Privacy Policy

Effective Date: 8 Dec 2024

Introduction

We, GWC GmbH (herin "GWC" / "we"), take the protection of your personal data seriously and would like to inform you hereinafter about data protection in our company through this data protection declaration.

As a result of the introduction of the European General Data Protection Regulation (hereinafter "EU-GDPR"), we have been given additional responsibilities to ensure the protection of personal data of the data subject within the scope of our data protection responsibilities.

To the extent that we either alone or jointly with others decide on the purposes and means of data processing, this includes in particular the obligation to inform you in a transparent manner about the nature, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and 14 EU-GDPR). With this privacy policy, we inform you about how your personal data is processed by us.

Our privacy policy is modular in structure. It consists of a general part for any processing of personal data and processing situations that come into effect with each call of a web page (A. General) and a special part, the content of which only relates to the processing situations indicated there with the designation of the respective offer or product, especially the visit to our website as described in more detail here (B. Visit to the website) as well as data processing operations (C.-H.).

  1. General
  1. Scope of application
  1. This privacy policy:
  1. describes how we collect, use, and handle personal data that you provide to us or that we collect from you when you use our website;
  2. explains the circumstances under which we may disclose this personal data to third parties; and
  3. informs you about your rights in relation to your personal data.
  1. Our privacy policy applies in conjunction with all of our other legal notices or terms of use that appear elsewhere on our website or are otherwise made available to you.

  1. Definitions
  1. These are the definitions used in this privacy policy, based on the definitions provided in Art. 4 of the EU General Data Protection Regulation (EU-GDPR):
  1. "Personal data" (see Art. 4 No. 1 EU-GDPR) means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or information relating to physical, physiological, genetic, mental, economic, cultural, or social identity. Identifiability may also be established by combining such information or through additional knowledge. The form or embodiment of the information is irrelevant (even photos, video or audio recordings can contain personal data).
  2. "Processing" (see Art. 4 No. 2 EU-GDPR) means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as well as changing the purpose or intended use of the data originally collected.
  3. "Controller" (see Art. 4 No. 7 EU-GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  4. "Processor" (see Art. 4 No. 8 EU-GDPR) means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, following the controller's instructions (e.g. an IT service provider). In terms of data protection law, a processor is not a third party.
  5. "Third party" (see Art. 4 No. 10 EU-GDPR) means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. This also includes legal persons affiliated with the controller.
  6. "Consent" of the data subject (see Art. 4 No. 11 EU-GDPR) means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

  1. Name and address of the data controller
  1. The controller responsible for processing your personal data within the meaning of Art. 4 No. 7 EU-GDPR is us:
GWC GmbH
Gotthardstrasse 10a, 8800 Thalwil
E-mail address: [email protected] 
  1. You can find further information about our company in the imprint section on our website at www.gwc-solutions.ch

  1. Contact details of the data protection officer (cf. Art. 37 EU-GDPR)
  1. For all questions and as the contact person regarding data protection at our company, our data protection officer is available to you at any time. His contact details are:
Data Protection Officer
Gotthardstrasse 10a, 8800 Thalwil
E-mail address: [email protected] 

  1. Legal bases for data processing
  1. By law, in principle, every processing of personal data is prohibited and only allowed if the data processing falls under one of the following justifications: 
  1. Art. 6 para. 1 lit. a EU-GDPR ("consent"): If the data subject has voluntarily, in an informed manner and unambiguously given his or her consent through a declaration or other clear affirmative action to the processing of the personal data concerning him or her for one or more specific purposes;
  2. Art. 6 para. 1 lit. b EU-GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. Art. 6 para. 1 lit. c EU-GDPR: If the processing is necessary for compliance with a legal obligation the controller is subject to (e.g. a legal retention obligation);
  4. Art. 6 para. 1 lit. d EU-GDPR: If the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. Art. 6 para. 1 lit. e EU-GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  6. Art. 6 para. 1 lit. f EU-GDPR ("legitimate interests"): If the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  1. For the processing activities carried out by us, we will indicate the applicable legal basis for each of them below. A processing activity may also be based on several legal bases.

  1. Data deletion and storage period
  1. For each processing activity we undertake, we will indicate below how long your data will be stored by us and when it will be deleted or blocked. If no specific storage period is indicated below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage ceases to apply. Your data will generally only be stored on our servers in Switzerland and the European Union, subject to any transfer that may occur under the provisions in Part A. Sections VIII. und IX. 

  1. However, storage may continue beyond the specified period in the event of a (potential) legal dispute with you or other legal proceedings, or if storage is required by legal provisions to which we, as the controller, are subject to. When the storage period required by law expires, your personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for such storage. The following factors may play a role in determining whether further storage is necessary:
  1. legal obligations to store data for a longer period;
  2. statutory limitation periods;
  3. (potential) legal disputes; or
  4. guidelines and orders issued by competent data protection authorities.
  1. In cases where we continue to process your personal data for the aforementioned reasons, we will ensure that such data is treated in accordance with this privacy policy. Otherwise, we will delete your data as soon as it is no longer needed.
  2. If you would like to know how long we store your personal data for a specific purpose, you can contact us [email protected].
  3. Further information on the storage period for cookies can be found in Part B. Section VI.

  1. Data security (cf. Art. 32 EU-GDPR)
  1. We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction, or unauthorized access by third parties (e.g. SSL/TSL encryption for our website), taking into account the state of the art, the implementation costs, and the nature, scope, context, and purposes of processing as well as the risks of a data breach (including its likelihood and severity) for the data subject. Our security measures are continuously improved in line with technological developments. 
  2. We are happy to provide you with more detailed information upon request. Please contact our data protection officer (see Part A. Section IV.).

