Privacy Policy Pacovis AG

Version dated 13.11.2024

1. What is the purpose of this privacy policy?

Pacovis AG (hereinafter also referred to as ‘we’, ‘us’) gathers and processes personal data relating to you or other persons (so-called ‘third parties’). We use the term ‘data’ here synonymously with ‘personal data’ or ‘personal information’.

With the ‘Pacovis Group’ we refer to Pacovis AG and its subsidiaries and group companies. An overview of the subsidiaries and group companies can be found here www.pacovis.com/ch-de/ueber-uns/standorte/.

This privacy policy describes what we do with your data when you use our websites or apps (hereinafter collectively referred to as the ‘website’), purchase our services or products, enter into a contract with us in any other way, communicate with us or otherwise interact with us. Where applicable, we will notify you in writing in a timely manner of any additional processing activities not mentioned in this privacy policy. In addition, we may provide you with specific information regarding the processing of your data separately, for instance, in consent forms, contractual terms, supplementary privacy policies, forms, and notices.

If you provide us with information about other individuals, such as work colleagues, we will assume that you are authorised to do so and that this information is accurate. By sharing information about third parties, you confirm this. Please also ensure that these third parties have been informed about this privacy policy.

This privacy policy is designed to meet the requirements of the EU General Data Protection Regulation (GDPR) and national data protection laws such as the Swiss Federal Act on Data Protection (FADP), the German Federal Data Protection Act (BDSG) and the German Telecommunications and Telemedia Data Protection Act (TDDDG). However, the applicability of these laws may vary depending on the specific circumstances.

2. Who is responsible for processing your data?

Pacovis AG, Stetten AG, Switzerland, is responsible under data protection law for the data processing of the Pacovis Group described in this privacy policy, unless otherwise communicated in individual cases (e.g. in other privacy policies, on forms or in contracts). However, this privacy policy also applies, unless otherwise communicated, to cases in which Pacovis AG is not the controller, but a group company of the Pacovis Group. This is particularly the case where your data is processed by such a group company in connection with its own legal obligations or contracts or where you share data with such a group company. In these cases, the group company is the data controller and only if you share your data with other group companies for their own purposes (see Section 7) will these other group companies also become data controllers.

If you have any questions or concerns about data protection and/or wish to exercise your rights under Section 11, you can contact us using the following details:

Pacovis AG
Grabenmattenstrasse 19
5608 Stetten AG
Switzerland
+41 56 485 93 93
datenschutz@pacovis.com 

Our representative in the EU according to Article 27 of the GDPR is:

Pacovis Deutschland GmbH
Konrad-Zuse-Weg 1
72555 Metzingen
Germany
datenschutz@pacovis.com

3. What data do we process?

We process different categories of data about you. The most important categories are as follows:

