We, JayBee AG (hereinafter “JayBee” / “we”), take the protection of your personal data seriously and would like to inform you hereinafter about data protection in our company through this data protection declaration.
As a result of the introduction of the European General Data Protection Regulation (hereinafter “EU-GDPR”), we have been given additional responsibilities to ensure the protection of personal data of the data subject within the scope of our data protection responsibilities.
I. Scope of application
- describes how we collect, use, and handle personal data that you provide to us or that we collect from you when you use our website;
- explains the circumstances under which we may disclose this personal data to third parties; and
- informs you about your rights in relation to your personal data.
- “Personal data” (see Art. 4 No. 1 EU-GDPR) means any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or information relating to physical, physiological, genetic, mental, economic, cultural, or social identity. Identifiability may also be established by combining such information or through additional knowledge. The form or embodiment of the information is irrelevant (even photos, video or audio recordings can contain personal data).
- “Processing” (see Art. 4 No. 2 EU-GDPR) means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as well as changing the purpose or intended use of the data originally collected.
- “Controller” (see Art. 4 No. 7 EU-GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- “Processor” (see Art. 4 No. 8 EU-GDPR) means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, following the controller’s instructions (e.g. an IT service provider). In terms of data protection law, a processor is not a third party.
- “Third party” (see Art. 4 No. 10 EU-GDPR) means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. This also includes legal persons affiliated with the controller.
- “Consent” of the data subject (see Art. 4 No. 11 EU-GDPR) means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
III. Name and address of the data controller
The controller responsible for processing your personal data within the meaning of Art. 4 No. 7 EU-GDPR is us:
Industriestrasse 22, 6300 Zug
Tel: +41 41 244 20 40
E-Mail address: email@example.com
You can find further information about our company in the imprint section on our website at https://jaybeeconsulting.ch/imprint.
IV. Contact details of the data protection officer (cf. Art. 37 EU-GDPR)
For all questions and as the contact person regarding data protection at our company, our data protection officer is available to you at any time. His contact details are:
Data Protection Officer
Industriestrasse 22, 6300 Zug
Tel: +41 41 244 20 40
E-Mail address: firstname.lastname@example.org
V. Legal bases for data processing
By law, in principle, every processing of personal data is prohibited and only allowed if the data processing falls under one of the following justifications:
- 6 para. 1 lit. a EU-GDPR (“consent”): If the data subject has voluntarily, in an informed manner and unambiguously given his or her consent through a declaration or other clear affirmative action to the processing of the personal data concerning him or her for one or more specific purposes;
- 6 para. 1 lit. b EU-GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- 6 para. 1 lit. c EU-GDPR: If the processing is necessary for compliance with a legal obligation the controller is subject to (e.g. a legal retention obligation);
- 6 para. 1 lit. d EU-GDPR: If the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- 6 para. 1 lit. e EU-GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- 6 para. 1 lit. f EU-GDPR (“legitimate interests”): If the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
For the processing activities carried out by us, we will indicate the applicable legal basis for each of them below. A processing activity may also be based on several legal bases.
VI. Data deletion and storage period
For each processing activity we undertake, we will indicate below how long your data will be stored by us and when it will be deleted or blocked. If no specific storage period is indicated below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage ceases to apply. Your data will generally only be stored on our servers in the European Union, subject to any transfer that may occur under the provisions in Part A. Sections VIII. und IX.
However, storage may continue beyond the specified period in the event of a (potential) legal dispute with you or other legal proceedings, or if storage is required by legal provisions to which we, as the controller, are subject to. When the storage period required by law expires, your personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for such storage. The following factors may play a role in determining whether further storage is necessary:
- legal obligations to store data for a longer period;
- statutory limitation periods;
- (potential) legal disputes; or
- guidelines and orders issued by competent data protection authorities.
If you would like to know how long we store your personal data for a specific purpose, you can contact us here.
Further information on the storage period for cookies can be found in Part B. Section VI.
VII. Data security (cf. Art. 32 EU-GDPR)
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction, or unauthorized access by third parties (e.g. SSL/TSL encryption for our website), taking into account the state of the art, the implementation costs, and the nature, scope, context, and purposes of processing as well as the risks of a data breach (including its likelihood and severity) for the data subject. Our security measures are continuously improved in line with technological developments.
