Privacy Policy

Everything you need to know about data protection. Feel free to reach out with any questions.

This Privacy Policy explains the nature, scope, and purpose of processing personal data (hereinafter referred to as “data”) within our online offering and its associated websites, features, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”). Regarding the terminology used, such as “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

SWAN – Swiss Academic Nutritionists
Könizstrasse 161
CH-3097 Liebefeld
Email: contact@swan-nutrition.ch
SWAN Presidency: Isabelle Frey-Wagner / Esther Infanger
Website: www.swan-nutrition.ch

Image Credits

For the design of our website, we use so-called CC0 images (free, licence-free images without restrictions) from the databases of:

  • Unsplash
  • Pixabay

Types of Data Processed

  • Meta/communication data (e.g. device information, IP addresses)
  • Inventory data (e.g. names, addresses)
  • Contact data (e.g. email, telephone numbers)
  • Content data (e.g. text entries, photographs, videos)
  • Usage data (e.g. websites visited, interest in content, access times)

Categories of Data Subjects

Visitors and users of the online offering (hereinafter we also refer to the data subjects collectively as “users”).

Purpose of Processing

  • Provision of the online offering, its functions, and content
  • Responding to contact requests and communicating with users
  • Security measures
  • Reach measurement/marketing

Terminology Used

Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Applicable Legal Bases

In accordance with Art. 13 GDPR, we inform you of the legal bases for our data processing activities. Where the legal basis is not specified in this Privacy Policy, the following applies: The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR; the legal basis for processing carried out to fulfil our services and implement contractual measures, as well as for responding to enquiries, is Art. 6(1)(b) GDPR; the legal basis for processing carried out to fulfil our legal obligations is Art. 6(1)(c) GDPR; and the legal basis for processing carried out to protect our legitimate interests is Art. 6(1)(f) GDPR. In the event that the vital interests of the data subject or another natural person necessitate the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.

Security Measures

In accordance with Art. 32 GDPR, and taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as by controlling access, input and disclosure, ensuring availability, and separating data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and the ability to respond to data security incidents. In addition, we take the protection of personal data into account at the earliest stage of development and selection of hardware, software and processes, in accordance with the principle of privacy by design and by default (Art. 25 GDPR).

Cooperation with Processors and Third Parties

Where we disclose, transmit or otherwise grant access to data to other persons and companies (processors or third parties) in the course of our processing activities, this is done solely on the basis of a legal permission (e.g. where the transmission of data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Art. 6(1)(b) GDPR), where you have given your consent, where a legal obligation provides for such disclosure, or on the basis of our legitimate interests (e.g. when engaging agents, web hosting providers, etc.).
Where we commission third parties to process data on the basis of a so-called “data processing agreement”, this is done on the basis of Art. 28 GDPR.

Transfers to Third Countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in the context of using third-party services or disclosing or transferring data to third parties, this takes place only where it is necessary for the fulfilment of our (pre-)contractual obligations, on the basis of your consent, by reason of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have data processed in a third country only where the specific requirements of Art. 44 et seq. GDPR are met. That is, processing takes place, for example, on the basis of specific safeguards, such as the officially recognised determination of a level of data protection equivalent to that of the EU (e.g. for the USA through the “Data Privacy Framework”) or compliance with officially recognised specific contractual obligations (so-called “Standard Contractual Clauses”).

Rights of Data Subjects

You have the right to request confirmation as to whether data concerning you is being processed, and to obtain access to such data as well as further information and a copy of the data, in accordance with Art. 15 GDPR.
You have the right, in accordance with Art. 16 GDPR, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
You have the right, in accordance with Art. 17 GDPR, to request that data concerning you be erased without undue delay, or, alternatively, to request a restriction of the processing of such data in accordance with Art. 18 GDPR.
You have the right to receive the data concerning you that you have provided to us, in accordance with Art. 20 GDPR, and to request the transmission of such data to other controllers.
You furthermore have the right, pursuant to Art. 77 GDPR, to lodge a complaint with the competent supervisory authority.

Right of Withdrawal

You have the right to withdraw any consent you have given, pursuant to Art. 7(3) GDPR, with effect for the future.

Right to Object

You have the right to object at any time to the future processing of data concerning you, pursuant to Art. 21 GDPR. This right to object applies in particular to processing carried out for the purposes of direct marketing.

