Privacy policy

This privacy policy details what personal data we process, how we process it and for what purposes, especially in connection with our website gfsbern.ch and our other services. Additionally, this privacy policy contains information about the rights of data subjects.

Individual or additional offers and services can be subject to special, supplementary or additional privacy policies as well as other legal documents such as general terms and conditions, terms of use, or terms and conditions of participation.

Our website is subject to Swiss data protection legislation as well as any applicable foreign data protection legislation such as, in particular, the European General Data Protection Regulation (GDPR). The European Commission recognises that Swiss data protection legislation provides an adequate level of data protection.

1. Contact information

Responsibility for the processing of personal data:

gfs.bern ag
Effingerstrasse 14
3011 Bern

We shall make it clear if a different controller is responsible for processing personal data in a specific case.

1.1 Data protection officer

The following data protection officer is our point of contact for data subjects and can be addressed by supervisory authorities on issues related to data protection:

Urs Bieri
Effingerstrasse 14
3011 Bern

1.2 Representative in the European Economic Area (EEA)

Pursuant to Article 27 GDPR, we have the following representative in the European Economic Area (EEA), including the European Union and the Principality of Liechtenstein, Iceland and Norway, who can also be addressed on all issues related to the General Data Protection Regulation (GDPR):

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany

2. Processing of personal data

2.1 Terminology

All information relating to an identified or identifiable person is personal data. A data subject is a person whose personal data are processed. Processing encompasses all handling of personal data regardless of the means and processes used, especially the storage, disclosure, procurement, collection, erasure, modification, destruction and use of personal data.

The European Economic Area (EEA) comprises the European Union as well as the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) defines the processing of personal data.

2.2 Legal grounds

We process personal data in line with Swiss data protection legislation, especially the Federal Data Protection Act (FADP) and the Ordinance to the Swiss Federal Act on Data Protection (VDSG).

To the extent that the General Data Protection Regulation (GDPR) applies, we process personal data on at least one of the following legal grounds:

  • Point (b) of Article 6(1) GDPR serves as the legal grounds if the processing of personal data is necessary for the performance of a contract with the data subject and in order to take steps prior to entering into a contract.
  • Point (f) of Article 6(1) GDPR serves as the legal grounds if the processing of personal data is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. In particular, our legitimate interests are our interest in making our website permanent, user-friendly, secure and reliable and advertising our website where necessary, information security and protection against misuse and unauthorised use, the enforcement of our legal claims and compliance with Swiss law.
  • Point (c) of Article 6(1) GDPR serves as the legal grounds for the processing of personal data where processing is necessary for compliance with a legal obligation to which we are subject in accordance with any applicable law of a member state of the European Economic Area (EEA).
  • Point (e) of Article 6(1) GDPR serves as the legal grounds for the processing of personal data where processing is necessary for the performance of a task carried out in the public interest.
  • When the data subject has provided consent, point (a) of Article 6(1) GDPR serves as the legal grounds for the processing of personal data.
  • Point (d) of Article 6(1) GDPR serves as the legal grounds if it is necessary to process personal data in order to protect the vital interests of the data subject or the vital interests of another natural person.

2.3 Nature, scope and purpose

We process personal data that are necessary to make our website permanent, user-friendly, secure and reliable. Such personal data can be categorised as master and contact data, browser and device data, content data, metadata and usage data, location data, sales data, contractual data and payment data.

We process personal data for the period of time necessary for the purpose(s) in question or as required by statutory law. Personal data shall be anonymised or erased if it is no longer necessary to process them. As a rule, anyone whose data we process is entitled to have the data erased.

As a rule, we only process personal data with the consent of the data subject unless the processing is admissible for other legal reasons, e.g. in order to execute a contract with the data subject and take steps prior to entering into it, so as to protect our legitimate interests, because the processing is evident given the circumstances, or because prior notice has been provided.

In this context, we primarily process the information a data subject sends to us voluntarily and autonomously when he or she contacts us – e.g. by post, e-mail, contact form, social media or phone – or when he or she registers for a user account. For example, we can store such information in an address book or using similar resources. Where you send personal data concerning third parties to us, you are obliged to guarantee data protection for those third parties and ensure that the personal data are accurate.

Additionally, we process personal data we receive from third parties, obtain from publicly accessible sources or collect as part of the provision of our website, if and in so far as such processing is admissible for legal reasons.

Personal data from applications shall only be processed where they are needed to assess suitability for an employment relationship or in order to execute an employment contract later on. The personal data required to carry out an application process are evident from the information requested/provided, e.g. in a job description. Applicants can voluntarily provide additional information with their applications.