We are happy to provide you with more detailed information upon request. Please contact our data protection officer (see Part A. Section IV.).
Informationen hierzu erteilen wir Ihnen auf Anfrage gerne. Wenden Sie sich hierzu bitte an unseren Datenschutzbeauftragten (siehe unter Teil A. Abschnitt IV.).
VIII. Collaboration with processors (see Art. 28 EU-GDPR)
Like other companies, we also use external service providers, both domestic and foreign, to handle our business operations (e.g. IT, logistics, telecommunications, sales and marketing). They act only on our instructions and have contractually committed to comply with data protection regulations in accordance with Art. 28 EU-GDPR.
If your personal data is passed on by us to our partner companies or from our partner companies to us (e.g. for advertising purposes), this is done on the basis of existing processing agreements.
IX. Requirements for the transfer of personal data to third countries
As part of our business relationships, your personal data may be transferred or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries (e.g. Switzerland). Such processing is carried out exclusively to fulfill contractual and business obligations and to maintain your business relationship with us. We will inform you of the specific details of the transfer at the relevant points.
The European Commission certifies some third countries with so-called adequacy decisions, which provide a level of data protection comparable to that of the EEA standard (you can find a list of these countries and a copy of the adequacy decisions here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de). However, in other third countries to which personal data may be transferred, there may be no uniformly high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This can be done through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data, certificates, recognized codes of conduct, or self-certification under the EU-US Privacy Shield (information on this can be found here: https://www.privacyshield.gov/welcome).
However, we will only transfer your personal data to a location outside the EEA if:
- this transfer is made to a location where the European Commission believes that it provides adequate protection for your personal data;
- we have taken appropriate measures to protect your personal data (for example, if both parties involved in the transfer have agreed to standard data protection clauses recognized by the European Commission); or
- the above does not apply, but we can still proceed legally, for example, if the transfer is necessary for the establishment, exercise, or defense of legal claims.
We are happy to provide you with more detailed information upon request. Please contact our data protection officer (see Part A. Section IV.).
X. No automated decision-making (including profiling)
We do not intend to use personal data collected from you for any automated decision-making process (including profiling).
XI. No obligation to provide personal data
We do not make the conclusion of contracts with us dependent on you providing us with personal data beforehand. As a customer, you are not generally under a legal or contractual obligation to provide us with your personal data; however, it may be that we can only provide certain offers to a limited extent or not at all if you do not provide the required data. If this should exceptionally be the case within the scope of the products or services offered by us and presented below, you will be notified separately.
XII. Legal obligation to transmit certain data
Under certain circumstances, we may be subject to a special legal or regulatory obligation to provide lawfully processed personal data to third parties, especially public authorities (cf. Art. 6 para. 1 lit. c EU-GDPR).
XIII. Your rights
You can exercise your rights as a data subject with regard to your processed personal data at any time by contacting us using the contact details provided in Part A. Section III. You have the right as a data subject to:
- request information about the data we process about you in accordance with Art. 15 EU-GDPR. In particular, you may request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the source of your data if it was not collected by us, and the existence of automated decision-making, including profiling, and meaningful information about its details;
- request without delay the rectification of inaccurate or incomplete data we have stored about you in accordance with Art. 16 EU-GDPR;
- request the erasure of your data stored by us in accordance with Art. 17 EU-GDPR, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
- request the restriction of processing of your data in accordance with Art. 18 EU-GDPR, to the extent that the accuracy of the data is contested by you, the processing is unlawful or you have objected to the processing;
- receive your data that you have provided to us in a structured, commonly used and machine-readable format or to request the transmission to another controller, in accordance with Art. 20 EU-GDPR (“data portability”);
- object to the processing of your data, if the processing is based on Art. 6 para. 1 lit. e or lit. f EU-GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. If the objection does not concern direct marketing, we ask you to explain the reasons why we should not process your data as we have done. If you raise a justified objection, we will examine the situation and either terminate or adapt the data processing or show you our compelling legitimate grounds for continuing the processing;
- withdraw your consent – i.e. your voluntary, informed and unambiguous expression of will that you agree to the processing of your personal data for one or more specific purposes – which you have given to us at any time in accordance with Art. 7 para. 3 EU-GDPR, even before the EU-GDPR came into effect, i.e. before May 25, 2018. This will result in us no longer being allowed to continue the data processing based on this consent in the future; and lodge a complaint with a data protection supervisory authority regarding the processing of your personal data in our company, such as the supervisory authority responsible for us. The supervisory authority/data protection office responsible for us is the Federal Data Protection and Information Commissioner (FDPIC). The contact details can be found at the following link: https://www.edoeb.admin.ch/edoeb/de/home.html.
