Data Privacy Statement
The protection and security of your personal data is a top priority for SwissSign Group Ltd. and its subsidiaries (collectively “SwissSign”, “we” or “us”). You can expect us to handle your data prudently and carefully and to ensure a high level of data security.
We collect and use your personal data exclusively in accordance with the applicable legal provisions, in particular the Swiss Data Protection Act (DPA) and, where applicable, the European General Data Protection Regulation (GDPR).
This Data Privacy Statement informs you about the personal data we process regarding you, the purposes for which we need this data and the rights you have concerning the processing of your personal data. The Data Privacy Statement applies to the following websites: www.swisssign-group.com, www.swissign.com, swisssign.net and www.swissid.ch (collectively “websites”).
1. Name and contact details of the controllers
The entity responsible for the data processing on the websites www.swisssign-group.com and www.swissid.ch is:
SwissSign Group Ltd.
Tel: + 41 848 77 66 55
The entity responsible for data processing on the website www.swisssign.com and swisssign.net is:
Tel: + 41 848 77 66 55
If you have any questions about data protection, please contact firstname.lastname@example.org.
2. Scope of data collection and processing
When we use the term “personal data” in our Data Privacy Statement, we mean all information relating to an identified or identifiable person. This includes e.g. your name, address, telephone number, email address or an IP address assigned to you by your internet provider. The use of our websites is generally possible without providing any personal data. Where personal data is collected on our websites, this is always done on a voluntary basis wherever possible.
2.1 Log data
When you visit our websites, our web servers temporarily store every access in something known as a server log file. The following technical data is collected in the process, as is normally the case with every connection to a web server, without any action on your part, and it is stored by us for 14 months until it is automatically erased:
- IP address of the requesting computer
- Date and time of the access/request
- Website from which the access occurred
- Name and URL of the data requested
- Operating system of your computer
- Browser used by you (type, version and language)
- Name of your internet access provider
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status / HTTP status code
- Last website visited
- Browser settings
- Language and version of your browser software
- Device type (desktop, tablet, mobile)
This data is processed for the purpose of enabling the use of our websites (connection set-up), ensuring system security and stability on a permanent basis, optimising our offerings and services, as well as for internal statistical purposes and thus based on our legitimate interests. This data will not be passed on to third parties or used otherwise. No personal user profile is created.
You have the option to subscribe to our newsletter on our websites. This newsletter provides you with information about us and our offers.
If you wish to subscribe to our newsletter, the information marked with a * (self-declared) is mandatory.
The personal data collected in this context will be used exclusively to send you our newsletter within the scope of your consent and will not be passed on to unauthorised third parties.
You always have the option to cancel your subscription to the newsletter and revoke the consent you provided. To do this, click on the relevant button (link) in the newsletter sent to you. You will find this link to unsubscribe at the beginning and end of each newsletter you receive from us. Alternatively, you may send your revocation to email@example.com.
Your personal data will be deleted as soon as you unsubscribe from our newsletter. The foregoing shall be without prejudice to statutory retention periods.
2.3 Contacting us
On our websites you will find ways to contact us and to send us an enquiry. In this case, we will process the information provided by you for the conversation with you or for the purpose of processing and dealing with your enquiry.
If you wish to contact us using the contact form, the information marked with a * (self-declared) is mandatory.
The personal data collected in this context is used exclusively to answer your questions or to provide the services requested by you. We have a legitimate interest in processing your contact enquiries.
You may object to this data processing at any time. Please send your objection to firstname.lastname@example.org. In such a case, your enquiry will not be processed further.
Your personal data will be erased as soon as your enquiry has been completed. This is the case if the circumstances indicate that the relevant facts have been conclusively clarified and deletion is not precluded by any statutory retention obligations.
If you apply for a position with us, the data provided by you as part of the application procedure will be processed to verify whether we wish to establish and conduct an employment relationship with you. The processing may also be carried out electronically. If you apply via an online form, you will be forwarded to the website of our partner digitalent ag, of Baden/Aargau. Your data may only be viewed by selected SwissSign employees who are in charge of evaluating your application file.
When applying via an online form, the information marked with an * (self-declared) is absolutely necessary in order to attribute the application to you and to be able to contact you regarding your application and to check your application's prospects of success.
This data is stored, evaluated, processed or internally transmitted only in the context of your application. In addition, your data may be processed for statistical purposes (e.g. reporting). In this case, no conclusions can be drawn regarding individual persons.
The basis for the processing of the application data is our legitimate interest in conducting the application procedure.
If you are hired, the transmitted data will be stored for processing the employment relationship in accordance with the relevant statutory provisions. Otherwise, if the application process ends without you being hired, your data will normally be processed only until the time of the hiring decision. After that, the data will be deleted. Your data will only be stored in an applicant pool if you expressly give us your consent.
