Data Privacy Policy

Data Privacy Policy

Find our contact details in our legal notice. If you have any questions about our data protection, please contact info@artaris.ch.

General Privacy Policy Artaris

1. What is this privacy policy about?

Artaris (hereinafter also "we", "us") obtains and processes personal data concerning you or also other persons (so-called "third parties"). We use the term "data" here synonymously with "personal data" or " person-related data".

The term "Artaris" (without specifying a company form) or "Artaris network" or "network companies" refers to a network of companies and hereafter jointly means the following companies:

ARTARIS AG (UID: CHE-245.203.960, responsible for the domains https://artaris.ch/ and https://artaris-treuhand.ch)
Oberer Graben 8
9000 St. Gallen

ARTARIS TAX AG (UID: CHE-471.917.606, responsible for the domain https://artaris-tax.ch/)
Oberer Graben 8
9000 St. Gallen

ARTARIS Advokatur AG (UID: CHE-278.142.727, responsible for the domain https://artaris-advokatur.ch/)
Oberer Graben 8
9000 St. Gallen

ARTARIS SOLUTIONS AG (UID: CHE-180.028.129, , responsible for the domain https://artaris-solutions.ch/)
Oberer Graben 8
9000 St. Gallen

"Personal data" refers to data relating to specific or identifiable persons, i.e. conclusions about their identity are possible on the basis of the data itself or with corresponding additional data. "Particularly sensitive personal data" is a category of personal data that is particularly protected by the applicable data protection law. Personal data requiring special protection includes, for example, data revealing racial and ethnic origin, health data, information on religious or philosophical beliefs, biometric data for identification purposes and information on trade union membership. Section 3 provides details of the data we process for the purposes of this privacy notice. "Processing" means any handling of personal data, such as obtaining, storing, using, adapting, disclosing and deleting it.

In this data protection declaration we describe what we do with your data when you use the websites of companies from the Artaris network, in particular the following websites or domains (hereinafter "Artaris websites"):

https://artaris.ch/
https://artaris-treuhand.ch/
https://artaris-tax.ch/
https://artaris-advokatur.ch/
https://artaris-solutions.ch/

We also describe in this Privacy Policy what we do with your information when you obtain our services or products, otherwise interact with us under a contract, communicate with us or otherwise deal with us. Where appropriate, we will provide you with timely written notice of additional processing activities not mentioned in this Privacy Policy. In addition, we may inform you separately about the processing of your data, e.g. in consent forms, contract terms, additional privacy statements, forms and notices.

If you transmit or disclose data to us about other persons, such as family members, work colleagues, etc., we assume that you are authorised to do so and that this data is correct. By submitting data about third parties, you confirm this. Please also ensure that these third parties have been informed of this privacy policy.

This privacy statement is designed to meet the requirements of the EU General Data Protection Regulation ("GDPR"), the Federal Data Protection Act ("FADP") and the revised Federal Data Protection Act ("revFADP"). However, whether and to what extent these laws are applicable depends on the individual case.

2. Who is responsible for the processing of your data?

For the data processing of Artaris described in this data protection declaration, the company on whose domain you are located is responsible in terms of data protection law (cf. above list in point 1), unless otherwise communicated in individual cases (e.g. in further data protection declarations, on forms or in contracts). Unless otherwise communicated, this data protection declaration also applies to cases in which not the company but another company from the Artaris network is the responsible party. This is especially the case where your data is processed by such a network company in connection with its own legal obligations or contracts or where you share data with such a network company. In these cases, that network company is the data controller and only if you share your data with other network companies for their own purposes (see section 7) will those other network companies also become data controllers.

You can contact us for your data protection concerns and to exercise your rights under section 11 as follows. Your concern will then be forwarded directly to the responsible person, if this is necessary.

