Privacy Policy of SWISSBILLING SA

1. What is this Privacy Policy about?

The protection of your personal data and fair and transparent data processing are important to us. Therefore, we (“we”, “us” or “SWISSBILLING” “SWB”) would like to inform you about our data processing and provide you with the information you need to exercise your rights.

Further information can be found in the respective product and service-specific terms and conditions, on our website, in loyalty and added-value program conditions of our processors (see list section 6 below) and, if applicable, in further privacy policies.

2. Who are we?

We are part of the Cembra group:

We are responsible for processing your personal data according to this Privacy Policy. Our contact details are the following:

Swissbilling SA
Rue du Caudray 4
1020 Renens
Switzerland
+41 44 51 24 25 4

Our Data Protection Officer will be happy to answer any questions and concerns you may have in connection with our data protection practices.

Swissbilling SA
Data Protection Officer
Rue du Caudray 4
1020 Renens
Switzerland
+41 44 51 24 25 4
legal@swissbilling.ch

3. When, for whom and for what is this Privacy Policy intended?

This Privacy Policy applies to any processing of personal data in connection with all of our business activities in all our business areas. It is applicable to the processing of both existing and future personal data.

4. What personal data do we process for which purposes and from which sources ?

The personal data we process originate, on the one hand, from you as existing or future contractual partners, and, on the other hand, from publicly accessible sources (e.g., the media or Internet), from government agencies bodies (e.g., residents’ registration authorities, the land registry, the commercial registry or debt collection offices) and from third parties (e.g., CRIF AG, the Central Credit Office [ZEK] for merchants).

Depending on the occasion and purpose, we process different personal data, e.g., personal details (name, address and other contact data, date and place of birth as well as nationality), identification data (e.g., identity document data). In addition, this may include instruction, transaction and risk management data (e.g., payment transaction data and data from processing of contractual relationships), information about your financial situation (e.g. scoring/rating data [see explanation in section 4 d below]), tax-relevant information (information on where you are registered for tax purposes and any other relevant documents and information) as well as contractual and documentation data (e.g., information on the account, concluded transaction or about third parties such as civil partners or authorized representatives, etc.).

Particularly sensitive personal data are data that enjoy special protection (e.g., information on ethnic origin, political opinion, religious and ideological beliefs, sexual preferences, health data or information on criminal convictions). Such data will only be processed with your consent or based on a legal foundation.

Please note that consent to processing of personal data not requiring special protection – should it be required – are usually given on other grounds, depending on the particular case, e.g., to comply with the provisions of Code of obligations, , etc.

Among other things, we process personal data in the following situations for the following purposes and on the legal foundations mentioned below. Data processing may also be based on several legal foundations.

  1. When you contact us (by e-mail, letter or via the contact form on our website)

    If you contact us, whatever the reason is, the data you disclose, including the contact data you add in your message, will be saved with us for the purpose of processing your request.

    If you are a merchant and if you agree, your data may be used for prospection.

    The legal basis for this processing is Art. 13 al. 1 and 2 let. a FDPA, and where applicable Art. 6 al. 1 let. a and b GDPR.

    We store this data until you ask us to delete it, you revoke your consent to its storage, or the purpose of storing the data expires (e.g. after the processing of your request has been completed). In principle, general queries and comments, requests for information, etc. are kept for 2 years from the last communication with you, if no agreement is concluded. Otherwise, it is stored for 10 years after the termination of the contract. Mandatory legal provisions - in particular retention periods - remain reserved.

  2. When you contact us via phone call

    If you speak with our support department over the phone, the conversation may be registered and the data you disclose, including the contact data you specify, will be saved with us for the purpose of processing your request and may be used for quality checks and training purposes.

    The legal basis for this processing is Art. 13 al. 1 and 2 let. a FDPA, and where applicable Art. 6 al. 1 let. a and b GDPR.

    We store this data until you ask us to delete it, you revoke your consent to its storage, or the purpose of storing the data expires (e.g. after the processing of your request has been completed). In principle, general queries and comments, requests for information, etc. are kept for 2 years from the last communication with you, if no agreement is concluded. Otherwise, it is stored for 10 years after the termination of the contract. Mandatory legal provisions - in particular retention periods - remain reserved.

  3. While you visit our website

    When you visit our website, we process information such as log data, for instance information about the time of the access to our website, duration of the visit and pages retrieved. For these purposes, we can use technologies such as “cookies” and similar technologies. Cookies are small files stored on your terminal when you visit our website. Further information can be found on our website and in the product-specific contractual and, if applicable, data protection provisions. There are several types of cookies on our site, but we do not have any advertising cookies on our site:

    Please feel free to withdraw your consent to the use of the aforementioned cookies at any time by disabling cookies in your browser preferences. Please note that if you do not allow the storage of cookies, some features and pages will not behave correctly. You can also automatically or manually delete a cookie from your computer. To do so, follow the instructions in the online help of your browser.

    In any case, the cookies we use do not have a lifetime longer than 13 .