To protect entry forms on our websites, we use the reCAPTCHA feature of Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA or, if you are a habitual resident of the European Economic Area (EEA) or Switzerland, Google Ireland Limited, of Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
This feature primarily serves to distinguish whether an entry is made by a natural person or whether it is made improperly by machine and automated processing. The service also includes sending Google the IP address and any further data required by Google for the reCAPTCHA service.
2.5 SwissSign shop
If you wish to purchase certificates in our online shop at www.swisssign.com or swisssign.net, you must provide your personal information (first and last name, address, country, telephone number and, if applicable, payment data) that we need in order to process your order. The mandatory information required for the execution of the contracts is marked separately; additional information is voluntary. We process the data provided by you exclusively for the purpose of processing your order. Depending on the payment method chosen (invoice, credit card, etc.), the data required for processing the payment will be forwarded to the relevant payment providers.
In the event of an order, we may also use the data provided by you to send you emails containing information about the products or services purchased by you (e.g. information about product updates or other support information).
If you select "credit card" as your payment method during order processing, payment is made via the online payment system of the relevant credit card company (Mastercard, Visa, PostFinance Card, PostFinance e-finance, etc.). In this case, personal and payment data is processed directly through the corresponding credit card company. The data protection provisions of the relevant credit card company shall also apply in each case.
To comply with legal requirements, we are required to retain all certificate holder data, documentation and audit information for a minimum period of 11 years after termination of a certificate.
In order to prevent unauthorised third-party access to your personal data, in particular financial data, the transfer of your data to us is encrypted.
2.6 SwissID account
If you wish to use the features of the SwissID, you must create a SwissID account online and complete the registration process. The personal data entered for this purpose is stored for the use of our products and services. This includes platform-based communication with you (e.g. emails containing information about product updates or other support information).
The features of the SwissID are described in detail on the website www.swissid.ch.
Registration for a SwissID account takes place using your personal data, either via the website www.swissid.ch or the SwissID app. To do this, you need access to your email account and, where applicable, your mobile phone in order to use two-factor authentication. When you open a SwissID account, you will receive password-protected direct access to your personal data stored with us.
When you create a SwissID account, the information marked with a * (self-declared) is mandatory, and you must agree to our GTC.
Once you have confirmed your e-mail address, you are registered and your user account is set up. After registration, you can log into your SwissID account via the website www.swissid.ch or the SwissID app and manage your details, links to online services and released data or set up new features.
You also have the option of depositing a verified identity in your SwissID account. You can carry out this verification either with the SwissID app, via selected municipal and city administrations or by acquiring a “SuisseID”. More information can be found here: https://www.swissid.ch/en/faq.html#verified-identity.
If you wish to have your identity verified via the SwissID app, an encrypted picture of your identity document is sent to our Swiss partner PXL Vision AG, of Zurich, to verify its authenticity. In order to do this, you must give your explicit consent in advance. Once the verification has been completed, this data is deleted.
2.7 Data transfer to online service providers
The SwissID enables authentication for online services and the transmission of your attributes to online services (e.g. first name, last name). The attributes approved for release are transferred to the online service provider only upon successful authentication and with your express consent. The attributes to be transferred in the specific case will be indicated to you prior to the transfer, whereupon you may give or refuse your express consent to the transfer. In addition, you have the option of approving the transmission of data for a particular online service until such time as you revoke your consent.
The identity data collected for SwissID (whether self-declared or verified) is processed only for the purpose of identification and authentication vis-à-vis online service providers as part of online transactions. No further data processing, in particular the personalised analysis of transaction data, e.g. for marketing purposes and/or the disclosure of personal data to third parties, takes place. We reserve the right to conduct statistical analyses of anonymised data sets.
2.8 SwissID App
The SwissSign Group operates an app for iOS and Google Play. The SwissID App can be downloaded free of charge from the app stores of both providers. When downloading the app, the necessary information is sent to the relevant app store. The data protection provisions of both app stores apply. They can be accessed at: https://www.apple.com/legal/privacy/en-ww/ and https://policies.google.com/privacy.
For more information and tips on how to use the SwissID App, please visit: https://www.swissid.ch/en/app.html.
Most of the cookies we use are session cookies. These are deleted automatically when you log out or close your browser. Other cookies remain stored on your end device beyond the respective use, until such time as you delete them. We also use analysis cookies. These are utilised to analyse your web-surfing behaviour. The collected data is employed exclusively to optimise the performance and design of our websites. These cookies are third-party cookies (e.g. Google Analytics). However, the data is collected in anonymised form and utilised exclusively by us. The information stored in the cookies is not used to identify you and is not combined with other personal information about you.