  • Technical data: When you use our website or other electronic services, we collect the IP address of your device and other technical data to ensure the functionality and security of these services. This data also includes logs that record the use of our systems. We typically retain technical data for 24 months. To ensure the functionality of these services, we can also assign an individual code to you or your device (e.g. in the form of a cookie, see Section 12). Technical data cannot be traced back to you. However, it can be linked to other categories of data (and thus possibly to your person) when creating user accounts, registrations, access controls or processing contracts.
  • Registration data: Certain offers and services (such as login areas of our website) can only be used with a user account or registration, which can be done directly with us or via our external login service providers. You will need to provide us with certain information and we will collect information about your use of features or services. Registration data may be collected during access controls to certain systems; depending on the control system, biometric data may also be collected. We generally store registration data for 12 months after the end of use of the service or the cancellation of the user account.
  • Communication data: If you contact us via the contact form, by email, telephone or chat, in writing or by other means of communication, we will collect the information exchanged between you and us, including your contact details and the metadata of the communication. If we record or listen in on telephone conversations or video conferences, for example, for training and quality assurance purposes, we will expressly inform you of this. Such recordings may only be made and used in accordance with our internal guidelines. You will be notified if and when such recordings take place, for example, through a notification during the relevant video conference. If you prefer not to be recorded, please inform us or exit the session. If you simply do not want your image to be recorded, please switch off your camera. If we need to verify your identity, for example when you make a request for information, we collect data to confirm who you are (such as a copy of an ID). We usually keep this data for 12 months from the last interaction with you. This period may be longer, if this is necessary for evidentiary reasons, to comply with legal or contractual obligations or for technical reasons. Emails in personal mailboxes and written correspondence are typically retained for a minimum of 1 year. Recordings of (video) conferences are generally retained for 12 months. Chat logs are generally stored for 12 months.
  • Master data: We use the term master data to refer to the basic data that we require in addition to the contract data (see below) for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details and information, for example, about your role and function, your bank details, your date of birth, customer history, powers of attorney, signature authorisations and declarations of consent. We process your master data if you are a customer or other business contact or are working for such a person (e.g. as a contact person of the business partner), or because we wish to contact you for our own purposes or the purposes of a contractual partner (e.g. as part of marketing and advertising, with invitations to events, with vouchers, with newsletters, etc.). We obtain master data from you (e.g. when you make a purchase or register), from organisations for which you work or from third parties such as our contractual partners, associations and address brokers, as well as from publicly accessible sources such as public registers or the internet (websites, social media, etc.). We may also collect master data from our shareholders and investors. We generally store this data for 7 years from the last interaction with you. This period may be longer, if this is necessary for evidentiary reasons, to comply with legal or contractual obligations or for technical reasons. The retention period for exclusively marketing and advertising relationships is normally much shorter, usually no more than 5 years since the last interaction.
  • Contract data: These are data related to the conclusion or processing of a contract, e.g. information on contracts and the services to be provided or already provided, as well as data from the precontractual stage, the information required or used for processing and information on responses (e.g. complaints or information on satisfaction, etc.). As a rule, we collect this data from you, from contractual partners and from third parties involved in the performance of the contract, but also from third-party sources (e.g. credit reference agencies) and from publicly accessible sources. We generally store this data for 10 years from the last contractual activity. This period may be longer, if this is necessary for evidentiary reasons, to comply with legal or contractual obligations or for technical reasons.
  • Behavioural and preference data: Depending on our relationship with you, we strive to learn more about you and better tailor our products, services and offers to you. To do this, we collect and use data about your behaviour and preferences. We do this by analysing information about your behaviour in our area, and we may also supplement this information with information from third parties – including from publicly available sources. Based on this, we can calculate, for example, the likelihood of you using certain services or behaving in a particular way. We may already have some of the data processed for this purpose (e.g. when you use our services), or we obtain this data by documenting your behaviour (e.g. how you navigate our websites). We will anonymise or delete this data when it is no longer relevant for the purposes pursued, which can be up to 12 months depending on the type of data (for product and service preferences). This period may be longer, if this is necessary for evidentiary reasons, to comply with legal or contractual obligations or for technical reasons. We explain how tracking works on our websites in Section 12.
  • Additional data: We also collect data from you in other situations. Data (such as files, evidence, etc.) that may also relate to you may be collected in connection with official or court proceedings. We may also collect information for health protection purposes (e.g. as part of safeguarding policies). We may receive or produce photos, videos and sound recordings in which you may be recognisable (e.g. at events, through security cameras, etc.). Furthermore, we may also collect data about the persons entering certain buildings or having access rights (including access controls, based on registration data or visitor lists, etc.), who takes part in events or campaigns (e.g. competitions) and at which time, or about the persons using our infrastructure and systems. Finally, we collect and process data relating to our shareholders and other investors; in addition to master data, this includes information for the relevant registers, regarding the exercise of their rights and the organisation of events (e.g. general meetings). The retention period for this data depends on the processing purpose and is limited to what is necessary. This ranges from a few days for many of the security cameras to reports on events with images that can be stored for several years or longer. Data about you as a shareholder or other investor will be retained in accordance with the requirements of company law, but in any case, for as long as you are invested.

