For specific or additional activities and operations, additional privacy policies, as well as other legal documents such as Terms and Conditions (AGB), usage terms or participation terms, may apply.
We adhere to Swiss data protection laws and, where applicable, foreign data protection laws, especially those of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission acknowledges that Swiss data protection law ensures adequate data protection.
1. Contact Information
Responsibility for the processing of personal data:
Max Felchlin AG
We will inform you in cases where there are other entities responsible for the processing of personal data on an individual basis.
Data Protection Representation in the European Economic Area (EEA)
We have the following data protection representation in accordance with Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
The Data Protection Representation serves as an additional point of contact for inquiries related to the General Data Protection Regulation (GDPR) for individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA).
2. Terms and Legal Bases
Personal data is any information relating to an identified or identifiable natural person. A data subject is a person about whom we process personal data.
The term « processing » includes any handling of personal data, regardless of the means and methods used. This includes activities such as querying, comparing, adapting, archiving, retaining, extracting, disclosing, acquiring, recording, collecting, deleting, disclosing, organising, storing, altering, disseminating, linking, destroying and using personal data.
The European Economic Area (EEA) includes the member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.
2.2 Legal Basis
We process personal data in accordance with Swiss data protection laws, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Data Protection Ordinance (Data Protection Ordinance, DPO).
If and to the extent the General Data Protection Regulation (GDPR) is applicable, we process personal data based on at least one of the following legal foundations:
- Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfil a contract with the data subject and for the implementation of pre-contractual measures.
- Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data in order to protect our legitimate interests or those of third parties, unless the fundamental freedoms and rights as well as the interests of the data subject prevail. Legitimate interests include, in particular, our interest in conducting our activities and operations permanently, user-friendly, securely, and reliably, as well as being able to communicate about them. This also involves ensuring information security, protecting against misuse, enforcing our own legal claims, and complying with Swiss law.
- Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfil a legal obligation to which we are subject under any applicable law of Member States in the European Economic Area (EEA).
- Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
- Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
- Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.
3. Type, Scope, and Purpose
We process the personal data necessary to conduct our activities and operations permanently, in a user-friendly, secure, and reliable manner. Such personal data may particularly fall into categories such as inventory and contact details, browser and device data, content data, meta or marginal data, usage data, location data, sales data, and contract and payment data.
We process personal data for the duration required for the respective purpose(s), or as legally mandated. Personal data that is no longer required for processing will be anonymised or deleted.
We may engage third parties to process personal data on our behalf. We may also process personal data jointly with third parties or transmit it to third parties, especially specialised service providers whose services we utilise. We ensure data protection even when involving such third parties.
We generally process personal data only with the consent of the data subject. However, in cases where processing is permissible for other legal reasons, we may forego obtaining consent. For instance, we may process personal data without consent to fulfil a contract, comply with legal obligations, or safeguard overriding interests.
Additionally, we process personal data obtained from third parties, acquired from publicly accessible sources, or collected during the course of our activities and operations, to the extent that such processing is legally permissible.
We process data to facilitate communication with third parties. Within this context, we specifically process data that an individual provides during contact, such as through postal mail or email. We may store such data in an address book or similar tools.
Third parties transmitting data about other individuals are obligated to ensure data protection for those affected individuals. This includes ensuring the accuracy of the transmitted personal data, among other responsibilities.
5. Job Applications
We process personal data concerning job applicants to the extent necessary for assessing suitability for employment or for the subsequent execution of an employment contract. The required personal data primarily include information provided during the application process, for example, as part of a job posting. We also process personal data voluntarily disclosed or made public by applicants, particularly as part of cover letters, resumes, and other application materials, as well as online profiles.
If and to the extent the General Data Protection Regulation (GDPR) is applicable, we process personal data about job applicants, especially in accordance with Art. 9 para. 2 lit. b GDPR.
