Thank you for your interest in our company. Data protection is a matter of great importance to us. Use of the website of the law firm Kaufmann Rüedi RechtsanwälteAG (hereinafter “firm”) is generally possible without providing any personal data. However, if a data subject wishes to use particular services of our firm via our website or otherwise, the processing of personal data may be necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the data subject.
1. Description of terms
a) Personal data
Personal data are all information relating to an identified or identifiable natural person (here-inafter “data subject”). A natural person is deemed identifiable if he/she can be identified directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more particular characteristics that 2/12express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
b) Data subject
The data subject is any identified or identifiable natural person whose personal data are pro-cessed by the controller.
Processing means any operation or series of operations carried out with or without the aid of automated procedures in relation to personal data, such as the collection, recording, organisation, sorting, storage, adaptation or alteration, reading, retrieval, use, disclosure by transfer, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of restricting their future processing.
Profiling is any form of automated processing of personal data involving the use of such per- sonal data to evaluate certain personal aspects relating to a natural person, in particular to ana- lyse or predict aspects relating to the performance of work, economic situation, health, per- sonal preferences, interests, reliability, behaviour, location or relocation of that natural person.
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not assigned to an identified or identifiable natural person.
The controller is the natural or legal person, public authority, institution or other entity which alone or jointly with others decides on the purposes and means of the processing of personal data. Where the purposes and means of such processing are laid down by Swiss law or the law of the European Union, the controller or certain criteria of its appointment may be designated according to Swiss law or the law of the European Union.
A processor is a natural or legal person, public authority, institution or other entity that pro- cesses personal data on behalf of the controller.
A recipient is a natural or legal person, public authority, institution or other entity to which personal data are disclosed, regardless of whether the recipient is a third party or not. However, public authorities that receive personal data under Union or Member State law within the framework of a particular investigation are not regarded as recipients.
j) Third party
A third party is a natural or legal person, authority, institution or other entity other than the data subject, the controller, the processor and the persons authorised to process personal data under the direct responsibility of the controller or the processor.
Consent means any informed and unambiguous expression of will voluntarily given by the data subject in the particular case in the form of a declaration or other clear, affirmative act by which the data subject indicates that he/she agrees to the processing of his/her personal data.
2. Name and address of the controller
The controller as defined by the European General Data Protection Regulation and other provisions of a data protection nature is:
Kaufmann Rüedi Rechtsanwälte AG
Tel.: +41 41 417 10 70
3. Name and address of the Data Protection Officer
The Data Protection Officer for the controller is:
Dr. Markus Kaufmann
Kaufmann Rüedi Rechtsanwälte AG
Tel.: +41 41 417 10 70
Any data subject can contact our Data Protection Officer directly at any time with any questions or suggestions regarding data protection.
4. Cookies / tracking and other technologies relating to the use of our website
By using cookies, users of a website can be provided with more user-friendly services that would not be possible without cookies.
By means of a cookie, the information and offers on a website can be optimised in the user’s interest. Cookies make it possible, as already mentioned, to recognise the users of a website.
The data subject may prevent the setting of cookies by our website – where we use them – at any time by changing the settings of the Internet browser used, thus permanently objecting to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, he/she may not be able to use all features of our website in full.
We may also use Google Analytics or similar services on our website. These are services pro- vided by third parties who may be located in any country of the world (in the case of Google Analytics it is Google LLC in the USA, www.google.com), with which we can measure and analyse the use of the website (not person-specific). For this purpose, permanent cookies are also used, which are set by the service provider. The service provider does not receive any personal data from us (and does not store any IP addresses), but can track the use of our website, combine this information with data from other websites that a user has visited and which are also tracked by the service provider, and use this information for its own purposes (e.g. managing advertising). If a user has registered with the service provider itself, the service provider also knows the user. The processing of personal data by the service provider is then the responsibility of the service provider in accordance with its data protection regulations.The service provider merely informs us how our website is used (no information about the user personally).
5. Collection of general data and information
Every time a data subject or an automated system accesses the firm’s website, the website may collect a range of general data and information. These general data and information are stored in the server’s log files. We may collect (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (“referrer”), (4) the subpages which are accessed on our website via an accessing system, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems.