Much of the data set out in this Section 3 is provided to us by you (through forms, when you communicate with us, in relation to contracts, when you use the website, etc.). You are not obliged to do so, except in individual cases, e.g. in the context of binding protection concepts (legal obligations). If you wish to enter into contracts with us or use our services, you must also provide us with certain data, in particular master data, contract data and registration data, as part of your contractual obligation under the relevant contract. When using our website, the processing of technical data cannot be avoided. If you wish to gain access to certain systems or buildings, you must also provide us with registration data. However, in the case of behavioural and preference data, you generally have the option of objecting or not giving consent.

Insofar as it is not prohibited, we also collect data from public sources (for example debt collection registers, land registers, commercial registers, the media, or the internet including social media) or receive data from other companies within our group, from public authorities and from other third parties (such as credit agencies, address brokers, associations, contractual partners, internet analytics services, etc.).

4. For what purposes do we process your data?

We process your data for the purposes set out below. These purposes and their objectives represent our interests and potentially those of third parties. You can find further information on the legal basis of our processing in Section 5.

We process your data for purposes related to communication with you, in particular in relation to responding to enquiries and the exercising of your rights (Section 11) and to enable us to contact you in case of queries. For this purpose, we use, in particular, communication data and master data, and registration data in relation to offerings and services that you use. We keep this data to document our communication with you, for training purposes, for quality assurance and for follow-up enquiries.

We process data for the conclusion, administration and performance of contractual relationships.

We process data for the provision, operation and further development of our websites and other platforms (in particular the web shop) and apps. Further information is set out in Sections 12 and 13. 

We process data for marketing purposes and to maintain relationships, for example, to provide our customers and other contractual partners with loyalty and bonus programmes, to organise customer events, competitions and similar events, or to send our customers and other contractual partners personalised advertising about our products and services and those of third parties (e.g. advertising contractual partners). This may take place in the form of newsletters and other regular contacts (electronically, by post or by telephone), through other channels for which we have contact information from you, but also as part of marketing campaigns (e.g. events, competitions, etc.), and may also include free services (e.g. invitations, vouchers, etc.). You can object to such contact at any time (see Section 5) or refuse or withdraw consent to be contacted for marketing purposes. With your consent, we can target our online advertising on the internet more specifically to you (see Section 12). Ultimately, we also want to enable our contractual partners to contact our customers and other contractual partners for advertising purposes (see Section 7).

We further process your data for market and opinion research, to improve our services and operations and for product development.

We may also process your data for security purposes and for access control (domiciliary rights).

We process personal data to comply with laws, instructions and recommendations from authorities and internal regulations (compliance) and to protect and enforce our rights.

We also process data for the purposes of our risk management and as part of diligent corporate governance, including business organisation, corporate development and corporate transactions.

We may process your data for further purposes, for example as part of our internal processes and administration or for quality assurance purposes and training.

5. On what basis do we process your data?

Where we ask you for your consent (Article 6(1)(a) GDPR) for certain processing (e.g. for marketing mailings and for advertising management and behavioural analysis on the website), we will inform you separately about the relevant processing purposes. You may withdraw your consent at any time with effect for the future by providing us with written notification (by post) or, unless otherwise stated or agreed, by email; our contact details can be found in Section 2. For withdrawing consent for online tracking, see Section 12. Where you have a user account, you may also withdraw consent or contact us also through the relevant website or other service, as applicable. Once we have received notification of withdrawal of consent, we will no longer process your information for the purpose(s) you consented to, unless we have another legal basis for doing so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal.

Where we do not ask for your consent for processing, the processing of your personal data is based on the fact that the processing is necessary for initiating or executing a contract with you (or the entity you represent) (Article 6(1)(b) GDPR) or that we or third parties have a legitimate interest (Article 6(1)(f) GDPR), in particular in order to pursue the purposes and associated objectives described above under Section 4 and to be able to take appropriate measures.

Our legitimate interests also include compliance with legal regulations, insofar as this is not already recognised as a legal basis by the applicable data protection law. Among other things, our legitimate interests include the marketing of our products and services and an interest in gaining a better understanding of our markets and in running and further developing our enterprise, including its business operations, securely and efficiently.