Most internet browsers are normally configured to accept cookies. If you do not want cookies, you can configure your browser so that it informs you about the setting of cookies and only allows you to accept them on a case-by-case basis or generally prevents you from accepting them. You can also activate the automatic deletion of cookies when the browser is closed. In addition, you can always delete cookies that have already been set via an internet browser or other software programs.
4. Google Analytics
For purposes of designing and continuously optimising websites and apps that are appropriate to your needs, we use Google Analytics, a web analysis service of Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA or, if you are a habitual resident of the European Economic Area (EEA) or Switzerland, Google Ireland Limited, of Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google uses this information to analyse the use of our websites, compile reports on website activity and provide additional services related to website and internet usage. Google, according to its own information, will not under any circumstances merge your IP address with other data held by it.
We use Google Analytics only with activated IP anonymization. This means that your IP address is abbreviated by Google within Switzerland or the EU/EEA, as applicable.
You can prevent cookies from being stored by configuring your browser software accordingly. Please note, however, that if you do this, you may not be able to use all of the features of our websites to the fullest extent. You can also prevent data collection and processing by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Your personal data is automatically erased after 14 months.
5. Google Ads
As part of our marketing activities, we use Google Ads, a service provided by Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or, if you are a habitual resident of the European Economic Area (EEA) or Switzerland, Google Ireland Limited, of Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google Ads sets a cookie (known as a “conversion cookie”) on your end device, provided that you reach our websites through a Google advert. These cookies cease to be valid after 30 days, do not contain any personal data and are therefore not intended for personal identification. If you visit certain websites on our websites and the cookie has not yet expired, Google and we may detect that you have clicked on the ad and have been forwarded to our websites. Each Google Ads client receives a different cookie. Thus, cookies cannot be traced through advertisers' websites. The information obtained by means of the conversion cookie is utilised by Google to compile visitor statistics for our websites. These statistics show the total number of users who clicked on our advert and which of our websites were subsequently visited by the respective user. However, we receive no information through which you can be personally identified.
The information collected by the cookie regarding your use of our websites is normally transferred to and stored on one of Google’s servers in the USA or Ireland. Based on the information collected, categories that relate to your interests are assigned to your browser. These categories are used to post advertising that relates to your interests.
By using Google Ads, we reach users who have already visited our websites. This enables us to present our advertising to target groups who are already interested in our products or services.
You can generally prevent cookies from being stored by deactivating the storage of cookies in your browser. You may also object to interest-based advertising by Google Ads by adjusting the appropriate settings at: https://adssettings.google.us
Further information on data processing and tips regarding data protection in relation to Google Ads can be found at: https://policies.google.com/technologies/ads?hl=en.
6. Google Tag Manager
We use Google Tag Manager, a service provided by Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA or, if you are a habitual resident of the European Economic Area (EEA) or Switzerland, Google Ireland Limited, of Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
This service enables us to manage our website tags. Google Tag Manager itself, which implements the tags, is a cookie-free domain and does not collect any personal data. The tool, however, ensures that other tags are triggered, which in turn may collect data. On the other hand, Google Tag Manager itself does not access this data. If deactivation occurs at the domain or cookie level, it will remain valid for all tracking tags implemented with Google Tag Manager.
You can generally object to Google’s interest-based advertising. To do so, use your browser to access this link: and make the desired settings there.
To send out our newsletter, we use the services of mailXpert GmbH, of Schulstrasse 37, 8050 Zurich, Switzerland (“mailXpert”). mailXpert is a service that enables us to arrange and analysis the distribution of our newsletter. The data entered by you for the purpose of receiving the newsletter (e.g. email address) is transferred to and stored on the servers of mailXpert in Switzerland.
We may use web beacons or tracking pixels for analysing email transmission. In this way it is possible to determine whether a newsletter message has been opened and which links have been clicked on, if applicable. Technical information is also collected (e.g. time of retrieval, IP address, browser type and operating system). This information is anonymous and cannot be attributed to the respective newsletter recipient. They are used exclusively for statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the recipients' interests.
If you wish to object to the data analysis for statistical evaluation purposes, you must unsubscribe from the newsletter.
The personal data you have stored with us for the purpose of subscribing to the newsletter is stored by us until you unsubscribe from the newsletter and is deleted both from our servers and from mailXpert’s servers after you unsubscribe from the newsletter.
You can view the privacy statement of mailXpert here: https://www.mailxpert.ch/datenschutz.html.
8. Disclosure of personal data
We generally treat your personal data confidentially and only disclose it if you have expressly consented to this, we are legally obligated or entitled to do so or this is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship. Nevertheless, the legal provisions on the disclosure of personal data to third parties are of course observed.
