organisational measures to ensure the security of your personal data and to protect it against unauthorised or unlawful processing, loss, accidental destruction or alteration, and unauthorised disclosure or access. However, like all companies, we cannot rule out breaches of data security with absolute certainty; certain residual risks are unavoidable.
Security measures of a technical nature include, for example, the encryption and pseudonymisation of data, logging, access restrictions and the retention of backup copies. When accessing our website, the SSL encryption process is used.
Security measures of an organisational nature include, for example, instructions to our employees, training and controls.
We also oblige our order processors to take appropriate technical and organisational security measures.
11 Handling of Particularly Sensitive Personal Data
Certain types of personal data are considered «particularly sensitive» from a data protection perspective, such as health data and biometric characteristics. Depending on the circumstances, the above-mentioned categories of personal data may include such particularly sensitive personal data. In general, however, we process particularly sensitive personal data only if this is necessary for the provision of a service, if you provide us with this data of your own accord, or if you consent to the processing. Furthermore, we may process particularly sensitive personal data if this is necessary for legal defence or compliance with domestic or foreign laws, if the relevant data has obviously been disclosed to the public by the data subject, or if the applicable law otherwise permits the processing.
We may process particularly sensitive personal data, for example, when you apply for a job and provide information about your health, union affiliation, or criminal history and convictions.
12 Duration of Processing and Retention
We process and store your personal data:
- As long as it is necessary to achieve the purpose of the processing or related purposes, in the case of contracts usually at least for the duration of the contractual relationship;
- As long as we have a legitimate interest to do so. This may be the case in particular if we need personal data to assert or defend legal claims, for archiving purposes and to ensure IT security;
- As long as the data is subject to a statutory retention obligation. For certain data, for example, a retention period of ten years is applicable. Shorter retention periods apply for other data such as records of certain processes on the Internet (log data).
In general, we adhere to the following retention periods, but may deviate from them in individual cases:
- Contracts: In general, we store master and contract data for ten years from the last contract activity or the end of the contract. However, this period may be longer if this is necessary for evidentiary purposes, due to legal or contractual provisions, or for technical reasons. Transactional data in connection with contracts is generally retained for ten years.
- Technical data: Cookies are usually stored for between a few days and two years, unless they are deleted immediately after the end of the session.
- Communication Data: Emails, communications by contact forms and written correspondence are generally retained for ten years.
- Image and sound recordings: The retention period varies depending on the purpose. It ranges up to several years for reports on events with pictures.
- Applications: We generally delete application data within six months of the conclusion of the application process. With your consent, we may retain your application for possible future employment.
In certain cases, we ask you for your consent if we want to store personal data for a longer period of time (e.g., for job applications that we want to keep open).
After the applicably periods have expired, we delete or anonymise your personal data.
13 Your Rights
You have the right to object to the processing of your personal data, in particular if we do so on the basis of a legitimate interest and the other applicable conditions are met.
If the applicable requirements are met and no statutory exception applies, you also have the following rights:
- The right to request information about your personal data stored by us;
- The right to rectify inaccurate or incomplete personal data;
- The right to erasure or anonymisation of your personal data;
- The right to request us to restrict the processing of your personal data;
- The right to receive certain personal data in a structured, common and machine-readable format;
- The right to withdraw your consent with effect for the future, insofar as processing is based on consent;
- The right to appeal to a competent supervisory authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
Please note that the above rights may be restricted or excluded in individual cases, for example, if there are doubts about your identity, if we are obliged to retain certain data, or if this is necessary to protect other persons, safeguard legitimate interests, fulfil legal obligations, or assert claims.
14 Contact for Questions
Bern, June 30, 2023