Trisa AG (hereinafter also "we", "us") obtains and processes personal data that concerns you or other people (so-called "third parties"). We use the term "data" here synonymously with "personal data" or "personal data".
If you provide us with information about other people, we will assume that you are authorized to do so and that this information is accurate. By transmitting data via third parties, you confirm this.
This data protection declaration is designed to meet the requirements of the EU General Data Protection Regulation («DSGVO»), the Swiss Data Protection Act («DSG») and the revised Swiss Data Protection Act («revDSG»). However, whether and to what extent these laws are applicable depends on the individual case.
2. Who is responsible for processing your data?
In terms of data protection law, Trisa AG, Triengen ("Trisa") is responsible for the data processing by Trisa AG described in this data protection declaration, unless otherwise communicated in individual cases, e.g. in further data protection declarations, on forms or in contracts. Unless otherwise communicated, this data protection declaration also applies to cases in which it is not Trisa but a group company of the Trisa Group that is responsible. This is particularly the case where your data is processed by such a group company in connection with its own legal obligations or contracts or you share data with such a group company. In these cases, this group company is the responsible party and only if you share your data with other group companies for their own purposes (see section 7) will these other group companies also become responsible parties.
You can contact us for your data protection concerns and to exercise your rights in accordance with Section 11 as follows:
We have appointed the following additional positions:
Data protection officer in accordance with Art. 37 ff. GDPR:
Data Protection Officer
You can also contact this office for data protection concerns.
3. What data do we process?
We process different categories of data about you. The most important categories are as follows:
When you use our website or other electronic offers (e.g. free WiFi), we collect the IP address of your device and other technical data to ensure the functionality and security of these offers. This data also includes logs that record the use of our systems. We generally retain technical data for 12 months. To ensure the functionality of these offers, we can also assign you or your device an individual code (e.g. in the form of a cookie, see section 12). The technical data themselves do not allow any conclusions to be drawn about your identity. However, as part of user accounts, registrations, access controls or the processing of contracts, they can be linked to other categories of data (and thus possibly to you personally).
Certain offers and services (e.g. login areas of our website, competitions, free WiFi access, etc.) can only be used with a user account or registration, which can be done directly with us or via our external login service providers. You will need to provide us with certain information and we will collect information about your use of the offer or service. If you redeem a Trisa voucher with us, we may require certain data from you when redeeming it. If we issue you a voucher for one of our contractual partners, we may transmit or receive certain of your registration data to the respective contractual partner (see Section 7). Registration data may be collected during access controls to certain facilities; depending on the control system, also biometric data. We generally retain registration data for 12 months after the end of use of the service or the termination of the user account.
If you contact us via the contact form, by email, telephone, letter or other means of communication, we collect the data exchanged between you and us, including your contact details and the peripheral data of the communication. If we record or listen to telephone conversations or video conferences, for example for training and quality assurance purposes, we will specifically inform you of this. Such recordings may only be made and used in accordance with our internal guidelines. You will be informed whether and when such recordings take place, e.g. through a display during the relevant video conference. If you do not wish to be recorded, please let us know or stop participating. If you simply do not want your image to be recorded, please turn off your camera. If we want or need to determine your identity, e.g. in the event of a request for information you have made, a request for media access, etc., we collect data to identify you (e.g. a copy of an ID card). We generally retain this data for 12 months from the last exchange with you. This period may be longer if this is necessary for evidentiary reasons or to comply with legal or contractual requirements or for technical reasons. Emails in personal mailboxes and written correspondence are generally retained for at least 10 years.
Contractual data (see below) is required for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details and information, for example, about your role and function, your bank details, your date of birth, customer history, powers of attorney, signature authorizations and declarations of consent. We process your master data if you are a customer or other business contact or work for one (e.g. as a contact person for a business partner), or because we want to address you for our own purposes or the purposes of a contractual partner (e.g. in the context of marketing and Advertising, with invitations to events, with vouchers or prize giveaways, with newsletters, etc.). We receive master data from you (e.g. when making a purchase or as part of a registration), from entities you work for or from third parties such as our contractual partners, associations and address dealers and from publicly accessible sources such as public registers or the Internet (Websites, social media, etc.). We can also process information about third parties as part of master data. We generally store this data for 10 years from the last exchange with you, but at least from the end of the contract. This period may be longer if this is necessary for evidentiary reasons or to comply with legal or contractual requirements or for technical reasons. For purely marketing and advertising contacts, the period is usually much shorter, usually no more than 2 years since the last contact.
