Privacy policy

1. What is this privacy policy about?

“Personal data” means all information that can be linked to a specific person, and “processing” means any handling thereof, e.g., collection, use and disclosure. We therefore process personal data frequently. In this privacy policy, we explain how we do this primarily in the context of our business activities and our corporate website. If you would like further information about our data processing, please feel free to contact us (section 2).

2. Who is responsible for processing your data?

For data processing under this privacy policy the following company is the “data controller” – i.e. the entity primarily responsible under data protection law (also referred to as “we”):

Zur Rose Group AG
Walzmühlestrasse 60
8500 Frauenfeld
Switzerland

If you have any questions about data protection, you are welcome to contact us at the following address:

Zur Rose Group AG
Datenschutz
Walzmühlestrasse 60
8500 Frauenfeld
Switzerland

datenschutz@zurrose.ch

We are the holding company of the Zur Rose Group, which is listed on the SIX Swiss Exchange. For details of data processing of the companies belonging to the Zur Rose Group, please refer to the respective company websites. For a summary, please click here.

3. What data do we process?

We primarily process the following categories of personal data: 

  • in the case of representatives, directors, officers and employees of suppliers and service providers within and outside of the Zur Rose Group, competitors and other companies, media, public authorities, associations and other bodies, e.g.:

    • contact details, in particular name and address;

    • information about the professional or business role (e.g., the role in a company or details regarding representation of a company) and interactions with us;

  • in the case of institutional investors: e.g., details of contacts (in particular names, contact details and details of their professional or business role);

  • in the case of private investors: e.g., name and contact details, shareholdings, transactions relating to our shares and voting record;

  • in the case of market participants: e.g., data on key persons, particularly the name, contact details, role or function and public statements;

  • in the case of other persons with whom we come into contact in certain situations, for instance, in the context of judicial or administrative proceedings or corporate transactions: e.g., name, details of the role of the persons concerned and the relationship with us, and details related to the particular situation.

You might provide us with data that also relates to other persons (e.g., about a deputy/representative, about other employees of a company, etc.). If you do so, we will take this as a confirmation that this data is correct. Since we often do not have direct contact with these third parties, we ask you to notify them about the fact that we are processing their data (e.g., by reference to this privacy policy). 

4. For what purposes do we process data?

We process the data specified in section 3 primarily for the following purposes:

  • compliance with legal and regulatory provisions, contracts and association rules, and internal policies and guidelines;

  • prevention of criminal offences and other transgressions, e.g. in the course of internal investigations;

  • conclusion, implementation and enforcement of contracts;

  • communication with data subjects;

  • corporate governance, including statistical evaluations;

  • contest participation, including market analyses; 

  • monitoring, controlling, analysing, securing and reviewing our IT infrastructure and backups and archiving;

  • participation in legal proceedings (e.g. judicial or administrative proceedings);

  • review and execution of corporate transactions (e.g., acquisition or sale of assets or companies);

  • providing newsletters

  • other purposes such as training and education, administration and protection of other legitimate interests.

5. To whom do we disclose data?

We may disclose data in particular to:

  • authorities, courts and other public bodies, e.g. to comply with legal obligations or orders;

  • service providers (e.g., IT, logistics and forwarding agents, consultants, attorneys, etc.);

  • group companies of the Zur Rose Group in order to maintain a joint partner database. Group companies may also use data received from other group companies for their own purposes. We may act as a joint controller with other group companies for purposes of data protection law. Please feel free to contact us for details on data protection rights as a data subject (we will coordinate with other group companies in this case); alternatively, you can contact the other group companies directly. For a list of group companies, please click here;

  • media and associations;

  • current and potential contractual partners and counterparties in corporate transactions;

  • other third parties, e.g. other parties in proceedings and external or internal investigations.

Unless notified otherwise, we will assume that such disclosures do not conflict with any confidentiality obligations.

Data recipients may be located outside of Switzerland. This particularly concerns group companies and service providers (especially IT service providers). They are located both within the EU and EEA and in other countries around the world. We may also transfer data to public authorities and other persons abroad if we are legally obliged to do so or, for example, in connection with a corporate sale or legal proceedings. Not all of these states have adequate levels of data protection. We compensate for the lower level of data protection by way of contractual provisions, in particular the Standard Contractual Clauses issued by the European Commission, which can be accessed here. In certain cases, we may also transfer data in accordance with data protection law requirements in the absence of such contractual provisions; e.g., on the basis of consent or where disclosure is necessary for the performance of a contract, for the establishment, exercise or enforcement of legal claims, or for overriding public interests.