If you would like to request additional information or exercise your rights with respect to personal data, or if you are not satisfied with the way we handle your personal data, please feel free to contact us here. Please provide us with as much information as possible to help us determine the information you are seeking and the nature of your complaint.
Before we review your request, we may need to request additional information from you to confirm your identity. If you do not provide us with the requested information and we are therefore unable to identify you, we may be forced to reject your request.
Normally, we will respond to your request within one month of receiving it. However, in some cases, it may be necessary to extend this period by an additional two months, especially if the complexity or number of your requests requires it.
For such inquiries and actions, we generally do not charge any fees, unless:
- information from you to confirm your identity. If you do not provide us with the requested information and we are therefore unable to identify you, we may be forced to reject your request; or
- you make obviously unfounded or excessive requests, especially in the case of frequent repetition. In these cases, we may either: (a) charge reasonable administrative costs or (b) refuse to process the request.
B. Visiting the website, social media presence
I. Explanation of function
You can obtain information about our companies and the services we offer, in particular at https://jaybeeconsulting.ch/en/ including the associated subpages (hereinafter together referred to as “website”). When you visit our website, personal data may be processed by us.
II. Personal data processed
When you use the website for informational purposes, the following categories of personal data may be collected, stored, and processed by us:
1 “Log data”: When you visit our website, a so-called log data record (so-called “server log files”) is temporarily and anonymized stored on our web server. This consists of:
- the page from which the page was requested (so-called “referrer URL”);
- the name and URL of the requested page;
- the date and time of the call;
- the description of the type, language, and version of the web browser used;
- the IP address of the requesting computer, which is shortened so that personal reference is no longer possible;
- the transmitted data volume;
- the operating system;
- the message whether the call was successful (access status/HTTP status code);
- the GMT time zone difference.
2 “Contact form data”: We collect the personal data that you provide to us when you fill out forms on our websites (e.g. gender, name and surname, address, company, email address, and the time of transmission). We may use this personal data to process your request and/or provide the services you have requested or to provide the desired information.
3 “Application data”: If you apply for a job opening with us, we ask you to contact us directly by email or to upload your application documents (resume and cover letter) so that we can assess your suitability for the position.
4 “Survey data”: Occasionally, we ask you if you would like to give us feedback on our services and/or events by participating in a survey. Participation is voluntary. We use the feedback from the surveys to evaluate our performance and optimize our service offering and/or events.
5 “Event data”: If you would like to participate in one of our events, you will be asked to fill out a registration form. The registration form contains information on how we handle your personal data in connection with the respective event.
6 Newsletter and publications: We will only send you publications or newsletters if you have given us your general consent or have expressed a particular interest in certain information. We also process your data to provide you with tailored and relevant advertising, current communications, and invitations. Subject to your consent, this also applies to data that provides information on how you access and use our emails.
III. Purpose and legal basis of data processing
We process the personal data described above in accordance with the provisions of the EU-GDPR, other applicable data protection regulations, and only to the extent necessary. To the extent that the processing of personal data is based on Art. 6 para. 1 lit. f EU-GDPR, the stated purposes also represent our legitimate interests.