  1. Collaboration with processors (see Art. 28 EU-GDPR)
  1. Like other companies, we also use external service providers, both domestic and foreign, to handle our business operations (e.g. IT, logistics, telecommunications, sales and marketing). They act only on our instructions and have contractually committed to comply with data protection regulations in accordance with Art. 28 EU-GDPR.
  2. If your personal data is passed on by us to our partner companies or from our partner companies to us (e.g. for advertising purposes), this is done on the basis of existing processing agreements.

  1. Requirements for the transfer of personal data to third countries
  1. As part of our business relationships, your personal data may be transferred or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries (e.g. Switzerland). Such processing is carried out exclusively to fulfill contractual and business obligations and to maintain your business relationship with us. We will inform you of the specific details of the transfer at the relevant points.
  2. The European Commission certifies some third countries with so-called adequacy decisions, which provide a level of data protection comparable to that of the EEA standard (you can find a list of these countries and a copy of the adequacy decisions here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de). However, in other third countries to which personal data may be transferred, there may be no uniformly high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This can be done through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data, certificates, recognized codes of conduct, or self-certification under the EU-US Privacy Shield (information on this can be found here: https://www.privacyshield.gov/welcome).
  3. However, we will only transfer your personal data to a location outside the EEA if:
  1. this transfer is made to a location where the European Commission believes that it provides adequate protection for your personal data;
  2. we have taken appropriate measures to protect your personal data (for example, if both parties involved in the transfer have agreed to standard data protection clauses recognized by the European Commission); or
  3. the above does not apply, but we can still proceed legally, for example, if the transfer is necessary for the establishment, exercise, or defense of legal claims.
  1. We are happy to provide you with more detailed information upon request. Please contact our data protection officer (see Part A. Section IV.).

  1. No automated decision-making (including profiling)
  1. We do not intend to use personal data collected from you for any automated decision-making process (including profiling).

  1. No obligation to provide personal data
  1. We do not make the conclusion of contracts with us dependent on you providing us with personal data beforehand. As a customer, you are not generally under a legal or contractual obligation to provide us with your personal data; however, it may be that we can only provide certain offers to a limited extent or not at all if you do not provide the required data. If this should exceptionally be the case within the scope of the products or services offered by us and presented below, you will be notified separately.

  1. Legal obligation to transmit certain data
  1. Under certain circumstances, we may be subject to a special legal or regulatory obligation to provide lawfully processed personal data to third parties, especially public authorities (cf. Art. 6 para. 1 lit. c EU-GDPR).

  1. Your rights
  1. You can exercise your rights as a data subject with regard to your processed personal data at any time by contacting us using the contact details provided in Part A. Section III. You have the right as a data subject to: 
  1. request information about the data we process about you in accordance with Art. 15 EU-GDPR. In particular, you may request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the source of your data if it was not collected by us, and the existence of automated decision-making, including profiling, and meaningful information about its details;
  2. request without delay the rectification of inaccurate or incomplete data we have stored about you in accordance with Art. 16 EU-GDPR;
  3. request the erasure of your data stored by us in accordance with Art. 17 EU-GDPR, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
  4. request the restriction of processing of your data in accordance with Art. 18 EU-GDPR, to the extent that the accuracy of the data is contested by you, the processing is unlawful or you have objected to the processing;
  5. receive your data that you have provided to us in a structured, commonly used and machine-readable format or to request the transmission to another controller, in accordance with Art. 20 EU-GDPR ("data portability");
  6. object to the processing of your data, if the processing is based on Art. 6 para. 1 lit. e or lit. f EU-GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. If the objection does not concern direct marketing, we ask you to explain the reasons why we should not process your data as we have done. If you raise a justified objection, we will examine the situation and either terminate or adapt the data processing or show you our compelling legitimate grounds for continuing the processing;
  7. withdraw your consent – i.e. your voluntary, informed and unambiguous expression of will that you agree to the processing of your personal data for one or more specific purposes – which you have given to us at any time in accordance with Art. 7 para. 3 EU-GDPR, even before the EU-GDPR came into effect, i.e. before May 25, 2018. This will result in us no longer being allowed to continue the data processing based on this consent in the future; and lodge a complaint with a data protection supervisory authority regarding the processing of your personal data in our company, such as the supervisory authority responsible for us. The supervisory authority/data protection office responsible for us is the Federal Data Protection and Information Commissioner (FDPIC). The contact details can be found at the following link: https://www.edoeb.admin.ch/edoeb/de/home.html.
  1. If you would like to request additional information or exercise your rights with respect to personal data, or if you are not satisfied with the way we handle your personal data, please feel free to contact us [email protected]. Please provide us with as much information as possible to help us determine the information you are seeking and the nature of your complaint.
  2. Before we review your request, we may need to request additional information from you to confirm your identity. If you do not provide us with the requested information and we are therefore unable to identify you, we may be forced to reject your request.
  3. Normally, we will respond to your request within one month of receiving it. However, in some cases, it may be necessary to extend this period by an additional two months, especially if the complexity or number of your requests requires it.
  4. For such inquiries and actions, we generally do not charge any fees, unless:
  1. information from you to confirm your identity. If you do not provide us with the requested information and we are therefore unable to identify you, we may be forced to reject your request; or
  2. you make obviously unfounded or excessive requests, especially in the case of frequent repetition. In these cases, we may either: (a) charge reasonable administrative costs or (b) refuse to process the request.

  1. Changes to the Privacy Policy
  1. As part of the ongoing development of data protection law and technological or organizational changes, our privacy policy will be regularly reviewed for any necessary adjustments or additions. You will be informed about any changes, in particular on our website. This privacy policy is valid as of April 2023.