Artaris AG
Willy Ackermann
Oberer Graben 8
CH-9000 St. Gallen
info@artaris.ch

3. What data do we process?

We process different categories of data about you. The main categories are as follows:

• Technical data: When you use our Artaris websites or other electronic offers (e.g. free Wi-Fi), we collect the IP address of your terminal device and other technical data to ensure the functionality and security of these offers. This data also includes logs in which the use of our systems is recorded. We generally retain technical data for 6 months. In order to ensure the functionality of these offers, we may also assign an individual code to you or your end device (e.g. in the form of a cookie, see section 12). The technical data in itself does not allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations, access controls or the processing of contracts, they may be linked to other data categories (and thus possibly to your person).

• Registration data: Certain offers and services (e.g. login areas of our website, newsletter dispatch, free WLAN access, etc.) can only be used with a user account or registration, which can be made directly with us or via our external login service providers. In doing so, you must provide us with certain data and we collect data about the use of the offer or service. We generally retain registration data for 12 months after the end of the use of the service or the termination of the user account.

• Communication data: If you are in contact with us via an online contact form, email, telephone, letter or other means of communication, we collect the data exchanged between you and us, including your contact details and the marginal data of the communication. If we want or need to establish your identity, e.g. in the case of a request for information made by you, we collect data to identify you (e.g. a copy of an identity document). We usually keep this data for 24 months from the last exchange with you. This period may be longer where this is necessary for reasons of proof or to comply with legal or contractual requirements, or for technical reasons. E-mails in personal mailboxes and written correspondence are generally kept for at least 10 years. Recordings of (video) conferences are generally kept for 24 months.

• Master data: Master data is the basic data we need, in addition to contractual data (see below), to process our contractual and other business relationships or for marketing and promotional purposes, such as name, contact details and information about, for example, your role and function, your bank account(s), date of birth, customer history, powers of attorney, signature authorisations and consent forms. We process your master data if you are a customer or other business contact or work for one (e.g. as a contact person of the business partner), or because we want to address you for our own purposes or the purposes of a contractual partner (e.g. as part of marketing and advertising, with invitations to events, with newsletters etc.). We receive master data from you yourself (e.g. when making a purchase or as part of a registration), from bodies for which you work or from third parties such as our contractual partners, associations and address dealers and from publicly accessible sources such as public registers or the Internet (websites etc.). We may also process information about third parties within the scope of master data. As a rule, we keep this data for 10 years from the last exchange with you, but at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or if it is technically required. For pure marketing and advertising contacts, the period is usually much shorter, usually no more than 2 years since the last contact.

• Contractual data: This is data that accrues in connection with the conclusion or processing of a contract, e.g. details about contracts and the services to be provided or provided, as well as data from the run-up to the conclusion of a contract, the details required or used for processing. This also includes information about third parties. We generally collect this data from you, from contractual partners and from third parties involved in the processing of the contract, but also from third party sources (e.g. providers of creditworthiness data) and from publicly accessible sources. We generally keep this data for 10 years from the last contractual activity, but at least from the end of the contract. This period may be longer if this is necessary for reasons of evidence or to comply with legal or contractual requirements or for technical reasons.

• Other data: We also collect data from you in other situations. In connection with official or judicial proceedings, for example, data is collected (such as files, evidence, etc.) which may also relate to you. We may also collect data for health protection reasons (e.g. in the context of protection concepts). We may obtain or make photographs, videos and sound recordings in which you may be identifiable (e.g. at events, through security cameras etc.). We may also collect data on who enters certain buildings when or has corresponding access rights (incl. in the case of access controls, based on registration data or visitor lists etc.), who participates in events or campaigns when or who uses our infrastructure and systems when. The retention period of this data depends on the purpose and is limited to what is necessary. This ranges from a few days for many of the security cameras and usually a few weeks for contact tracing data, to visitor data that is usually kept for 3 months, to event reports with images that can be kept for a few years or longer.