In the context of the processing of your personal data based on Art. 6 para. 1 lit. f EU-GDPR, our legitimate interests may include the following purposes in particular:
- to communicate with you;
- to carry out business transactions;
- for record-keeping, statistical analysis, internal reporting and research purposes;
- to ensure network and information security;
- to inform you of changes to our services;
- to investigate a complaint from you;
- for evidentiary purposes in an existing or threatened legal dispute between you and us;
- to analyze user behavior on our website;
- to customize various aspects of our website to optimize the user experience;
- for hosting, maintenance, and other support of the operation of our website;
- to detect and prevent fraud and other criminal activities
- for the purposes of risk management;
- for resuming or restarting operations in a crisis situation (e.g. creating backups);
- for storing documents;
- for database management;
- to protect the rights, property, and/or safety of JayBee AG, its employees, and other individuals; and
- to ensure the quality of the services we provide to our users.
We weigh the risks to your data protection rights when processing your personal data and ensure that the principle of proportionality is respected when processing your data on the basis of our legitimate interests under Art. 6 para. 1 lit. f EU-GDPR. We have also taken measures to protect your rights through the provision of appropriate retention periods and security controls. If you would like to learn more about the legal basis on which we process your personal data for a specific purpose, you can contact us here.
You may object to the processing of your personal data on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f EU GDPR at any time by contacting us here. See also Part A, Section XIII.
Furthermore, we may use your personal data for specific other purposes that are indicated at the respective points on our website at the time of collection.
The processing of log data serves statistical purposes and the improvement of the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 lit. f EU-GDPR).
The processing of contact form data is carried out to process customer inquiries (legal basis is Art. 6 para. 1 lit. b or lit. f EU-GDPR).
The processing of application data is carried out with your consent to participate in the corresponding application process (legal basis is Art. 6 para. 1 lit. a EU-GDPR) and serves the processing of pre-contractual measures requested by you (legal basis is Art. 6 para. 1 lit. b EU-GDPR).
The processing of event data is carried out with your consent to participate in the corresponding event (legal basis is Art. 6 para. 1 lit. a EU-GDPR) and serves our legitimate interest in organizing the corresponding event (legal basis is Art. 6 para. 1 lit. f EU-GDPR).
In other cases, we process your personal data when such processing is necessary for us to comply with our legal and supervisory obligations (legal basis is Art. 6 para. 1 lit. c EU GDPR).
If you choose not to provide us with the personal data we have requested, we may not be able to provide you with the requested information or services or otherwise fulfill the purpose for which we have requested the personal data. Your visit to our website remains unaffected by this.
IV. Duration of data processing
Your data will only be processed for as long as is necessary to achieve the processing purposes mentioned above; the legal bases stated within the scope of the processing purposes apply accordingly. Regarding the use and storage period of cookies, please refer to Part A. Section VI.
Third parties we use will store your data on their system for as long as is necessary in connection with the provision of services to us according to the respective order. For more information on storage periods, please refer to Part A. Section VI.
V. Transmission of personal data to third parties; legal basis
The following categories of recipients, who are usually processors (see Section A. Section IX. for more information), may have access to your personal data:
- Service providers for the operation of our website and the processing of data stored or transmitted through the systems (e.g. for data center services, payment processing, IT security). The legal basis for disclosure is then Art. 6 para. 1 lit. b or lit. f EU-GDPR, unless it is processors;
- Government agencies/authorities, if this is necessary to fulfill a legal obligation. The legal basis for disclosure is then Art. 6 para. 1 lit. c EU- GDPR;
- Persons involved in the conduct of our business (e.g. auditors, banks, insurance companies, legal advisers, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for disclosure is then Art. 6 para. 1 lit. b or lit. f EU-GDPR.
For guarantees of an adequate level of data protection in the event of data transfer to third countries, see Section A. Section IX. In addition, we will only disclose your personal data to third parties if you have given explicit consent pursuant to Art. 6 para. 1 lit. a EU-GDPR.
- Technical Cookies: These are essential for navigating the website, using basic functions, and ensuring the security of the website; they do not collect any information about you for marketing purposes, nor do they store which websites you have visited;
- Performance Cookies: These collect information about how you use our website, which pages you visit, and whether errors occur during website use; they do not collect any information that could identify you – all collected information is anonymous and is only used to improve our website and find out what our users are interested in;
- Advertising Cookies, Targeting Cookies: These are used to offer website users demand-oriented advertising on the website or offers from third parties and to measure the effectiveness of these offers;
- Sharing Cookies: These are used to improve the interactivity of our website with other services (e.g. social networks).
