Data protection

1. Contact Information

The data controller is:

it serve ag
laenggassstrasse 26
ch-3012 bern

info@itserve.ch

In specific cases, third parties may be responsible for the processing of personal data, or there may be joint responsibility with third parties. We are happy to provide data subjects with information regarding the respective responsibility upon request.

2. Definitions and Legal Basis

2.1 Definitions
Data subject: A natural person whose personal data we process.

Personal data: Any information relating to an identified or identifiable natural person.

Sensitive personal data: Data regarding trade union, political, religious, or ideological views and activities; data regarding health, sexual life, or membership in an ethnic or racial group; genetic data; biometric data that uniquely identifies a natural person; data regarding criminal or administrative sanctions or proceedings; and data regarding social assistance measures.

Processing: Any handling of personal data, regardless of the means and procedures used, such as retrieving, comparing, adapting, archiving, storing, reading, disclosing, obtaining, recording, collecting, deleting, revealing, sorting, organizing, saving, modifying, disseminating, linking, destroying, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Basis
We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process personal data – to the extent that the European General Data Protection Regulation (GDPR) applies – in accordance with at least one of the following legal bases:

• Art. 6(1)(b) GDPR for the processing of personal data necessary to fulfill a contract with the data subject and to implement pre-contractual measures.
• Art. 6(1)(f) GDPR for the necessary processing of personal data to safeguard legitimate interests – including the legitimate interests of third parties – provided that the fundamental freedoms and rights as well as the interests of the data subject do not take precedence. Such interests include, in particular, the sustainable, people-oriented, secure, and reliable conduct of our activities and operations, ensuring information security, protection against misuse, the enforcement of our own legal claims, and compliance with Swiss law.
• Art. 6(1)(c) GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under the applicable law of Member States in the European Economic Area (EEA).
• Art. 6(1)(e) GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
• Art. 6(1)(a) GDPR for the processing of personal data with the consent of the data subject.
• Art. 6(1)(d) GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
• Art. 9(2) et seq. GDPR for the processing of special categories of personal data, in particular with the consent of the data subjects.

The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and the processing of sensitive personal data as the processing of special categories of personal data (Art. 9 GDPR).

3. Nature, Scope, and Purpose of the Processing of Personal Data

We process the personal data necessary to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. The personal data processed may fall, in particular, into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data may also constitute special-category personal data.

We also process personal data that we receive from third parties, obtain from publicly available sources, or collect in the course of our activities and operations, to the extent that such processing is permitted.

We process personal data, where necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example to fulfill legal obligations or to safeguard legitimate interests. We may also request consent from data subjects even when their consent is not required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, in particular, in accordance with statutory retention and statute of limitations periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties may include, for example, specialized providers whose services we utilize. Such third parties may in turn disclose personal data to other third parties.

In the course of our activities and operations, we may disclose personal data in particular to banks and other financial service providers, government agencies, educational and research institutions, consultants and attorneys, accounting and fiduciary service providers, collection agencies, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media outlets, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.

5. Communication

We process personal data in order to communicate with individuals as well as with authorities, organizations, and companies. In doing so, we process, in particular, data that a data subject provides to us when contacting us, for example by mail or email. We may store such data in an address book or using comparable tools.

Third parties who transmit data about other individuals to us are legally obligated to independently ensure the data protection of those data subjects. In particular, they must ensure that they are authorized to transmit such data and must also guarantee the accuracy of the transmitted data.

6. Data Security

We take appropriate technical and organizational measures to ensure data security commensurate with the respective risk. Through our measures, we ensure in particular the confidentiality, availability, traceability, and integrity of the personal data processed, without, however, being able to guarantee absolute data security.

Access to our website and our other digital presence is secured via transport encryption (SSL/TLS, specifically using the Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers warn users before visiting a website without transport encryption.

Our digital communications – like all digital communications in general– are subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence over the processing of personal data by intelligence agencies, police departments, and other security authorities. Nor can we rule out the possibility that a data subject may be specifically monitored.

7. Personal Data Abroad

We generally process personal data in Switzerland and within the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular to process it there or have it processed there.

We may export personal data to any country on Earth and elsewhere in the universe, provided that the law of that country ensures adequate data protection in accordance with a decision by the Swiss Federal Council and –where and to the extent that the General Data Protection Regulation (GDPR) applies – also in accordance with a decision by the European Commission.

We may transfer personal data to countries whose laws do not ensure adequate data protection, provided that data protection is ensured for other reasons, in particular on the basis of standard data protection clauses or other suitable safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if the specific legal requirements for data protection are met, such as the explicit consent of the data subjects or a direct connection to the conclusion or performance of a contract. Upon request, we are happy to provide data subjects with information regarding any such safeguards or to supply a copy of any such safeguards.

8. Rights of Data Subjects

8.1 Data Protection Rights
We grant data subjects all rights in accordance with applicable law. Data subjects have the following rights in particular:

• Right of access: Data subjects may request information as to whether we process personal data about them and, if so, what personal data is involved. Data subjects also receive the information necessary to assert their data protection rights and ensure transparency. This includes the personal data being processed as such, as well as details regarding the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data.
• Rectification and restriction: Data subjects may have inaccurate personal data corrected, incomplete data completed, and the processing of their data restricted.
• Right to express one’s own point of view and human review: Data subjects may, in the case of decisions based exclusively on automated processing of personal data that have legal consequences for them or significantly affect them (automated individual decisions), express their own point of view and request a review by a human.
• Erasure and objection: Data subjects may have personal data erased (‘right to be forgotten’) and object to the processing of their data with effect for the future.
• Data Disclosure and Data Portability: Data subjects may request the disclosure of personal data or the transfer of their data to another controller.