2.4 Processing of personal data by third parties, including abroad

We can engage third parties to process personal data, process personal data with third parties or with the help of third parties, or transmit personal data to third parties. In particular, such third parties are providers whose services we use. We guarantee an adequate level of data protection from these third parties too.

As a rule, such third parties are based in Switzerland and the European Economic Area (EEA). However, such third parties can also be situated in other states and territories on Earth or even elsewhere in the universe as long as their data protection legislation is deemed to provide an adequate level of data protection by the Swiss Federal Data Protection and Information Commissioner and – if and in so far as the General Data Protection Regulation (GDPR) applies – the European Commission, or if an adequate level of data protection is guaranteed for other reasons such as a contractual agreement, especially one based on standard contractual clauses, or a certification. In exceptional cases, such a third party can even be based in a country without an adequate level of data protection as long as the data protection requirements such as the express consent of the data subject are met.

3. Rights of the data subject

Data subjects whose personal data we process have the rights provided by Swiss data protection legislation. This includes the right to access information and the right to have the processed personal data rectified, erased, or blocked.

To the extent that the General Data Protection Regulation (GDPR) applies, data subjects whose personal data we process can, free of charge, request confirmation of whether we are processing their personal data and, if so, request information on the processing of their personal data, request the restriction of the processing of their personal data, exercise their right to data portability and have their personal data rectified, erased (“right to be forgotten”), blocked or completed.

To the extent that the GDPR applies, data subjects whose personal data we process can withdraw their consent at any time with future effect and object to the processing of their personal data at any time.

Data subjects whose personal data we process are entitled to lodge a complaint with a supervisory authority. In Switzerland, the supervisory authority for data protection is the Federal Data Protection and Information Commissioner (FDPIC).

4. Data security

We implement reasonable technical and organisational measures in order to ensure data protection and especially data security. However, the processing of personal data on the internet can always have security flaws despite such measures. Therefore, we cannot guarantee absolute data security.

Our website is accessed by means of transport encryption (SSL/TLS, especially Hypertext Transfer Protocol Secure (HTTPS)). Most browsers show a padlock in the address bar to show that transport encryption is active.

As with any use of the internet, accessing our website is subject to non-specific and unbiased mass surveillance and other monitoring by security authorities in Switzerland, the European Union, the USA and other countries. We have no direct influence over the processing of personal data by secret services, police, or other security authorities.

5. Use of the website

5.1 Cookies

We can use cookies for our website. Cookies – first-party cookies used by us and third-party cookies from third parties whose services we use – are data stored in your browser. Such data does not have to be limited to traditional cookies in text form. Cookies cannot run programs or install malware such as Trojan horses or viruses on your computer.

Cookies can be stored temporarily in your browser when you visit our website (i.e. session cookies) or for a specific period of time (persistent cookies). Session cookies are deleted automatically when you close your browser. Persistent cookies are stored for a specific period of time. In particular, these cookies enable us to recognise your browser when you next visit our website and in doing so, for example, measure the coverage of our website. However, persistent cookies can also be used for online marketing, for example.

You can deactivate or erase cookies at any time, either fully or in part, by changing the settings in your browser. Without cookies, you might not be able to make full use of our website. If and in so far as necessary, we shall actively ask for your express consent to the use of cookies.

Numerous services such as the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) and Your Online Choices (European Interactive Digital Advertising Alliance) are available to opt out of all cookies which are used to measure success and coverage statistics or for advertising purposes.

5.2 Server log files

Whenever you visit our website, we can collect the following information if your browser transfers it to our server infrastructure or if our web server is able to collect it: Date and time, including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual pages of our website visited including the volume of data transferred, referrer URL.

We store this information – which can also represent personal data – in server log files. The information is necessary in order for us to make our website permanent, user-friendly and reliable, as well as to ensure data security, especially the protection of personal data – including through third parties or with the help of third parties.

5.3 Tracking pixels

We may use tracking pixels on our website. Tracking pixels are also known as web beacons. Tracking pixels – including those from third parties whose services we use – are small, usually invisible images that are accessed automatically when you visit our website. Tracking pixels can be used to collect the same information as is stored in server log files.

6. Notifications and messages

We send notifications and messages such as newsletters by e-mail and over other communication channels such as instant messaging.

6.1 Success and coverage measurement

Notifications and messages can contain links or tracking pixels that log whether an individual message has been opened and what links were clicked on. Such web links and tracking pixels can even record personal use of notifications and messages. We require these usage statistics to gauge our success and coverage in order to make notifications and messages effective and user-friendly on the basis of the needs and reading habits of their recipients and provide them permanently, securely and reliably.

