Data Privacy Statement
The protection and security of your personal data is a top priority for SwissSign Group Ltd. and its subsidiaries (collectively “SwissSign”, “we” or “us”). You can expect us to handle your data prudently and carefully and to ensure a high level of data security.
We collect and use your personal data exclusively in accordance with the applicable legal provisions, in particular the Swiss Data Protection Act (DPA) and, where applicable, the European General Data Protection Regulation (GDPR).
This Data Privacy Statement informs you about the personal data we process regarding you, the purposes for which we need this data and the rights you have concerning the processing of your personal data. The Data Privacy Statement applies to the following websites: www.swisssign-group.com, www.swissign.com, www.swisssign.net and www.swissid.ch (collectively “websites”).
1 Name and contact details of the controllers
The entity responsible for the data processing on the websites www.swisssign-group.com and www.swissid.ch is:
SwissSign Group Ltd.
Tel: + 41 848 77 66 55
The entity responsible for data processing on the websites www.swisssign.com and www.swisssign.net is:
Tel: + 41 848 77 66 55
If you have any questions about data protection, please contact email@example.com.
2 Scope of data collection and processing
When we use the term “personal data” in our Data Privacy Statement, we mean all information relating to an identified or identifiable person. This includes e.g. your name, address, telephone number, email address or an IP address assigned to you by your internet provider. The use of our websites is generally possible without providing any personal data. Where personal data is collected on our websites, this is always done on a voluntary basis wherever possible.
2.1 Log data
When you visit our websites, our web servers temporarily store every access in something known as a server log file. The following technical data is collected in the process, as is normally the case with every connection to a web server, without any action on your part, and it is stored by us for 14 months until it is automatically erased:
• IP address of the requesting computer
• Date and time of the access/request
• Website from which the access occurred
• Name and URL of the data requested
• Operating system of your computer
• Browser used by you (type, version and language)
• Name of your internet access provider
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status / HTTP status code
• Last website visited
• Browser settings
• Language and version of your browser software
• Device type (desktop, tablet, mobile)
This data is processed for the purpose of enabling the use of our websites (connection set-up), ensuring system security and stability on a permanent basis, optimising our offerings and services, as well as for internal statistical purposes. This data will not be passed on to third parties or used otherwise. No personal user profile is created.
You have the option to subscribe to our newsletter on our websites. This newsletter provides you with information about us and our offers.
If you wish to subscribe to our newsletter, the information marked with a * (self-declared) is mandatory.
The personal data collected in this context will be used exclusively to send you our newsletter within the scope of your consent and will not be passed on to unauthorised third parties.
You always have the option to cancel your subscription to the newsletter and revoke the consent you provided. To do this, click on the relevant button (link) in the newsletter sent to you. You will find this link to unsubscribe at the beginning and end of each newsletter you receive from us. Alternatively, you may send your revocation to firstname.lastname@example.org.
Your personal data will be deleted as soon as you unsubscribe from our newsletter. The foregoing shall be without prejudice to statutory retention periods.
2.3 Contacting us
On our websites you will find ways to contact us and to send us an enquiry. In this case, we will process the information provided by you for the conversation with you or for the purpose of processing and dealing with your enquiry.
If you wish to contact us using the contact form, the information marked with an * (self-declared) is mandatory.
The personal data collected in this context is used exclusively to answer your questions or to provide the services requested by you.
You may object to this data processing at any time. Please send your objection to email@example.com. In such a case, your enquiry will not be processed further.
Your personal data will be erased as soon as your enquiry has been completed. This is the case if the circumstances indicate that the relevant facts have been conclusively clarified and deletion is not precluded by any statutory retention obligations.
If you apply for a position with us, the data provided by you as part of the application procedure will be processed to verify whether we wish to establish and conduct an employment relationship with you. The processing may also be carried out electronically. If you apply via an online form, you will be forwarded to the website of our partner digitalent ag, of Baden/Aargau. Your data may only be viewed by selected SwissSign employees who are in charge of evaluating your application file.
When applying via an online form, the information marked with an * (self-declared) is absolutely necessary in order to attribute the application to you and to be able to contact you regarding your application and to check your application's prospects of success.
This data is stored, evaluated, processed or internally transmitted only in the context of your application. In addition, your data may be processed for statistical purposes (e.g. reporting). In this case, no conclusions can be drawn regarding individual persons.
