Privacy Statement

Updated 14.11.2023


1.    WHAT IS THE PURPOSE OF THIS PRIVACY POLICY?

Thommen Group (hereinafter also referred to as "we", "us") obtains and processes per-sonal data related to you or other individuals ("third parties"). We use the term "data" here synonymously with "personal data" or "personal information". 

In this privacy policy, we explain what we do with your data when you visit the websites of the Thommen Group's subsidiary companies (see Section 2) and their subsites (hereinafter collectively referred to as "websites") and engage with us or use our services online in this context. Where applicable, we will notify you in writing in a timely manner of any ad-ditional processing activities not mentioned in this privacy policy. In addition, we may provide you with specific information regarding the processing of your data separately, for instance, in consent forms, contractual terms, supplementary privacy policies, forms, and notices.

If you provide us with information about others, we will assume that you are authorized to do so and that the information is accurate. By sharing data about third parties, you con-firm this. Please also ensure that these third parties have been informed about this privacy policy.

This privacy policy has been drafted to comply with the requirements of the EU General Data Protection Regulation ("GDPR"), the Swiss Data Protection Act ("DSG") and the revised Swiss Data Protection Act ("revDSG"). However, the applicability of these laws may vary depending on the specific circumstances.

For more information about our use of cookies and similar technologies, please refer to our cookie policy at https://metallum.com/en/cookie-policy.

2.    WHO IS RESPONSIBLE FOR THE PROCESSING OF YOUR DATA?

Thommen Group AG is the controller responsible for data processing described in this privacy policy. However, this privacy policy also applies to cases in which the controller is not Thommen Group AG but another group company of the Thommen Group. An overview of the Thommen Group companies can be found here https://thommengroup.com/en/locations

Where your data is processed by a group company in connection with its own legal obligations or contracts, or if you share data or interact with such a group company, that group company will be the controller, e.g. for data processing when you visit the website of a specific group company (see below). It is important to note that if this group company subsequently shares your data with other group companies for their own purposes, these additional group companies also become controllers.

In Section 6, you will find further information regarding third parties with whom we cooperate and who are responsible for their own processing activities. If you have any questions, or wish to exercise your rights against these third parties, please contact them directly.

If you have any questions or concerns about data protection and/or wish to exercise your rights under Section 9, you can contact us using the following details:

Thommen Group AG
Alpenstrasse 12
CH-6300 Zug, Switzerland
dataprotection@thommengroup.com

We are here to assist you with any questions or issues related to the processing of your personal data at any time.

3.    WHAT DATA DO WE PROCESS?

We process different categories of data about you. The most important categories are as follows: 

  • Communication and master data: If you interact with us using the contact form, by e-mail, or other means of communication on our websites, we will collect the information exchanged between you and us, including your contact details and the metadata of the communication. Communication and master data are your name and contact details, the manner, place and time of the communication and typically also its content. This data may also contain information about third parties. If we want or need to establish your identity, we may collect data to identify you. We typically receive this data from you (e.g. through contact forms) or from publicly accessible sources such as public registers or the internet (websites, social media, etc.). We usually keep this da-ta for 12 months from the last interaction with you. This period may be longer, if this is necessary for evidentiary reasons, to comply with legal or contractual obligations or for technical reasons. Emails in personal mailboxes and written correspondence are typically retained for a minimum of 10 years. 
  • Contract data: These are data related to the conclusion or performance of a contract, e.g. information about contracts and services to be provided or already provided, as well as data from the pre-contractual stage, the information required or used for processing and information about responses. As a rule, we collect this data from you, from contractual partners and from third parties involved in the performance of the contract, but also from third-party sources (e.g. credit reference agencies) and from publicly accessible sources. We typically retain this data for a period of 10 years from the last contractual activity or, at a minimum, 10 years after the contract end date. This period may be longer, if this is necessary for evidentiary reasons, to comply with legal or contractual obligations or for technical reasons.
  • Registration data: You need to register to use certain features and services (such as job alerts or newsletter subscriptions), which you can do directly with us or through our external login service providers. You will need to provide us with certain information and we will collect information about your use of features or services. Registration data includes information that you provide on or through our websites, such as your name, address or email. 
  • Technical data: When you use our websites, we collect the IP address of your device and other technical data to ensure the functionality and security of these services. This data also includes logs that record the use of our systems. We typically retain technical data for [6] months. To ensure the functionality of these services, we can also assign an individual code to you or your device. Technical data cannot be traced back to you. However, when you use our contact forms or register for our newsletter on one of the websites, they may be linked to other categories of data (and potentially to you personally). 
  • Behavioral and preference data: Depending on our relationship with you, we strive to tailor our website and the services and offers available there to our customers and visitors. To do this, we collect and use data about your behavior and preferences. We do this by analyzing information about your behavior in our area, and we may also supplement this information with information from third parties including from publicly available sources. Based on this, we can calculate, for example, the likelihood of you using certain services or behaving in a particular way. We may already have some of the data processed for this purpose (e.g. when you use our services), or we obtain this data by documenting your behavior (e.g. how you navigate our websites). We anonymize or delete this data when it is no longer relevant for the purposes pursued, typically within up to 24 months. This period may be longer, if this is necessary for evidentiary reasons, to comply with legal or contractual obligations or for technical reasons. We explain how tracking works on our websites in Section Error! Reference source not found.. 

Typically, you provide us with the data mentioned in this Section yourself. You are not obliged to do so. However, we can only provide you with certain services if you provide us with registration data. When using our websites, the processing of technical data is una-voidable. However, when it comes to behavioral and preference data, you generally have the option to object or withhold consent. Likewise, we can only respond to your queries if we process the relevant communication data and potentially also technical data - if you communicate with us online. