Privacy Statement (esatus Schweiz AG)
General information
Thank you for your interest in our company and your visit to our website. In this data protection declaration, esatus Schweiz AG (hereinafter "we", "us" or "esatus Schweiz AG") would like to inform you about the type, scope and purpose of the personal data collected, used and processed, and to comply with the obligation of transparency, in particular by clarifying the rights of data subjects.
Personal data is information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly (e.g. by reference to an online identifier). This includes, but is not limited to, information such as the name, address, telephone number and e-mail address or other physical characteristics by which a natural person can be identified. In this privacy statement, we refer to you as "you", "user" or "data subject".
This privacy statement applies to the esatus.com website operated by us, the relevant online presences maintained by us in the social media, as well as all points under section 2.2. esatus Schweiz AG is a wholly owned subsidiary of esatus AG. Data processing is carried out under joint responsibility. Due to the scope of data protection law and the relevant points of contact, reference is made below to the General Data Protection Regulation of the European Union (GDPR). In the event of deviations and the need for additions or relevant Swiss data protection law requirements, reference is made to the Swiss Data Protection Act (DSG).
1. Contact details of the controller and the data protection officer
esatus Switzerland AG
Tribschenstrasse 62a
CH-6005 Lucerne
info@esatus.ch
Phone: +41 614115588
Represented by: Dr. André Kudra (President), Jürgen Eichhöfer, Cordula Bettina Lisa Fey
UID: CHE-130.392.745 MWST
CH-ID: CH-100-3814535-5
Information about esatus AG: Imprint
2. General information on data processing
2.1 Information on data processing when visiting the website
When you visit the website (esatus.com), esatus Schweiz AG processes various personal data, depending on the type of processing. These processing operations are explained in the following section.
2.1.1 Operation of the website
This website is hosted by esatus AG. Data processing by esatus AG takes place in Germany. For the secure operation of this website, data is automatically recorded in log files when it is accessed. Data is automatically transferred to the esatus AG server by the browser you use. The following data is transmitted:
- Browser type and version
- Operating system used
- Referrer URL (the previously visited website)
- IP address of the accessing computer
- Time and date of the server request
The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest). The provision and operation of the website as well as browser optimization and maintaining the security of this website represent the legitimate interest of esatus Schweiz AG and esatus AG. The log files are analyzed solely for the purpose of ensuring the security of this website and for statistical evaluations. This data is not merged with other data and data sources. esatus AG uses an intrusion detection system to ensure security. The legal basis for the processing of system logs for intrusion detection is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest).
Intrusion detection is the active monitoring of computer systems and/or networks with the aim of detecting attacks and misuse. The aim of intrusion detection is to filter out those events that indicate attacks, attempted misuse or security breaches from all events taking place in the monitored area in order to subsequently investigate them in depth. This should enable events to be detected and reported promptly. Corresponding log files are created for intrusion detection. If an anomaly is detected by the intrusion detection, the affected IP address is traced accordingly.
Apart from esatus AG and esatus Schweiz AG, no other companies receive the data listed above. This data is stored for a period of 28 days. An exception to this is the detection of anomalies by intrusion detection. If, due to corresponding events (e.g. attacks, attempted misuse or security breaches), data must be stored for reasons of proof, this data is excluded from deletion until the respective incident has been finally clarified. After expiry of this storage period or final clarification of the incident, all corresponding data is deleted or the IP address is anonymized.
2.1.2 Contacting us via the website
You can send us an inquiry at any time using our contact form on our website. The following information will be requested:
- Salutation
- First name and surname
- E-mail address
- Free text field, which you fill in yourself
All other data that you send us via the free text field is voluntary. In addition, your IP address, time and date are automatically transmitted to us. In addition to our contact form, you can contact us via the e-mail addresses communicated on the website. The data contained in your message (e-mail) will be processed depending on the purpose of the message. The data is processed exclusively for the purpose of responding to your inquiry and the associated communication. Please note that, depending on your provider, e-mails are generally transmitted unencrypted. We can therefore accept no responsibility for the transmission path. If you contact us by telephone, we will process your telephone number and any data you communicate voluntarily during the conversation.
The legal basis for contacting us via our website depends on the content of your request. In principle, the legal basis for contacting us via the website is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest). The legitimate interest here consists in providing the contact functionality and responding to your inquiries sent via the website. The IP address and the time stamp, which are automatically transmitted with your message, are used to prevent and trace misuse of our contact form. The processing of all data that you voluntarily transmit to us in the free text field is carried out in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR (consent). The data transmitted by you will generally be deleted after final processing of your request and fulfillment of the purpose.
