HB‑Therm procures and processes “personal data” which relates to you or to other persons (so-called “third parties”). The term “personal data” refers to data concerning certain or determinable natural persons which, either alone or in combination with relevant additional data, permits conclusions to be drawn in respect of the identity of such persons. In this instance, we use the term “data” synonymously with the terms “personal data” or “personally related data”.
Data controller and data protection officer
The data controller and data protection officer is Stefan Gajic, HB‑Therm AG, Data Protection Office, Piccardstrasse 6, 9015 St. Gallen, Switzerland, firstname.lastname@example.org, telephone +41 71 243 65 30.
HB‑Therm accepts no liability for the consequences of any actions or failures to act that have their basis in all or part of the information made available regarding the online services. HB‑Therm expressly excludes any liability for damages including consequential damages which are connected in any form with the online services.
Place of jurisdiction and applicable law
Place of jurisdiction is the place of the Registered Office of HB‑Therm AG. Legal relations are governed by Swiss substantive law. The UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.
Name and contact details of the EU Representative
The EU Representative is HB‑Therm GmbH, Data Protection Office, Dammstraße 78, 53721 Siegburg, Germany.
Types of data
We process various categories of data on you. The most important categories are as follows.
Technical data: If you use our online services or other electronic offers (e.g. free Wi‑Fi), we collect the IP address of your end device alongside further technical data (content of the enquiry, access status, browser used, operating system, end device, region, date and time etc.) in order to ensure the functionality and security of these offers. This data also includes logs in which the use of our systems is recorded. We generally retain technical data for a period of 6 months. In order to ensure the functionality of these offers, we may also allocate an individual code to your end device (e.g. in the form of a cookie). The technical data in itself does not permit any conclusions to be drawn regarding your identity. It may, however, become linked with other data categories within the context of user accounts, registrations, access controls or the execution of contracts.
Registration data: Certain offers and services (online services) may only be used together with a user account or registration which may be set up with us directly. As part of this process, you must provide us with certain data (e‑mail address, telephone number, first name and surname, title, gender, function, language, information on your employer etc.). We collect data on the use of the offer or service. Registration data may be accrued for access controls for certain plants, buildings or rooms (name, point of contact at HB‑Therm, employer, date and time etc.). We generally retain registration data for a period of 12 months following end of use of the service or deletion of the user account.
Communication data: If you are in contact with us by e‑mail, by telephone, via a contact form, by letter or via another means of communication, we will record the data exchanged between you and us (content, name, nature, place and time of communication) including your contact details and peripheral data relating to the communication. If we wish to or need to ascertain your identity (e.g. in the event of a freedom of information request submitted by you, collection as a known consignor, application for media access etc.), we will collect data in order to identify you (e.g. copy of an identity card). We generally retain this data for a period of 12 months following last contact with you. This period of retention may be longer insofar as necessary for evidential reasons or for compliance with statutory or contractual provisions or by dint of technical requirements. E‑mails in mailboxes and items of written correspondence are generally retained for at least 10 years.
Contractual data: Contractual data is data which is accrued in connection with the conclusion or execution of a contract (e.g. information on agreements and performance to be provided or performance already rendered, data relating to the preliminary stages of the conclusion of a contract, information necessary or information used for execution and information regarding reactions). We collect this data from contractual parties and from third parties involved in execution of the contract as well as from third party sources and from other publicly accessible sources. We generally retain this data for a period of 10 years following the last contractual activity. Notwithstanding this, the minimum retention period is 10 years following end of contract. This period of retention may be longer insofar as necessary for evidential reasons or for compliance with statutory or contractual provisions or by dint of technical requirements.