If we receive sensitive personal data (for example health data or biometric data for identification purposes), we may process your data on other legal bases, for example, in the event of a dispute, as required in relation to potential litigation or for the enforcement or defence of legal claims. In some cases, other legal bases may apply, which we will communicate to you separately as necessary.

6. What applies in case of profiling and automated individual decisions?

We may automatically evaluate personal aspects relating to you (profiling) based on your data (Section 3) for the purposes set out in Section 4, where we wish to determine preference data, but also in order to detect misuse and security risks, to perform statistical analyses or for operational planning. We may also create profiles for these purposes, i.e. we may combine behavioural and preference data, but also master data, contract data and technical data relating to you in order to better understand you as a person with your various interests and other characteristics.

7. With whom do we share your data?

In relation to our contracts, the website, our services and products, our legal obligations or otherwise in protecting our legitimate interests and for the other purposes set out in Section 4, we may disclose your personal data to third parties, in particular to the following categories of recipients:

  • Companies of the Pacovis Group: The group companies may use the data for the same purposes described in this privacy policy (see Section 4).
  • Service providers: We work with domestic and foreign service providers who process your data on our behalf or as joint controllers with us or who receive data about you from us as separate controllers (for example, IT providers, shipping companies, advertising service providers, login service providers, cleaning companies, security companies, banks, insurance companies, debt collection companies, credit information agencies, or address verification providers). This may include health data. For the service providers used for the website, see Section 12.
  • Contractual partners including customers: This refers to our customers and other contractual partners (e.g. suppliers and subcontractors), as this data disclosure arises from these contracts. If you work for one of these contractual partners, we may also transmit your data to that partner in this regard. These recipients also include contractual partners with whom we cooperate or who advertise for us and to whom we therefore disclose data about you for analysis and marketing purposes. We require these partners to send you or display advertising based on your data only with your consent (for online advertising, see Section 12).
  • Authorities: We may disclose personal data to authorities, courts, and other authorities, both domestically and internationally, if we are legally obligated or authorized to do so, or if it is deemed necessary to protect our interests. These authorities process data about you that they have received from us under their own responsibility.
  • Other persons: This refers to other cases where the involvement of third parties arises from the purposes set out in Section 4, for example, industry organisations, media outlets, associations as well as purchasers and parties interested in acquiring business units, companies or other parts of the Pacovis Group.

All these categories of recipients may involve third parties, so your data may also be disclosed to them. We can restrict the processing by certain third parties (e.g. IT providers), but not by others (e.g. authorities, banks, etc.).

We also enable certain third parties to collect personal data from you on our website (see Section 12) and at events organised by us (e.g. press photographers, providers of tools that we have integrated on our website, etc.). Where we have no control over this data collection, these third parties are sole controllers. If you have concerns or wish to exercise your data protection rights, please contact these third parties directly.

8. Will your personal data also be transmitted abroad?

As explained in Section 7, we disclose data to other parties. These are not only located in Switzerland or Europe, but can be in any country in the world.

If a data recipient is located in a country without adequate statutory data protection, we contractually oblige the recipient to comply with the applicable data protection regulations (we use the revised standard contractual clauses of the European Commission, which are available here: eur-lex.europa.eu/eli/dec_impl/2021/914/oj, unless the recipient is already subject to a legally recognised set of rules to ensure data protection and we cannot rely on an exemption clause.

An exception may arise, especially in the context of legal proceedings abroad, as well as in situations involving significant public interests or when the disclosure is necessary for contract fulfilment. This exception may also apply if you have provided consent or if the data in question has been publicly accessible and you have not objected to its processing.

9. How long will we continue to process your data?

We process your data for as long as our processing purposes, the legal retention periods and our legitimate interests in terms of documentation and keeping evidence require it, or for as long as storage is a technical requirement. You will find further information on the respective storage and processing periods for the individual data categories in Section 3, and for cookies in Section 12. If there are no contrary legal or contractual obligations, we will delete or anonymise your data once the storage or processing period has expired as part of our usual processes.