When using these general data and information, the firm does not draw any conclusions about the data subject. Rather, this information is required to (1) correctly deliver the content of our website, (2) optimise the content of our website and advertising for this, (3) ensure the permanent proper functioning of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for crim- inal prosecution in the event of a cyberattack. These data and information collected anonymously are therefore analysed by the firm statistically and also with the aim of increasing data protection and data security in our company in order ultimately to ensure an optimum level of protection for the personal data we process. The anonymous data in the server log files are stored separately from all personal data provided by a data subject.
6. Subscribing to our newsletter
On the firm’s website, users are given the opportunity to subscribe to our company’s newsletter. Which personal data are transmitted to the controller when ordering the newsletter is determined by the input mask used for this purpose.
The firm uses its newsletter to inform clients and business partners at regular intervals about company offers and legal news. The newsletter of our company can only be received by the data subject if the data subject has a valid e-mail address which he/she has provided to us for contact purposes.
When registering the e-mail address, we also store the IP address assigned by the Internet service provider (ISP) of the computer system used by the data subject at the time of registration as well as the date and time of registration. The collection of these data is necessary to be able to trace (potential) misuse of the e-mail address of a data subject at a later point in time and is therefore for the legal protection of the controller.
The personal data collected during registration will only be used for sending our newsletter and for professional contact. Furthermore, subscribers to the newsletter may be informed bye-mail if this is necessary for the operation of the newsletter service or for registration for this, as could be the case in the event of changes to the newsletter offer or changes in the technical conditions. The firm uses MailChimp as a marketing automation platform. By registering, the data subject acknowledges that the personal data he/she provides will be passed on to Mail- Chimp for processing in accordance with its data protection guidelines and conditions. Apart from this, the personal data collected during registration will not be passed on to third parties. The data subject can cancel their subscription to our newsletter at any time. The consent to the storage of personal data that the data subject gave us for registration can be withdrawn at any time via our website.
The firm uses MailChimp as a marketing automation platform. By clicking below to submit the form, the data subject acknowledges that the information he provides will be passed on to MailChimp for processing in accordance with its data protection guidelines and conditions.
7. Contact via the website
Due to legal regulations, the firm’s website contains information that allows you to contact our company quickly and electronically and to communicate directly with us, which also includes a general e-mail address. Where a data subject contacts the controller via e-mail or a contact form, the personal data transferred by the data subject will be stored automatically. Such personal data provided voluntarily by a data subject to the controller will be stored for the purpose of processing or contacting the data subject. These personal data are not passed on to third parties.
8. Storage of personal data
The firm processes and stores personal data for as long as this is necessary for the fulfilment of contractual and legal obligations or for purposes pursued with the processing, as well as in accordance with the legal storage and documentation obligations. It is possible that personal data may be stored for the period during which claims can be asserted against the firm (i.e. in particular during the statutory period of limitation) and insofar as the firm is otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documenta- tion purposes).
9. Rights of the data subject
a) Rigtht to confirmation
Every data subject has the right to request a confirmation from the controller of whether per- sonal data concerning him/her are processed. If a data subject wishes to exercise this right to confirmation, he/she may contact an employee of the controller at any time.
b) Right to information
Every data subject whose personal data are processed has the right to obtain, at any time and free of charge, information from the controller about his/her stored personal data and a copy of such information. Furthermore, the controller must provide the data subject with the fol- lowing information:
- the processing purposes
- the categories of personal data processed
- the recipients or categories of recipients to whom the personal data have been or are still being disclosed, in particular recipients in third countries or international organisations
- if possible, the planned duration of the personal data storage or, if this is not pos- sible, the criteria for determining this duration
- the existence of a right to rectification or erasure of the data subject’s personal data, a right to restriction of processing by the controller or a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- where the personal data are not collected from the data subject: all available information about the origin of the data
- the existence of automated decision-making, including profiling, pursuant to applicable Swiss data protection regulations or Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for the data subject.
Furthermore, the data subject has a right to information as to whether personal data have been transferred to a third country or to an international organisation. Where this is the case, the data subject also has the right to obtain information about the appropriate guarantees in connection with the transfer.