Master data: We use the term master data for the basic data which we require alongside contractual data for execution of our contractual and other business relationships or for marketing and advertising purposes (name, contact details, information on your role and function, details of bank account(s), your date of birth, customer history, powers of attorney, signatory authorisations, declarations of consent, official documents). We process your master data if you are a customer or a business contact, if you are acting on behalf of a customer or business contact or if we wish to approach you for our own purposes. We receive master data from you, from bodies you work for or from third parties (e.g. our contractual partners, associations and publicly accessible sources). We generally retain this data for a period of 10 years following last contact with you. Notwithstanding this, the minimum retention period is 10 years following end of contract. This period of retention may be longer insofar as necessary for evidential reasons or for compliance with statutory or contractual provisions or by dint of technical requirements.
Other data: We also collect data from you in other situations. Data (files, evidence etc.) which may relate to you is accrued in connection with official or court procedures. We may receive or produce photographs, videos or sound recordings in which you may be recognisable (e.g. at events, from security cameras etc.). We may also collect data regarding which persons enter certain buildings or rooms and when, data regarding which persons have relevant access rights, data regarding which persons attend events and when and data regarding which persons use our infrastructure and systems and when. The retention period for such data is governed by the purpose and is limited to the minimum duration necessary.
Many of the types of data stated are disclosed to us by you. You are not required to provide us with data except in certain individual cases. If you conclude contracts with us or wish to avail yourself of services, you must provide us with data within the scope of your contractual obligations and in accordance with the relevant contract, in particular master, contractual and registration data. The processing of technical data is unavoidable when using our website. You must provide us with registration data if you wish to receive access to certain systems or buildings.
Purpose of the processing of data
We process your data for the purposes explained below. The “processing” of data refers to any way in which data is handled (e.g. procurement, storage, retention, use, change, disclosure, archiving, deletion or destruction). Further purposes are described under “Online tracking” and “Social networks”.
Communication with you: We process your data for purposes within the context of which you communicate with us or we with you, in particular for responding to enquiries and for the assertion of your rights and in order to contact you in the event of queries. To this end, we use communication data and master data in particular and also use registration data within the context of the services you have accessed. We process communication data further so that we are able to communicate with you via e‑mail, telephone, messenger services, chat, social networks and letter. We retain this data in order to document our communication with you and for the purposes of training, quality assurance and enquiries.
Contractual relationships: We conclude contracts of varying kinds with our business customers, suppliers or other contractual partners. Within this context, we particularly process master data, contractual data and communication data. Depending on circumstances, we may also process registration data of customers or of persons.
Within the scope of the initiation of business, personal data, especially master data, contractual data and communication data is collected from possible customers or from other contractual partners or is accrued by dint of a communication. Some of this information is scrutinised to ensure compliance with statutory stipulations.
Within the scope of the execution of contractual relationships, we process data for the administration of the customer relationship, for the performance of contractual services (also encompassing the additional involvement of third parties) and for the provision of guidance and customer support. Such execution of contractual relationships further includes assertion of legal rights arising from contracts, bookkeeping, the termination of contracts and public communication.
Relationship management: Within the scope of relationship management, we may also operate a Customer Relationship Management System (“CRM”), in which we store the data on customers, suppliers and other business partners which is necessary for relationship management (e.g. data relating to contact persons, relationship history, products and services purchased or delivered, interactions, interests, preferences, marketing measures etc.).
Improvement of our services and of our operations, product development: We endeavour to improve our products and services (including online services and social networks) on an ongoing basis and to be able to react rapidly to changed requirements. For this reason, we analyse aspects such as how you navigate your way through our website. This provides us with indications of the market acceptance of existing products and services and of the potential of new products and services. To this end, we process master data, behavioural data and preference data in particular. However, we also use communication data, results from customer questionnaires, surveys, studies and other information. Wherever possible, we use pseudonymised or anonymised data for these purposes.
Access control and security purposes: We test and improve the appropriate security of our IT infrastructure and other infrastructure on an ongoing basis. We process data in order to carry out checks, controls, analyses and tests on our networks and IT infrastructure, to conduct system and error checks, for documentation purposes and within the scope of back-up copies. Access controls include both the controls of access to electronic systems and physical access controls. We are also introducing access logs and visitor lists and deploying surveillance systems for security purposes (for preventative purposes and in order to investigate incidents).