These are data that arise in connection with the conclusion of a contract or the processing of the contract, e.g. information about contracts and the services to be provided or provided, as well as data from the run-up to the conclusion of a contract, the information required or used for processing and information about reactions (e.g. complaints or information about satisfaction etc.). We generally collect this data from you, from contractual partners and from third parties involved in the processing of the contract, but also from third-party sources (e.g. providers of creditworthiness data) and from publicly accessible sources. We generally retain this data for 10 years from the last contractual activity, but at least from the end of the contract. This period may be longer if this is necessary for evidentiary reasons or to comply with legal or contractual requirements or for technical reasons.
Behavioral and preference data
Depending on our relationship with you, we try to get to know you and better tailor our products, services and offers to you. To do this, we collect and use data about your behavior and preferences. We do this by evaluating information about your behavior in our area, and we may also supplement this information with information from third parties - including from publicly available sources. Based on this, we can calculate the probability that you will use certain services or behave in a certain way. Some of the data processed for this purpose is already known to us (e.g. when you use our services), or we obtain this data by recording your behavior (e.g. how you navigate on our website). We anonymize or delete this data when it is no longer meaningful for the purposes pursued, which is the case between [2-3] weeks (for movement profiles) and  months (for product and service preferences), depending on the type of data can be. This period may be longer if this is necessary for evidentiary reasons or to comply with legal or contractual requirements or for technical reasons. We describe how tracking works on our website in Section 12.
We also collect data from you in other situations. In connection with official or judicial proceedings, for example, data is generated (such as files, evidence, etc.) which can also relate to you. We may also collect data for health protection reasons (e.g. as part of protection concepts). We may receive or produce photos, videos and audio recordings in which you may be recognizable (e.g. at events, through security cameras, etc.). We may also collect data about who enters certain buildings and when or has corresponding access rights (including access controls based on registration data or visitor lists, etc.), who takes part in events or activities and when, or who uses our infrastructure and systems and when. The retention period of this data depends on the purpose and is limited to what is necessary. This ranges from a few days for many of the security cameras and typically a few weeks for contact tracing data, to visitor data that is typically retained for  months, to reports of events with images that are a few years or longer can be stored.
You provide us with many of the data mentioned in this Section 3 yourself (e.g. via forms, when communicating with us, in connection with contracts, when using the website, etc.). You are not obliged to do this, subject to individual cases, e.g. within the framework of binding protection concepts (legal obligations). If you want to conclude contracts with us or use services, you must also provide us with data as part of your contractual obligation in accordance with the relevant contract, in particular master, contract and registration data. When using our website, the processing of technical data is unavoidable. If you wish to gain access to certain systems or buildings, you will be required to provide us with registration information.
Unless this is impermissible, we also obtain data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, media or the Internet including social media) or receive data from other companies within our group, from authorities and from other third parties (such as credit reference agencies , address dealers, associations, contractual partners, Internet analysis services, etc.).
4. For what purposes do we process your data?
We process your data for the purposes that we explain below. Further information for the online area can be found in Sections 12 and 13. These purposes and the objectives on which they are based represent legitimate interests of us and, if applicable, of third parties. You can find further information on the legal basis for our processing in Section 5.
We process your data for purposes related to communication with you, in particular to answer inquiries and assert your rights (Section 11) and to contact you if you have any questions. For this purpose, we use communication data and master data in particular. We retain this data to document our communications with you, for training purposes, for quality assurance and for inquiries.
We process data for the recording, administration and processing of contractual relationships.
We process data for marketing purposes and to maintain relationships, e.g. to send our customers and other contractual partners personalized advertising about products and services from us and third parties. This can take place, for example, in the form of newsletters and other regular contacts (electronically, by post, by telephone), via other channels for which we have contact information from you, but also as part of individual marketing campaigns (e.g. events, competitions, etc.). Free services included (e.g. invitations, vouchers, gifts, etc.). You can reject such contacts at any time (see at the end of this section 4) or refuse or revoke your consent to be contacted for advertising purposes. With your consent, we can target our online advertising on the Internet more specifically to you (see section 12).
We continue to process your data for market research, to improve our services and operations and for product development.
We may also process your data for security purposes and access control.
We process personal data to comply with laws, instructions and recommendations from authorities and internal regulations ("compliance").