Cookies and Right to Object to Direct Marketing

“Cookies” are small files that are stored on users’ computers. A variety of information can be stored within cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Cookies that are deleted after a user leaves an online offering and closes their browser are referred to as temporary cookies, “session cookies” or “transient cookies”. Such a cookie may store, for example, the contents of a shopping cart in an online shop or a login status. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent” cookies. For example, a login status can be stored so that users can retrieve it after several days. Such cookies may likewise store users’ interests, which are used for reach measurement or marketing purposes. Cookies that are offered by providers other than the controller operating the online offering are referred to as “third-party cookies” (conversely, where only the controller’s own cookies are used, these are referred to as “first-party cookies”).

We may use both temporary and persistent cookies and provide information about this within our Privacy Policy.
If users do not wish cookies to be stored on their computer, they are asked to disable the relevant option in their browser’s system settings. Cookies that have already been stored can be deleted in the browser’s system settings. Please note that disabling cookies may result in functional limitations of this online offering.

A general objection to the use of cookies employed for online marketing purposes, particularly in the case of tracking, can be declared via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by disabling them in the browser settings. Please note that in this case it may not be possible to use all features of this online offering.

Deletion of Data

Data processed by us is deleted or its processing restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated otherwise in this Privacy Policy, data stored by us will be deleted as soon as it is no longer required for its intended purpose and no statutory retention obligations stand in the way of deletion. Where data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

Retention periods under German law — In accordance with statutory requirements in Germany, retention applies in particular for 10 years pursuant to §§ 147(1) of the German Fiscal Code (AO) and 257(1) nos. 1 and 4, (4) of the German Commercial Code (HGB) (books, records, management reports, accounting vouchers, commercial books, documents relevant for taxation, etc.), and for 6 years pursuant to § 257(1) nos. 2 and 3, (4) HGB (commercial correspondence).

Retention periods under Austrian law — In accordance with statutory requirements in Austria, retention applies in particular for 7 years pursuant to § 132(1) of the Austrian Federal Fiscal Code (BAO) (accounting records, vouchers/invoices, accounts, receipts, business papers, records of income and expenditure, etc.), for 22 years in connection with real property, and for 10 years for documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-taxable persons in EU member states for which the Mini One Stop Shop (MOSS) scheme is used.

Business-Related Processing

In addition, we process the following data:

  • Contractual data (e.g. subject matter of the contract, duration, customer category)
  • Payment data (e.g. bank details, payment history)

from our customers, prospective customers and business partners for the purposes of providing contractual services, customer service and customer relations management, marketing, advertising and market research.

Administration, Financial Accounting, Office Management, Contact Management

We process data in the context of administrative tasks and the organisation of our business operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of providing our contractual services. The legal bases for processing are Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. The data subjects affected by this processing include customers, prospective customers, business partners and website visitors. The purpose of and our legitimate interest in the processing lies in administration, financial accounting, office organisation and the archiving of data — that is, tasks which serve to maintain our business operations, fulfil our responsibilities and provide our services. The deletion of data with regard to contractual services and contractual communications is carried out in accordance with the information provided in relation to those processing activities.

We disclose or transfer data in this context to tax authorities, advisors such as tax consultants or auditors, as well as other fee-collecting bodies and payment service providers.

Furthermore, on the basis of our legitimate business interests, we store information relating to suppliers, organisers and other business partners, for example for the purpose of future contact. These predominantly business-related data are, as a general rule, stored on a permanent basis.

Provision of Our Statutory and Business Services

We process the data of our members, supporters, prospective customers, clients or other persons in accordance with Art. 6(1)(b) GDPR where we offer them contractual services or act within the scope of an existing business relationship, e.g. with members, or where we ourselves are recipients of services or benefits. In all other respects, we process the data of affected persons pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interests, e.g. where administrative tasks or public relations work are concerned.

The data processed in this context, as well as the nature, scope, purpose and necessity of such processing, are determined by the underlying contractual relationship. This generally includes master data and basic personal data (e.g. name, address, etc.), as well as contact details (e.g. email address, telephone number, etc.), contractual data (e.g. services used, communicated content and information, names of contact persons) and, where we offer chargeable services or products, payment data (e.g. bank details, payment history, etc.).

We delete data that is no longer required for the fulfilment of our statutory and business purposes. This is determined by the nature of the respective tasks and contractual relationships. In the case of business-related processing, we retain data for as long as it may be relevant to the processing of the business transaction, as well as with regard to any potential warranty or liability obligations. The necessity of retaining data is reviewed every three years; statutory retention obligations apply in all other respects.

Registration Function

Users may create a user account. During the registration process, the required mandatory details are communicated to users and processed on the basis of Art. 6(1)(b) GDPR for the purpose of providing the user account. The data processed includes in particular login information (name, password and an email address). The data entered during registration is used for the purposes of using the user account and its intended functions.