If you are hired, the transmitted data will be stored for processing the employment relationship in accordance with the relevant statutory provisions. Otherwise, if the application process ends without you being hired, your data will normally be processed only until the time of the hiring decision. After that, the data will be deleted. Your data will only be stored in an applicant pool if you expressly give us your consent.
To protect entry forms on our websites, we use the reCAPTCHA feature of Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA or, if you are a habitual resident of the European Economic Area (EEA) or Switzerland, Google Ireland Limited, of Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
This feature primarily serves to distinguish whether an entry is made by a natural person or whether it is made improperly by machine and automated processing. The service also includes sending Google the IP address and any further data required by Google for the reCAPTCHA service.
2.5 SwissSign shop
If you wish to purchase certificates in our online shop at www.swisssign.com or swisssign.net, you must provide your personal information (first and last name, address, country, telephone number and, if applicable, payment data) that we need in order to process your order. The mandatory information required for the execution of the contracts is marked separately; additional information is voluntary. We process the data provided by you exclusively for the purpose of processing your order. Depending on the payment method chosen (invoice, credit card, etc.), the data required for processing the payment will be forwarded to the relevant payment providers.
In the event of an order, we may also use the data provided by you to send you emails containing information about the products or services purchased by you (e.g. information about product updates or other support information).
If you select "credit card" as your payment method during order processing, payment is made via the online payment system of the relevant credit card company (Mastercard, Visa, PostFinance Card, PostFinance e-finance, etc.). In this case, personal and payment data is processed directly through the corresponding credit card company. The data protection provisions of the relevant credit card company shall also apply in each case.
To comply with legal requirements, we are required to retain all certificate holder data, documentation and audit information for a minimum period of 11 years after termination of a certificate.
In order to prevent unauthorised third-party access to your personal data, in particular financial data, the transfer of your data to us is encrypted.
2.6 SwissID account
If you wish to use the features of the SwissID, you must create a SwissID account online and complete the registration process. The personal data entered for this purpose is stored for the use of our products and services. This includes platform-based communication with you (e.g. emails containing information about product updates or other support information).
The features of the SwissID are described in detail on the website www.swissid.ch.
Registration for a SwissID account takes place using your personal data, either via the website www.swissid.ch or the SwissID app. To do this, you need access to your email account and, where applicable, your mobile phone in order to use two-factor authentication. When you open a SwissID account, you will receive password-protected direct access to your personal data stored with us.
When you create a SwissID account, the information marked with an * (self-declared) is mandatory, and you must agree to our GTC.
Once you have confirmed your e-mail address, you are registered and your user account is set up. After registration, you can log into your SwissID account via the website www.swissid.ch or the SwissID app and manage your details, links to online services and released data or set up new features.
You also have the option of depositing a verified identity in your SwissID account. You can carry out this verification either with the SwissID app or via the identification points shown in our list. More information can be found here: https://www.swissid.ch/en/privatkunden/identitaetspruefung.html.
If you wish to have your identity verified via the SwissID app (“Identity verification”), apicture of your identity document and a video selfie will be sent in encrypted form to our Swiss partner PXL Vision AG, Mühlebachstrasse 164, 8008 Zurich. PXL Vision processes data only on behalf of SwissSign for the sole purpose of verifying your identity and improving the software. However, you must explicitly consent to this in advance.
If you wish to set up a SwissID with a higher level of security, the photo of your identity document and the video selfie will be compared with the NFC certificate in your identity document and verified in that way. SwissSign will store the results of this verification together with your identity data until such time as you delete your SwissID account. If a digital signature certificate is created with these identity data, SwissSign will have a legal duty to store them for 11 years from the date the certificate becomes invalid (see 2.9 SwissID Sign).
2.7 Data transfer to online service providers
The SwissID enables authentication for online services and the transmission of your attributes to online services (e.g. first name, last name). The attributes approved for release are transferred to the online service provider only upon successful authentication and with your express consent. The attributes to be transferred in the specific case will be indicated to you prior to the transfer, whereupon you may give or refuse your express consent to the transfer. In addition, you have the option of approving the transmission of data for a particular online service until such time as you revoke your consent.
The identity data collected for SwissID (whether self-declared or verified) is processed only for the purpose of identification and authentication vis-à-vis online service providers as part of online transactions. No further data processing, in particular the personalised analysis of transaction data, e.g. for marketing purposes and/or the disclosure of personal data to third parties, takes place. We reserve the right to conduct statistical analyses of anonymised data sets.
