The protection of your personal data and fair and transparent data processing are important to us. Therefore, we (“we”, “us”, “SWISSBILLING” or “SWB”) would like to inform you about our data processing and provide you with the information you need to exercise your rights.
Further information can be found in the respective product and service-specific terms and conditions, on our website, in the loyalty and added-value program conditions of our processors (see list section 6 below) and, if applicable, in further privacy policies.
2. Who are we?
Rue du Caudray 4
+41 44 51 24 25 4
Our Data Protection Officer will be happy to answer any questions and concerns you may have in connection with our data protection practices.
4. What personal data do we process for which purposes and from which sources?
The personal data we process originate, on the one hand, from you as existing or future contractual partners, and, on the other hand, from publicly accessible sources (e.g., the media or Internet), from government agency bodies (e.g., residents’ registration authorities, the land registry, the commercial registry or debt collection offices) and from third parties (e.g., CRIF AG, the Central Credit Office [ZEK] for merchants).
Depending on the occasion and purpose, we process different personal data, e.g., personal details (name, address and other contact data, date and place of birth as well as nationality), identification data (e.g., identity document data). In addition, this may include instruction, transaction and risk management data (e.g., payment transaction data and data from processing of contractual relationships), information about your financial situation (e.g. scoring/rating data [see explanation in section 4 d below]), tax-relevant information (information on where you are registered for tax purposes and any other relevant documents and information) as well as contractual and documentation data (e.g., information on the account, concluded transaction or about third parties such as civil partners or authorized representatives, etc.).
Particularly sensitive personal data are data that enjoy special protection (e.g., information on ethnic origin, political opinion, religious and ideological beliefs, sexual preferences, health data or information on criminal convictions). Such data will only be processed with your consent or based on a legal basis.
Please note that consent to the processing of non-sensitive personal data is not systematically requested, as it is not always necessary, e.g. to comply with the provisions of the Code of Obligations, etc.
Among other things, we process personal data in the following situations for the following purposes and on the legal basis mentioned below. Data processing may also be based on several legal bases.
a) When you contact us (by e-mail, letter or via the contact form on our websites)
If you contact us, whatever the reason may be, the data you disclose, including the contact data you add in your message, will be saved with us for the purpose of processing your request.
If you are a merchant, your data may be used for prospection if you give your consent in this respect.
The legal basis for this processing is Art. 13 para. 1 and 2 let. a FADP, and where applicable Art. 6 para. 1 let. a and b GDPR.
We store this data until you ask us to delete it, if you revoke your consent to its storage, or if the purpose of data storage expires (e.g. after the processing of your request has been completed). In principle, general queries and comments, requests for information and/or payment plan, etc. are kept for 2 years from the last communication exchanged with you, if no agreement is concluded. Otherwise, it is stored for 10 years after the termination of the contract. Mandatory legal provisions - in particular retention periods - remain reserved.
b) When you contact us via phone call
If you speak with our support department over the phone, the conversation may be recorded and the data you disclose, including the contact data you specify, will be saved with us for the purpose of processing your request and may be used for quality checks and training purposes.
The legal basis for this processing is Art. 13 para. 1 and 2 let. a FADP, and where applicable Art. 6 para. 1 let. a and b GDPR.
We store this data until you ask us to delete it, if you revoke your consent to its storage, or if the purpose of data storage expires (e.g. after the processing of your request has been completed). In principle, general queries and comments, requests for information, etc. are kept for 2 years from the last communication exchanged with you, if no agreement is concluded. Otherwise, it is stored for 10 years after the termination of the contract. Mandatory legal provisions - in particular retention periods - remain reserved.
c) While you visit our websites www.swissbilling.ch and/or www.my.swissbilling.ch and/or use the Swissbilling mobile app
When you visit our websites and/or when you use our mobile app, we process information such as log data, for instance information about the time of the access to our websites, duration of the visit and pages retrieved. For these purposes, we can use technologies such as “cookies” and other similar technologies. Cookies are small files stored on your terminal when you visit one of our websites. Further information can be found on our websites and in the product-specific contractual and, if applicable, data protection provisions. There are several types of cookies on our site, but none of advertising nature.
You are free to withdraw your consent to the use of the aforementioned cookies at any time by disabling cookies in your browser preferences. Please note that if you do not allow the storage of cookies, some features and pages will not function correctly. You can also automatically or manually delete a cookie from your computer. To do so, follow the instructions in the online help of your browser.
In any case, the cookies we use do not last longer than 6 months.
- Necessary cookies:
They are essential to the operation of the site. Without them, you cannot use our web pages as intended. These cookies are exclusively used by us. Legal basis: Art. 13 para. 1 FADP, and where applicable Art. 6 para. 1 let. a GDPR.
- Functional and performance cookies:
They allow you to save your preferences for screen layouts and language to enhance your user experience. They also collect information about the use of our site in order to improve its attractiveness, content and functionality. Legal basis: Art. 13 para. 1 FADP, and where applicable Art. 6 para. 1 let. a GDPR.