We also process data for risk management purposes and as part of prudent corporate management, including operational organization and corporate development.
We may process your data for other purposes, e.g. as part of our internal processes and administration.
5. On what basis do we process your data?
If we ask you for your consent for certain processing operations, we will inform you separately about the corresponding purposes of the processing. You can revoke your consent at any time with future effect by sending us a written notice (by post) or, unless otherwise stated or agreed, by email; Our contact details can be found in Section 2. To revoke your consent to online tracking, see Section 12. Where you have a user account, you may also be able to revoke your consent or contact us via the relevant website or other service become. Once we have received notice of your withdrawal of consent, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for doing so. Revoking your consent will not affect the lawfulness of the processing carried out based on your consent before its revocation.
Where we do not ask for your consent for processing, we will base the processing of your personal data on the fact that the processing is necessary for the initiation or performance of a contract with you (or the entity you represent) or that we or a third party have a legitimate interest in particular in order to pursue the purposes and associated goals described above in section 4 and to be able to carry out corresponding measures. Our legitimate interests also include compliance with legal regulations, unless this is already recognized as a legal basis by the applicable data protection law (e.g. in the case of the GDPR, the law in the EEA and Switzerland). If we receive sensitive data (e.g. health data, information about political, religious or philosophical views or biometric data for identification), we may also process your data based on other legal bases, for example in the event of a dispute due to the need for processing for any legal process or the enforcement or defense of legal claims. In individual cases, other legal reasons may apply, which we will communicate to you separately if necessary.
6. What applies to profiling and automated individual decisions?
We can automatically evaluate certain of your personal characteristics for the purposes stated in Section 4 using your data (Section 3) (“profiling”) if we want to determine preference data, but also to determine misuse and security risks, to carry out statistical evaluations or for operational planning purposes. For the same purposes, we can also create profiles, i.e. we can combine behavioral and preference data, but also master and contract data and technical data assigned to you, in order to better understand you as a person with your different interests and other characteristics.
In this case, we pay attention to the proportionality and reliability of the results and take measures to prevent misuse of these profiles or profiling. If these can have legal effects or significant disadvantages for you, we generally carry out a manual check.
7. Who do we share your data with?
In connection with our contracts, the website, our services and products, our legal obligations or otherwise to protect our legitimate interests and the other purposes listed in section 4, we also transmit your personal data to third parties, in particular to the following categories of recipients:
Group companies: You can find a list of our group companies here [https://trisa.ch/de/trisa/trisa-gruppe]. According to this data protection declaration, the group companies can use the data for the same purposes as we do (see section 4).
Service providers: We work with service providers at home and abroad who process data about you on our behalf or under joint responsibility with us or who receive data about you from us on their own responsibility.
Contractual partners including customers: This initially refers to our customers and other contractual partners because this data transfer results from these contracts. If you work for such a contractual partner yourself, we may also transmit data about you to them in this context. Recipients also include contractual partners with whom we cooperate or who advertise for us and to whom we therefore transmit data about you for analysis and marketing purposes (these can in turn be service recipients, but also, for example, sponsors and providers of online advertising). We require these partners to only send you advertising or display it based on your data if you have agreed to this (for the online area, see Section 12). Our central cooperation partners and online advertising contractual partners are listed in Section 12.
Authorities: We can pass on personal data to authorities, courts and other authorities at home and abroad if we are legally obliged or authorized to do so or if this appears necessary to protect our interests. The authorities are responsible for processing data about you that they receive from us.
Other persons: This refers to other cases where the involvement of third parties arises from the purposes set out in section 4, e.g. service recipients, media and associations in which we participate or if you are part of one of our publications.
All of these categories of recipients may in turn involve third parties so that your data can also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not that of other third parties (e.g. authorities, banks, etc.).
8. Does your personal data also go abroad?
As explained in Section 7, we also disclose data to other parties. These are not only in Switzerland. Your data can therefore also be processed in Europe; but in exceptional cases in every country in the world.
If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection (for this purpose we use the European Commission's revised Standard Contractual Clauses, which can be found here: https://eur-lex.europa.eu/eli/ dec_impl/2021/914/oj? are available) unless it is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exception provision. An exception may apply in particular in legal proceedings abroad, but also in cases of overriding public interests or if the execution of a contract requires such disclosure, if you have given your consent or if it concerns data that you have made generally accessible and the processing of which you have not objected to.
