PRIVACY STATEMENT OF ITSPOT
of March 2020
The present Privacy Statement of Swisscom Directories Ltd (hereinafter «We» or «cityo») informs the customers and users (hereinafter «You» or «User») of our services, offers, and products (hereinafter «Services») about the procurement and processing of your data (personal data as well as non-person-related data; hereinafter «Data»).
- Data controller
In the following, We inform You about who is responsible for processing Your Data, which Data We collect in connection with Your use of our Services, for what purposes We process this Data, as well as to whom We forward this data in some cases, among other things. In addition, We inform You about the length of processing Your Data, the legal basis for the processing (insofar as any such basis should be necessary), as well as about what rights You are entitled to in relation to Us with regard to the processing of Your Data. This Privacy Statement applies to all of Your Data that We already have in our possession or that We will have in the future. Please note that We can amend the Privacy Statement from time to time. The most recent version, as published on www.cityo.ch, shall be applicable.
Personal data is deemed to be all information that relates to a specific or specifiable person (hereinafter «Personal Data»). This particularly includes information such as name, address, telephone number, e-mail address, and in some circumstances also IP addresses and device IDs. In the present Privacy Statement, the generic term Data also includes non-person-related data and anonymised data along with Personal Data. Processing is understood to mean any handling of Data, regardless of the means and processes used, particularly collecting, storing, using, reworking, publishing, archiving, or deleting Data (hereinafter «Processing»).
If You provide Us with the Personal Data of other individuals, please ensure that these persons are aware of this Privacy Statement, and only notify us of their Personal Data if you are entitled to do so pursuant to applicable data protection law.
IT-SPOT in Zurich, Switzerland, is the Controller for the Data Processing pursuant to this Privacy Statement. Please contact our Data Protection Office (available at firstname.lastname@example.org) for concerns and questions in connection with data protection. As an additional point of contact in the EU, our data protection representative is available to you and the supervisory authorities.
Categories of processed Data
We collect specific Data when You use our Services and are in contact with cityo (e.g., when visiting our websites, using one of our mobile apps or another of our digital services, making a contract, registering, and logging into Your user account, or when in contact with our employees). We fundamentally collect these Data directly from You. In specific cases, it may occur that We receive Data from other persons (e.g., if a third party provides a rating or a comment that relates to You, if Your employer provides Us with Your contact information, or if a company with which You maintain a contractual relationship forwards Your Data to Us).
The Personal Data that We process may include the following Data:
- Data that was provided to Us at registration for one of our Services (e.g., name, contact data, sex, marital status, date of birth, profession, photo, dependents, employees, language, payment information, access data, information on advertising, opt-ins and opt-outs, etc.).
- Data relating to offers and concluded contracts (e.g., contract date, type, content, product, parties, term, value, and amendments; payment details, contact data, contact persons, invoicing and correspondence addresses, customer feedback, termination notices, disputes, etc.).
- Data that is identified or disclosed during use of our Services by registered and non-registered Users. This includes, inter alia, the IP and MAC address or device ID of the device used, cookies, pages accessed by users and search terms entered, inputs into dialog boxes, reservations, evaluations, time and length of visits, clicks, reactions to offers from cityo and third parties, referring/exit URL, information on the time of use, the browser and device type, as well as the operating system used and the internet service provider, transferred data volume. This also includes Data that is published or disclosed through our services (including any integrated third-party services) (e.g., pictures, texts, comments, evaluations, reservations, videos, etc.). We can merge Personal Data from one of our Services with Data from another Service.
- Data that is exchanged in or with regard to contact with Us (e.g., communication by letter, telephone, fax, e-mail, text and photo messages (SMS/MMS), video messages or instant messaging, reactions to communication and offers from cityo, preferred communication channels, etc.).
- Data that You or third parties disclose when participating in lotteries, surveys, and the like.
- Certain Services (e.g., search.ch, local.ch and localcities.ch) can collect and store location-related data if the geo- location function of the device used is activated.
- Data that third parties with whom We maintain business relationships provide to Us (e.g., directory entries, address databases, changes in database entries, rating data, information on internal company contact persons, etc.).
- Data from public sources (e.g., Commercial Register entries, other listings, etc.).
The Data listed above do not represent Personal Data in every case. We are generally not able to match Data that accrues during use of Our Services without registration (e.g., through a User account) to any individual person specified by name. However, this may be possible in individual cases in combination with other Data.
In some circumstances, You will have to provide specific Personal Data in order to use Our Services, when this Data is necessary or required by law for commencing and handling the contractual relationship and performance of the related contractual obligations. Lacking this Personal Data, We will generally not be in a position to conclude the contract and perform it, or to provide a specific Service. Logging access to our digital services and the related collection of connection data (such as the IP address, for instance) is also necessary; it occurs automatically during use and cannot be turned off for individual Users. Therefore, if You do not agree with the collection of such Data, You should refrain from using Our Services.