- Cookies for audience measurement (Google Analytics):
They are used to obtain statistics in order to optimize the performance of our site. For our website swissbilling.ch, we exclusively use the Google Analytics tool (server-side cookie), a tool of GOOGLE Inc. (California, USA). We have, however, taken the appropriate measures to ensure that no personal data is transmitted to GOOGLE Inc. (anonymization of your IP address and integration of Google Analytics on the server side) in order to protect your privacy. The statistics we obtain from this tool are completely anonymized and are not passed on to third parties or outside Switzerland. Legal basis: Art. 13 para. 1 FADP, and where applicable Art. 6 para. 1 let. a GDPR.
d) For the conclusion, execution and enforcement of agreements
The processing of personal data aims at providing our financial services in the context of concluding, executing and enforcing the agreements with our customers, employees or contractual partners or implementing precontractual measures that occur following a request that you have filed.
Future/existing merchants/customers: The purpose of data processing is primarily to analyze, monitor and control the credit risk (scoring) of the merchants/customers and to prevent fraud. This may include the verification of the identity of the merchants. If we agree to provide our services, we process the data to generate and send invoices to the customers, pay the merchants and get reimbursed. Further details on the purpose of the data processing can be found in the respective contractual documents, terms and conditions and, if applicable, other documents made available to you.
Future/existing employees: The purpose of data processing is primarily to recruit future employees and afterwards to execute the labor agreement. Further details on the purpose of the data processing can be found in the respective contractual documents, terms and conditions and, if applicable, other documents made available to you.
Future/existing contractual partners: The purpose of data processing is primarily to send invoices to the customers. Further details on the purpose of the data processing can be found in the respective contractual documents, terms and conditions and, if applicable, other documents made available to you.
Legal basis: Art. 13 para. 1 FADP and where applicable Art. 6 para. 1 let. b GDPR.
In principle, we store this data for 10 years after termination of the agreement. In the event that no agreement is concluded, the data are in principle kept for 2 years from the last communication exchanged with you. Mandatory legal provisions - in particular retention periods - remain reserved.
e) While you visit our buildings
For security reasons, we have taken measures to control the access to our buildings.
The legal basis for this processing is Art. 13 para. 1 (balance of interests) FADP and, where applicable, Art. 6 let. f GDPR.
We store these data until the purpose of data storage expires (e.g. after no violation has been noted). In principle, these data are kept for 3 months if no violation has taken place. Mandatory legal provisions - in particular retention periods - remain reserved.
f) For marketing purposes
We process data for market research, marketing evaluations, preparation and offering of customized services (e.g., direct marketing, print and online advertising, customer, interested party or cultural events, sponsoring, competitions, determining customer satisfaction, assessment of future customer needs or behavior or evaluation of customer, market or product potential) for our own offers.
Legal basis: Art. 13 para. 1 FADP, and where applicable Art. 6 para. 1 let. a GDPR.
We store this data until you ask us to delete it, if you revoke your consent to its storage, or if the purpose of data storage expires (e.g. if we no longer carry out marketing actions). Mandatory legal provisions - in particular retention periods - remain reserved.
g) In the context of a balance of interests
In addition, we also process your data to protect our legitimate interests, provided they are not outweighed by your interests.
Legal provisions: Art. 13 para. 1 FADP, and where applicable Art. 6 para. 1 let. f GDPR.
We store this data until you ask us to delete it, if you revoke your consent to its storage, or if the purpose of data storage expires (e.g. if we no longer have an interest in this respect). Mandatory legal provisions - in particular retention periods - remain reserved.
The following is a non-exhaustive list of processing purposes that present legitimate interests:
- Protection of rights, e.g., to enforce claims in court, prior to litigation, outside of court and before domestic and foreign authorities or to defend ourselves against claims. Third parties can clarify the chances of success in this respect or submit documents to authorities. Authorities may also request that we disclose documents containing personal data;
- Ensuring IT security and IT operations of SWB;
- Internal organization and general accounting;
- Prevention and investigation of criminal offences;
- Corporate transactions: We can also process personal data to prepare and process company takeovers and sales and the acquisition or sale of assets, such as receivables or real estate and similar transactions;
- Evaluation, planning, statistics, product development and business decisions (e.g., improvement and review of existing products, new products and services, procedures, technologies, systems, yields, capacity utilization figures).
5. Do you have an obligation to provide personal data?
Usually, you are not obliged to provide us with personal data. However, we are not able to enter into a contractual relationship with you if you do not provide us with the personal data required for a business relationship and the fulfillment of contractual obligations or which we are legally obliged to collect (e.g., information required for identification, such as name, place, contact details, etc.).
6. With whom do we share your personal data?
Within SWB, the departments, employees and other bodies which have access to your personal data are exclusively the ones which require such access in order to perform their tasks.
