Data Privacy Statement
- Part 1 – Handling of personal data of website visitors
- Part 2 – Handling of personal data of applicants
- Part 3 – Handling of personal data of suppliers / service providers
Part 1 – Handling of personal data of website visitors
1. Information about the collection of personal data
(1) Hereinafter, we shall inform you about the collection of personal data when using our website. Personal data is all data that can be associated directly with you, e.g. name, address, e-mail addresses, user behaviour.
(2) The controller is Webcraft GmbH, Industriepark 206, 78244 Gottmadingen, [email protected] (please see our Legal Notice).
(3) You can reach our data protection officer at [email protected] or via our mailing address with the addition ‘Data Protection Officer’.
(4) Should we use commissioned service providers for individual functions pertaining to our offer or intend to use your data for advertising purposes, we will inform you in detail below about the respective processes. We shall also state the specified criteria for data storage.
2. Rights of the data subject
(1) Concerning us, you have the following rights with regard to your personal data:
- Right to information,
- Right to rectification or erasure,
- Right to restriction of processing,
- Right to object to processing,
- Right to data portability.
(2) In addition, you have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us.
3. Collection of personal data when visiting our website
(1) When using our website for information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect personal data that your browser transmits to our server. When you view our website, we collect the following data that is technically necessary for us to display our website to you and to ensure stability and security (the legal basis is provided in Art. 6 (1.1) (f) GDPR):
- IP address,
- Date and time of the request,
- Time zone difference to Greenwich Mean Time (GMT),
- Content of the request (specific page),
- Access status/HTTP status code,
- Amount of data transmitted in each case,
- Website from which the request originates,
- Browser,
- Operating system and its interface,
- Browser software language and version.
4. Further processing of personal data
(1) In addition to the purely informational use of our website, we offer various services you can utilise if interested. To do so, you generally must provide additional personal data which we use to deliver the respective service and for which the aforementioned data protection regulations are applicable.
(2) In some cases, we use external service providers to process your data. They have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.
(3) Furthermore, we may pass your personal data on to third parties if we offer sales promotions, sweepstakes, conclusions of contracts or similar services in conjunction with our partners. To this end, you shall receive further information when you enter your personal data or below in the description of the offer.
(4) Should our service providers or partners be based in a country outside the European Economic Area (EEA), we will inform you of the consequences of this circumstance in the description of the offer.
5. Objection or revocation of consent to the processing of your data
(1) Provided you have given your consent to the processing of your data, you may revoke your consent at any time. Such revocation affects the legitimate processing of your personal data after you have brought it to our attention.
(2) Should we base the processing of your personal data on the balancing of interests, you may object to such processing. This is the case if the processing is not necessary, in particular, to fulfil a contract with you, which we shall outline in the following description of the functions. Should you wish to exercise your right to such objection, we ask that you explain the reasons why we should not process your personal data in the way we have done. In the event of your justified objection, we shall examine the situation and will either stop or adjust the data processing or provide you with compelling legitimate grounds on the basis of which we will continue the processing.
(3) You may, of course, at any time object to the processing of your personal data for advertising or data analysis purposes. You can inform us of your objection to advertising by using the following contact details
Part 2 – Handling of personal data of applicants
1. Preliminary remarks
(1) Personal data is all information that concerns you as a person. We process the data that you provide and transmit to us as part of your application, which usually includes:
- First and last name, prefix and title
- Your contact details, such as address, telephone number, fax number, e-mail address
- Your application details, consisting of cover letter, curriculum vitae and the usual certificates and credentials
(2) The controller in accordance with Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is Webcraft AG, Weiherallee 11a, 8610 Uster, [email protected] (please see our Legal Notice).
(3) You can reach our data protection officer at [email protected] or via our mailing address with the addition ‘Data Protection Officer’.
2. Information on the processing of applicant data (data categories)
(1) The processed categories of personal data include your basic data (such as first name, surname, prefixes), contact details (like your private address, phone number (mobile / landline), e-mail address), all data resulting from your application documents (possibly health information, if included) and, if applicable, bank details (to reimburse travel expenses). Your personal data is usually collected directly from you as part of the application process. In addition, we may have received data from third parties (e.g. employment agencies).