If we do not provide you with explicit information on the storage period of persistent cookies (e.g. within the context of a so-called cookie opt-in), please assume that the storage period can be up to two years.
On the following pages, you will find explanations on how to configure the processing of cookies in the most common browsers:
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox
- Google Chrome für Desktop
- Google Chrome für Mobile
- Apple Safari für Desktop
- Apple Safari für Mobile
Please note that disabling cookies may prevent you from using all the functions of our website.
b) Social Media Plugins: On our website, we do not use any social media plugins. If our website contains symbols of social media providers (e.g. Twitter, LinkedIn or XING), we only use them for passive linking to the respective provider’s pages, so that no direct connection is established between your browser and the server of the respective social network. The responsibility for data protection-compliant operation lies with the respective provider.
On certain parts of our website, we provide a button for “sharing” press releases with others via the social media providers Twitter, LinkedIn, or XING. We have designed the function for sharing content in such a way that no data is transmitted to the respective social media provider until you actively select it to share the message. With the selection, another window opens in which you complete the sharing process in the familiar environment of the social network.
If you share content from our pages with your social media account, the respective social media provider may associate your visit to our website with your user account. We would like to point out that as the operator of our website, we do not have full knowledge of the content of the data transmitted or its use by the social network.
Further information on this can be found in the privacy policies of the respective social media providers:
- Twitter, Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin D02 AX07, Ireland: https://twitter.com/de/privacy
- LinkedIn, LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland: https://www.linkedin.com/legal/privacy-policy
- XING, New Work SE, Am Strandkai 1, 20457 Hamburg: https://privacy.xing.com/de/datenschutzerklaerung
- Telegram, Telegram UK Holdings Ltd (71-75 Shelton Street, Covent Garden, London, England, WC2H 9J: https://telegram.org/privacy
- WhatsApp, WhatsApp LLC. 1601 Willow Road Menlo Park, California 94025, United States of America: https://www.whatsapp.com/legal/privacy-policy
- Skype, Skype Communications SARL, 23-29 Rives de Clausen, L-2165 Luxembourg: https://privacy.microsoft.com/en-us/privacystatement
- Facebook, Meta/Facebook Headquarters, 1 Hacker Way Menlo Park, CA 94025, United States of America: https://www.facebook.com/privacy/policy/
c) Google Analytics: To design our websites in a needs-based manner, we create pseudonymous user profiles using Google Analytics. Google Analytics uses targeting cookies that can be stored on your device and read by us. In this way, we are able to recognize and count recurring visitors and to learn how often our websites have been accessed by different users. The data processing is based on Art. 6 para. 1 lit. a EU-GDPR (consent).
- you inform us that you want to revoke your consent;
- you can prevent the storage of cookies by adjusting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent;
- you can also prevent the collection of data generated by the cookie and related to your use of our website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link (https://tools.google.com/dlpage/gaoptout?hl=de).
C. Contact by email
You have the option to contact us by email. You are solely responsible for the information and/or content you send us. We recommend that you do not transmit confidential data. Personal data is only collected by us if you voluntarily provide it to us. Therefore, you are solely responsible for the data you transmit to us. In order to answer your questions, we may ask you for additional information such as your address, telephone number, etc. We only collect personal data from you if it is necessary to answer your questions or provide the services you have requested.
When processing your email request, our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f EU-GDPR exists. You can object to this data processing at any time (see also Part A. Section XIII.).
D. Contractual relationship with JayBee as service provider
In the context of a contractual relationship with JayBee, in which we provide services to you, we process, among other things, the following personal data:
- your name and contact information (including name, address, telephone number or email address);
- information about the company you work for, your position or title;
- identification and background information that you provide to us or that we collect from you as part of the establishment of the contractual relationship;
- billing and payment information;
- information that you provide to us in the course of and for the purposes of providing services, or that we create as part of our services for you, including order-related communication;
- personal data of third parties required for the establishment of the contractual relationship or the provision of services. This includes, among others, your immediate and indirect shareholders, business and contractual partners as well as advisors, representatives of authorities in a regulatory procedure, as well as each of the employees and members of the mentioned persons and institutions;
- all other information related to you that you provide to us in connection with the contractual relationship.