6.2 Consent and objection

As a rule, you have to expressly consent to the use of your e-mail address and other contact addresses unless they can be used on other legal grounds. Where possible, we use the double opt-in procedure for you to consent to receive e-mails. This means that you will receive an e-mail containing a confirmation link that you need to click on so as to prevent misuse by unauthorised third parties. We can log such declarations of consent, including your IP address and the date and time, for reasons of security and documentation.

You can unsubscribe from notifications and messages such as newsletters at any time. This does not apply to notifications and messages that are strictly necessary for our website. In particular, by unsubscribing, you can object to the collection of statistical usage data for the purposes of measuring success and coverage.

7. Social media

We maintain a presence on social media platforms and other online platforms in order to communicate with potential customers and provide information about our products and services. In this context, personal data can also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions, terms of use, privacy policies and other terms and conditions of each individual operator of such online platforms also apply. In particular, these terms and conditions outline the rights of data subjects, especially their right to access information.

If and in so far as the GDPR applies, we are jointly responsible with Facebook Ireland Limited in Ireland for our social media presence on Facebook, including Page Insights. The Page Insights show how users interact with our Facebook page. We use Page Insights to make our social media presence on Facebook effective and user-friendly.

For more information about the nature, scope and purpose of data processing, information about the rights of data subjects and the contact details of Facebook and the data protection officer of Facebook, see Facebook’s privacy policy. We have concluded the Controller Addendum with Facebook and in doing so agreed that Facebook is responsible for guaranteeing the rights of data subjects. For information about the Page Insights, see Facebook’s “Information about Page Insights” including the “Page Insights Controller Addendum” and “Information about Page Insights data”.

8. Success and coverage measurement

8.1 Google Analytics

We use Google Analytics to analyse how our website is used; in doing so, we are also able to measure the coverage of our website and the success of links to our website on third-party pages. It is a service provided by Google LLC in the USA. Google Ireland Limited in Ireland is responsible for users in the European Economic Area (EEA) and Switzerland.

Google attempts to record individual visitors to our website when they use different browsers or devices (this is known as cross-device tracking). Cookies are also used in this context. Google Analytics requires your IP address, although this is not merged with any other data held by Google.

In any case, we shall have your IP address anonymised before it is analysed by Google. As a result, your complete IP address will not be transmitted to Google in the USA.

We use Google Analytics with Google Signals. Consequently, we receive enhanced statistics relating to visitors to our website who have activated personalised advertisements as logged-in Google users. In spite of these enhanced statistics, we are unable to associate them with individual Google user profiles.

For more information about the nature, scope and purpose of data processing, see Google’s Privacy and Security Principles and Privacy Policy, the Google product privacy guide (including Google Analytics), the information about how Google uses data from sites that use Google services and the information about how Google uses cookies. Additionally, you can use the Google Analytics opt-out browser add-on and deactivate personalised advertisements.

8.2 Google Tag Manager

We use the Google Tag Manager to integrate analytics or advertising services from Google or third parties into our website and manage them. It is a service provided by Google LLC in the USA. Google Ireland Limited in Ireland is responsible for users in the European Economic Area (EEA) and Switzerland. Although no cookies are used in this context, cookies can be used in connection with the related and managed services. This privacy policy shall provide details about the processing of personal data by such services.

8.3 Hotjar

We use Hotjar to analyse how our website is used. Hotjar makes it possible to track the actions of visitors to our website, for instance with regard to movements and clicks with a mouse or another input method. Cookies and other technology are also used to log user behaviour as well as information such as the screen size, anonymised IP address and rough location (country) of the user. Hotjar, a service provided by Hotjar Ltd. in Malta, states that it stores the collected data in a pseudonymised user profile.

Neither we nor Hotjar attribute the data to any individual visitor to our website. The collected data shall not be used to identify individual visitors or merged with other data relating to other individual visitors. For more information about the nature, scope and purpose of the data processing, see “Privacy by design”, “Cookie information” and the privacy policy of Hotjar. You can also object to the collection of data by Hotjar.

9. Third-party services

We use third-party services that are necessary to make our website permanent, user-friendly, secure and reliable. We also use such services to embed content in our website. Such services – e.g. hosting and storage services, video services and payment services – require your IP address as the services would otherwise be unable to transfer their content. Such services can be based outside of Switzerland and the European Economic Area (EEA), provided that an adequate level of data protection is guaranteed.

Third parties whose services we use can process aggregated, anonymised or pseudonymised data in connection with our website as well as from other sources, including cookies, log files and tracking pixels, for their own security, statistical and technical purposes.