2.8 SwissID App
The SwissSign Group operates an app for iOS and Google Play. The SwissID App can be downloaded free of charge from the app stores of both providers. When downloading the app, the necessary information is sent to the relevant app store. The data protection provisions of both app stores apply. They can be accessed at: https://www.apple.com/legal/privacy/en-ww/ and https://policies.google.com/privacy.
For more information and tips on how to use the SwissID App, please visit: https://www.swissid.ch/en/privatkunden/app.html.
2.9 SwissID Sign
With SwissID Sign, SwissSign provides a platform through which authorised SwissID holders can sign documents in a legally valid manner. SwissSign only collects, stores and processes the data needed to use the signature service. To create the digital signature certificate and to preserve traceability, SwissSign collects and stores the following specific data from you:
- Copy of the identity document you have furnished (passport, identity card) including the attributes contained in that document.
- Personally used means of authentication (SwissID)
- Information supplied by you in the signing room (surname, first name, e-mail address of recipients)
- Log files recording any signature processes
- Any data on revocation of the certificate
Documents uploaded to the web client are stored for the signature request for a maximum of 30 days. Signed documents are stored by default for 30 days from the time of signature. After this period, only the log file of the signature is visible to the SwissID holder, but the document is irrevocably erased. SwissSign does not provide any archiving of uploaded documents.
In order to comply with legal requirements, we are obliged to retain all holder data, documentation and audit information on the signature certificate for a period of 11 years from the date of invalidity of a certificate.
Most of the cookies we use are session cookies. These are deleted automatically when you log out or close your browser. Other cookies remain stored on your end device beyond the respective use, until such time as you delete them. We also use analysis cookies. These are utilised to analyse your web-surfing behaviour. The collected data is employed exclusively to optimise the performance and design of our websites. These cookies are third-party cookies (e.g. Google Analytics). However, the data is collected in anonymised form and utilised exclusively by us. The information stored in the cookies is not used to identify you and is not combined with other personal information about you.
Most internet browsers are normally configured to accept cookies. If you do not want cookies, you can configure your browser so that it informs you about the setting of cookies and allows you to accept them on a case-by-case basis or generally prevents you from accepting them. You can also activate the automatic deletion of cookies when the browser is closed. In addition, you can always delete cookies that have already been set via an internet browser or other software programs.
4 Google Analytics
For purposes of designing and continuously optimising websites and apps that are appropriate to your needs, we use Google Analytics, a web analysis service of Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA or, if you are a habitual resident of the European Economic Area (EEA) or Switzerland, Google Ireland Limited, of Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google uses this information to analyse the use of our websites, compile reports on website activity and provide additional services related to website and internet usage. Google, according to its own information, will not under any circumstances merge your IP address with other data held by it.
We use Google Analytics only with activated IP anonymization. This means that your IP address is abbreviated by Google within Switzerland or the EU/EEA, as applicable.
You can prevent cookies from being stored by configuring your browser software accordingly. Please note, however, if you do this, you may not be able to use all of the features of our websites to the fullest extent. You can also prevent data collection and processing by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Your personal data is automatically erased after 14 months.
5 Google Ads
As part of our marketing activities, we use Google Ads, a service provided by Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or, if you are a habitual resident of the European Economic Area (EEA) or Switzerland, Google Ireland Limited, of Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google Ads sets a cookie (known as a “conversion cookie”) on your end device, provided that you reach our websites through a Google advert. These cookies cease to be valid after 30 days, do not contain any personal data and are therefore not intended for personal identification. If you visit certain pages on our websites and the cookie has not yet expired, Google and we may detect that you have clicked on the ad and have been forwarded to our websites. Each Google Ads client receives a different cookie. Thus, cookies cannot be traced through advertisers' websites. The information obtained by means of the conversion cookie is utilised by Google to compile visitor statistics for our websites. These statistics show the total number of users who clicked on our advert and which of our websites were subsequently visited by the respective user. However, we receive no information through which you can be personally identified.
The information collected by the cookie regarding your use of our websites is normally transferred to and stored on one of Google’s servers in the USA or Ireland. Based on the information collected, categories that relate to your interests are assigned to your browser. These categories are used to post advertising that relates to your interests.
By using Google Ads, we reach users who have already visited our websites. This enables us to present our advertising to target groups who are already interested in our products or services.