(2) If there are discrepancies in your application documents regarding previous employments or other legitimate interests, we may also process data that we collect from previous employers.
(3) We process your personal data in compliance with the provisions of the GDPR and all other applicable laws. The exclusive purpose of such data processing is to reach a decision on entering into an employment relationship. To this end, the primary legal basis is Art. 6 (1) (b) GDPR. In addition, your separate consent in accordance with Art. 6 (1) (a) GDPR may be deemed as data protection permission where applicable. If you have given us permission to store your personal data beyond the application process for a specified period of time or to use the data for similar recruitment processes, the legal basis is Art. 6 (1) (a) GDPR. Should your application documents contain photographs, we see this as implied consent to the processing of the photo. The legal basis is Art. 6 (1) (a) GDPR. You have the right to withdraw your consent at any time.
(4) By reason of the European anti-terrorist regulations 2580/2001 and 881/2002, we are also obligated to compare applicant data against so-called ‘EU terrorist lists’ to ensure that no funds or other economic resources are made available for terrorist purposes. The legal basis is Art. 6 (1) (c) GDPR or, if applicable, Art. 6 (1) (f) GDPR.
(5) For the purpose of vetting applicants whose future employment has become a distinct possibility, the Human Resources department will create an application-related data record prior to the start of the employment relationship. This includes first and last name, address (street, postal code, city) and country.
In an online case-by-case review, the data is compared to the most recent valid consolidated list of persons, groups and organisations impacted by financial sanctions as published by the EU.
Upon request, the data subject must be given information about the data used for data comparison, the frequency and the applied software at any time. Should a match be found, the data subject will be informed immediately with a request for comment regarding the hit. The data subject has the right to review the respective data prior to commenting.
If there is no match, no data is stored by the screening software. In this case, only the process is documented for compliance reasons. In case of a match, the data is stored for documentation purposes in accordance with the mandated storage regulations. The data subject will be informed accordingly.
(6) Insofar as special categories of personal data (in particular health information, e.g. severe disability) are processed in accordance with Art. 9 (1) GDPR, it serves exclusively to fulfil our obligations in the context of the application process. Should we intend to process your personal data for a purpose not mentioned above, we shall inform you of our intent and the applicable legal basis prior to such processing.
3. Data transfer
(1) Within our company, only persons and departments who are responsible for the specific application process receive your personal data, namely the Human Resources department, the departments in which a position is to be filled, executives and potential supervisors. Service providers appointed by us and working on our behalf (so-called data processors, cf. Art. 28 GDPR) may also process data for said purposes.
4. Transmission to a third country
(1) We do not transmit any personal data to third parties outside the European Economic Area (EEA).
5. Storage period
(1) Provided that there is no statutory retention period, the data will be deleted as soon as storage is no longer required or the legitimate interest in storage has expired. Provided the applicant is not hired, this will occur in a timely manner.
(2) In certain cases, individual data may be stored for a longer period of time (e.g. travel expense claims). The duration of storage is then based on the statutory retention requirements, for example, the Tax Code, the Swiss Code of Obligations (Obligationenrecht - OR) or the Swiss Business Records Ordinance (Geschäftsbücherverordnung - BeBüV).
(3) In case you have given us your consent to store your personal data for a specified period beyond the application process, that storage period applies.
6. Data subject rights
(1) Concerning us, you have the right
- to request information about your stored personal data and its origin, the processing purpose and the recipients or categories of recipients of said data (Art. 15 GDPR),
- to request from us, under certain conditions, the correction, blocking (restriction of processing) or erasure of your personal data (Art. 16-18 GDPR),
- to request the transfer of your data to another responsible authority (Art. 20 GDPR),
- to object to data processing (Art. 21 GDPR) and
- to complain to us or a competent data protection authority about the processing of your personal data (Art. 77 GDPR).