Users may be informed by email of information relevant to their user account, such as technical changes. Where users have terminated their user account, their data relating to that account will be deleted, subject to any statutory retention obligation. It is the responsibility of users to back up their data prior to the end of the contract in the event of termination. We are entitled to permanently and irreversibly delete all data stored during the contractual period.

In the context of the use of our registration and login functions and the use of the user account, we store the IP address and the timestamp of each user action. Such storage is carried out on the basis of our legitimate interests, as well as those of users, in protection against misuse and other unauthorised use. This data is not disclosed to third parties as a general rule, unless such disclosure is required to pursue our claims or a legal obligation to do so exists pursuant to Art. 6(1)(c) GDPR. IP addresses are anonymised or deleted no later than 7 days after collection.

Contact

When contacting us (e.g. via contact form, email, telephone or social media), the information provided by the user is processed for the purpose of handling and processing the contact request pursuant to Art. 6(1)(b) GDPR. User information may be stored in a Customer Relationship Management system (“CRM system”) or a comparable enquiry management system.

We delete enquiries once they are no longer required. We review the necessity of retention every two years; statutory archiving obligations apply in all other respects.

Hosting and Email Delivery

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services, which we use for the purpose of operating this online offering.

In this context, we and/or our hosting provider process master data, contact data, content data, contractual data, usage data, and meta and communications data of customers, prospective customers and visitors to this online offering, on the basis of our legitimate interests in the efficient and secure provision of this online offering, pursuant to Art. 6(1)(f) GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement).

Collection of Access Data and Log Files

We, and/or our hosting provider, collect data on the basis of our legitimate interests within the meaning of Art. 6(1)(f) GDPR regarding every access to the server on which this service is hosted (so-called server log files). The access data collected includes the name of the webpage retrieved, file, date and time of access, volume of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security purposes (e.g. to investigate misuse or fraudulent activity) for a maximum period of 7 days and thereafter deleted. Data whose further retention is required for evidentiary purposes is exempt from deletion until the final resolution of the relevant incident.

Jetpack (WordPress Stats)

On the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and efficient operation of our online offering within the meaning of Art. 6(1)(f) GDPR), we use the Jetpack plugin (specifically the “WordPress Stats” sub-function), which integrates a tool for the statistical analysis of visitor traffic and is provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Jetpack uses so-called “cookies” — text files that are stored on your computer and enable an analysis of your use of the website.

The information generated by the cookie about your use of this online offering is stored on a server in the USA. User profiles may be created from the data processed; however, these are used solely for analysis purposes and not for advertising purposes. Further information can be found in the Privacy Policy at https://automattic.com/privacy/ and in the notes on Jetpack cookies at https://jetpack.com/support/cookies/.

Online Presence in Social Media

We maintain online presences within social networks and platforms in order to communicate with customers, prospective customers and users active on those platforms, and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply.

Unless stated otherwise in this Privacy Policy, we process the data of users who communicate with us within social networks and platforms, for example by posting on our online presences or sending us messages.

Integration of Third-Party Services and Content

Within our online offering, we use content or service offerings from third-party providers on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and efficient operation of our online offering within the meaning of Art. 6(1)(f) GDPR) in order to integrate their content and services, such as videos or fonts (hereinafter collectively referred to as “content”).

This always requires that the third-party providers of such content are able to access the IP address of the user, as without the IP address they would be unable to send the content to the user’s browser. The IP address is therefore necessary for the display of such content. We endeavour to use only content whose respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through the use of pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may furthermore be stored in cookies on users’ devices and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and further details regarding the use of our online offering, and may also be combined with such information from other sources.

X

Within our online offering, functions and content of the service X (formerly Twitter), provided by X Corp. (formerly Twitter Inc.), 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, may be integrated. This may include, for example, content such as images, videos or text, as well as buttons enabling users to share content from this online offering on X. Where users are members of the X platform, X Corp. may associate the retrieval of the above-mentioned content and functions with the profiles of those users on that platform.

Privacy Policy: https://twitter.com/en/privacy
Opt-Out: https://twitter.com/personalization

LinkedIn

Within our online offering, functions and content of the service LinkedIn, provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, may be integrated. This may include, for example, content such as images, videos or text, as well as buttons enabling users to share content from this online offering on LinkedIn. Where users are members of the LinkedIn platform, LinkedIn may associate the retrieval of the above-mentioned content and functions with the profiles of those users on that platform.

As LinkedIn Ireland Unlimited Company is established within the EU (Ireland), data transfers are governed directly by GDPR without the need for a separate third-country transfer mechanism.

Privacy Policy: https://www.linkedin.com/legal/privacy-policy
Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Created with Privacy Policy-Generator.de by RA Dr Thomas Schwenke