You can generally prevent cookies from being stored by deactivating the storage of cookies in your browser. You may also object to interest-based advertising by Google Ads by adjusting the appropriate settings at: https://adssettings.google.com.
Further information on data processing and tips regarding data protection in relation to Google Ads can be found at: https://policies.google.com/technologies/ads?hl=en.
6 Google Tag Manager
We use Google Tag Manager, a service provided by Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA or, if you are a habitual resident of the European Economic Area (EEA) or Switzerland, Google Ireland Limited, of Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
This service enables us to manage our website tags. Google Tag Manager itself, which implements the tags, is a cookie-free domain and does not collect any personal data. The tool, however, ensures that other tags are triggered, which in turn may collect data. On the other hand, Google Tag Manager itself does not access this data. If deactivation occurs at the domain or cookie level, it will remain valid for all tracking tags implemented with Google Tag Manager.
You can generally object to Google’s interest-based advertising. To do so, use your browser to access this link: https://adssettings.google.de and make the desired settings there.
7 Google Firebase Analytics
To continuously improve the SwissID App as well as the SwissID Web App and adapt it to the needs of our users, we utilise Google Firebase Analytics, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or if you have your habitual residence in the European Economic Area (EEA) or Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
This service makes it possible to analyse the use of our app as well as the Web App (for example, session duration, device model, operating system, region and app updates). IP addresses are only stored in anonymous form.
Firebase Analytics uses an advertising ID. However, you can restrict this use in the device settings of your mobile device.
For Android: Settings > Google > Ads > Reset advertising ID
For iOS: Settings > Privacy > Advertising > No ad tracking
You can prevent the storage of cookies by setting your browser software accordingly. However, we would like to point out that in that case, you may not be able to use all the features of our websites to their full extent. You can also prevent data collection and processing by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
8 LinkedIn Insight Tag
In connection with our marketing activities, we use the LinkedIn Insight Tag, a service of LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA, 94085, USA, or if you are ordinarily resident in the European Economic Area (EEA) or Switzerland, LinkedIn Ireland Unlimited Company, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland (“LinkedIn”).
This service enables us to carry out a statistical analysis of the use of our website and of our marketing campaigns. For this purpose, a so-called conversion cookie is stored on your end device. The IP addresses are truncated or hashed (when used for reaching members across devices). Members’ direct identifiers are removed within seven days in order to make the data pseudonymous. This remaining pseudonymised data is then deleted within 90 days. We do not receive any personal data from LinkedIn, but only receive reports and messages (which do not identify you) about the website audience and the ad performance.
Please note that the data may be stored and processed by LinkedIn so that a connection to the relevant LinkedIn user profile can be made and that LinkedIn is able to use the data for its own advertising purposes.
https://www.linkedin.com/help/linkedin/answer/62931?lang=en; Chapter “Manage your LinkedIn Ads settings.”
To send out our newsletter, we use the services of mailXpert GmbH, of Schulstrasse 37, 8050 Zurich, Switzerland (“mailXpert”). mailXpert is a service that enables us to arrange and analysis the distribution of our newsletter. The data entered by you for the purpose of receiving the newsletter (e.g. email address) is transferred to and stored on the servers of mailXpert in Switzerland.
We may use web beacons or tracking pixels for analysing email transmission. In this way it is possible to determine whether a newsletter message has been opened and which links have been clicked on, if applicable. Technical information is also collected (e.g. time of retrieval, IP address, browser type and operating system). This information is anonymous and cannot be attributed to the respective newsletter recipient. They are used exclusively for statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the recipients' interests.
If you wish to object to the data analysis for statistical evaluation purposes, you must unsubscribe from the newsletter.
The personal data you have stored with us for the purpose of subscribing to the newsletter is stored by us until you unsubscribe from the newsletter and is deleted both from our servers and from mailXpert’s servers after you unsubscribe from the newsletter.
You can view the privacy statement of mailXpert here: https://www.mailxpert.ch/datenschutz.html.
10 Address verification
To capture correct and complete addresses in conjunction with the SwissID, we use Swiss Post’s address verification system. In the process, the address details provided when a SwissID account is opened are compared to Swiss Post’s database of all letterboxes. In addition, the address details (last name, first name, street, house number, addition, postcode and city/town) are sent to Post CH Ltd, Competence Centre Addresses, Sternmatt 6, PO Box, 6010 Kriens.
You must consent to this data transmission and the comparison with Swiss Post‘s address database in advance.
