Privacy statement
1. Privacy statement
This privacy statement informs you about the type, scope and purpose of the processing of personal data within our online offering, the websites, functions and contents associated with it and external online presences.
2. Controller
Anton Bischofberger
3. Categories of data processed
• inventory and contact data, e.g. names, addresses, emails, telephone numbers
• content data, e.g. text inputted, photos, videos
• usage data, e.g. websites visited, interest in content, access times
• meta/communication data, e.g. device information, IP addresses
4. Categories of data subjects
Visitors and users of the online offering.
5. Purpose of processing
• to make available the online offering, its functions and content
• to respond to contact requests and communicate with users
• security measures
• measurement of scope for marketing purposes.
6. Terms employed
With regard to the terms used (such as controller or processing), please refer to the definitions in art. 4 of the General Data Protection Regulation (GDPR). Personal data (hereinafter also referred to as data for short) is any information relating to an identified or identifiable natural person (hereinafter referred to as data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data. Pseudonymisation describes the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separate and is subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person. Profiling is any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location. The online offering refers to the websites, functions and content connected to said online offering and external online presences, such as our social media profiles. 
Controller means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Users are visitors and users of the online offering.
7. Relevant legal bases
The new General Data Protection Regulation (GDPR) of the European Union (EU) has been in force since 25 May 2018. Knoepfel AG is a company established in Switzerland with Switzerland as its target market. On the website of the Swiss Federal Council, the Federal Data Protection and Information Commissioner (FDPIC) provides information on the GDPR and its impact on Switzerland (PDF). In accordance with art. 13 of the GDPR, we inform you of the legal basis for our data processing. If the legal basis is not stated in the privacy statement, the following will apply: The legal basis for obtaining consent is art. 6(1)(a) and art. 7 GDPR; the legal basis for processing to fulfil our services and carry out contractual measures and respond to enquiries is art. 6(1)(b) GDPR; the legal basis for processing to fulfil our legal obligations is art. 6(1)(c) GDPR; and the legal basis for processing to protect our legitimate interests is art. 6(1)(f) GDPR. In the event that vital interests of the data subject or another natural person make the processing of personal data necessary, art. 6(1)(d) GDPR will serve as the legal basis.
8. Security measures
We implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures include, in particular, measures designed to ensure the confidentiality, integrity and availability of data by controlling physical access to data and access thereto, data inputted, its disclosure and the ability to ensure its availability and segregation. We also have procedures in place to ensure the exercise of data subjects’ rights, the erasure of data and the response to data compromise. Furthermore, we take the protection of personal data into account during the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (art. 25 GDPR).
9. Cooperation with processors and third parties
If in the course of processing data in line with the provisions in force since May 2018 we disclose data to other persons and companies (processors or third parties), transmit data to them or otherwise grant them access to data, this will only take place if permitted by law (e.g. if a transfer of the data to third parties, e.g. payment service providers, is necessary for the performance of the contract pursuant to art. 6(1)(b) GDPR), you have consented, a legal obligation provides for this or if this takes place on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). If we commission third parties to process data on the basis of a “commissioned data processing agreement”, this will take place in line with art. 28 GDPR.
10. Transfers of data
The processing of data in Switzerland or other countries outside the European Union (EU) or the European Economic Area (EEA) only takes place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, in order to comply with a legal obligation or on the basis of our legitimate interests. This also applies to the use of third-party services or the disclosure or transfer of data to third parties. Except for legal obligations or authorisation under a contract, we only have data processed in Switzerland, outside the EU or the EEA if the special requirements of art. 44 ff. GDPR are met.
11. Rights of data subjects
You have the right to obtain confirmation as to whether relevant data is being processed and to obtain information about such data as well as further information and a copy of the data in accordance with art. 15 GDPR. In accordance with article 16 GDPR, you have the right to request that data concerning you be completed or that inaccurate data concerning you be rectified. In accordance with art. 17 GDPR, you have the right to demand that the data in question be deleted without delay or, alternatively, that the processing of the data be restricted in accordance with art. 18 GDPR. You have the right to receive the data relating to you and provided by you as set out in article 20 GDPR and to request that the data be transferred to other data controllers. You also have the right to lodge a complaint with the competent supervisory authority in accordance with article 77 GDPR.
12. Right of revocation
You have the right to withdraw your consent pursuant to art. 7(3) GDPR with effect for the future.