10. How do we protect your data?

We take appropriate security measures in order to maintain the required security of your personal data and ensure its confidentiality, integrity and availability, and to protect it against unauthorised or unlawful processing, and to mitigate the risk of loss, accidental alteration, and unauthorised disclosure or access.

11. What are your rights?

Applicable data protection laws grant you the right to object to the processing of your data under some circumstances, in particular for direct marketing purposes, for profiling carried out for direct marketing purposes and for other legitimate interests in processing.

To help you control the processing of your personal data, you have the following rights in relation to our data processing, depending on the applicable data protection law:

  • The right to request information from us as to whether and what data we process from you;
  • The right to obtain from us rectification of inaccurate data;
  • The right to request erasure of data;
  • The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;
  • The right to withdraw consent, where our processing is based on your consent;
  • The right to receive, upon request, further information that is helpful in exercising these rights;
  • The right to express your point of view in cases of automated individual decisions (Section 6) and to request that the decision be reviewed by a human.

If you wish to exercise the above rights against us (or against one of our group companies), please contact us in writing, at our premises or, unless otherwise stated or agreed, by email; our contact details can be found in Section 2. In order for us to be able to prevent misuse, we need to identify you (for example by means of a copy of your ID document if identification is not possible otherwise).

Please note that conditions, exceptions or restrictions apply to these rights under applicable data protection law (for example to protect third parties or trade secrets). We will inform you accordingly where applicable.

If you do not agree with the way we handle your rights or with our data protection practices, please let us know (Section 2). If you are located in the EEA, the United Kingdom or in Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here: edpb.europa.eu/about-edpb/board/members_de. You can contact the supervisory authority of the United Kingdom here: ico.org.uk/global/contact-us/. The Swiss supervisory authority can be contacted here: www.edoeb.admin.ch/edoeb/de/home/deredoeb/kontakt.html.

12. Do we use online tracking and online advertising technology?

We use various techniques on our website that allow us and third parties engaged by us to recognise you during your use of our website, and possibly to track you across several visits. This section provides information about this.

In essence, we wish to distinguish access by you (through your system) from access by other users, so that we can ensure the functionality of the website and carry out analyses and personalisation. We do not intend to determine your identity, even if that is possible where we or third parties engaged by us can identify you based on a combination with registration data. However, even without registration data, the technologies we use are designed in such a way that you are recognised as an individual visitor each time you access the website, for example by our server (or third-party servers) that assign a specific identification number to you or your browser (a ‘cookie’).

Cookies are individual codes (e.g. a serial number) that our server or a server belonging to our service providers or advertising partners transmits to your system when you connect to our website, and that your system (browser, mobile phone) accepts and stores until the set expiration time. Your system transmits these codes to our server or the third-party server with each additional access. That way, you are recognised even if your identity is unknown.

Other technologies may be used to recognise you with some likelihood (i.e. distinguish you from other users), such as ‘fingerprinting’. Fingerprinting combines your IP address, the browser you use, screen resolution, language settings and other information that your system tells every server, resulting in a more or less unique fingerprint. This makes it possible to do without cookies.

Whenever you access a server (for example when you use a website or an app, or because an email includes a visible or invisible image), your visits can therefore be tracked. If we integrate offers from an advertising partners or a provider of an analysis tool on our website, they may track you in the same way, even if you cannot be identified in a particular case.

We use these technologies on our website and may allow certain third parties to do so as well. However, depending on the purpose of these technologies, we may ask for consent before they are used. You can also set your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser that blocks certain third-party tracking. You can find more information on the help pages of your browser (usually by searching the keyword ‘privacy’) or on the websites of the third parties set out below.