You provide us with much of the data mentioned in this section 3 yourself (e.g. via forms, in the course of communication with us, in connection with contracts, when using the website, etc.). You are not obliged to do so, subject to individual cases, e.g. within the framework of binding protection concepts (legal obligations). If you wish to conclude contracts with us or claim services, you must also provide us with data, in particular master data, contract data and registration data, as part of your contractual obligation under the relevant contract. When using our website, the processing of technical data is unavoidable. If you wish to gain access to certain systems or buildings, you must provide us with registration data.

Unless this is inadmissible, we also take data from publicly accessible sources (e.g. debt enforcement registers, land registers, commercial registers, the media or the Internet) or receive data from other companies within our network, from public authorities and from other third parties (such as credit agencies, address dealers, associations, contractual partners, Internet analysis services, etc.).

4. For what purposes do we process your data?

We process your data for the purposes we explain below. Further information for the online area can be found in sections 12 and 13. These purposes or the underlying objectives represent legitimate interests of us and, where applicable, of third parties. You will find further information on the legal basis for our processing in section 5.

We process your data for purposes related to communication with you, in particular to respond to enquiries and assert your rights (section 11) and to contact you in the event of queries. In particular, we use communication data and master data for this purpose. We keep this data to document our communication with you, for quality assurance and for follow-up enquiries.

We process data for the purpose of establishing, managing and processing contractual relationships.

We process data for marketing purposes and to maintain relationships, e.g. to send our customers and other contractual partners personalised advertising on products and services from us and from third parties. This may take the form of newsletters and other regular contacts (electronically, by post, by telephone), via other channels for which we have contact information from you, but also as part of individual marketing campaigns (e.g. events etc.) and may also include free services (e.g. invitations etc.). You can refuse such contacts at any time (see at the end of this section 4) or refuse or withdraw your consent to be contacted for advertising purposes. With your consent, we can target our online advertising on the Internet more specifically to you (see section 12).

We continue to process your data for market research, to improve our services and operations and for product development.

We may also process your data for security and access controlpurposes.

We process personal data to comply with laws, directives and recommendations from authorities and internal regulations ("Compliance").

We also process data for the purposes of our risk management and prudent corporate governance, including business organisation and development.

We may process your data for other purposes, e.g. as part of our internal processes and administration or for quality assurance purposes.

5. On what basis do we process your data?

As far as we ask you for your consent for certain processing (e.g. for the processing of particularly sensitive personal data, for marketing mailings and for advertising control and behavioural analysis on the website), we will inform you separately about the corresponding purposes of the processing. You may withdraw consent at any time with future effect by written notice (by post) or, where not otherwise stated or agreed, by email; you will find our contact details in section 2. For withdrawal of your consent for online tracking, see section 12. Where you have a user account, withdrawal or contacting us may also be possible via the relevant website or other service. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for doing so. The revocation of your consent will not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Where we do not ask you for your consent for processing, we base the processing of your personal data on the fact that the processing is necessary for the initiation or execution of a contract with you (or the entity you represent) or that we or third parties have a legitimate interest in doing so, in particular in order to pursue the purposes and related objectives described above under section 4 and to be able to implement appropriate measures. Our legitimate interests also include compliance with legal regulations, as far as this is not already recognised as a legal basis by the respective applicable data protection law (e.g. in the case of the GDPR, the law in the EEA and in Switzerland). However, this also includes the marketing of our products and services, the interest to better understand our markets and to safely and efficiently manage and develop our business, including operations.

If we receive sensitive data (e.g. health data, information on political, religious or ideological views or biometric data for identification purposes), we may also process your data on the basis of other legal grounds, e.g. in the event of disputes due to the need for processing for a possible lawsuit or the enforcement or defence of legal claims. In individual cases, other legal grounds may come into play, which we will communicate to you separately where necessary.

6. What applies to profiling and automated individual decisions?

We do not engage in profiling and do not process data for automated individual decisions.