JayBee may also process special categories of personal data within the meaning of Art. 9 EU-GDPR (such as biometric data) and data concerning criminal convictions and offences within the meaning of Art. 10 EU-GDPR on a case-by-case basis.
The information we collect and process about you results from your interaction with us and our performance of services for you. We may also obtain information about you from other sources such as authorities (e.g. in the context of file inspection and/or information requests) or publicly available sources (public registers, internet searches) to update your information. We process this information to communicate with you, to conduct anti-money laundering, conflict and reputation checks before establishing the contractual relationship, to offer you the desired services, to invoice for the services and to maintain the business relationship with you, including asserting, enforcing and defending legal claims.
To the extent necessary for the provision of services, we may disclose personal data to the following recipients:
- you as the recipient of services or contractual party;
- other third parties. These include, among others, your immediate and indirect shareholders, business and contractual partners and advisors.
In individual cases, data may also be transferred to recipients in third countries outside the European Union or the European Economic Area for which the European Commission has not formally established the existence of an adequate level of data protection in accordance with Art. 46 EU-GDPR. Unless the transfer is necessary for the assertion, exercise or defence of legal claims (Art. 49 para. 1 lit. e EU-GDPR) and no other transfer ground according to Art. 49 para.1 EU-GDPR exists, appropriate safeguards for the protection of personal data at the recipient are provided, regularly in the form of data processing agreements based on so-called standard data protection clauses in accordance with Art. 46 para. 2 lit. c EU-GDPR. If you would like to know more, please contact us here.
The legal basis for the processing of your personal data for the aforementioned purposes lies in pre-contractual measures and the performance of a contract within the meaning of Art. 6 para. 1 lit. b EU-GDPR, in the fulfilment of legal obligations under Art. 6 para. 1 lit. c EU-GDPR, and possibly in our legitimate interest in the targeted and efficient handling of the mandate relationship within the meaning of Art. 6 para. 1 lit. f EU-GDPR.
E. Contractual Relationship with JayBee as business partner
As part of a contractual relationship with JayBee in the context of cooperation as a service provider, supplier, and other business partners, we process, among other things, the following personal data:
- your name and contact information (including name, address, telephone number, or email address);
- information about the company you work for, your position, or your title;
- identification and background information that you provide to us or that we collect from you in the context of establishing the contractual relationship;
- invoice and payment information;
- Information that you provide to us in the context of and for the purposes of providing services to us or that you create in the course of providing services to us, including order-related communication;
- personal data of third parties that are required for establishing the contractual relationship or providing services by you. This includes, among others, your direct and indirect shareholders, business and contractual partners as well as consultants, representatives of authorities in a regulatory procedure, as well as each of the employees and members of the aforementioned persons and entities;
- any other information related to you that you provide to us in connection with the contractual relationship.
The information we collect and process about you results from your interaction with us and your provision of services to us. We may also obtain information about you from other sources such as authorities (e.g., as part of file inspection and/or information requests) or publicly accessible sources (public registers, internet research) to update your information. We process this information to communicate with you, to perform anti-money laundering, conflict, and reputation checks before establishing the contractual relationship, to be able to obtain the services we require, to pay invoices, and to maintain our business relationship with you, including asserting, enforcing, and defending legal claims.
To the extent necessary for the provision of your services, we may disclose personal data to the following recipients:
The legal basis for processing your personal data for the aforementioned purposes lies in pre-contractual measures and the performance of a contract in accordance with Art. 6 para. 1 lit. b EU-DSGVO, as well as, if applicable, in our legitimate interest in the targeted and efficient use of your services in accordance with Art. 6 para. 1 lit. f EU-DSGVO.
