General Privacy Notice of Buss AG

Buss AG and its group companies process personal data in different ways and for different purposes. A list of the group companies can be found under the following link: https://busscorp.com/contact/. References to “we” or “us”, refer to Buss AG in each case (see section 2).

“Personal data” means any information relating to an identified or identifiable natural person, and “processing” means any operation with personal data, such as collecting, using, and disclosing it.

This privacy notice explains our processing of such data (hereinafter referred to as “personal data” or “data”) when

• you visit our https://busscorp.com,
• you purchase our services or products,
• you apply for a job with us. In this case, please also note the supplementary Privacy Notice for applicants, which you can access on our website https://busscorp.com/privacy-policy-job-applicants/,
• you otherwise interact with us in the context of a contract,
• you contact us via email, post letter, on social media, through SMS, via a contact form, etc,
• you register for our newsletter
• ou otherwise interact with us in connection with our offers.

Although our services are generally addressed to companies, please take the time to read this Privacy Notice to find out how and why Buss AG processes your personal data, how Buss AG protects your personal data and what rights you have in this context. If you have any questions or wish to receive further information about our data processing, please do not hesitate to contact us (please see section 2 for our contact details).

If the Privacy Notice refers to “personal data“, this also includes “personal data” according to the GDPR. However, whether and to what extent the GDPR is applicable, depends on the individual case.

For the data processing set out in this Privacy Notice, the following company is the “controller”, i.e. the party primarily responsible for complying with data protection law, unless otherwise communicated in individual cases (e.g. in further privacy notices, on forms or in contracts):

Buss AG
Hohenrainstrasse 10
4133 Pratteln
Switzerland

If you are in contact with another group company, e.g. because you or your company obtain a service from this company or because you correspond directly with this group company, this company is considered to be the controller.

If you have any questions about data protection, please do not hesitate to contact us using the following address so that we can deal with your request as quickly as possible:

Gérard Hofer, CFO
+41 61 825 65 84
gerard.hofer@busscorp.com

We process different categories of personal data depending on the specific circumstances and purposes. You will find the most important categories below, whereby this list cannot be exhaustive.

In the case of contractual partners that are companies, we process less personal data because the applicable data protection law only covers data of natural persons (i.e. humans). However, we do process data of the contact persons we are in contact with, e.g. name, contact details, professional details communication details, information about signatories etc. as part of the general information about the companies we cooperate and contract with.

In general, you disclose most of the data mentioned in this section yourself (e.g. via forms, in the course of communication with us, in connection with contracts, when using the website, etc.). Subject to individual exemptions, you are not obliged to do so. If you wish to enter into contracts with us or claim services, you are required to provide us with data, in particular master data and contract data, as part of your contractual obligation under the relevant contract.

If you transmit or disclose data to us about other persons, such as work colleagues, we assume that you are authorised to do so and that such data is correct. You confirm this by submitting data about third parties. Please also ensure that the third parties have been informed about this Privacy Notice (e.g. by a reference to this Privacy Notice).

We refer to master data as the basic data that we require for the processing of our business relationships, for job applications or for marketing and advertising purposes and that relates directly to your identity. For example, we process the following master data:

• name, gender, age,
• contact details,
• for contact persons of companies, also details of your relationship to the company for which you work,
• signature authorisations.

In general, we receive this master data from yourself, but may also obtain it from other persons working for your company or from third parties such as our contractual partners and associations and address traders and from publicly accessible sources such as public registers or the internet (websites, social media, etc.).

Contract data is information that accrues in connection with the conclusion or execution of a contract, e.g. information about contracts and the services to be rendered or rendered, as well as data from the period prior to the conclusion of a contract, information about the conclusion of the contract itself (e.g. the date of conclusion and the subject matter of the contract), as well as the information required or used for processing. For example, we process the following contract data:

• date, information on the conclusion, nature and duration as well as conditions of the contract in question, data concerning the termination of the contract,
• contact details,
• information on the use of services,
• information on payments and payment methods, invoices, mutual claims, contacts with customer service, complaints, defects, returns, information on customer satisfaction, complaints, feedback, etc.

We receive this data from you, but also from partners with whom we work. This data may also relate to your company, in which case it is not “personal data”, but it may also relate to you if you work for a company or if you purchase services from us yourself.

Communication data is data related to our communication with you, e.g. when you contact us via the contact form or via other means of communication. Communication data are e.g.:

• name and contact details
• content of the correspondence
• responses to customer and satisfaction surveys
• information on the type, time and if applicable, location of the communication and other peripheral data of the communication.

If we record telephone conversations, we will inform you at the beginning of each conversation. If you do not agree to the recording and storage of the conversation, you have the option to terminate the conversation or contact us via other communication channels.