13. Right of objection
You may object to the future processing of data relating to you at any time as set out in art. 21 GDPR. Such objections may be lodged in particular against processing for the purpose of direct advertising.
14. Cookies and right to object to direct advertising
Cookies are small files that are stored on a user’s computer. Different information can be stored within cookies. The primary purpose of a cookie is to store information about a user or the device on which the cookie is stored during or after his or her visit to an online offering. Temporary cookies, session cookies or transient cookies are cookies that are deleted after a user leaves an online service and closes his or her browser. Such a cookie can, for example, store the contents of a shopping basket in an online store or a login status. Permanent or persistent cookies are cookies that continue to be stored even after the browser has closed. For example, a login status may be stored if a user visits a website a few days later. Likewise, the interests of users can be stored in such cookies, which are used for audience reach measurement or marketing purposes. Third-party cookies are cookies used by providers other than the controller operating the online offering. If they are solely created by the controller, they are referred to as first-party cookies. We may use temporary and permanent cookies and explain this in our privacy statement. If users do not want cookies to be stored on their computer, they are asked to select the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offering. A general objection to the use of cookies used for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US site YourAdChoices or the EU site. Furthermore, you can disable the storage of cookies in your browser settings. Please note that you may then not be able to use all the functions of this online offering.
15. Deletion of data
The data processed by us will be deleted or its processing restricted as set out in articles 17 and 18 GDPR. Unless expressly stated within the scope of this privacy statement, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not run contrary to any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained under commercial or tax law.
16. Contact
When contacting us (e.g. by email or telephone), the information provided by the user will be used to process the contact request and for the purposes set out in art. 6(1)(b) GDPR (in the context of contractual/pre-contractual relations) and art. 6(1)(f) GDPR (other enquiries). The user’s details may be stored in a customer relationship management system (“CRM system”) or comparable enquiry system. We will delete such enquiries if they are no longer necessary. We review whether this needs to take place every two years. Legal archiving obligations are also applicable.
17. Hosting and dispatch of emails
The hosting services used by us serve to provide the following services: infrastructure and platform services; computing capacity; storage space and database services; email dispatch; security services and technical maintenance services used by us to operate this online service. In so doing, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta data and communication data pertaining to customers, interested parties and visitors of this website based on our legitimate interests in efficiently and securely providing this online offering pursuant to art. 6(1)(f) GDPR in conjunction with art. 28 GDPR (conclusion of a commissioned processing agreement).
18. Collection of access data and log files
We, or our hosting provider, collect data every time the server on which this website is hosted is accessed (server log files) based on our legitimate interests within the meaning of art. 6(1)(f) GDPR. The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the page previously visited), IP address and the requesting provider. Log file information is stored for security reasons (e.g. for the clarification of abuse or fraud) for a maximum of seven days and then deleted. Data whose further storage is required for evidentiary purposes is not subject to deletion until the associated incident is finally clarified.
19. Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC (“Google”), based on our legitimate interests (i.e. our interest in the analysis, optimisation and cost-effective operation of our online offering within the meaning of art. 6(1)(f) GDPR). Google uses cookies. The information generated by the cookies about the use of the online offering by users is usually transmitted to a Google server in the US and stored there. Google uses this information on our behalf for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In doing so, pseudonymous user profiles may be created from the data processed. We only use Google Analytics with IP anonymisation activated. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the US and shortened there. The IP address transmitted by the user’s browser is not combined with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly. Users can also prevent the collection by Google of data generated by cookies and related to their use of the online offering and the processing of such data by Google by downloading and installing the browser plugin available by clicking on the following link. For more information on Google’s use of data, settings and opt-out options, please refer to Google’s privacy policy and to the settings for the display of advertisements by Google. The personal data of users is deleted or anonymised after 26 months.
20. Targeting with Google Analytics
We use Google Analytics to only display the ads placed by Google and its partners within the context of advertising services to those users who have shown an interest in our online offering or who have certain characteristics (e.g. users interested in certain topics or products determined on the basis of websites visited), which we transmit to Google (known as “Remarketing” or “Google Analytics Audiences”). With the aid of Remarketing Audiences, we also want to ensure that our ads correspond to the potential interest of users.