We will process Personal Data particularly for the following purposes, to the extent permitted by applicable law:
- Commencing, concluding, performing, and processing contracts;
- Offering, enhancing, and improving our Services, developing new Services, operating, maintaining, optimizing, and ensuring the security of our Services and infrastructure.
- Managing the Users of our Services, checking identities, log-ins, and other authentications;
- Maintaining, managing, and developing our customer relationships, communicating with customers and third parties, customer service and support, promotions, advertising and marketing, creating user profiles, offering customized Services and relevant content;
- Maintaining and publishing directories (in printed form, on data carriers, and/or on the Internet), maintaining, comparing, and updating databases including central address and contact data directories of Ours and of companies with which We maintain a contractual relationship;
- Protecting Users, our employees, and third parties, as well as protecting our Data, secrets, and assets, the security of our systems, buildings, and other infrastructure;
- Quality control, market research, preparing statistics, reports, and management information, management and development of the company, our offerings, and our activities, acquisition and sale of business units, companies, and portions thereof;
- Complying with legal and regulatory obligations and internal rules, law enforcement, civil, administrative, and criminal proceedings, complaints, fighting abuse, investigations and answering inquiries from government agencies and official bodies.
In addition, We can also process Personal Data for additional purposes insofar as a legal obligation requires the Processing or We provide information about it elsewhere or the Processing was obvious from the circumstances at the time the Data was collected.
We use the Personal Data for the purposes listed above based on the following legal foundations insofar as any such is required under applicable data protection law:
- Fulfilment of contractual obligations;
- Fulfilment of legal obligations;
- Consent granted to Us or to third parties;
- Legitimate interests of Us and of third parties, particularly:
- Offering and providing Services;
- Advertising and marketing;
- Maintaining contact and communication with Users and third parties;
- Understanding User behaviours, preferences, and requirements, market studies;
- Enhancing and improving our Services, developing new Services;
- User management, identity checks, log-ins, authentications;
- Protecting Users, our employees, and third parties, our Data, secrets, infrastructure, and assets;
- Maintenance and secure, efficient and effective organisation of business operations including secure, efficient and effective operations and the successful development of the digital services and other IT systems, error correction;
- Reasonable governance and development, successful sale or acquisition of business units, companies or parts of companies and other corporate transactions;
- Complying with legal and regulatory obligations and internal rules, law enforcement, civil, administrative, and criminal proceedings, complaints, fighting abuse, investigations and answering inquiries from government agencies.
We can publish and disclose Data as follows:Publication of Data
Certain of our Services provide for publication of Data. Published Data can generally be accessed anywhere, also outside of Switzerland. For example, the published directory data are publicly available (e.g., at local.ch, search.ch, öffentliches-verzeichnis.ch, in print editions of directories, etc.). Data published using corresponding functions of our Services (e.g., posts, pictures, texts, videos, comments, evaluations, etc.) may also be accessible to the public. This applies likewise to the user names used for those purposes. We or third parties can also publish published Data on other platforms and in other media (for instance, print media), in adapted form as necessary. Data that are published via our Services may possibly also be indexed by search machines (such as Google) or processed by third parties on whom we have no influence; in this way, such Data may continue to be publicly available in every country on Earth, even after this Data may have been deleted from our system.Data processors
We can commission third parties to provide specific services (e.g., in the areas of IT, operation of applications, administration, printing, shipping, etc.) and to process and store Data (known as «data processors»). Data processors may have access to Personal Data and process them on Our behalf. We obligate the data processors to comply with data protection law and only to process Data in the way that We do it Ourselves. Data processors that may receive Personal Data may be located in any country, particularly in Switzerland, in EU and EEA countries, and in the US.Contract partners
We can disclose Data to contract partners (for example, sales partners, service providers, customers, suppliers, financial companies, etc.). This occurs, for instance, to fulfil contractual obligations, to offer specific Services, to compare, validate, and update databases (including central address and contact data directories of Ours and of our contract partners), for debt collection and marketing purposes, to analyse the use and operation of our Services, systems, and infrastructure, and for payment processing. Possible recipients can also be acquirers or persons interested in acquiring business units, companies, or portions thereof. Contract partners may receive access to Personal Data and process it for their own purposes (for instance, to perform a contract or to perform their own legal obligations). In this context, they themselves are obligated to comply with applicable data protection laws. Contract partners that may receive Personal Data may be located in any country, particularly in Switzerland, in EU and EEA countries, and in the US.Disclosure to government agencies and other disclosure on legal grounds
If Data that is not otherwise public is transferred to a country without reasonable data protection provisions, We will ensure suitable data protection by deploying adequate contractual guarantees on the basis of EU standard contract clauses, binding corporate rules, or based on the exception of consent, of contract processing, of the determination, assertion or enforcement of legal claims, of overriding public interests, or because the transfer is necessary to protect the physical integrity of a data subject. Where applicable data protection law so provides, You can obtain a copy of the contractual guarantees with regard to Your Personal Data from our Data Protection Office, or You can find out where such a copy can be obtained. We reserve the right to redact such copies for reasons of data protection or for reasons of secrecy.