We may also collect data from you in other situations. In connection with official or judicial proceedings, for example, data (such as files, evidence, etc.) incurs that may also relate to you. We may also collect data for health protection purposes (e.g. in the context of protection concepts). We may also obtain or produce photographs, videos and sound recordings in which you may be identifiable (e.g. at events, through security cameras etc.). We may also collect information about participants in events or activities (e.g. competitions).

We use the personal data we collect primarily for processing your orders. If you have subscribed to our newsletter, we use your e-mail address for sending it. In addition, we also process your personal data, to the extent permitted and deemed appropriate, for other purposes in which we (and sometimes third parties) have a legitimate interest corresponding to the purpose:

• For communication purposes, i.e. to contact you and to maintain contact with you. This includes answering enquiries and contacting you in case of queries, e.g. by e-mail. For this purpose, we process your communication and master data in particular.
• For customer care and marketing purposes to offer you targeted information about new offers according to your personal interests and preferences, for example, through the newsletter and personalised advertising. For this purpose, we process in particular technical data and master and communication data. For further information on online marketing, please refer to section 5.
• We also process data to improve our services and for product development.
• To ensure IT security and prevention: We process personal data to monitor the performance of our operations, in particular IT, our website, applications and other platforms, for security purposes, to ensure IT security, to prevent theft, fraud and abuse and for evidence purposes. This includes, for example, the evaluation of system-side records of the use of our systems (log data), the prevention, defense and investigation of cyber attacks and malware attacks, analyses and tests of our networks and IT infrastructures, system and error checks.
• To maintain the internal rules and other measures for IT, building and facility security and for the protection of our employees and other persons and assets belonging to or entrusted to us (such as access controls, visitor lists, network and mail scanners, telephone records).
• For legal protection: We may also process personal data in order to enforce claims in or out of court and authorities in Switzerland and abroad, or to defend ourselves against claims. For this purpose, master data and communication data may be processed.
• To comply with legal requirements: This includes, for example, the processing of complaints and other notifications, compliance with orders of a court or authority, measures to detect and investigate abuses and generally measures that we are obliged to take by applicable law, self-regulation or industry standards. For this purposes, we may especially process your master and communication data.
• For administration and support: In order to make our internal processes efficient, we process data as necessary for the administration of IT, for accounting or for archiving data. For this purposes, we may in particular process,  communication and behavioural data as well as technical data.
• We may also process data for other purposes. These include company management including business organization and company development, other internal processes and administrative purposes (e.g. management of master data, accounting and archiving), training and educational purposes and the preparation and processing of the purchase and sale of business units, companies or parts of companies and other transactions under company law and the associated transfer of personal data, as well as measures for business management and the protection of other legitimate interests.

If we ask for your consent for certain data processing, we will inform you separately about the corresponding purposes of the processing. You can revoke your consent at any time by notifying us in writing.

If you communicate with us via social media and our profiles there (e.g. on Facebook, LinkedIn, Youtube etc.) or comment on or share content, we collect data, which we use primarily in order to communicate with you, for marketing purposes and for statistical evaluations. Please note that when you visit our social media sites the platform provider itself also collects and uses data (e.g. on user behavior), possibly together with other data already in its possession (e.g. for marketing purposes or to personalize the platform content). For more information on data processing by social network providers, please refer to the privacy policies of the respective social networks.

BUSS has no influence on the data collection and further processing by the social networks, nor on the scope, location and duration of data storage, analyses and linking or data transfer by the social networks.

In connection with our processing activities, we also disclose your personal data to other recipients.

Personal data that we receive from you or from third-party sources may be forwarded, in particular, to other companies of the Buss AG – Group (see section 2). This may serve the internal group administration or the support of the respective group companies and their own processing purposes, e.g. for the personalization of marketing activities or the development and improvement of services.

We further disclose personal data to service providers as required for their services. This particularly concerns IT service providers, but also consulting companies, analysis service providers, debt collection service providers, credit agencies, marketing service providers, etc. As far as service providers process personal data as processors, they are obliged to process personal data exclusively in accordance with our instructions and to implement data security measures. The disclosure of data serves in particular our legitimate interest in the secure, fast and efficient provision of our online services by a professional provider.

Data may also be disclosed to other recipients, e.g. to courts and authorities as part of legal proceedings and legal information and cooperation duties, to buyers of companies and assets, to financing companies in the case of securitizations and to collection agencies.

In individual cases, it is possible that we also disclose personal data to other third parties for their own purposes, e.g. if you have given us your consent to do so or if we are legally obliged or entitled to disclose such data.