7. Who do we disclose your data to?

In connection with our contracts, website, services and products, legal obligations, or otherwise to safeguard our legitimate interests and the additional purposes listed in section 4, we may disclose your personal data to third parties, particularly to the following categories of recipients:

• Network companies: A list of our network companies can be found in section 1. The network companies may use the data for the same purposes as stated in this privacy policy (see section 4). We may also disclose health data to our network companies. All data collected by Artaris Advokatur AG, especially data that falls under professional confidentiality, will only be processed and administered by Artaris Advokatur AG and will not be shared with other network companies.

• Service providers: We work with service providers in Switzerland and abroad who process data about you on our behalf or receive data about you from us in joint responsibility or on their own responsibility (e.g. IT providers, lawyers, tax consultants, trustees, auditors, shipping companies, advertising service providers, login service providers, cleaning companies, security companies, banks, insurance companies, debt collection agencies, credit agencies, or address verification services). This may also include health data. For service providers involved in the website, please refer to section 12. The central service provider in the IT sector for us is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

Here is an overview of the main pages regarding data protection for Google products:

o General information on data protection (Google's Privacy Policy): https://policies.google.com/privacy

o Tips for individual products:
https://policies.google.com/technologies/product-privacy

o Use of cookies by Google:
https://policies.google.com/technologies/cookies

o Google's privacy and advertising tools:
https://policies.google.com/technologies/ads

o Ad settings:
https://adssettings.google.com/authenticated

o YouTube Terms of Service:
https://youtube.com/static?gl=DE&template=terms&hl=de

Please also check the privacy settings of your own Google account - here you have the opportunity to instruct Google exactly which data may be collected once you are logged in with your Google account.

This website uses Google Analytics. Google Analytics uses cookies. The information generated by the cookie about your use of this website (including your IP address) will be transmitted to and stored by Google on servers in the United States.

Google will use this information to evaluate your use of the website, compile reports on website activity for website operators, and provide other services related to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above (Google Analytics terms).

You can find various information about privacy at Google at the following link: https://support.google.com/analytics/answer/6004245

If you do not want to be tracked by Google Analytics on this or other websites, you can download an add-on for various browsers at https://tools.google.com/dlpage/gaoptout.

For further information on the use of this add-on, please refer to https://developers.google.com/analytics/devguides/collection/gajs.

Our websites are hosted and backed up by METANET AG, Josefstrasse 218, 8005 Zurich, Switzerland. The domains are registered with various domain registration offices in Switzerland.

Contractual partners including customers: This refers to customers (e.g., service recipients) and other contractual partners of ours because this data transmission results from these contracts. If you are acting on behalf of such a contractual partner, we may also disclose data about you to them in this context. Recipients also include contractual partners with whom we cooperate or who advertise for us, and to whom we therefore transmit data about you for analysis and marketing purposes.

Authorities: We may disclose personal data to authorities, courts, and other governmental bodies in Switzerland and abroad if we are legally obligated or entitled to do so, or if it appears necessary to protect our interests. The authorities process data about you received from us independently.

Other individuals: This refers to other cases where involving third parties arises from the purposes mentioned in section 4, e.g., service recipients, media, and associations in which we participate or if you are part of one of our publications.

All these categories of recipients may involve third parties, so your data may also be accessible to them. We can restrict the processing by certain third parties (e.g., IT providers), but not by others (e.g., authorities, banks, etc.).

We reserve the right to disclose this data even if it concerns confidential data (unless we have expressly agreed with you not to disclose this data to certain third parties, unless we are legally obligated to do so). Regardless of this, your data remains subject to adequate data protection even after disclosure in Switzerland and the rest of Europe. The provisions of section 8 apply to disclosure to other countries. If you do not want certain data to be disclosed, please let us know so that we can examine whether and to what extent we can accommodate your request (section 2).

We also allow certain third parties to collect personal data from you on our website and at our events (e.g., media photographers, providers of tools that we have integrated into our website, etc.). To the extent that we are not materially involved in these data collection activities, these third parties are solely responsible. For inquiries and the exercise of your data protection rights, please contact these third parties directly. See section 12 for the website.