The personal data falling within the scope of these data protection provisions and mentioned herein are stored in a central electronic data processing system of our Customer Relationship Management (CRM) tool. We work with the software platform Zoho Corporation GmbH, Trinkausstr. 7, 40213 Düsseldorf, Germany, VAT identification number pursuant to § 27a of the German Value Added Tax Act: DE340244058, Court of jurisdiction: Local Court of Düsseldorf, D-40002, Registration number: HRB no. 91825.
In addition to the purposes mentioned above, we use this personal data to optimally organize and manage our business relationships with you. We use various features in our central data processing system (such as the legal areas that interest you) which we derive from the information provided by you or from the above mentioned data. We do not carry out profiling. The following personal data is particularly relevant for these purposes:
- name, title, age, year of birth;
- contact details;
- professional data (e.g. function, position; your business website, your business email; professional qualifications, education and specialization);
- information on interactions with us, such as topics discussed, questions asked about our company and products, events you have attended, your feedback on the events, etc.
We use your personal data for customer-friendly and efficient management of customer data as well as for displaying content that is tailored to your interests on our website or in communication with you. The processing is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f EU-GDPR as well as for the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b EU-GDPR. You have the right to object to this data processing at any time (see Part A. Section IX.).
If you have given us your consent or we have a legitimate interest, we may send you information about us and our services, such as information about events or current legal developments that may interest you. For this purpose, we use the data stored in the central data processing system. This processing is based either on your consent pursuant to Art. 6 para. 1 lit. a EU-GDPR or on our legitimate interests pursuant to Art. 6 para. 1 lit. f EU-GDPR (especially in the case of existing business relationships). You have the right to revoke your consent at any time or to object to the data processing (see Part A. Section XIII.).
G. Use of Microsoft 365 for online meetings, telephone communication and data processing in delivery of services
We use Microsoft 365 and various applications contained therein for our daily work. Microsoft 365 is a software of Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA. However, our contracting party is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter “Microsoft”).
Microsoft 365 contains numerous services that are used in everyday office work, such as Word, PowerPoint, Excel, Outlook, and Teams. Microsoft 365 also offers additional online services, including the cloud service OneDrive, where data is stored on servers of Microsoft instead of within our own company. We use Office 365 E1.
Direct exchange of personal data between you and our Microsoft 365 applications typically occurs during online meetings via the “Microsoft Teams” tool (see Section E.)) and in communication via email. In most other functionalities of Microsoft 365, you and your personal data are not typically directly involved. In exceptional cases, however, with your consent, we may grant you access to functions of Microsoft 365 if this is necessary or reasonable for the provision of our services to you.
In the event that we should grant you temporary direct access to Microsoft 365, the following data of yours will be processed:
- IP address used to access Microsoft 365 applications;
- your username (access data to Microsoft 365 applications), data within the context of the so-called multi-factor authentication that you have stored in your Microsoft account (e.g. optional [private] mobile number);
- identification features: Information about you as a user, sender, recipient of data within the Microsoft 365 applications. This includes, in particular, the following master data: name, first name, business contact information such as telephone number, email address, business fax number, if provided by you. Further data (such as a profile picture you have uploaded) are also visible in your profile at any time. This information is visible in your profile, but especially in Outlook, and can be customized by you individually;
- data required for authentication and licensing use. In the Microsoft 365 applications, all user activities, such as time of access, date, type of access, information on the data/files/documents accessed, and all activities related to use, such as creating, modifying, deleting a document, setting up a team (and channels in teams), creating notes in the notebook, starting a chat, replying in a chat, are processed.
Otherwise, we process through Microsoft 365 all data that you provide us by phone or email when contacting us. If data processing is related to a mandate relationship, we process the data listed in Section F.