6. How do we protect data?

We take appropriate technical, organisational and physical measures to protect data. When disclosing data via the internet or via email, it should be noted that even in the case of encrypted data transmission, the sender and recipient of a message remain unencrypted and visible. It cannot be ruled out that such data may be viewed by third parties. Data sent over a public network may be routed through a third country which does not provide an appropriate level of protection, even if the sender and receiver are located in the same state.

7. How do we process data in the context of our website?

Each time our website is accessed, certain data is generated for technical reasons that is temporarily stored in log files (log data), in particular the IP address of the terminal device, information about the internet service provider and the operating system of your terminal device, information about the referring URL, information about the browser used, date and time of access, and the content accessed when visiting the website. We use this data to make our website usable, to ensure system security and stability and to optimise our website as well as for statistical purposes.

Our website also uses cookies, i.e. files automatically stored by your browser on your terminal device. This allows us to distinguish individual visitors but usually without identifying them. Cookies may also contain information on pages accessed and the duration of the visit. Certain cookies (“session cookies”) are deleted when the browser is closed. Other cookies (“permanent cookies”) are retained for a certain period of time so that we can identify visitors on a later visit. We may also use other technologies, for example to store data in the browser but also to distinguish recurring visitors.

You can configure your browser in the settings to block certain cookies or similar technologies or to delete cookies and other stored data. For more information, please refer to the help pages of your browser (usually under the heading “data protection”).

These cookies and other technologies may also originate from third-party companies that provide us with certain functionality. These may also be located outside Switzerland and the EEA (see section 7). For example, we use analysis services to enable us to optimise [and personalise] our website. [Cookies and similar third-party technologies also allow third-party service providers to address you with individualised advertising on our websites or other websites, as well as on social networks that also work with this third party, and measure how effective advertisements are (e.g., whether you arrived on our website via an advertisement and what actions you then take on our website).] For this purpose, the third-party service providers in question may keep details of the use of the website and link these with other information from other websites. This allows them, for example, to record user behaviour across several websites and devices in order to provide us with statistical analyses on this basis. Service providers may also use this information for their own purposes, e.g. for personalised advertising on their own websites or other websites. If a user is registered with the service provider, the latter may link the user data to the relevant person.

We use Google Analytics, an analysis service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland) on our website. Google collects certain information about the behaviour of users on the website and about the terminal device used. Visitors’ IP addresses are truncated in Europe before being forwarded to the USA. Google provides us with analyses based on the recorded data, but also processes certain data for its own purposes. You can find information on data protection at Google Analytics here, and if you have your own Google account, you can find further information here.

8. For how long do we process personal data?

We process your personal data for as long as this is necessary for the purpose of processing (in the case of contracts, usually for the duration of the contractual relationship), as long as we have a legitimate interest in the storage (e.g., in order to enforce legal claims, for archiving purposes and/or to ensure IT security) and as long as data is subject to a statutory retention obligation (a ten-year retention period applies, for example, for certain data). Upon expiry of such periods, we will delete or anonymise your personal data.

9. Any other points to take into account?

Depending on the applicable law, data processing may only be permitted if the applicable law specifically allows it. This applies, for example, under the GDPR, insofar as it applies. In this case, we base the processing of your personal data on the fact that it is necessary for the preparation and performance of contracts, that it is necessary for legitimate interests pursued by us or by third parties, e.g. for statistical analyses, that it is required or permitted by law, or that you have consented separately to the processing. The corresponding provisions can be found in Article 6 and 9 GDPR.
Please note that you are under no obligation to disclose data to us, except in certain cases (e.g., if you have to comply with a contractual obligation and data is disclosed to us in that context). However, we need to process data when entering into and performing contracts for legal and other reasons. It is also not possible to use our website without data being processed (see section 6).

10. What are your rights?

You have certain rights under the applicable data protection law, which allows you to obtain further information regarding our data processing and to influence it: 

  • you may request further information about our data processing. We are happy to answer any questions you may have. You may also submit a so-called “subject access request” if you wish to receive further information and a copy of your data;

  • you may object to our data processing;

  • you may request that we correct or amend inaccurate or incomplete personal data or that we add a note of objection;

  • you may also receive the personal data you have provided to us in a structured, commonly used and machine-readable format, provided that the relevant data processing is based on your consent or is necessary for the performance of the contract;

  • in the event that we process data on the basis of your consent, you may withdraw your consent at any time. Withdrawal is only valid for the future, and we reserve the right to continue to process data on a different basis in the event of withdrawal.

If you wish to exercise your right to withdraw consent, please feel free to contact us (section 2). As part of this process, we will typically have to check your identity (e.g., by way of a copy of an ID card). 

You are also free to lodge a complaint with the competent supervisory authority against our processing of your data; in Switzerland this is the Federal Data Protection and Information Commissioner (FDPIC).