8. Do your personal data also go abroad?

As explained in section 7, we also disclose data to other entities, and these entities are not only located in Switzerland. Therefore, your data may be processed in both Europe and the United States, and in exceptional cases, in any country worldwide.

If a recipient is located in a country without adequate legal data protection, we contractually require the recipient to comply with applicable data protection laws (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?). This applies unless the recipient is already subject to a legally recognized framework for data protection and we cannot rely on an exemption. An exception may apply, for example, in foreign legal proceedings, but also in cases of overriding public interests or if contract performance requires such disclosure, if you have given your consent, or if it concerns data made generally accessible by you and to which you have not objected to processing.

Please note that data exchanged over the internet is often routed through third countries. Therefore, your data may also be transferred abroad even if the sender and recipient are located in the same country.

9. How long do we process your data?

We process your data for as long as necessary to achieve our processing purposes, comply with legal retention periods, and serve our legitimate interests in processing for documentation and evidentiary purposes, or if storage is technically necessary. Further information on the respective storage and processing periods can be found for each data category in section 3 or for cookie categories in section 12. In the absence of legal or contractual obligations, we delete or anonymize your data after the expiration of the storage or processing period within the scope of our usual procedures.

10. How do we protect your data?

We implement appropriate security measures to maintain the confidentiality, integrity, and availability of your personal data and to protect them against unauthorized or unlawful processing, as well as the risks of loss, accidental alteration, unauthorized disclosure, or unauthorized access.

11. What rights do you have?

Applicable data protection laws grant you certain rights under specific circumstances to object to the processing of your data, particularly for purposes of direct marketing and other legitimate interests in processing.

To facilitate your control over the processing of your personal data, you have the following rights in connection with our data processing, depending on applicable data protection law:

• The right to request information from us about whether and which data we process about you;
• The right to have data corrected if it is inaccurate;
• The right to request the deletion of data;
• The right to request the release of certain personal data in a commonly used electronic format or its transfer to another data controller;
• The right to revoke consent to the extent that our processing is based on your consent;
• The right to request further information necessary for exercising these rights.

If you wish to exercise any of the above rights against us (or against any of our network companies), please contact us in writing, at our premises or, unless otherwise stated or agreed, by email; Our contact details can be found in Section 2. In order to prevent misuse, we must identify you (e.g. with a copy of your ID, unless this is otherwise possible).

You also have these rights vis-à-vis other bodies that work with us on their own responsibility - please contact them directly if you wish to exercise rights in connection with their processing. Information on our important cooperation partners and service providers can be found in Section 7, further information in Section 12.

Please note that for these rights under applicable data protection law, there may be conditions, exceptions, or limitations (e.g., to protect third parties or trade secrets). We will inform you accordingly if necessary.

If you are not satisfied with how we handle your rights or data protection, please notify us or our data protection officer (section 2). Especially if you are located in the EEA, the United Kingdom, or Switzerland, you also have the right to lodge a complaint with the data protection supervisory authority in your country.

You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en

You can reach the supervisory authority of the United Kingdom here: https://ico.org.uk/global/contact-us/

You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/theedoeb/contact.html

12. Do we use online tracking and online advertising techniques?

On our website, we use various techniques that allow us and third parties we engage to recognize you during your use and potentially track you across multiple visits. In this section, we provide you with information about this.

Essentially, we aim to distinguish your access (via your system) from the accesses of other users so that we can ensure the functionality of the website and perform evaluations and personalizations. We do not intend to infer your identity, although we can do so to the extent that we or the third parties we engage can identify you through the combination with registration data. Even without registration data, the employed techniques are designed to recognize you as an individual visitor with each page view, for example by assigning a specific identification number (a "cookie") to you or your browser.