We may offer applicants the option to store their information in our talent pool to consider them for future job openings. Additionally, we can use such information to maintain contact and provide updates. If we believe that an applicant is a suitable candidate for an open position based on their information, we may inform the applicant accordingly.
If the information provided is suitable for an open position, we can inform the applicant accordingly.
6. Data Security
We implement suitable technical and organisational measures to ensure data security appropriate to the respective risk. Through these measures, we specifically ensure the confidentiality, availability, traceability, and integrity of the processed personal data, although absolute data security cannot be guaranteed.
Access to our website and other online presence is secured through transport encryption (SSL / TLS, particularly with the Hypertext Transfer Protocol Secure, abbreviated to HTTPS). Most browsers indicate transport encryption with a small padlock in the address bar.
Our digital communication, like all digital communication in general, is subject to mass surveillance without cause or suspicion by law enforcement authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot exert direct control over the processing of personal data by intelligence agencies, policy authorities, and other security agencies. We also cannot exclude the possibility that individual data subjects are targeted for surveillance.
7. Personal Data Abroad
We primarily process personal data in Switzerland and the European Economic Area (EEA). Nevertheless, personal data may be exported or transferred to other countries, particularly for processing purposes. here.
We may export personal data to any country or territory worldwide , including those beyond Earth and in the universe, as long as the local laws ensure sufficient data protection according to the decision of the Swiss Federal Council and - if and insofar as the General Data Protection Regulation (GDPR) is applicable - in accordance with the decision of the European Commission.
Personal data may be transferred to countries lacking adequate data protection laws, provided that other safeguards ensure data protection. This includes the use of standard data protection clauses or other suitable guarantees. In exceptional cases, personal data may be transferred to countries without adequate or appropriate data protection measures.
8. Rights of Data Subjects
8.1 Data Protection Claims
We grant data subjects all rights in accordance with the applicable data protection laws. Data subjects have the following rights in particular:
- Information: Data subjects can request information on whether we process personal data about them and, if so, what specific personal data is involved. Data subjects also receive the information necessary to assert their data protection rights and ensure transparency. This includes the details about the processed personal, the processing purpose, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data.
- Correction and Restriction: Data subjects can correct inaccurate personal data, complete incomplete data, and request restrictions on the processing of their data.
- Deletion and Objection: Data subjects can request the deletion of personal data ("Right to be Forgotten") and object to the processing of their data with effect for the future.
- Data Disclosure and Data Transfer: Data subjects can request the disclosure of personal data or the transfer of their data to another data controller.
We may postpone, restrict, or refuse the exercise of the rights of data subjects within the legally permissible framework. We may inform data subjects of any prerequisites they need to fulfil to exercise their data protection rights. For instance, we may refuse to provide information, wholly or partially, with reference to trade secrets or the protection of other individuals. Similarly, the deletion of personal data may be refused, wholly or partially, citing legal retention obligations.
In exceptional cases, we may charge costs for the exercise of these rights. We will inform data subjects in advance about any potential costs.
We are obliged to appropriately verify the identity of data subjects who request information or assert other rights. Data subjects are obliged to cooperate in this identification process.
8.2 Legal Protection
Data subjects have the right to seek legal recourse to enforce their data protection claims or file a complaint with the competent data protection supervisory authority.
The Federal Data Protection and Information Commissioner (FDPIC) serves as the data protection supervisory authority for complaints from data subjects against private individuals and federal entities in Switzerland.
For complaints from data subjects, the data protection supervisory authorities, if the General Data Protection Regulation (GDPR) is applicable, are organised as members of the European Data Protection Board (EDPB). In some member states within the European Economic Area (EEA), data protection supervisory authorities are organised at a federal level, particularly in countries like Germany.
9. Website Usage
Cookies can be temporarily stored in the browser as "session cookies" or for a specific period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies, in particular, allow a browser to be recognized during the next visit to our website, enabling, for example, the measurement of our website’s reach. Permanent cookies can also be used for online marketing purposes, among other things.