You can consult Swiss Post’s data protection statement here: https://www.post.ch/en/pages/footer/data-protection-and-disclaimer.
11 Disclosure of personal data
We generally treat your personal data confidentially and only disclose it if you have expressly consented to this, we are legally obligated or entitled to do so or this is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship. Nevertheless, the legal provisions on the disclosure of personal data to third parties are of course observed.
To the extent that we engage third parties to provide our services, we take the appropriate legal, technical, and organisational measures to ensure the protection of your personal data in accordance with the relevant statutory provisions.
If the level of data protection in a country in which the data is processed does not comply with the applicable data protection provisions, we take steps to ensure that the protection of your personal data corresponds to that prevailing in Switzerland or the European Economic Area (EEA), as applicable, at all times. These steps primarily include concluding standard data protection clauses of the EU Commission with the relevant companies and/or ensuring the existence of other guarantees consistent with the applicable legislation.
12 Retention period
Unless expressly stated in this Data Privacy Statement, we process and store your personal data only as long as necessary for the performance of our contractual and statutory obligations or otherwise for the purposes for which they are processed and, in addition, in accordance with the statutory retention periods. As soon as your personal data is no longer necessary for the above-mentioned purposes or a prescribed retention period expires, your personal data will normally be erased or blocked insofar as possible.
13 Data security
We have put in place technical, contractual and organisational security measures to protect your personal data stored with us against manipulation, loss, destruction or access by unauthorized persons. This includes, inter alia, the use of generally accepted encryption procedures (e.g. encryption with SSL/TLS). Our security measures will be adjusted and enhanced in line with technological progress.
We also take our own internal data protection very seriously. We obligate our employees and the service providers engaged by us to observe confidentiality and to comply with the provisions of data protection legislation. In addition, access to your personal data is only granted to them insofar as necessary.
14 Links to other sites
Our websites may contain links to other websites that are not operated by us or covered by this Data Privacy Statement. Whether or not the operators of these websites comply with the applicable data protection legislation is beyond our control. Therefore, we assume no responsibility for the correctness, currentness or completeness of the information provided there.
15 Your rights
With regard to your personal data, you have the following rights vis-à-vis us under the data protection law applicable to you:
15.1 Right of access
You have the right to request information from us as to whether we are processing personal data concerning you and, if so, the specific data in question. You can find the best way to do this on the website of the Federal Data Protection and Information Commissioner (FDPIC) at: https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/dokumentation/musterbriefe/allgemeine-auskunfts---loeschungs--und-berichtigungsbegehren.html.
15.2 Right to rectification
You have the right to request the rectification of your inaccurate personal data and, if applicable, the completion of incomplete personal data in our systems (see link in para. 15.1).
15.3 Right to erasure
You have the right to request that your personal data be erased, for example if the data is no longer necessary for the purposes for which it was collected (see link in para. 15.1). However, if we are obligated or entitled to retain your personal data based on legal or contractual obligations, we may restrict or block your personal data only to the extent necessary.
15.4 Right to restriction of processing
In accordance with the applicable legal requirements, you have the right to request us to restrict the processing of your personal data.
15.5 Right to object
You have the right to object at any time to the processing of your personal data in accordance with the applicable legal requirements.
15.6 Withdrawal of consent
You have the right to withdraw your consent to the processing of your personal data at any time, generally with prospective effect. Withdrawal of consent does not affect the lawfulness of processing performed based on the consent before its withdrawal. Such withdrawal means that you may not be able to continue using our services in whole or in part.
15.7 Right to lodge a complaint
If applicable, you also have the right to enforce your rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the FDPIC (http://www.edoeb.admin.ch/edoeb/en/home.html).
Please note that these rights are subject to exceptions and restrictions. In particular, we may need to continue to process and store your personal data in order to perform a contract with you, to comply with legal obligations, or to safeguard our own legitimate interests. To the extent legally permissible, we may therefore also reject your data protection-related enquiries or grant them only in part.
For questions relating to the data protection, we practice and for information concerning your rights and how to assert them, you may contact us using the options appearing in Section 1 of this Data Privacy Statement. If necessary, we reserve the right to request your identification in an appropriate manner in order to process your enquiries.
16 Changes to the Data Privacy Statement
We expressly reserve the right to amend and supplement this Data Privacy Statement at any time. The current version published on our websites shall apply.
Changes compared to the version of 2020
- Added newly introduced applications from third parties