The aforementioned Microsoft 365 applications, namely Exchange Online, SharePoint, OneDrive, Teams, and Azure, store data at rest in Switzerland. However, it is possible that data may be transferred to other countries during the use of these applications. Data that is at rest in Switzerland may be transferred to other countries during the use of these applications. Additionally, other Microsoft 365 applications not listed above may also store data at rest outside of Switzerland. According to Microsoft, in such cases, the data is primarily stored on servers located in the EU. We have entered into a data processing agreement with Microsoft in accordance with Article 28 EU-GDPR to ensure that data processing adheres to applicable IT security standards. Accordingly, we have agreed with Microsoft to comprehensive technical and organizational measures for Microsoft 365 that comply with current IT security standards, such as access authorization and end-to-end encryption concepts for data transmission, databases, and servers. Microsoft is also bound by professional secrecy and has implemented corresponding protective measures. Furthermore, Microsoft has expanded the EU standard contractual clauses included in its contracts with additional protective provisions. Microsoft undertakes to act against any request by a government agency and to compensate users in the event of government access. If data is transferred to third countries, Microsoft uses encryption that complies with current IT security standards and ensures that the data is immediately returned to the EU internal storage location after processing. Microsoft also ensures that, even if it is legally obligated to disclose data to security authorities, it will not disclose the encryption key or enable the circumvention of encryption.
In connection with the aforementioned data processing by Microsoft, access may also be granted to affiliated companies of Microsoft from outside the European Union. For this specific case of access from outside the European Union, which we have approved on a case-by-case basis, we have entered into EU standard contracts (standard data protection clauses) with Microsoft. To ensure an adequate level of data protection for the transfer of personal data to a third country such as the USA in this specific case, we have agreed with Microsoft and implemented additional measures in the form of technical and organizational measures in line with the state of the art, such as access authorization and encryption concepts for data transmission, databases, and servers, as described above.
The legal basis for the processing of personal data in the context of Microsoft Teams is described under Section E. The legal basis for all other data processing in Microsoft 365 is primarily processing for pre-contractual actions and for the performance of a contract, i.e., the provision of services to you, according to Art. 6 para. 1 lit. b EU-GDPR. If you contact us outside of a contractual relationship (by phone or email), our legal basis is our legitimate interest in the correct response to and administration of your request, in accordance with Art. 6 para. 1 lit. f EU-GDPR. You may object to this data processing at any time (see also Part A. Section XIII.).
Microsoft collects and processes diagnostic data in particular to keep Microsoft 365 secure and up to date, to solve problems, and to make product improvements. By using Windows Restricted Traffic Limited Functionality, we limit the connections of the Microsoft 365 applications to Microsoft. This minimizes the diagnostic data shared with Microsoft.
H. Use of Microsoft Teams
We use the application Microsoft Teams to conduct telephone conferences, online meetings, video conferences, and/or webinars (hereinafter referred to as “online meetings”). Microsoft Teams is part of Microsoft 365.
Various types of data are processed when using Microsoft Teams. The scope of the data processing depends, among other things, on the information you provide before or during your participation in an online meeting.
The following personal data may be subject to processing:
- User information, such as display name, email address (if provided), profile picture (optional), preferred language;
- Meeting metadata, such as date, time, meeting ID, phone numbers, location, text, audio, and video data;
- Authentication data;
- Log files, protocol data;
- Content of the online meeting (if you appear in a personal capacity with contributions);
- You may use the chat function during an online meeting. In this case, the text input you make will be processed to display it during the online meeting. To enable video display and audio playback, data from your device’s microphone and any video camera on the device will be processed during the meeting. You can turn off or mute the camera or microphone at any time through the Microsoft Teams application;
- When dialing in by phone: Incoming and outgoing phone numbers, country name, start and end time. Additional connection data, such as the IP address of the device, may be stored if necessary;
- If we want to record online meetings, we will inform you transparently before the online meeting and, if necessary, ask for your consent. If it is necessary for the purposes of recording the results of an online meeting, we will record the chat contents. However, this will usually not be the case.
The processing of personal data in the context of meetings or telephone communications in the context of a contractual relationship with us is based on pre-contractual measures and the fulfillment of the contract in accordance with Art. 6 para. 1 lit. b EU-GDPR. If it is a contact outside of a customer relationship, the data processing is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f EU GDPR to respond quickly to your request and process your inquiry. If the data processing is based on our legitimate interest, you have the right to object to this processing at any time (see Part A. Section XIII.).
Note: Microsoft is responsible for the processing of personal data when you access the Microsoft Teams website. Access to the website is only necessary to download the software for using Teams.
You can use Teams by entering the meeting ID and any other access information directly in the Teams app or by using the provided link to the meeting.