We use such techniques on our website and allow certain third parties to do the same. Depending on the purpose of these techniques, we may ask for your consent before using them. You can program your browser to block certain cookies or alternative techniques, deceive them, or delete existing cookies. You can also enhance your browser with software that blocks tracking by certain third parties. Further information can be found on the help pages of your browser (usually under the keyword "privacy") or on the websites of the third parties listed below. If you do not want to be tracked by Google Analytics on this or other websites, you can download an add-on for various browsers at https://tools.google.com/dlpage/gaoptout. For more information on using this add-on, please refer to https://developers.google.com/analytics/devguides/collection/gajs.

Currently, we use offerings from the following service providers and advertising partners (to the extent that they use data from you or cookies set by you for advertising purposes):

• Google Analytics: Google Ireland (based in Ireland) is the provider of the "Google Analytics" service and acts as our data processor. Google Ireland relies on Google LLC (based in the United States) as its data processor (both "Google"). Google tracks the behavior of visitors to our website (duration, frequency of page views, geographic origin of access, etc.) through performance cookies (see above) and creates reports on the use of our website based on this information. We have configured the service so that Google truncates the IP addresses of visitors from Europe before forwarding them to the United States, making them untraceable. We have turned off the "data sharing" and "signals" settings. Although we assume that the information we share with Google is not personal data for Google, it is possible that Google may draw conclusions about the identity of visitors, create personal profiles, and link this data to the Google accounts of these individuals for its own purposes. If you consent to the use of Google Analytics, you explicitly agree to such processing, which also includes the transfer of personal data (including usage data for the website and app, device information, and individual IDs) to the United States and other countries. You can find information about the privacy of Google Analytics here [https://support.google.com/analytics/answer/6004245], and if you have a Google account, you can find further information about Google's processing here [https://policies.google.com/technologies/partner-sites?hl=en].

13. What data do we process on our social media pages?

We may operate pages and other online presences on social media and other platforms operated by third parties ("fan pages," "channels," "profiles," etc.) and collect the data described in section 3 and below about you there. We receive this data from you and the platforms when you interact with us through our online presence (e.g., when you communicate with us, comment on our content, or visit our presence). At the same time, the platforms analyze your use of our online presence and link this data with other data known to the platforms about you (e.g., your behavior and preferences). The platforms also process this data for their own purposes, particularly for marketing and market research purposes (e.g., personalizing advertisements) and to control their platforms (e.g., which content they display to you).

We process this data for the purposes described in section 4, particularly for communication, marketing purposes (including advertising on these platforms, see section 12), and market research. You can find information on the respective legal bases in section 5. Content published by you (e.g., comments on an announcement) may be further disseminated by us (e.g., in our advertising on the platform or elsewhere). We or the platform operators may also delete or restrict content by or about you in accordance with the usage policies (e.g., inappropriate comments).

For further information on the processing by the platform operators, please refer to the privacy policies of the platforms. There, you will also find information on the countries in which they process their data, the rights to access, delete, and other data subject rights you have, and how you can exercise them or obtain further information. Currently, we use the following platforms:

LinkedIn: Here we operate the pages https://www.linkedin.com/company/artaris-group/mycompany/ and https://www.linkedin.com/company/artaris-solutions, as well as possibly other pages. The responsible entity for operating the platform for users from Europe is LinkedIn Ireland Unlimited Company, Dublin, Ireland. Their privacy policy can be found at https://www.linkedin.com/legal/privacy-policy?. Some of your data is transferred to the United States.

In terms of your privacy, we kindly ask you not to transmit sensitive data within these channels (e.g., as a comment) since we have no influence on how the individual networks handle this data. Instead, we would be happy to contact you directly via email or telephone.

If you provide us with information about you and your request (e.g., name, contact details, etc.) within the social networks that are relevant to us and our business activities (e.g., for contacting and initiating a customer relationship, support inquiries, etc.), we will process this information as described in the "Contacting Artaris" section.

14. Can this privacy policy change?

This privacy policy is not part of a contract with you. We reserve the right to make changes to this privacy policy at any times. The current version can always be found on our website.

Last update: July 2023