    • Cookie necessary:
      They are essential to the operation of the site. Without them, you cannot use our web pages as intended. These cookies are only used by us.Legal basis: Art. 13 al. 1 FDPA, and where applicable Art. 6 al. 1 let. a GDPR.
    • Functional and performance cookies:
      They allow you to save your preferences for screen layouts and language to enhance your user experience. They also collect information about the use of our site in order to improve its attractiveness, content and functionality.Legal basis: Art. 13 al. 1 FDPA, and where applicable Art. 6 al. 1 let. a GDPR.
    • Cookies for audience measurement (Google Analytics):
      They are used to obtain statistics in order to optimize the performance of our site. We exclusively use the Google Analytics tool (server-side cookie), a tool of GOOGLE Inc. (California, USA). We have, however, taken the appropriate measures to ensure that no personal data is transmitted to GOOGLE Inc. (anonymization of your IP address and integration of Google Analytics on the server side) in order to protect your privacy. The statistics we obtain from this tool are completely anonymized and are not passed on to third parties or outside Switzerland.Legal basis: Art. 13 al. 1 FDPA, and where applicable Art. 6 al. 1 let. a GDPR.
  4. For the conclusion, execution and enforcement of agreements

    The processing of personal data occurs to provide our financial services in the context of concluding, executing and enforcing the agreements with our customers, employees or contractual partners or to implement precontractual measures that occur on pursuant to a request of yours.

    Future/existing merchants/customers: The purpose of data processing is primarily to analyze, monitor and control of the credit risk (scoring) of the merchants/customers and to prevent frauds. This may include the verification of the identity of the merchants. If we agree to provide our services, we process the data to generate and send invoices to the customers, pay the merchants and get reimbursed. Further details on the purpose of the data processing can be found in the respective contractual documents, terms and conditions and, if applicable, other documents made available to you.

    Future/existing employees: The purpose of data processing is primarily to recruit future employees and afterwards to execute the labor agreement. Further details on the purpose of the data processing can be found in the respective contractual documents, terms and conditions and, if applicable, other documents made available to you.

    Future/existing contractual partners: The purpose of data processing is primarily to send invoices to the customers. Further details on the purpose of the data processing can be found in the respective contractual documents, terms and conditions and, if applicable, other documents made available to you.

    Legal basis: Art. 13 para. 1 FADP and where applicable Art. 6 para. 1 let. b GDPR

    In principle, we store this data for 10 years after the end of the agreement. In the event no agreement was concluded, they are in principle kept for 2 years from the last communication with you. Mandatory legal provisions - in particular retention periods - remain reserved.

  5. While you visit us our buildings

    For security matters, we have taken measures to control the accesses to our buildings. Among others, we have a video surveillance system.

    Legal basis for this processing is 13 al. 1 (balance of interests) FADP and where applicable Art. 6 let. f GDPR.

    We store this data until the purpose of storing the data expires (e.g. after no violation has been noted). In principle, these data are kept for 3 months if no violation has taken place. Mandatory legal provisions - in particular retention periods - remain reserved.

  6. For marketing purposes

    We process data for market research, marketing evaluations, preparation and offering of customized services (e.g., direct marketing, print and online advertising, customer, interested party or cultural events, sponsoring, competitions, determining customer satisfaction, assessment of future customer needs or behavior or evaluation of customer, market or product potential) for our own offers

    Legal basis: Art. 13 al. 1 FDPA, and where applicable Art. 6 al. 1 let. a GDPR.

    We store this data until you ask us to delete it, you revoke your consent to its storage, or the purpose of storing the data expires (e.g. if we no longer do marketing actions). Mandatory legal provisions - in particular retention periods - remain reserved.

  7. In the context of a balance of interests

    In addition, we also process your data to protect our legitimate interests, provided that they are not outweighed by your interests (legal provisions: Art. 13 al. 1 FDPA, and where applicable Art. 6 al. 1 let. f GDPR).

    We store this data until you ask us to delete it, you revoke your consent to its storage, or the purpose of storing the data expires (e.g. if we no longer have interest). Mandatory legal provisions - in particular retention periods - remain reserved.

    The following is a non-exhaustive list of processing purposes that represent legitimate interests:

    • Protection of rights, e.g., to enforce claims in court, prior to litigation and out of court and before domestic and foreign authorities or to defend ourselves against claims. We can have the chances of success clarified by third parties in this connection or submit documents to authorities. Authorities may also request that we disclose documents containing personal data;
    • Ensuring IT security and IT operations of SWB;
    • Internal organization and general accounting;
    • Prevention and investigation of criminal offences;
    • Corporate transactions: We can also process personal data to prepare and process company takeovers and sales and the acquisition or sale of assets, such as receivables or real estate and similar transactions;
    • Evaluation, planning, statistics, product developments and business decisions (e. g., improvement and review of existing products, new products and services, procedures, technologies, systems, yields, capacity utilization figures).

5. Do you have an obligation to provide personal data?

Usually, you are not obliged to provide us with personal data. However, we are not able to enter into a contractual relationship with you if you do not provide us with the personal data required for a business relationship and the fulfillment of contractual obligations or which we are legally obliged to collect (e.g., information required for identification, such as name, place, contact details, etc.).