Risk management: For these purposes, we process master data, contractual data, registration data and technical data in particular. However, we also use behavioural and communication data. Within the scope of the planning of our resources and the organisation of our operations, we need to evaluate and process data on the use of our services and of other offers. The same applies with regard to services rendered to us by third parties. Within the scope of corporate development, we may sell businesses, parts of businesses or companies to others. We may also acquire such businesses, parts of businesses or companies or enter into partnerships. Such circumstances may lead to the exchange and processing of data.
Further purposes: Further purposes include instruction and training, administrative purposes, maintenance of our rights and the evaluation and improvement of internal procedures. No exhaustive list can be provided of further purposes, which also include the safeguarding of legitimate interests.
Basis for data processing
To the extent that we ask for your consent for certain types of processing (e.g. the processing of personal data which is particularly sensitive and behavioural analysis on the website), we will inform you separately of the relevant purposes of processing. You may withdraw your consent with future effect at any time via written notification (by post) or, if nothing to the contrary has been stated or agreed, by notifying us via e‑mail. As soon as we receive your notification of withdrawal of consent, we will no longer process your data for the purposes to which you originally consented unless we have a different legal basis for so doing.
Where we do not seek your consent for processing, we base the processing of your personal data on the fact that such processing is necessary for the initiation or execution of a contract with you (or with the body which you represent) or on the fact that we or third parties have a legitimate interest in pursuing the purposes and associated objectives described above and in being able to carry out relevant measures. Our legitimate interests further encompass compliance with legal regulations insofar as these are not already recognised as a legal basis by the data protection law respectively applicable. Our legitimate interests also include the marketing of our products and services, our interest in gaining a better understanding of our markets and the safe and efficient management and further development of our company, including its operations.
If we receive sensitive data (health data, biometric data etc.), we may also process your data in accordance with other legal foundations. Other legal grounds may come into effect in individual cases. We will communicate these to you separately where necessary.
We may use your data to carry out an automatic evaluation of certain personal characteristics for the purposes described (“profiling”). We will do so, for example, in circumstances where we wish to determine preference data or in order to identify risks of improper use or security risks or for operational planning purposes. We will take due heed of the proportionality and reliability of results in all cases and will instigate measures to prevent improper use of these profiles or of a profiling procedure.
Disclosure of data
We also transmit your personal data to third parties in connection with our contracts, the online services, the social networks, our services and products and our legal obligations, in order to safeguard our legitimate interests and for the further purposes listed. Data is transmitted to the following recipients in particular.
Service providers: We work with service providers (e.g. IT providers, log‑in service providers, security firms, shipping companies, banks, insurance companies etc.) both domestically and abroad. These service providers act on our behalf or in joint responsibility with us to process data concerning you or receive data concerning you from us in their capacity as separate controllers. Microsoft and Google are key service providers with which we are involved in the IT sector.
Contractual partners including customers: The primary reference here is to customers and to our other contractual partners since data transmission results from these contracts. If you work for one of these contractual partners, we may also disclose data about you to such a partner within this context.
Authorities: We may disclose personal data to government agencies, courts and other authorities in Switzerland if we are legally obliged or entitled so to do or if such disclosure appears to be necessary in order to safeguard our legitimate interests. These authorities act as separate controllers in respect of data concerning you which they receive from us.
Further recipients: The reference here is to other cases in which involvement by third parties is a consequence of the purposes pursued.
Storage of data abroad
As already explained, we also disclose data to other bodies. Not all of these bodies are located in Switzerland. Place of storage is in Western Europe on HB‑Therm and Microsoft Azure servers. Established encryption mechanisms such as VPN and SSL are deployed when data is transmitted.
Period of data processing
We process your data for as long as is necessary for our processing purposes, for the legal retention periods and for our legitimate interests in processing for the purposes of documentation and evidence or if storage is a technical requirement. The sections on the individual “Types of data”, on “Data processing” and on “Google Analytics” contain further information on the respective duration of storage and processing. If there are no legal or contractual obligations to the contrary, we will delete or anonymise your data as part of our usual procedures once the storage or processing period has expired.