If a data subject wishes to exercise this right to information, he/she may contact an employee of the controller at any time.
c) Right to rectification
Every data subject whose personal data are processed has the right to request the immediate rectification of incorrect personal data concerning him/her. Furthermore, taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
If a data subject wishes to exercise this right to rectification, he/she may contact an employee of the controller at any time.
d) Right to erasure (right to be forgotten)
Every data subject whose personal data are processed has the right to request that the controller erase his/her personal data immediately, provided that one of the following reasons applies and to the extent that the processing is not necessary:
- The personal data have been collected or otherwise processed for purposes for which they are no longer necessary.
- The data subject withdraws his/her consent on which the processing pursuant to applicable Swiss data protection regulations or Art. 6 (1) a GDPR or Art. 9 (2) a GDPR was based and there is no other legal basis for processing.
- The data subject lodges an objection to the processing pursuant to applicable Swiss data protection regulations or Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or the data subject lodges an objection to the processing pursuant to applicable Swiss data protection regulations or Art. 21 (2) GDPR.
- The personal data have been processed unlawfully.
- The erasure of the personal data is required for the fulfilment of a legal obligation pursuant to Swiss law or the GDPR.
- The personal data have been collected in relation to information society services offered pursuant to applicable Swiss data protection regulations or Art. 8 (1) GDPR.
Where one of the above-mentioned reasons applies and a data subject wishes to have personal data stored by the firm erased, he/she may contact an employee of the controller at any time. The employee of the firm will arrange for the request for erasure to be complied with without delay.
Where the personal data have been made public by the firm and our company as the controller is obliged to erase the personal data pursuant to applicable Swiss data protection regulations or Art. 17 (1) GDPR, the firm will take reasonable steps, including technical measures, taking into account the available technology and the implementation costs, to inform other controllers who process the published personal data that the data subject has requested the erasure of all links to these personal data or of copies or replications of these personal data by these other controllers, provided that processing is not necessary. The employee of the firm will take the necessary steps in individual cases.
e) Right to restriction of processing
Every data subject whose personal data are processed has the right to ask the controller to restrict the processing if one of the following conditions is met:
- The accuracy of the personal data is disputed by the data subject for a period of time that enables the controller to verify the accuracy of the personal data.
- The processing is unlawful, the data subject rejects the erasure of the personal data and instead requests that the use of the personal data be restricted.
- The controller no longer needs the personal data for the processing purposes, but the data subject needs them to establish, exercise or defend legal claims.
- The data subject has lodged an objection to the processing pursuant to applicable Swiss data protection regulations or Art. 21 (1) GDPR and it has not yet been determined whether the controller’s legitimate reasons outweigh those of the data subject.
If one of the above-mentioned conditions applies and a data subject wishes to request a re-triction of personal data stored by the firm, he/she may contact an employee of the controller at any time. The employee of the firm will initiate the restriction of the processing.
f) Right to data portability
Every data subject whose personal data are processed has the right to receive the personal data relating to him/her that he/she provided to a controller, in a structured, common and machine-readable format. In addition, the data subject has the right to pass these data on to an- other controller without obstruction by the controller to whom the personal data were provided, provided that the processing is based on consent pursuant to applicable Swiss data protection regulations or Art. 6 (1) a GDPR or Art. 9 (2) a GDPR or on a contract pursuant to Art. 6(1) b GDPR and that the processing is carried out using automated methods, provided that the processing is not necessary for the performance of a task in the public interest or in the exer- cise of official authority vested in the controller.
Furthermore, in exercising his/her right to data portability pursuant to applicable Swiss data protection regulations or Art. 20 (1) GDPR, the data subject has the right to request that the personal data be transferred directly from one controller to another controller, to the extent that this is technically feasible and provided that this does not affect the rights and freedoms of other persons.
To exercise the right to data portability, the data subject may contact an employee of the firm at any time.
g) Right to object
Every data subject whose personal data are processed has the right, for reasons arising from his/her particular situation, to object at any time to the processing of his/her personal data, which are processed pursuant to applicable Swiss data protection regulations or Art. 6 (1) e or f GDPR. This also applies to profiling based on these provisions.
