Version: 24.07.2023
1 What is this privacy policy about?
The protection of your personal data and fair and transparent data processing are important to us. Therefore, we would like to inform you about the data processing activities of SWISSBILLING ("SWISSBILLING", "we" or "us") and of other companies of the group to which we belong ("CEMBRA Group", an up-to-date list is available at www.cembra.ch/group) and provide you with the information you need to exercise your rights.
Further information can be found in the applicable product and service-specific terms and conditions, on our website and, where applicable, in the loyalty and value-added program terms and conditions of our cooperation partners and in further data protection declarations.
2 Who are we?
We are responsible for processing your personal data in accordance with this privacy policy. Our contact details are as follows:
Swissbilling SA
Rue du Caudray 4
1020 Renens
Switzerland
+41 58 226 10 50
Our Data Protection Officer is available to answer any questions or concerns you may have regarding our data protection practices. You can contact him at the above address or at legal@swissbilling.ch
3 For whom and for what is this privacy statement intended?
This privacy policy applies to all processing of personal data of our customers ("customers", "you", "your") in connection with all our business activities in all our business areas. It applies to the processing of both existing and future personal data held by us.
4 Which personal data do we process from which sources, for which purposes and with which legal basis?
4.1 Origin of personal data
The personal data we process originates on the one hand from you as an existing or future contractual customer and on the other hand from companies of the Cembra Group (as set out under www.cembra.ch/group), from merchants and cooperation-partners of Swissbilling, from publicly accessible sources (e.g. media or Internet), from government agencies (e.g. residents' registration authorities, land registry, commercial registry or debt collection offices) and from third parties (e.g. external credit rating agencies, the Central Office for Credit Information [ZEK] or the Consumer Credit Information Office [IKO]).
4.2 Categories of personal data
4.2.1 Within the scope of the contract initiation or processing
In the course of initiating or processing a contract, we may process various personal data, e.g., personal details (name, address and other contact details, date and place of birth and nationality, IP-address, device ID), identification data (e.g. ID card data) and authentication data (e.g. specimen signatures, location behavior). In addition, this may also include order, transaction and risk management data (e.g. payment transaction data and data from the initiation or settlement of contractual relationships with us or with merchants), financial data (e.g. information on income and assets, current or concluded credit agreements or means of payment agreements, creditworthiness data, scoring/rating data), tax-relevant data (information on tax domicile and any other tax-relevant information) as well as contractual and documentation data (e.g. information on the account, securities account, current or concluded transactions) or data on third parties (e.g. authorized representatives).
4.2.2 When logging into our mobile application
When registering on our mobile application ("App") - if available - or when using it, we process your terminal device data (e.g. details of the device manufacturer and type, operating system, device ID and IP address), your access data (e.g. access code) or your desired settings (e.g. storage of the user name or login keys or use of other login functions (e.g. Face or Touch ID)). Furthermore, we process data relating to the use of our app (e.g. number of accesses to the app incl. date and time), your consent to the terms of use of the app or to other provisions in connection with your transactions registered on the app (e.g. monthly invoices or payments for your purchases).
4.2.3 When visiting our website
When you visit our website, depending on the offer and functionality, we process data such as log data, for websites, for example, information about the time of access to our websites, the duration of the visit and the pages accessed.
4.2.4 If contact is made by telephone or electronically
If you communicate with us by telephone or email, we will retain the information exchanged and your contact details. We may also process data relating to your behavior or preferences. Where necessary, we will obtain your consent in advance.
4.3 Data processing purposes
4.3.1 For the conclusion, execution, and enforcement of contracts
Personal data is processed in order to provide our services in the context of concluding, implementing, and enforcing our contracts with our clients, or enforcing claims assigned to us, as well as to carry out pre-contractual measures at your request.
When carrying out pre-contractual measures, we may obtain information about you, e.g., from other companies of the Cembra Group, external credit assessors (e.g., CRIF and Intrum), government agencies, the Central Office for Credit Information (ZEK), the Consumer Credit Information Office (IKO) or other agencies, as well as reporting to ZEK, IKO and, in the event of corresponding legal obligations, to other agencies.