We distinguish between the following categories of cookies (including other comparable technologies such as fingerprinting):

  • Necessary cookies: Some cookies are necessary for the functioning of the website or for certain functions. For example, they ensure that you can move between pages without losing information that was entered in a form. They also ensure that you remain logged in. These cookies are temporary (session cookies). If you block them, the website may not work properly. Other cookies are necessary for the server to store options or information (which you have entered) beyond a session (i.e. a visit to the website) if you use this function (e.g. language settings, consents, automatic login functionality, etc.). These cookies are valid for up to 12 months.
  • Performance cookies: In order to optimise our website and related offers and to better adapt them to the needs of users, we use cookies to record and analyse the use of our website, potentially beyond one session. We use third-party analytics services for this purpose. We have listed them below. Before we use such cookies, we ask for your consent. You can withdraw consent at any time through the cookie settings. Performance cookies are valid for up to 1 month. Details can be found on the websites of the third-party providers.

We may also integrate other third-party offers on our website, in particular from social media providers such as LinkedIn, Facebook, Twitter, YouTube, Pinterest or Instagram. These offers are deactivated by default. As soon as you activate them (for example by clicking a button), these providers can determine that you are using our website. If you have an account with that social media provider, it can assign this information to you and thereby track your use of online offers. These social media providers process this data as separate controllers.

We currently use offers from the following service providers and advertising partners (where they use data from you or cookies set on your computer for advertising purposes):

  • Google Analytics: Google Ireland Ltd. (located in Ireland) is the provider of the service ‘Google Analytics’ and acts as our processor. Google Ireland relies on Google LLC (located in the United States) as its sub-processor (both ‘Google’). Google collects information about the behaviour of visitors to our website (duration, page views, geographic region of access, etc.) through performance cookies (see above) and on this basis creates reports for us about the use of our website. We have configured the service so that the IP addresses of persons located in Europe who visit Google are curtailed before they are transmitted to the USA and thus cannot be traced back. We have the settings ‘Data transmission’ and ‘Signals’ turned off. Although we can assume that the information we share with Google is not personal data for Google, it may be possible that Google may be able to draw conclusions about the identity of visitors based on the data collected, create personal profiles and link this data with the Google accounts of these individuals for its own purposes. In any event, if you consent to the use of Google Analytics, you expressly consent to any such processing, including the transfer of your personal data (in particular website and app usage, device information and unique IDs) to the United States and other countries. Information on Google Analytics data protection can be found here support.google.com/analytics/answer/6004245 and, if you have a Google account, you can find further information on data processing by Google here policies.google.com/technologies/partner-sites.
  • Piwik PRO: Piwik PRO GmbH (located in Germany) is the provider of the 'Piwik PRO' service and acts as our processor. Piwik PRO GmbH collects information about the behaviour of visitors to our website (duration, page views, geographic region of access, etc.) through performance cookies (see above) and on this basis creates reports for us about the use of our website.

13. What data do we process on our pages in social networks?

We may operate pages and other online presences (channels, profiles, etc.) on social networks and other platforms operated by third parties and collect the data about you described in Section 3 and below. We receive this data from you and from the platforms when you interact with us through our online presence (for example when you communicate with us, comment on our content or visit our online presence). At the same time, the platforms analyse your use of our online presences and combine this data with other data they hold about you (for example about your behaviour and preferences). They also process this data for their own purposes, in particular for marketing and market research purposes (for example to personalise advertising) and to manage their platforms (for example what content they show you) and, to that end, they act as separate controllers.

We process this data for the purposes set out in Section 4, in particular for communication, for marketing purposes (including advertising on these platforms) and for market research. You will find information about the applicable legal bases in Section 5. We may disseminate content published by you (for example comments on an announcement), for example as part of our advertising on the platform or elsewhere. We or the operators of the platforms may also delete or restrict content from or about you in accordance with their terms of use (for example inappropriate comments).

For further information on the processing of the platform operators, please refer to the privacy information for the relevant platforms. There you can also find out about the countries where they process your data, your rights of access and erasure of data and other data subjects’ rights, and how you can exercise them or obtain further information. We currently use the LinkedIn and YouTube platforms.

14. Can this privacy policy be changed?

This privacy policy does not form an integral part of a contract with you. We can change this privacy policy at any time. The version published on this website is the current version.