To the extent that we engage third parties to provide our services, we take the appropriate legal, technical, and organisational measures to ensure the protection of your personal data in accordance with the relevant statutory provisions.
If the level of data protection in a country in which the data is processed does not comply with the applicable data protection provisions, we ensure contractually that the protection of your personal data corresponds to that prevailing in Switzerland or the European Economic Area (EEA), as applicable, at all times.
9. Storage period
Unless expressly stated in this Privacy Statement, we process and store your personal data only for as long as necessary for the performance of our contractual and statutory obligations or otherwise for the purposes for which they are processed and, in addition, in accordance with the statutory retention periods. As soon as your personal data is no longer necessary for the above-mentioned purposes or a prescribed retention period expires, your personal data will normally be erased or blocked insofar as possible.
10. Data security
We have put in place technical, contractual and organisational security measures to protect your personal data stored with us against manipulation, loss, destruction or access by unauthorized persons. This includes, inter alia, the use of generally accepted encryption procedures (e.g. encryption with SSL/TLS). Our security measures will be adjusted and enhanced in line with technological progress.
We also take our own internal data protection very seriously. We obligate our employees and the service providers engaged by us to observe confidentiality and to comply with the provisions of data protection legislation. In addition, access to your personal data is only granted to them insofar as necessary.
11. Links to other sites
Our websites may contain links to other websites that are not operated by us or covered by this Data Privacy Statement. Once you have clicked on the link, we no longer have any influence on the processing of any data transferred to third parties (such as e.g. your IP address), as the conduct of third parties is intrinsically beyond our control. For this reason, we cannot assume any liability for such third-party content. The respective provider or operator of the linked sites is always responsible for the content thereof.
The linked pages were checked for possible legal violations and recognizable legal violations when they were linked. No unlawful content was detected at the time of linking. Nevertheless, ongoing content control and review of the linked pages without concrete evidence of a legal violation is unreasonable. Upon becoming aware of violations of the law, such links are immediately removed.
12. Your rights
With regard to your personal data, you have the following rights vis-à-vis us under the data protection law applicable to you:
12.1 Right of access
You have the right to request information from us as to whether we are processing personal data concerning you and, if so, the specific data in question. You can find the best way to do this on the website of the Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/dokumentation/musterbriefe/allgemeine-auskunfts---loeschungs--und-berichtigungsbegehren.html.
12.2 Right to rectification
You have the right to request the rectification of your inaccurate personal data and, if applicable, the completion of incomplete personal data in our systems (see link in para. 12.1).
12.3 Right to erasure
You have the right to request that your personal data be erased, for example if the data is no longer necessary for the purposes for which it was collected (see link in para. 12.1). However, if we are obligated or entitled to retain your personal data based on legal or contractual obligations, we may restrict or block your personal data only to the extent necessary.
12.4 Right to restriction of processing
In accordance with the applicable legal requirements, you have the right to request us to restrict the processing of your personal data.
12.5 Right to object
You have the right to object at any time to the processing of your personal data in accordance with the applicable legal requirements.
12.6 Withdrawal of consent
You have the right to withdraw your consent to the processing of your personal data at any time, generally with prospective effect. Withdrawal of consent does not affect the lawfulness of processing performed based on the consent before its withdrawal. Such withdrawal means that you may not be able to continue using our services in whole or in part.
12.7 Right to lodge a complaint
If applicable, you also have the right to enforce your rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC) (http://www.edoeb.admin.ch/edoeb/en/home.html).
Please note that these rights are subject to exceptions and restrictions. In particular, we may need to continue to process and store your personal data in order to perform a contract with you, to comply with legal obligations, or to safeguard our own legitimate interests. To the extent legally permissible, we may therefore also reject your data protection-related enquiries or grant them only in part.
For questions relating to the data protection we practice and for information concerning your rights and how to assert them, you may contact us using the options appearing in Section 1 of this Privacy Statement. If necessary, we reserve the right to request your identification in an appropriate manner in order to process your enquiries.
13. Changes to the Data Privacy Statement
We expressly reserve the right to amend and supplement this Data Privacy Statement at any time. The current version published on our websites shall apply.
The current version is dated December 2020 and replaces all prior data privacy statements of SwissSign.
Changes compared to the version of 2018
- Group-wide standardisation of the Data Privacy Statement
- Clear differentiation of the scope of data collection for different types of interaction (e.g. job application; newsletter)
- Reference to a dedicated contact point (email address) for data protection matters
- Specification of user rights (including reference to the FDPIC and its templates)
- Adjustments based on the Schrems II judgment
- Specification of the functionality of the cookies used
- Adaptation and specification of the third parties involved