In the context of contract and collection processing, we process your personal data for the administration of our relationship (e.g. for sending invoices and for payment or refund purposes) and for processing customer service-related questions and complaints. This includes, in particular, email communication with you regarding invoicing for products and services purchased from us and from our partners. In the event that our terms and conditions do not specify differently, you acknowledge and agree that we may also analyze your personal data resulting from the relationship with us in Switzerland and abroad and use it to create profiles in order to offer you our products, services, and those of companies of the Cembra Group and of cooperation partners by post, e-mail, SMS or in our app for direct marketing purposes. The companies of the Cembra Group are also entitled to process, transmit, evaluate and use your personal data on their own behalf or on behalf of third parties for the purpose of quality and/or effectiveness analysis as well as for commercial and marketing purposes. Our services include, among others, the organization of competitions, cultural events, sponsoring and customer satisfaction surveys. We may also commission third parties or companies of the Cembra Group to evaluate your personal data and to send you such offers. You can revoke your consent to electronic communication with us and to receiving information about our products and services or those of companies of the Cembra Group and third parties at any time.
Further details on the purpose of data processing can be found in the respective contract documents, terms and conditions and any other documents provided to you.
4.3.2 When using our app
When you install and use our app, we process your personal data in particular to:
• the registration and login, in particular to enable your authentication before using the app;
• provide you with a secure connection between the app and the mobile device;
• ensure the sending of information in connection with their purchased services or goods (e.g. sending of new invoices via the app).
We may evaluate your use of the app and the information available on the app in order to better tailor our products and services to you. If we send you offers electronically, we will first obtain your consent to do so. You can revoke your consent for this purpose at any time.
4.3.3 When visiting our website
When you visit our website, we process your personal data for IT security reasons, to improve the user-friendliness of the website and its functions, and to personalize the content presented. For this purpose, we may use online tracking technologies such as Google Analytics or cookies, which enable us to collect information about the use of our website.
Cookies are small files that are stored on your terminal device when you visit our website. There may be different types of cookies on our website:
• Required cookies:
They are required for our website to function and cannot be disabled. Without them, some areas of our website cannot function.
Spam prevention for our online forms is provided by Google reCAPTCHA. Only set when a form is submitted.
• Functionality and performance cookies:
They allow us to save your settings for screen layouts and language to improve your user experience. They are also used to collect information about the use of our website in order to improve its attractiveness, content, and functionality.
• Cookies for audience measurement (Google Analytics):
They are used to collect statistics and optimize the performance of our website. In doing so, we ensure that no personal data is transmitted to GOOGLE Inc. (anonymization of your IP address and integration of Google Analytics on the server side) in order to protect your privacy. The statistics we receive from this tool are completely anonymized and are not passed on to third parties or abroad.
You can revoke your consent to the use of the aforementioned cookies (with the exception of the necessary cookies) at any time by deactivating the cookies in your browser settings. Please note that some functions and pages will not work correctly if you do not allow cookies to be stored. You can also delete a cookie from your computer automatically or manually. To do so, follow the instructions in the online help of your browser.
4.4.4 Within the framework of the balancing of interests
In addition, we also process your data to protect our legitimate interests, insofar as your interests do not outweigh these. The following is a non-exhaustive list of processing purposes that constitute a legitimate interest:
• Analysis, monitoring, and management of credit risk (scoring);
• Fraud prevention;
• Safeguarding rights, e.g. to enforce claims in or out of court and before authorities in Switzerland and abroad or to defend ourselves against claims. In doing so, we may have the prospects of litigation clarified by third parties or submit documents to an authority. It may also be that authorities request us to disclose documents containing personal data;
• Ensuring IT security and IT operations;
• Prevention and investigation of criminal offences;
• Contact enquiries on your part with our customer service;
• Telephone calls can be recorded for quality control and training purposes, for example;
• Building and facility security measures (e.g. access controls and video surveillance);
• Corporate transactions: We may also process personal data to prepare and process corporate acquisitions and sales and purchases or sales of assets, such as receivables or real estate and similar transactions;
• Evaluation, planning, statistics, product developments and business decisions (e.g. improvement and review of existing products, new products and services, processes, technologies, systems, returns, utilization rates).
5 Do you have a duty to provide personal data?
As a rule, you are not obliged to provide us with personal data. However, we are not able to conclude a contract with you if you do not provide us with the personal data required for a business relationship and the fulfilment of contractual obligations or by law (e.g. information required for identification such as name, date of birth, address, nationality, etc.). Furthermore, without the provision of the necessary personal data, you will not be able to access certain of our online services (e.g. electronic invoice, app) in whole or in part.