We store Personal Data as long as this is necessary for the purpose for which We have collected them. Specific Personal Data are also subject to legally binding retention obligations of ten or more years, which we comply with. We can also store Personal Data for at least the term of the applicable limitation periods, which in many cases are five or ten years. We generally delete Personal Data that accrue in connection with the use of our Services (e.g., logs, analyses, etc.) and that are not subject to any such retention or limitation periods earlier, as soon as We no longer have any interest in the Processing. Data can also be retained for a longer period in each case in anonymized form. Subject to any express contractual agreement, We are not obligated to You to retain Data for any particular period of time.
We use various common technologies in order to collect, store, and analyse Data when You use Our Services. This specifically includes cookies using which your browser or your device can be identified. A cookie is a small file that is sent to Your computer or is stored automatically on Your computer or mobile device when You call up one of our Services. When You call up a Service again, it can recognize Your browser or Your device using the cookie. Cookies can store user settings and other information. Along with what are called «session cookies,» which are automatically deleted after a visit to Our Services, We also use temporary and permanent cookies that remain stored on Your computer or mobile device for a longer period. The cookies used primarily serve to provide You with the functionalities of the various Services conveniently and securely (for instance, logging in to Your User account).
In addition to cookies, We can also make use of other technologies (e.g., pixels, web beacons, tags, advertising IDs) in order to analyse the use of our Services, to personalize our Services, and to display offers and advertising customized to You. For instance, when We send newsletters and e-mails, We can use technologies that allow Us to analyse what content is interesting to Users and whether, when, and how they react to our offers (e.g., by downloading pictures in an e-mail, clicking on URLs in an e-mail or on a website, filling in form data, etc.). We assume that the User consents to the use of corresponding technologies by using such functions.
Finally, We use various common web analysis and tracking tools to measure and evaluate the use of Our Services. Such tools, which are usually provided by third parties, provide Us with information and statistics on the use of our Services that help Us to better understand the use of Our Services and to adapt them to User needs accordingly.
We integrate plugins from social networks (e.g., Facebook, Google Plus, Twitter) into our Services. These plugins make it easier to share content on these platforms. A summary of the plugins used can be found here.
When visiting Our Services that contain such plugins, a connection to the server of the corresponding provider can be established automatically. In this case, certain Data (such as, for instance, the time of visiting the Service, browser type, IP address) are collected and stored by the provider. If You have a user account at one of these providers, that provider can assign this information to Your profile. If You additionally interact with these plugins (e.g., by clicking on the «Like» button or by making a comment), this information is also transmitted to this provider, stored there, and possibly published. When using a social login service (e.g., Facebook Connect), the provider can transmit Personal Data to Us, such as name, e-mail address, and profile picture, which are stored at that provider about You.
In addition, We integrate services from third parties into Our Services, which make it possible for You to interact with customers and other Users of cityo as well as third parties (as, for example, making a reservation using a booking service or providing evaluations and comments). Any provided Data will be forwarded to these third parties for processing and performance of the corresponding service or directly processed by them.
Each data subject has a right to access his or her Personal Data. In addition, he or she has the right to require Us to correct, delete and limit Personal Data relating to him or her and to object to such processing of Personal Data. Exercise of such rights generally presumes that the data subject can unequivocally prove his or her identity. If the processing of personal data is based on consent, the data subject is entitled to revoke his or her consent at any time. In states of the EU or the EEA, the data subject has the right in certain cases to receive the Data generated during the use of online services in a structured, commonly used and machine-readable format that permits further use and transmission. Any requests in connection with these rights shall be addressed to the Data Protection Office (see clause 2 above). We reserve the right to restrict the rights of the data subject within the limits laid down by the law from time to time in force, for instance, to only provide limited information or to refrain from deleting Data. In addition, please note that deletion of Your Personal Data may mean that Services may no longer be available or cannot be used in whole or in part.
If We automatically make a decision affecting an individual that has legal effects vis-à-vis the data subject or considerably impairs this person in a similar way, the data subject can speak with a responsible person at Our offices and demand recon- sideration of the decision from that person, or demand an evaluation by a person from the start, insofar as applicable law permits such an action. In this case, the data subject may in some circumstances no longer be able to use certain automated services. The person will be informed of such decisions separately.
Each data subject has the right to make a complaint to the responsible data protection authority. If the data controller is based in Switzerland, the relevant authority is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).