2.1.3 Cookies
Cookies are small text files that are stored on your computer and saved by your browser. A cookie contains a characteristic string of characters that enables your browser to be uniquely identified when you return to the website. Only cookies in the form of session IDs are used on our website. Session IDs enable us to identify you during your visit to our website, for example to permanently display the language you have selected. Session IDs are usually accepted automatically by the browser. You can deactivate this function, but this may impair your use of the website. Session IDs do not contain any information that can be read in plain text. Session IDs are required to make the use of our website more convenient. Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest) forms the legal basis for this. The session IDs are temporarily stored on your computer and deleted after you leave the browser session and close the browser. No other cookies are used.
2.1.4 Embedding of YouTube videos
YouTube videos are technically embedded on our website. Data processing by YouTube only begins when the data subject independently activates the content by clicking on it. The legal basis is Art. 6 para. 1 sentence 1 lit. a) GDPR (consent). Since personal data is only transmitted when the content is activated, please refer to YouTube's privacy policy.
YouTube: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
2.2 Information on data processing independent of the website
Irrespective of visits to this website, esatus Schweiz AG processes personal data only:
- for the organization of events (e.g. workshops)
- for the initiation of employment relationships
- for the execution of contract initiation and contractual or legal obligations in the context of the use of the "SOWL" product of esatus AG
- to carry out electronic communication (sending e-mails)
- for external presentation and for advertising purposes in social media via esatus AG channels
- to document the customer and order history
- for the use of photographs of events
- for advertising purposes via esatus AG channels
- for other purposes that are explicitly stated on declarations of consent.
The esatus AG privacy policy applies to appearances on social media (LinkedIn, Twitter and XING).
2.2.1 Implementation of events
As part of the initiation and implementation of events (e.g. webinars), esatus AG processes various personal data depending on the type of event, such as
- First name and surname
- Contact details (address, telephone number, e-mail address)
- Job title
- Employer or educational institutions
All data processed in the context of an event is used to initiate and carry out the corresponding event. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a) and b) GDPR (consent and performance of a contract). Your data will be deleted after the event has been held. The data is processed by the joint controllers in Switzerland and Germany.
Information on data communicated or transmitted to esatus Schweiz AG in the context of events for the purpose of an application can be found in section 2.2.2.
2.2.2 External presentation and advertising purposes in social media
esatus Schweiz AG does not maintain its own social media channels. Communication takes place entirely via the channels of esatus AG. The following social media presences are operated for the purpose of external presentation and advertising:
- LinkedIn (LinkedIn Ireland Unlimited Company, Gardner House, 2 Wilton Pl, Dublin 2, Ireland)
- Twitter (Twitter Inc., 1355 Market St #900, San Francisco, CA 94103, United States)
- XING (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany)
As part of the use of social media, esatus Schweiz AG and esatus AG publish posts about employees in a professional context (e.g. participation in business events) in addition to product- and subject-specific topics. Employees are generally named via a link to the employee's profile.
The following types of data are processed in this context:
- Contact data (e.g. e-mail address)
- Content data (e.g. data in a free text field)
The purpose of maintaining these presences is to communicate with the users of the respective social platform and to communicate about the services of the two companies. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest). You may have given your consent to one of the platform operators listed above to process your personal data in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.
esatus Schweiz AG and esatus AG do not process any usage data (e.g. access to websites and content) or metadata (e.g. IP address). This data is only processed by the respective provider of the social network. We have no influence on the other processing of your personal data within the scope of the aforementioned websites and are therefore not the controller within the meaning of Art. 4 No. 7 GDPR. The respective data protection declarations of the operators of the above-mentioned platforms apply.
2.2.3 Use of photographs of events for advertising purposes
As a rule, esatus AG or an appropriately commissioned service provider will also take photographs at events. These images are published in accordance with the declaration of consent voluntarily signed by the event participants. esatus Schweiz AG uses photographs of events for advertising purposes on various channels, such as the website and social media. esatus Schweiz AG would therefore like to point out that personal data (including photos) can be accessed and stored worldwide when published on the Internet. The data can therefore also be found via search engines, for example. It cannot be ruled out that other persons or companies may link the data with other personal data available on the Internet and thus create a personality profile, change the data or use it for other purposes.
The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a) GDPR (consent). Consent can be withdrawn by the data subject at any time. Due to the joint responsibility, we ask the data subject to send an email to the following address: dsb@esatus.com. All data will be deleted as soon as consent to the use of the photographs is revoked. esatus AG will delete the corresponding photographs on all its channels accordingly. esatus Schweiz AG and esatus AG have no influence on the deletion of the corresponding images stored by third parties.