6 Who do we share your personal data with?
Within SWISSBILLING, those departments, employees and other bodies that need to access your personal data in order to perform their tasks will be given access. We may also outsource individual or entire business areas and services to companies of the Cembra Group and to third parties in Switzerland and abroad, assign claims and rights and enter into cooperations with partners. In doing so, your personal data will be forwarded to these recipients - to the extent necessary. We ensure through the selection of the order processors and through suitable contractual agreements that data protection is also observed by third parties during the processing of personal data. This concerns in particular services and cooperations in the following areas:
• IT services, e.g. services in the areas of data storage (hosting), cloud services, dispatch of advertising materials, data analysis, e-mail exchange;
• Creditworthiness checks;
• Fraud prevention;
• Business information and debt collection, e.g. if due receivables are not paid;
• Consultancy services, e.g. services of tax consultants, lawyers, management consultants, personnel consultants;
• Administration of contractual relationships including collection, front and back office services, e.g. application and contract processing, invoicing or billing, collection of debts due, telephony;
• Compliance and data management;
• Cooperation with business partners such as insurance partners.
In the event that our terms and conditions do not specify differently, we may also disclose your personal data for business purposes (e.g. credit risk, anti-fraud and marketing purposes) to recipients within the Cembra Group for their own purposes. As a result, your personal data may also be processed and linked for the respective purposes together with personal data originating from Cembra or from a Cembra Group company. A current list of our group companies can be found at www.cembra.ch/gruppe. We may disclose your personal data to third parties if it is in our legitimate interest or you have authorized us to do so. We are obliged to do so if required by law (usually vis-à-vis authorities). In the context of the transfer and exchange of data within the Cembra Group, you expressly waive compliance with banking secrecy.
7 When do we pass on personal data abroad?
We may outsource our services abroad (see previous section). Personal data may also be transferred abroad when processing contracts or executing transactions or when offering online services, e.g. when executing payment orders. The recipients of your personal data may be located in the European Economic Area ("EEA") and in the USA. Some of the countries concerned may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a third country, we will ensure the protection of your personal data in an appropriate manner. One means of doing this is by entering into data transfer agreements - so-called standard contractual clauses issued or recognized by the European Commission and/or the Federal Data Protection and Information Commissioner (FDPIC) - with the recipients of your personal data in non-EU countries that ensure the required level of data protection.
8 Do we profile and make automated decisions?
We may process your data in order to create profiles, e.g. for analyses, evaluations and decisions. Such processing serves us and in particular the companies of the Cembra Group for fraud prevention and risk management purposes. We also use profiles so that we can provide you with individual advice and personalized offers. You can object to the processing of your data for advertising purposes at any time (see section 11). If we make automated individual decisions, they are generally necessary for the conclusion or fulfilment of a contractual relationship or are based on your consent. We will inform you of such decisions where required by law.
9 How we protect your personal data
We use appropriate technical and organizational security procedures to maintain the security of your personal data, for example to protect it against unauthorized or unlawful processing and against the risk of loss, and to prevent accidental alteration, disclosure, or access.
10 How long do we store your data
We store your personal data as long as it is necessary for the purpose for which we collected it. We also store your personal data if we are subject to a legal obligation to retain it. For example, a ten-year retention period applies to most documents. Finally, we store personal data if we have a legitimate interest in storing it, e.g. if limitation periods are running, if we need personal data to enforce or defend claims, as well as for archiving purposes and to ensure IT security.
11 What rights do you have?
Every data subject has certain rights under the data protection law applicable to them, in particular the following rights:
• The right to access,
• The right to rectification,
• The right to erasure,
• The right to restrict processing,
• The right to object to the further processing of their personal data, and
• The right to the portability of certain personal data.
In addition, there is a right of appeal to a competent data protection supervisory authority, in Switzerland to the Federal Data Protection and Information Commissioner (FDPIC).
You can revoke your consent to the processing of your personal data at any time. Please note that a revocation is only effective for the future. Processing that took place before the revocation is not affected. Consent obtained for other reasons, e.g. due to regulatory provisions, will not be affected. Revocation of your consent should in principle be made by e-mail to legal@swissbilling.ch or by signed letter to us. A confirmation will be sent to you.
12 Changes to this privacy policy
This privacy statement may be amended over time as we change our data processing practices or new legislation becomes applicable. The currently valid data protection declaration can be viewed at https://www.swissbilling.ch/en/privacy-policy. We will inform our active customers in an appropriate manner (in writing or electronically, e.g. by e-mail) when an adapted data protection declaration comes into force.
In the event of any ambiguity, the German wording of this privacy policy shall prevail.