9.1 Digital infrastructure

We use third-party services to use the digital infrastructure we need for our website. For example, these services include hosting and storage services from specialised providers.

We use the following in particular:

Cyon: hosting; provider: Cyon GmbH (Switzerland); data protection information: Privacy policy.

9.2 Entertainment

9.2.1 We use SoundCloud to make it possible to play music and podcasts on our website using a SoundCloud widget. SoundCloud is a service provided by SoundCloud Limited in Germany. For information about the nature, scope and purpose of data processing, see the privacy policy and cookie information of SoundCloud.

9.2.2 We use Vimeo in order to embed videos in our website. Cookies are also used in this context. Vimeo is a service provided by Vimeo Inc. in the USA. For more information about the nature, scope, and purpose of data processing, see the FAQs about data protection and the privacy policy of Vimeo.

9.2.3 We use YouTube in order to embed videos in our website. Cookies are also used in this context. YouTube is a service provided by Google LLC in the USA. Google Ireland Limited in Ireland is responsible for users in the European Economic Area (EEA) and Switzerland. For more information about the nature, scope and purpose of data processing, see Google’s Privacy and Security Principles and Privacy Policy, the Google product privacy guide (including YouTube), the information about how Google uses data from sites that use Google services and the information about how Google uses cookies. You can also object to personalised advertisements.

9.3 Fonts

We use Google Fonts in order to embed selected fonts in our website. No cookies are used in this context. This service is provided independently of other Google services by Google LLC in the USA. Google Ireland Limited in Ireland is responsible for users in the European Economic Area (EEA) and Switzerland. For more information about the nature, scope and purpose of data processing, see Google’s Privacy and Security Principles and Privacy Policy.

9.4 Advertising

9.4.1 Facebook ads

We use Facebook ads to advertise our products and services more strategically on Facebook. Facebook ads are provided by Facebook Ireland Ltd. in Ireland or Facebook Inc. in the USA. Cookies are also used for Facebook ads.

In particular, we want to use such advertisements to reach people who are interested in our website or who already use it. For this purpose, we send the relevant information to Facebook, including personal information if necessary (custom audiences including lookalike audiences), by means of the Facebook pixel in particular. Additionally, we are able to determine whether our advertising is successful, i.e. whether it has resulted in visits to our website (this is known as conversion tracking).

For more information about the nature, scope and purpose of data processing, see the privacy policy of Facebook. Additionally, Facebook users can change their privacy settings to control what adverts they see on Facebook and what adverts will be shown to them on Facebook in future.

9.4.2 Google Ads

We use Google Ads (formerly AdWords) to advertise our website strategically in the Google search engine and elsewhere on the internet, such as on other websites, on the basis of search queries. Google Ads is a service provided by Google LLC in the USA. Google Ireland Limited in Ireland is responsible for users in the European Economic Area (EEA) and Switzerland. Google Ads also uses cookies. Google uses various domain names – especially doubleclick.net, googleadservices.com and googlesyndication.com – for Google Ads.

In particular, we want to use such advertisements to reach people who are interested in our website or who already use it. For this purpose, we send the relevant information to Google (remarketing), including personal information. Additionally, we are able to determine whether our advertising is successful, i.e. whether it has resulted in visits to our website (this is known as conversion tracking).

For more information about the nature, scope and purpose of data processing, see Google’s Privacy and Security Principles and Privacy Policy, the information about how Google uses data from sites that use Google services and the information about how Google uses cookies. You can also object to personalised advertisements.

9.4.3 LinkedIn Ads

We use LinkedIn Marketing Solutions to advertise our products and services more strategically on LinkedIn (LinkedIn ads). This service is provided by LinkedIn Ireland Unlimited Company in Ireland or the LinkedIn Corporation in the USA. Cookies are also used in this context.

In particular, we want to use such advertisements to reach people who are interested in our website or who already use it. For this purpose, we send the relevant information to LinkedIn (retargeting), including personal information if necessary, by means of the LinkedIn Insight Tag in particular. Additionally, we are able to determine whether our advertising is successful, i.e. whether it has resulted in visits to our website (this is known as conversion tracking). If you are logged in on LinkedIn as a user, LinkedIn will be able to associate your use of our website with your profile.

For more information about the nature, scope and purpose of data processing, see LinkedIn’s Privacy Policy, Cookie Policy and Privacy Hub. You can also object to personalised advertisements.

10. Final provisions

This privacy policy was generated using the data protection generator from Datenschutzpartner.

We can amend or supplement this privacy policy at any time. We shall give notice of any such amendments or addenda in an appropriate manner, especially by publishing the current version of the privacy policy on our website.