We may log the following information for each access to our website and other online presence, provided that such information is transmitted to our digital infrastructure during such access: Date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transmitted data volume, and the last webpage visited in the same browser window (referrer).
We log such information, which may also constitute personal data, in log files. The information is necessary to permanently provide our online presence in a user-friendly and reliable manner. The information is also necessary to ensure data security - including by third parties or with the assistance of third parties.
9.3 Tracking Pixels
10. Notifications and Communications
We send notifications and communications by e-mail and other communication channels such as instant messaging or SMS.
10.1 Success and Reach Measurement
Notifications and communications may contain web links or tracking pixels that capture whether an individual message has been opened and which web links were clicked. Such web links and tracking pixels can also capture the usage of notifications and communications on a personal level. We require this statistical capture of usage for success and reach measurement in order to effectively and user-friendly send notifications and communications based on the needs and reading habits of the recipient, ensuring a permanent, secure, and reliable delivery.
10.2 Consent and Objection
You must generally provide explicit consent for the use of your email address and other contact information, unless the use is permissible for other legal reasons. For possible consent, we preferably employ the «Double Opt-in» procedure. This means you will receive an e-mail with a web link that you must click to confirm, preventing misuse by unauthorised third parties. We may log such consents, including IP address, date, and time, for evidential and security reasons.
You can generally object to receiving notifications and communications, such as newsletters, at any time. With such an objection, you simultaneously object to the statistical tracking of usage for success and reach measurement. Necessary notifications and communications related to our activities and operations remain reserved.
10.3 Service Providers for Notifications and Communications
We send notifications and communications with the assistance of specialised service providers.
We use in particular:
11. Social Media
We maintain a presence on social media platforms and other online platforms to communicate with interested individuals and provide information about our activities and operations. In connection with such platforms, personal data may be processed outside Switzerland and the European Economic Area (EEA).
We are jointly responsible with Meta Platforms Ireland Limited (Ireland) for our social media presence on Facebook, including the so-called Page Insights, insofar as and to the extent that the General Data Protection Regulation (GDPR) is applicable. Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). The Page Insights provide information on how visitors interact with our Facebook presence. We use Page Insights to effectively and user-friendly provide our social media presence on Facebook.
12. Third party services
We utilise services from specialised third parties to conduct our activities and operations in a permanent, user-friendly, secure, and reliable manner. Through such services, we can embed functions and content into our website, among other things. In the process of embedding, for technically necessary reasons, the used services temporarily capture the IP addresses of the users.
For necessary security-related, statistical, and technical purposes, third parties whose services we utilise may process data related to our activities and operations in an aggregated, anonymised, or pseudonymised manner. This includes, for example, performance or usage data required to provide respective service.
We use in particular:
- Services from Microsoft: Provider: Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), the United Kingdom and Switzerland; General information on data protection: "Data protection at Microsoft", "Data protection and privacy (Trust Centre)", data protection declaration, data protection dashboard (data and privacy settings).
12.1 Digital Infrastructure
We utilise services from specialised third parties to access the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.
We use in particular:
- Microsoft Azure: Storage space and other infrastructure; Provider: Microsoft; Microsoft Azure-specific information: "Data protection in Azure".
12.2 Automation and Integration of Apps and Services
We employ specialised platforms to integrate and connect existing third-party apps and services. Additionally, with such «No-Code» platforms, we can automate processes and activities involving third-party apps and services.
We use in particular:
- Microsoft Power Automate including Microsoft Power Platform: Integrated application platform; Provider: Microsoft; Microsoft Power Platform-specific information on data protection: "Compatibility and data protection", "Data storage and governance", "Security".
12.3 Audio and Video Conferences
Depending on the life situation, we recommend muting the microphone by default during participation in audio or video conferences and, if possible, blurring the background or using a virtual background.