In the event of an objection, the firm will no longer process the personal data unless we can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to establish, exercise or defend legal claims.
Where the firm processes personal data in order to carry out direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such marketing. This also applies to profiling to the extent that it is connected with such direct marketing. If the data subject objects to processing for direct marketing purposes to the firm, the firm will no longer process the personal data for these purposes.
In addition, the data subject has the right, for reasons arising from his/her particular situation, to object to the processing of his/her personal data which the firm carries out for scientific or historical research purposes or for statistical purposes pursuant to applicable Swiss data protection regulations or Art. 89 (1) GDPR, unless such processing is necessary to fulfil a task in the public interest.
To exercise the right to object, the data subject may contact an employee of the firm directly. Furthermore, the data subject may exercise his/her right to object in connection with the use of information society services by means of automated procedures using technical specifica- tions.
h) Automated decisions in individual cases including profiling
Every data subject whose personal data are processed has the right not to be subject to a deci- sion based exclusively on automated processing — including profiling — which has legal effect against him or significantly affects him in a similar manner, provided that the decision is (1) not necessary for the conclusion or fulfilment of a contract between the data subject and the controller, or (2) is admissible under Swiss or European Union law to which the controller is subject, and such law contains appropriate measures to safeguard the rights, freedoms andlegitimate interests of the data subject, or (3) is made with the data subject’s express consent.
Where a decision (1) is necessary for the conclusion or fulfilment of a contract between the data subject and the controller or (2) is made with the express consent of the data subject, the firm will take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the controller, to express his/her point of view and to contest the decision.
If the data subject wishes to exercise rights with regard to automated decisions, he/she may contact an employee of the firm at any time.
i) Right to withdraw the data protection consent
Every data subject whose personal data are processed has the right to withdraw consent to the processing of personal data at any time.
If the data subject wishes to exercise his/her right to withdraw consent, he/she may contact an employee of the controller at any time.
10. Legal basis of processing
Art. 4 Swiss Data Protection Act (Datenschutzgesetz – DSG) or Art. 6 (1) a GDPR serves our company as a legal basis for processing where we obtain consent for a specific processing purpose. Where the processing of personal data is necessary for the fulfilment of a contract to which the data subject is a party, as is the case, for example, with processing necessary for the provision of a service, the processing is based on Art. 4 Swiss Data Protection Act or Art. 6(1) b GDPR. The same applies to such processing that is necessary to carry out pre- contractual measures, for example in the case of enquiries about our services. Where our company is subject to a legal obligation which requires the processing of personal data, for example to fulfil tax obligations, the processing is based on Art. 4 Swiss Data Protection Act or Art. 6 (1) c GDPR. In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and his/her name, age, health insurance information or other vital information had to be passed on to a doctor, a hospital or other third party. Processing would then be based on Art. 4 Swiss Data Protection Act or Art. 6 (1) d GDPR. Finally, processing can be based on Art. 4 Swiss Data Protection Act or Art. 6 (1) f GDPR. Processing which is not covered by any of the aforementioned legal bases is based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not outweigh these. We are permitted to carry out such processing in particular because it has been specifically mentioned by the European legislator, which took the view that a legiti- mate interest could be assumed if the data subject is a customer of the controller (Recital 47, Clause 2, GDPR).
11. Legitimate interests in the processing pursued by the controller or a third party
If the processing of personal data of natural persons residing in the European Union is based on Art 6. (1) f GDPR, it is in our legitimate interest to conduct our business for the well-being of all of our employees and our shareholders.
12. Legal or contractual regulations on the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide personal data; possible consequences of failure to provide personal data
The provision of personal data may be required by law (e.g. tax regulations) or may result from contractual regulations (e.g. information about the contractual partner). In some cases, a data subject may need to provide us with personal data, which must subsequently be processed by us, for the conclusion of a contract. For example, the data subject is obliged to pro- vide us with personal data if our company enters into a contract with him/her. Failure to provide personal data would mean that the contract could not be concluded with the data subject. Prior to the provision of personal data by the data subject, the data subject must contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of personal data is required by law or contract or necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what consequences the failure to provide personal data would have.
13. Existence of automated decision-making
As a responsible company, we do not carry out automatic decision-making or profiling.