9. How long do we process your data?
We process your data for as long as our processing purposes, the legal retention periods and our legitimate interests in processing for documentation and evidence purposes require it, or for as long as storage is required for technical reasons. Further information on the respective storage and processing period can be found under the individual data categories in Section 3 or for the cookie categories in Section 12. If there are no legal or contractual obligations to the contrary, we will delete or anonymize your data after the storage period has expired. or processing time as part of our usual processes.
10. How do we protect your data?
We take appropriate security measures to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to counteract the risks of loss, accidental alteration, unwanted disclosure or unauthorized access.
11. What rights do you have?
Under certain circumstances, applicable data protection law grants you the right to object to the processing of your data, in particular those for the purposes of direct marketing, profiling for direct advertising and other legitimate interests in processing.
To make it easier for you to control the processing of your personal data, you also have the following rights in connection with our data processing, depending on the applicable data protection law:
- The right to request information from us as to whether and what data we process about you;
- the right for us to correct data if it is inaccurate;
- the right to request deletion of data;
- the right to request that we release certain personal data in a common electronic format or to transfer it to another person responsible;
- the right to withdraw consent to the extent that our processing is based on your consent;
- the right to request further information necessary to exercise these rights;
If you wish to exercise the above rights against us (or against any of our group companies), please contact us in writing, at our location or, unless otherwise stated or agreed, by email; Our contact details can be found in Section 2. In order for us to rule out misuse, we must identify you (e.g. with a copy of your ID, unless this is possible otherwise).
Please note that these rights are subject to requirements, exceptions or restrictions under applicable data protection law (e.g. to protect third parties or trade secrets). We will inform you accordingly if necessary.
If you do not agree with our handling of your rights or data protection, please let us know or our data protection officer (Section 2). In particular, if you are located in the EEA, the UK or Switzerland, you also have the right to complain to your country's data protection supervisory authority. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de. The UK regulator can be contacted here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt/adresse.html.
12. Do we use online tracking and online advertising techniques?
We use various technologies on our website that allow us and third parties we engage to recognize you when you use it and, under certain circumstances, to track you across multiple visits. In this section we will inform you about it.
Essentially, it's about us being able to distinguish your access (via your system) from access from other users so that we can ensure the functionality of the website and carry out evaluations and personalization. We do not want to draw conclusions about your identity, even if we can, if we or third parties we engage can identify you through combination with registration data. Even without registration data, the technologies used are designed in such a way that you are recognized as an individual visitor each time you access the page, for example by our server (or the servers of third parties) assigning you or your browser a specific identification number (so-called "cookie").
We use such techniques on our website and allow certain third parties to do the same. Depending on the purpose of these techniques, we will ask for your consent before they are used. You can access your current settings on the homepage using the cookie button. You can program your browser so that it blocks certain cookies or alternative technologies, deceives you or deletes existing cookies. You can also enhance your browser with software that blocks tracking by certain third parties. Further information can be found on the help pages of your browser (usually under the keyword "data protection") or on the third-party websites that we list below.
A distinction is made between the following cookies (techniques with comparable functions such as fingerprinting are included here):
Some cookies are necessary for the website to function as such or for certain functions. For example, they ensure that you can switch between pages without losing information entered in a form. They also ensure that you stay logged in. These cookies only exist temporarily ("session cookies"). If you block them, the website may not work. Other cookies are necessary so that the server can store decisions or entries you make beyond a single session (i.e. a visit to the website) if you use this function (e.g. selected language, consent given, the automatic login function, etc.) . These cookies have an expiry date of up to  months and are managed by the company DataReporter GmbH Zeileisstraße 6, 4600 Wels in Austria.
In addition to marketing cookies, we use other techniques to control online advertising on other websites and thereby reduce wastage. For example, we can transmit the email addresses of our users, customers and other people to whom we want to show advertising to operators of advertising platforms (e.g. social media). If these people are registered there with the same email address (which the advertising platforms determine through a comparison), the operators will show the advertising we place specifically to these people. The operators do not receive personal email addresses from people who are not already known. However, if you have known email addresses, you will find out that these people are in contact with us and what content they have accessed.
We can also include other offers from third parties on our website, in particular from social media providers. These offers are deactivated by default. As soon as you activate them (e.g. by clicking a switch), the relevant providers can determine that you are on our website. If you have an account with the social media provider, they can assign this information to you and thus track your use of online offerings. These social media providers process this data on their own responsibility.