We use in particular:
- Microsoft Teams: Platform for audio and video conferencing, among other things; Service provider: Microsoft; Teams-specific information: "Data protection and Microsoft Teams".
12.4 Online Collaboration
12.5 Map Material
We use third-party services to embed maps in our website.
We use in particular:
- Google Maps including Google Maps Platform: Map service; Provider: Google; Google Maps-specific information: "How Google uses location information".
12.6 Digital Audio and Video Content
We use services from specialised third parties to enable the direct playback of digital audio and video content, such as music or podcasts.
We use in particular:
- YouTube: Video platform; Service provider: Google; YouTube-specific information: "Privacy and Security Centre", "My data on YouTube".
We engage in e-commerce and use services from third parties to successfully offer services, content, or goods.
We use in particular:
We utilise specialised service providers to securely and reliably process payments from our customers. For the processing of payments, the legal texts of individual service providers, such as terms and conditions or privacy policies, apply additionally.
We use in particular:
- Worldline: Processing of payments, in particular with mobile payment solutions; Provider: Worldline Financial Services (Europe) SA (France) and other Worldline companies; Data protection information: General data protection declaration, Data protection declaration of Worldline Financial Services (Europe) SA, "Security for cashless payments".
13. Website Extensions
We employ extensions for our website to access additional features. We may use selected services from suitable providers or implement such extensions on our own server infrastructure.
We use in particular:
- Google reCAPTCHA: Spam protection (differentiation between desired content from humans and unwanted content from bots and spam); Service provider: Google; Google reCAPTCHA-specific information: "What is reCAPTCHA?". ("What is reCAPTCHA?").
14. Success and Reach Measurement
We aim to understand how our online offering is used. In this context, we can measure the success and reach of our activities and operations, as well as the impact of third-party links to our website. For example, we may experiment and compare how different parts or versions of our online offering are utilised (using the « A/B test » method). Based on the results of the success and reach measurement, we can address errors, enhance popular content, or make improvements to our online offering.
For success and reach measurement, in most cases, the IP addresses of individual users are stored. In this instance, IP addresses are generally shortened («IP masking») to adhere to the principle of data minimisation through the appropriate pseudonymisation.
During success and reach measurement, cookies may be used, and user profiles can be created. Any user profiles that are potentially created may include information such as the individual pages visited or content viewed on our website, details about the screen size or browser window, and the approximate location. In principle, any user profiles are created exclusively in a pseudonymised form and are not used for the identification of individual users. Certain third-party services, for which users are logged in, may associate the use of our online offering with the user account or profile on that respective service.
We use in particular:
- Google Analytics: Performance and reach measurement; Service provider: Google; Google Analytics-specific information: Measurement also across different browsers and devices (cross-device tracking) and with pseudonymised IP addresses, which are only transmitted in full to Google in the USA in exceptional cases, "Data protection", "Browser add-on to deactivate Google Analytics".
- Google Tag Manager: Integration and management of other services for success and reach measurement as well as other services from Google and third parties; Provider: Google; Google Tag Manager-specific information: "Data collected with Google Tag Manager"; further information on data protection can be found in the individual integrated and managed services.
- Matomo: Performance and reach measurement; Service provider: Matomo (free open source software); Data protection provisions: Use on own server infrastructure and with pseudonymised IP addresses, "List of all Matomo features".
15. Video Surveillance
We employ video surveillance for the prevention of crimes, securing evidence in case of criminal activities, and to enforce our house rules. This is considered, to the extent as far as the General Data Protection Regulation (GDPR) is applicable, as predominant legitimate interests according to Art. 6 para. 1 lit. f GDPR.
We retain recordings from our video surveillance for as long as they are necessary for evidence purposes.
We may secure recordings due to legal obligations, for the enforcement of our legal claims, and in cases of suspected criminal activities. Additionally, we may transmit them to relevant authorities, particularly judicial or law enforcement authorities.
16. Final Provisions