Documentation and evidence purposes include our interest in documenting processes, interactions and other facts and circumstances in the event of legal claims, inconsistencies, IT and infrastructure security requirements and our interest in demonstrating good corporate governance and compliance. Retention may be a technical requirement if certain data cannot be separated from other data, meaning that such data must be stored together.
Protection of your data
We instigate appropriate security measures in order to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorised or unlawful processing and to mitigate the risk of loss, accidental alteration, unintended disclosure or unauthorised access.
Technical and organisational security measures may also include the encryption and pseudonymisation of data, logging, access restrictions, the storage of back-up copies, the issuing of instructions to our employees, the conclusion of confidentiality agreements and monitoring activities.
Applicable data protection law grants you the right to object to the processing of your data in some circumstances, in particular to processing for the purposes of profiling and to other legitimate interests in processing.
In order to assist you with control of the processing of your personal data and depending on the applicable data protection law, you enjoy the following rights with regard to our data processing.
- to request information from us on which of your data we hold and process;
- to ask us to correct data which is inaccurate;
- to require the deletion of data;
- to request that we provide certain personal data in a commonly used electronic format or the transfer of such data to another controller;
- to withdraw your consent in circumstances where our processing is based on such consent;
- to receive, upon request, further information that is necessary for the exercising of the above rights;
- in the case of automated individual decision-making, to state your point of view and to require that such a decision is checked by a natural person.
If you wish to assert the above-mentioned rights vis-à-vis us, please contact us in writing, or, if nothing to the contrary has been stated or agreed, notify us via e‑mail. In order for us to be able to exclude misuse, we will need to identify you (for example by means of a copy of your identity, unless identification is not possible otherwise).
Please note that prerequisites, exceptions or restrictions may apply to these rights pursuant to the applicable data protection law.
In particular, we may need to continue to process and to store your personal data in order to fulfil a contract with you, in order to protect our own legitimate interests, such as the assertion, exercising or defence of legal claims, or in order to comply with legal obligations. Insofar as legally permitted, in particular to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may also reject a subject request in whole or in part by redacting contents which concern third parties or our trade secrets.
Please notify us if you do not agree with the way in which we handle your rights or data privacy. If you are located in the EEA or in Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country.
For our online services, we use various techniques that allow us and third parties engaged by us to recognise you during your use of the services and, in certain circumstances, to track you across several visits.
The core objective is to distinguish visits by you (via your system) from visits by other users so that we can ensure the functionality of the website and carry out analysis and personalisation. It is not our intention to determine your identity during this process, even though this would be possible to the extent that we or third parties engaged by us are able to identify you by establishing combinations with registration data. Nevertheless, even in the absence of registration data, the technologies we deploy are designed to recognise you as an individual visitor each time you access the website. For example, our server (or a third-party server) will assign a specific identification number to you or your browser (a so-called “cookie”).
We use such techniques for our online services and also permit certain third parties to do the same. You may programme your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser that blocks certain third-party tracking. More information is available on the help pages of your browser.
The following categories of cookies are differentiated.
Necessary cookies: Some cookies are necessary for the functioning of the online services or for the functioning of certain features. They ensure that you can move between pages without the loss of information entered into a form. They also ensure that you remain logged in. These cookies exist only temporarily (“session cookies”). If you block them, the online services may not work. Other cookies are necessary in order to enable the server to store decisions or information which you have entered for a period extending beyond one session, if you opt to use these functions. These cookies have an expiration date of up to 24 months.
Social networks: We may collect data concerning you as described in the section on “Types of data” via social networks. We receive this data from you and from the platforms if you enter into contact with us via our social networks. At the same time, these platforms evaluate your use of our online presence and link this data with further data which the platforms hold on you.
We process this data as described in the section on “Purpose”, in particular for communication and marketing purposes and for market research. We or the operators of the platforms may delete or restrict content from you or about you in accordance with their terms and conditions of use.
Last update: 2023-08-30