6. With whom do we share your personal data?

Within SWB, the departments, employees and other bodies which have access to your personal data are exclusively the ones which require such access in order to perform their tasks.

In addition, we may outsource individual or entire business areas and services to Cembra Money Bank AG and to third parties in Switzerland and abroad, assign claims and rights and enter into cooperations with partners. If necessary, your personal data will be forwarded to these recipients. We ensure that the data protection are adhered to by such third parties by diligent selection of such processors and the conclusion of adequate agreements.

In particular, this involves services and cooperation in the following areas:

All:

  • IT services, e.g., services in the areas of data storage (hosting), security measures, cloud services, mailing of advertising material, data analysis, email exchanges;
  • measures for the security of our buildings;
  • advisory services, e.g., services of tax advisors, lawyers, business consultants, employee recruitment advisors;

Future/existing merchants/customers:

  • credit checks, by GRIF AG and/or Creditreform AG;
  • fraud prevention;
  • invoice production, by Avaloq Outline AG;
  • administration of contractual relationships including debt enforcement, e.g., application and contract processing, invoicing and processing of direct debits, enforcement of due claims;
  •  e.g., if claims are not paid timely, by CJS Caisse juridique Suisse SA;

Employees:

  • payroll, e.g. Cembra Money Bank AG;
  • cooperation with insurance partners, e.g., AXA Versicherungen AG, and

Forwarding of personal data is possible also in other cases. We can disclose your personal data to third parties if it is in our legitimate interest or you have authorized us to do so and are even obliged to do so if this is legally required (normally, to authorities).

7. When do we transfer personal data abroad?

We can outsource our services abroad (see preceding section). Personal data can also be transmitted abroad during the execution of agreements or transactions, e.g., during the implementation of payment orders or the handling of payments. The recipients of your personal data may be abroad – and also outside the European Union (“EU”) or the European Economic Area (“EEA”, this includes the Principality of Liechtenstein, for example). The relevant countries may not have laws that protect your personal data to the same extent as in Switzerland or in the EU or EEA. If we transmit your personal data to such a third country, we shall secure the protection of your personal data in an appropriate manner. This may include the conclusion of data adequate processing agreements with the recipients of your personal data in such countries. Adequate agreements may include ones which have been approved, set up or recognized by the European Commission and Federal Data Protection and Information Commissioner (FDPIC). Transmission is also permitted to recipients who have joined the Swiss-US Privacy Shield Program, i.e., have confirmed to observe high data protection standards.

Our main processors abroad are the following ones:

8. Does profiling take place and do we perform automated decisions?

We can process your personal data to create profiles, e.g., for analyzing, evaluating and decision-making. Such processing can be performed by us for fraud prevention and for risk management purposes. You can object to the processing of your data for advertising purposes at any time (cf. section 11).

If we perform automated decision-making it is either required for the conclusion or fulfillment of a contractual relationship or it is based on your explicit consent. We shall inform you in each case of such decisions if this is legally required.

9. How do we protect your personal data?

We apply appropriate technical and organizational security measures in order to ensure the security of your personal data, e.g., to protect them against unauthorized or unlawful processing and the risk of loss and to prevent any unintentional change, undesired disclosure or unauthorized access.

The access to your data is limited to those who need it. For example, all data passing through our website is secured in accordance with current standards (HTTPS).

In order to avoid losses, your data is backed up daily. This back-up is saved in two tier III data and protected by an encryption key, for a period depending on the purpose of the data processing.

10. Which rights do you have?

Each person affected has particular rights pursuant to the data protection law applicable to them, especially the following rights:

  • the right to access;
  • the right to rectification;
  • the right to deletion;
  • the right to restriction of processing;
  • the right to object to the further processing of your personal data;
  • the right to transfer of particular personal data (portability) if GDPR is applicable; and
  • the right to file a complaint with the competent authority.

To exercise your rights, please send your request by signed letter, with a copy of your identity document, to the following address Swissbilling SA, Rue de Caudray 4, 1020 Renens, Switzerland. We will endeavor to reply within 30 days.

You can revoke your consent for the processing of personal data at any time, without giving any reason. Please bear in mind such revocation of consent will only have effect for the future data processing that occurred before the revocation remains unaffected. Subject to the deactivation and deletion of cookies by you directly, the revocation of your consent should in principle be sent to us by email to legal@swissbilling.ch or by signed letter. A procedure will be sent to you.

Moreover, you can object to the processing of your personal data for the purpose of advertising at any time by notifying us as aforementioned.

11. Amendments of this Privacy Policy

This Privacy Policy can be amended in the course of time if we amend our data processing or new legal provisions become applicable. The currently applicable Privacy Policy can be found on https://www.swissbilling.ch/en/privacy-policy. We inform you in a suitable manner (in writing or electronically, e.g., by e-mail) if an adjusted Privacy Policy has entered into force.

In the event of ambiguities, the English text of this Privacy Policy precedes.

Version: January 2020