We may defer, restrict, or refuse the exercise of data subjects’ rights within the legally permissible scope. We may inform data subjects of any conditions that must be met for the exercise of their data protection rights. For example, we may refuse to provide information in whole or in part, citing confidentiality obligations, overriding interests, or the protection of other individuals. We may also, for example, refuse to delete personal data in whole or in part, particularly by citing statutory retention obligations.

We may, in exceptional cases, charge a fee for the exercise of these rights. We will inform data subjects in advance of any such costs.

We are obligated to identify data subjects who request information or assert other rights through appropriate measures. Data subjects are obligated to cooperate.

8.2 Legal Protection
Data subjects have the right to enforce their data protection claims through legal channels or to file a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), the data protection supervisory authorities have a federal structure, particularly in Germany.

9. Use of the Website

9.1 Cookies
We may use cookies. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data need not be limited to traditional text-based cookies.

Cookies can be stored temporarily in the browser as ‘session cookies’ or for a specific period as so-called permanent cookies. ‘Session cookies’ are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies enable, in particular, the recognition of a browser upon the next visit to our website and thereby, for example, the measurement of our website’s reach. Permanent cookies can also be used, for example, for online marketing.

Cookies can be fully or partially disabled, restricted, or deleted at any time in the browser settings. Browser settings often also allow for automated deletion and other management of cookies. Without cookies, our website may no longer be fully available. We actively request – at least to the extent required by applicable law – your explicit consent to the use of cookies.

For cookies used for performance and reach measurement or for advertising, a general opt-out is available for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

9.2 Logging
We may log at least the following information for every access to our website and our other digital presence, provided that this information is determined or transmitted by default during such accesses to our digital infrastructure: Date and time, including time zone; IP address; access status (HTTP status code); operating system, including user interface and version; browser, including language and version; specific subpage of our website accessed, including the amount of data transferred; the last webpage accessed in the same browser window (referrer).

We log such information, which may also constitute personal data, in log files. This information is necessary to ensure that our digital presence is available on a permanent, user-friendly, and reliable basis. The information is also necessary to ensure data security – including through third parties or with the assistance of third parties.

9.3 Web Beacons 
We may incorporate web beacons into our digital presence. Tracking pixels are also known as web beacons. Tracking pixels – including those from third parties whose services we use – are typically small, invisible images or JavaScript scripts that are automatically loaded when you access our digital presence. Tracking pixels can capture at least the same information as is recorded in log files.

10. Social Media

We maintain a presence on social media platforms and other online platforms to communicate with interested individuals and to provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The General Terms and Conditions (GTC) and Terms of Use, as well as privacy policies and other provisions of the individual operators of such platforms, also apply in each case. These provisions provide information in particular about the rights of data subjects directly vis-à-vis the respective platform, including, for example, the right of access.

11. Third-Party Services

We use services provided by specialized third parties to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. These services allow us, among other things, to embed functions and content into our website. When such embedding occurs, the services used collect users’ IP addresses – at least temporarily – for technically necessary reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized form. This includes, for example, performance or usage data required to provide the respective service.

In particular, we use:

• Google services: Providers: Google LLC (USA)/Google Ireland Limited (Ireland), in part for users in the European Economic Area (EEA) and Switzerland; General information on dataprotection: ‘Handling of Data Protection & Security Measures,’ Privacy Policy, ‘More information on how Google uses personal data,’ ‘Google is committed to complying with applicable data protection laws,’ ‘Guide to Data Protection in Google Products,’ ‘How We Use Data from Websites or Apps on Which Our Services Are Used,’ Cookie Policy, ‘Ads You Can Control’ (Settings for personalized ads).

11.1 Digital Infrastructure
We use services from specialized third parties to access the digital infrastructure required in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.

11.2 Map Data 
We use third-party services to embed maps on our website. In particular, we use:

• OpenStreetMap (OSM): Map service; Provider: OpenStreetMap Foundation (United Kingdom); Privacy information: Privacy Policy.

12. Success and Reach Measurement

We strive to measure the success and reach of our activities and operations. In this context, we may also measure the impact of third-party references or test how different parts or versions of our digital presence are used (‘A/B testing’ method). Based on the results of success and reach measurement, we can, in particular, correct errors, enhance popular content, or make improvements.

In most cases, the IP addresses of individual users are collected for performance and reach measurement. In this case, IP addresses are generally truncated (‘IP masking’) to comply with the principle of data minimization through appropriate pseudonymization.

Cookies may be used for performance and reach measurement, and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our digital presence, information about the size of the screen or browser window, and the user’s location (at least approximately). In principle, any user profiles are created exclusively in pseudonymized form and are not used to identify individual users. Certain third-party services with which users are registered may, in some cases, associate the use of our online offering with the user account or user profile for the respective service.

In particular, we use: Google Marketing Platform: performance and reach measurement, specifically with Google Analytics; provider: Google; Google Marketing Platform-specific details: Measurement across different browsers and devices (cross-device tracking) using pseudonymized IP addresses, which are only transferred in full to Google in the U.S. in exceptional cases; Google Analytics Privacy Policy; ‘Browser add-on to disable Google Analytics.’

13. Final Notes on the Privacy Policy

We have created this privacy policy using the privacy policy generator from Datenschutzpartner.

We may update this privacy policy at any time. We will notify you of updates in an appropriate manner, in particular by publishing the current version of the privacy policy on our website.