2.2.4 Execution of contract initiation and contractual or legal obligations in the context of the use of the "SOWL" product of esatus AG
In connection with the initiation of a contract as well as contractual or legal obligations in the context of the use of the "SOWL" product, the corresponding data will be forwarded to esatus AG for technical provision.
SOWL is a cloud agent, an identity management system for digital identities (credentials). When using SOWL, personal data is processed by the respective company that uses SOWL. The data processing may include both the process of issuing identities and credentials and the identity verification via a corresponding credential.
SOWL can be operated both in-house (hosted by the customer) and by esatus AG (SaaS). esatus AG has no access to the SOWL instances that are hosted by the respective customer. A daily license sync is performed for SOWL. The daily license sync sends esatus AG corresponding metadata for the respective system. This metadata is the following data (no personal reference):
- Number of proofs
- Number of credentials issued
- Number of revocations
- Number of identities
- Number of errors
- Number of warnings
- License ID
For customers whose SOWL hosting is operated by esatus AG, esatus AG can access the respective SOWL instance for support purposes after appropriate approval by the customer. All productive SOWL instances are hosted by Amazon Web Services (AWS). The AWS services used by esatus AG are provided exclusively within Germany. These are server capacities that are operated in eu-central-1 (Frankfurt). The deletion of corresponding personal data is the responsibility of the respective customer using the SOWL instance.
If you use a product demo (e.g. SOWL demo access), esatus AG will not process any of your personal data other than technical data to ensure the functionality of SOWL. The data used to demonstrate the functionalities is test data that has nothing to do with the identity of the user. All esatus Schweiz AG customers are explicitly instructed not to use real data in the demo area. The SOWL demo environment is operated on Microsoft Azure. This involves server capacities that are operated on Microsoft Azure in the Germany West Central region.
The esatus Wallet App is provided by esatus AG. All information can be found in the privacy statement of esatus AG.
2.2.5 Documentation of customer and order history and associated processing purposes
As part of the documentation of customer data and the order history, esatus Schweiz AG processes personal data that has been transmitted to us by our customers or future customers. This includes, for example (the list is not exhaustive):
- Full name
- Salutation
- Full address
- Bank details (e.g. IBAN)
- Further information necessary for the execution of the contract
The purpose of this processing is the proper maintenance of our business activities and the traceability of business processes. The legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest) and Art. 6 para. 1 sentence 1 lit. b) GDPR (implementation of pre-contractual measures and contract fulfillment). For all data that you voluntarily transmit to us in this context, Art. 6 para. 1 sentence 1 lit. a) GDPR (consent) is to be regarded as the relevant legal basis. All corresponding data will be stored by esatus AG for the duration of the purpose fulfillment. In addition, further processing may be necessary to fulfill legal obligations. In the context of the processing of personal data for the fulfillment of legal requirements (e.g. commercial or tax retention periods) in connection with the business activities of esatus AG, Art. 6 para. 1 sentence 1 lit. c) GDPR (legal obligation) forms the relevant legal basis. Processing takes place until the legal obligations are fulfilled.
In addition, it may be necessary to process personal data in order to assert legal claims. The legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest), whereby our interest is the clarification and possible defense of claims. Processing only takes place within the scope of and until the conclusion of the assertion of any claims.
3. Rights of the data subjects
Right to information Art. 8 DSG
Pursuant to Art. 8 DSG, any person may request information from the controller of a data file as to whether data relating to them is being processed. To do so, please contact the office named above or in the legal notice or send an email to dsb@esatus.com.
The data subject receives information about the following content:
- all data available about them in the data collection, including the available information about the origin of the data;
- the purpose and, where applicable, the legal basis of the processing as well as the categories of personal data processed, the parties involved in the collection and the data recipients.
Depending on the form of the request, this information will be provided in writing or in text form and free of charge once you have been identified.
Further provisions and restrictions on the right to information are set out in the law.
Right to rectification, blocking and erasure
You have the right to request the correction, blocking and deletion of your data at any time. You also have the right to data portability.
Right of withdrawal
The data subject has the right to withdraw their consent at any time if the processing is based on previously given consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority at any time.
As a responsible company, we do not use automated decision-making or profiling.
4. Duration of storage
The duration of the storage of personal data depends on the corresponding statutory retention period and the purpose of the processing. As soon as the statutory retention period expires or the purpose of the processing expires, the personal data will be deleted unless it is required for the fulfillment or initiation of a contract. Justified deviations may arise in the context of individual processing procedures, which we will point out separately.
Due to the further development of our website and our other offers or due to changes in legal or official requirements, it may become necessary to amend this privacy statement.
Editing status: 27.03.2023