Recipients of data are not only located in Switzerland. This applies in particular to group companies and certain service providers. These may also be located outside the European Economic Area (EEA) and Switzerland (especially in the USA and China), but also in other countries worldwide, e.g. Japan. For example, we may transfer data to authorities and other persons abroad if we are legally obliged to do so or, for example, in the context of a company sale or legal proceedings. Not all of these countries currently guarantee an adequate level of data protection according to the standards of Swiss law. We compensate for the lower level of protection, if necessary, by means of appropriate agreements, in particular the standard contractual clauses issued by the European Commission and recognized by the Swiss Data Protection and Information Commissioner (FDPIC). For more information and a copy of these clauses, please refer to: https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/arbeit_wirtschaft/datenuebermittlung_ausland.html.

In certain cases, we may transfer data in accordance with data protection requirements even without such contracts, e.g. if you have consented to the relevant disclosure or if the disclosure is necessary for the execution of the contract, for the establishment, exercise or enforcement of legal claims or for overriding public interest.

Please note that data exchange via internet is often routed via third countries. Thus, your data may end up abroad even if the sender and recipient are in the same country.

We store and process your personal data for as long as it is necessary for the purpose of processing (in the case of contracts, generally for the duration of the contractual relationship), for as long as we have a legitimate interest in storing it (e.g. in order to enforce legal claims, for archiving and or to ensure IT security) and for as long as the data is subject to a statutory retention obligation (for example, for certain data, a ten-year retention period applies). If there are no legal or contractual obligations to the contrary, we will destroy or anonymize your data after expiry of the storage or processing period as part of our normal procedures.

As a rule, we store master data for 10 years from the last contact with you, but at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons. In the case of solely marketing and advertising contacts, the period is normally much shorter, usually no more than 2 years from the last contact.

We generally store contract data for 10 years from the last contract activity, but at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons.

We generally store communication data for 10 years from the corresponding communication, but at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons.

We store technical data for as long as is necessary for the purposes described above, but generally no longer than 5 years from the collection of the technical data.

With regard to cookies, you can find information on the retention period under the following link https://busscorp.com/general-privacy-notice/#cookie-consent-change.

Depending on the applicable law, data processing is only permitted if the applicable law specifically authorises it. This does not apply under the Swiss Data Protection Act, but does apply under the GDPR, for example, insofar as it is applicable (which can only be determined on a case-by-case basis). If the GDPR applies, we base the processing of your personal data on the following legal bases:

• your separate consent (Art. 6 para. 1 lit. a GDPR);
• the fulfilment of the contract, including pre-contractual measures (e.g. the review of a contract application; Art. 6 para. 1 lit. b GDPR);
• compliance with EEA law (Art. 6 para. 1 lit. c GDPR);
• our legitimate interest in the processing of the data, in particular for the purposes mentioned in section 4, and the assertion or defence of legal claims and for compliance with Swiss law (Art. 6 para. 1 lit. f GDPR).

We take appropriate security measures to protect the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to protect it against the risks of loss, accidental alteration, unauthorized disclosure or access. However, security risks cannot be completely ruled out; residual risks are unavoidable.

You have certain rights under applicable data protection law to obtain further information about, and to influence our data processing.

Access right: You can request further information about our data processing. We are at your disposal for this purpose. You can also submit a so-called information request if you wish to receive further information and a copy of your data.

Objection and deletion: You can object to our data processing and also request that we delete your personal data at any time if we are not obliged to continue processing or storing this data and if it is not necessary for the contractual relationship.

Correction: You can have incorrect or incomplete personal data corrected or completed or complemented by a note indicating your objection.

Data portability: You also have the right to receive the personal data you have provided to us in a structured, common and machine-readable format or to have it transferred to a third party, as far as the corresponding data processing is based on your consent or is necessary for the performance of the contract.

Revocation: If we process data based on your consent, you can revoke your consent at any time. The revocation is only valid for the future and we reserve the right to continue processing the data on a different basis in the event of a revocation.

Within the scope of the GDPR, you can also request the restriction of the processing of data if you contest the accuracy of the data, the processing is unlawful, the data is no longer needed for the purposes of the data processing or you have objected to the processing. (Art. 18 GDPR). You also have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you on the basis of Article 6(1)(e) or (f) GDPR (legitimate interests). You can also object at any time to the processing of your personal data that is processed for the purpose of direct marketing.

Please note that these rights are subject to statutory provisions and restrictions and are therefore not always fully applicable.

In particular, we may need to process and store your personal data in order to fulfil a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard interests worthy of protection, we may also reject a data subject request in whole or in part (e.g. by blacking out certain content relating to third parties or our trade secrets).

If you wish to exercise any of your rights towards us, please contact us in writing. You can find our contact details in section 2. As a rule, we will have to verify your identity (e.g. by a copy of your identity card). You are also free to file a complaint against our processing of your data with the competent supervisory authority.

The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

Within the scope of application of the GDPR, you can contact the competent national supervisory authorities (https://edpb.europa.eu/about-edpb/about-edpb/members_en).