(2) We comply with all rights to which you are entitled promptly and free of charge. Should you have any further questions, please contact us or our data protection officer directly using the aforementioned contact details.
Part 3 – Handling of personal data of suppliers / service providers
1. Data Processing Controller and Data Protection Officer
(1) The controller is Webcraft AG, Weiherallee 11a, 8610 Uster, [email protected] (please see our Legal Notice).
(2) You can reach our data protection officer at [email protected] or via our mailing address with the addition ‘Data Protection Officer’.
2. Purpose of processing, legal basis for the collection and processing of data
(1) Your personal data will be processed for the payment of invoices issued by the supplier / service provider for deliveries and services afforded. The legal basis is Art. 6 (1) (b) GDPR.
Relevant personal data are:
- Information about the person or company (surname, first name, company name, legal structure)
- Contact details (address, telephone number, e-mail address)
- Bank details
(2) In addition, the data is compared against sanctions and terrorist lists to comply with anti-terrorist regulations. The applicable legal basis is Art. 6 (1) (c) GDPR in conjunction with EU regulations 2580/2001 (anti-terrorism), 881/2002 (Al-Qaida), 553/2007 (Al-Qaida), 753/2011 (Taliban) and § 17 of the Foreign Trade Law (Aussenwirtschaftsgesetz - AWG). There are also other general and country-specific EU embargo regulations which, in their appendices, list persons and organisations for which there are restrictions. By comparing these lists, it is ensured that no economic resources or financial benefits go to these companies and consequences under criminal law are avoided for our company.
(3) For the data comparison, a list is created internally, using the company’s internal data processing systems, which contains personal data that is restricted to the necessary minimum. This includes the company name, legal structure, address (street / postal code / city) and country.
Reviewed are
Monthly, the data of all suppliers / service providers contained in the list (master address check).
Consistently, new data saved to the list as well as any mutation of existing data for the relevant supplier / service provider (online case-by-case review).
In the process, the compiled list is compared to the most recent valid consolidated list of persons, groups and organisations impacted by financial sanctions as published by the EU.
(4) The data comparison is carried out by the company BEO GmbH as a data processor in accordance with Art. 28 GDPR. A data processing agreement has been entered into with BEO GmbH. The data processor is obligated by contractual guarantees to ensure the protection of your personal data with technical and organisational measures.
The review is recorded. Should a match be found, the company in question will be informed immediately with a request for comment regarding the hit. It has the right to review the respective data prior to commenting. If there is no match, no data is stored by the screening software. In this case, only the process is documented for compliance reasons. In case of a match, the data is stored for documentation purposes in accordance with the mandated storage regulations. Hits identified as ‘false positives’ may be saved on a whitelist to avoid repeating the inaccurate assessment.
3. Transfer of data and storage period
(1) Within our company, your data is received by those departments that require said data to fulfil contractual or legal obligations or to fulfil their respective tasks.
(2) In addition, the following entities may receive your data:
- Data processors appointed by us (Art. 28 GDPR), particularly within the scope of IT services and logistics, who process your data for us in accordance with our directions.
- Public entities and institutions as required by law or regulation.
- Our respective officers, employees, agents, authorised representatives, chartered accountants, service providers.
(3) Where required, we shall process and store your personal data for the duration of the business relationship, which also includes, for example, the initiation and execution of a contract.
(4) In addition, we are subject to various storage and documentation obligations resulting from the Commercial Code (Handelsgesetzbuch - HGB) or the Tax Code (Abgabenordnung - AO). Those mandated storage and documentation periods are two to ten years.
(5) Lastly, the storage period is also assessed according to the statutory periods of limitations which, for example, are generally 3 years based on §§ 195 ff. of the Civil Code (Bürgerliches Gesetzbuch - BGB) but, in certain cases, may also be extended to up to 30 years.
4. Data subject rights
(1) You have the right to information according to Art. 15 GDPR, the right to correction according to Art. 16 GDPR, the right to erasure according to Art. 17 GDPR, the right to restriction of processing according to Art. 18 GDPR and the right to data portability according to Art. 20 GDPR. In addition, there exists the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).