We currently use offers from the following service providers and advertising contract partners (insofar as they use data from you or cookies set by you to control advertising):
Google Ireland (based in Ireland) is the provider of the "Google Analytics" service and acts as our data processor. For this purpose, Google Ireland relies on Google LLC (based in the USA) as its processor (both "Google"). Google uses performance cookies (see above) to track the behavior of visitors to our website (duration, frequency of pages accessed, geographical origin of access, etc.) and, on this basis, creates reports for us about the use of our website. We have configured the service so that the IP addresses of visitors to Google in Europe are shortened before being forwarded to the USA and therefore cannot be traced back. We have turned off the "Data sharing" and "Signals" settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google can draw conclusions about the identity of visitors from this data for its own purposes, create personal profiles and share this data with Google -Accounts of these people can be linked. If you agree to the use of Google Analytics, you explicitly consent to such processing, which also includes the transfer of personal data (in particular website and app usage data, device information and individual IDs) to the USA and other countries. Information about Google Analytics data protection can be found here [https://support.google.com/analytics/answer/6004245] and if you have a Google account, you can find further information about processing by Google here [https:// policies.google.com/technologies/partner-sites?hl=de].
13. What data do we process on our social network pages?
We can operate pages and other online presences on social networks and other platforms operated by third parties ("fan pages", "channels", "profiles", etc.) and collect the data about you described in Section 3 and below. We receive this data from you and the platforms when you come into contact with us via our online presence (e.g. when you communicate with us, comment on our content or visit our presence). At the same time, the platforms evaluate your use of our online presence and link this data with other data about you known to the platforms (e.g. about your behavior and preferences). They also process this data for their own purposes under their own responsibility, in particular for marketing and market research purposes (e.g. to personalize advertising) and to control their platforms (e.g. what content they show you).
We process this data for the purposes described in Section 4, in particular for communication, for marketing purposes (including advertising on these platforms, see Section 12) and for market research. You can find information about the relevant legal bases in Section 5. We can distribute content that you have published yourself (e.g. comments on an announcement) (e.g. in our advertising on the platform or elsewhere). We or the operators of the platforms may also delete or restrict content from or about you in accordance with the usage guidelines (e.g. inappropriate comments).
For further information on the processing carried out by the platform operators, please refer to the platforms’ data protection information. There you will also find out in which countries they process your data, what information, deletion and other data subject rights you have and how you can exercise these or obtain further information. We currently use the following platforms:
Facebook: Here we operate the page www.facebook.com/trisaag. The responsible body for operating the platform for users from Europe is Meta Platforms Ireland Limited in Dublin. Their data protection information is available at www.facebook.com/policy. Some of your data will be transferred to the USA. Objection to advertising is possible here: www.facebook.com/settings?tab=ads. We and Meta Platforms Ireland Limited are jointly responsible for the data collected and processed when you visit our site to create "Page Insights". Page Insights creates statistics about what visitors do on our site (commenting on posts, forwarding content, etc.). This is described at www.facebook.com/legal/terms/information_about_page_insights_data. It helps us understand how our site is used and how we can improve it. We only receive anonymous, aggregated data. We have regulated our responsibilities regarding data protection in accordance with the information on www.facebook.com/legal/terms/page_controller_addendum.
Instagram: Here we operate the website www.instagram.com/trisa_switzerland. The responsible body for the operation of the platform for users from Europe is Meta Platforms Ireland Limited in Dublin. Their data protection information is available at www.privacycenter.instagram.com/policy. Some of your data will be transferred to the USA. Objection to advertising is possible here: https://help.instagram.com. We and Meta Platforms Ireland Limited are jointly responsible for the data collected and processed when you visit our site to create "Page Insights". Page Insights creates statistics about what visitors do on our site (commenting on posts, forwarding content, etc.). This is described on https://help.instagram.com/788388387972460/?helpref=uf_share. It helps us understand how our site is used and how we can improve it. We only receive anonymous, aggregated data.
Youtube: Here we operate the website www.youtube.com/@TRISAAG. The responsible body for operating the platform for users from Europe is Google Building Gordon House Ireland in Dublin. Their data protection information is available at www.policies.google.com/privacy. Some of your data will be transferred to the USA. Objection to advertising is possible here: https://adssettings.google.com/.
Last updated: September 1, 2023