In addition, we may outsource individual or entire business areas and services to Cembra Money Bank AG and to third parties in Switzerland and abroad, assign claims and rights and enter into cooperation with partners. If necessary, your personal data will be forwarded to these recipients. Through our diligent selection of processors and the conclusion of adequate agreements, we ensure that third parties comply with the applicable data protection provisions.
In particular, this involves services and cooperation in the following areas:
- IT services, e.g., services in the areas of data storage (hosting), security measures, cloud services, mailing of advertising material, data analysis, email exchanges;
- measures for the security of our buildings;
- advisory services, e.g., services of tax advisors, lawyers, business consultants, employee recruitment advisors;
- credit checks, by CRIF AG and/or Creditreform AG;
- fraud prevention;
- invoice production, by Avaloq Outline AG;
- administration of contractual relationships including debt enforcement, e.g., application and contract processing, invoicing and processing of direct debits, enforcement of due claims;
- e.g., if claims are not paid timely, by CJS Caisse juridique Suisse SA;
- payroll, e.g. Cembra Money Bank AG;
- cooperation with insurance partners, e.g., AXA Versicherungen AG.
Forwarding of personal data is possible also in other cases. We can disclose your personal data to third parties if it is in our legitimate interest or if you have authorized us to do so. This is also the case if you are legally required to do so (normally, to authorities).
7. When do we transfer personal data abroad?
We can outsource our services abroad (see preceding section). Personal data can also be transmitted abroad during the execution of agreements or transactions, e.g., during the implementation of payment orders or the handling of payments. The recipients of your personal data may be abroad – and also outside the European Union (“EU”) or the European Economic Area (“EEA”, this includes the Principality of Liechtenstein, for example). The relevant countries may not have laws that protect your personal data to the same extent as in Switzerland or in the EU or EEA. If we transmit your personal data to such a third country, we shall secure the protection of your personal data in an appropriate manner. This may include the conclusion of adequate data processing agreements with the recipients of your personal data in such countries or BCR (binding corporate rules). Adequate agreements may include ones which have been approved, set up or recognized by the European Commission and Federal Data Protection and Information Commissioner (FDPIC).
Our main processors abroad are the following:
- The Rocket Science Group LLC (Mailchimp/Mandrill): https://mailchimp.com/help/mailchimp-european-data-transfers/
- Salesforce: https://www.salesforce.com/company/privacy/
- Zendesk Inc: https://www.zendesk.fr/company/privacy-and-data-protection/
- Atlassian (Jira, Confluence): https://www.atlassian.com/trust/compliance
- Google (Google Analytics): https://support.google.com/analytics/answer/3379636
- Microsoft (Azure DevOps): https://blogs.microsoft.com/on-the-issues/2020/07/16/eu-cross-border-data-ruling/
- Slack Technologies Inc: https://slack.com/intl/fr-ch/security-practices?eu_nc=1
8. Does profiling take place and do we perform automated decisions?
We can process your personal data to create profiles, e.g., for analyzing, evaluating and decision-making. Such processing can be performed by us for fraud prevention and for risk management purposes. You can object to the processing of your data for advertising purposes at any time (cf. section 10).
If we perform automated decision-making it is either required for the conclusion or fulfillment of a contractual relationship or it is based on your explicit consent. We shall inform you of such decisions if this is legally required.
9. How do we protect your personal data?
We apply appropriate technical and organizational security measures in order to ensure the security of your personal data, e.g., to protect them against unauthorized or unlawful processing and the risk of loss and to prevent any unintentional change, undesired disclosure or unauthorized access.
The access to your data is limited to those who need it. For example, all data passing through our website is secured in accordance with current standards (HTTPS).
In order to prevent losses, your data is backed up daily. This backup is stored in two Tier III data centers and protected by an encryption key, for a period depending on the purpose of the data processing.
10. Which rights are you entitled to?
Each person affected has specific rights pursuant to the data protection law applicable to them. These include the following:
- the right of access;
- the right to rectification;
- the right to erasure (“right to be forgotten”);
- the right to restriction of processing;
- the right to object;
- the right not to be subject to a decision based solely on automated processing if GDPR is applicable;
- the right to data portability if GDPR is applicable; and
- the right to file a complaint with the competent authority.
To exercise your rights, please send your request by signed letter, with a copy of your identity document, to the following address: Swissbilling SA, Rue du Caudray 4, 1020 Renens, Switzerland. We will reply within 30 days.
You can revoke your consent for the processing of personal data at any time, without giving any reason. Please bear in mind such revocation of consent will only have effect for future data processing. Processing that occurred before the revocation remains unaffected. Subject to the deactivation and deletion of cookies by you directly, the revocation of your consent should generally be sent to us by email to email@example.com or by signed letter. A procedure will be sent to you.
Moreover, you can object to the processing of your personal data for the purpose of advertising at any time by notifying us as aforementioned.
Version: September 2020