21. Google AdWords and conversion measurement
We use the services of Google LLC, 1600 Amphitheatre Park, Mountain View, CA 9.10. USA (“Google”) based on our legitimate interests (i.e. our interest in the analysis, optimisation and cost-effective operation of our online offering within the meaning of art. 6(1)(f) GDPR). We use the online marketing method Google “AdWords” to place ads in the Google advertising network (e.g. in search results, in videos, on web pages, etc.) so that they are displayed to users who have a presumed interest in such ads. This allows us to target ads for and within our online offering, so as to only show users ads potentially matching their interests. If, for example, a user is shown ads for products in which he or she was interested in other online offerings, this is referred to as “remarketing”. In order to achieve this, when our website and other websites on which the Google advertising network is active are visited, a code is executed directly by Google and “(re)marketing tags” (invisible graphics or code, also known as “web beacons”) are integrated into the website. With the aid of such tags, an individual cookie, i.e. a small file, is stored on the user’s device (comparable technologies can also be used instead of cookies). This file records which web pages the user has visited, which content the user is interested in and which offerings the user has clicked on, as well as technical information on the browser and operating system, referring web pages, time of visit and other information on the use of the online offering. Furthermore, we receive an individual “conversion cookie”. The information obtained with the aid of the cookie is used by Google to compile conversion statistics on our behalf. However, we are only informed about the anonymous total number of users who have clicked on our ad and have been redirected to a page tagged with a conversion tracking tag. We do not obtain any information personally identifying users.
The users’ data is processed pseudonymously within the Google advertising network. This means that Google does not store and process the name or email address of users, for example, but processes the relevant data on the basis of cookies within pseudonymous user profiles. This means that from Google’s perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly allowed Google to process data that has not been pseudonymised. The information collected about users is transmitted to Google and stored on Google’s servers in the US. For more information about Google’s use of data, settings and opt-out options, please refer to Google’s privacy policy and settings for the display of advertisements by Google.
22. Online presences in social media
We maintain online presences on social networks and platforms in order to be able to communicate with customers, interested parties and users on such networks and platforms and to inform them about our services. When visiting such networks and platforms, the terms and conditions and data processing guidelines of their respective operators are applicable. Unless otherwise stated in our privacy statement, we process the data of users if they communicate with us on social networks and platforms, e.g. write posts on our online presences or send us messages.
23. Integration of third-party services and content
We use content or service offers from third-party providers within our online offering based on our legitimate interests (i.e. our interest in the analysis, optimisation and cost-effective operation of our online offering within the meaning of art. 6(1)(f) GDPR) to integrate the content or services offered by them, such as videos or fonts (hereinafter uniformly referred to as “content”). For this to occur, the third-party providers of such content must be aware of a user’s IP address, since in the absence of an IP address they would not be able to send their content to the user’s browser. The IP address is therefore necessary to display such content. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use “pixel tags” (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offering, as well as being linked to such information from other sources.
24. Use of Facebook social plugins
We use social plugins (“plugins”) from the social network facebook.com, operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), based on our legitimate interests (i.e. our interest in the analysis, optimisation and cost-effective operation of our online offering within the meaning of art. 6(1)(f) GDPR). These may include, for example, content such as images, videos or texts and buttons with which users can share content in this online offering within Facebook. The list and appearance of Facebook social plugins can be viewed here. When a user uses a function of this online offering containing such a plugin, his or her device establishes a direct connection with Facebook’s servers. The content of the plugin is transmitted by Facebook directly to the user’s device and integrated into the online offering by the latter. During this process, user profiles can be created from the data processed. We therefore have no influence over the scope of the data collected by Facebook with the aid of this plugin and therefore inform users according to our level of knowledge. By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offering. If the user is logged in to Facebook, Facebook can assign the visit to his or her Facebook account. If users interact with the plugins, for example by clicking the Like button or posting a comment, the corresponding information is transmitted from their device directly to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will find out and store his or her IP address. According to Facebook, only an anonymised IP address is stored in Germany. The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the related rights and setting options for protecting the user’s privacy, can be found in Facebook’s privacy policy. 
If a user is a Facebook member and does not want Facebook to collect data about him or her via this online offer and link it to his or her membership data stored on Facebook, he or she must log out of Facebook and delete his or her cookies before using our online offer. Further settings and opt-out options in relation to the use of data for advertising purposes are possible within the Facebook profile settings (login required) or via the US site YourAdChoices or the EU site. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.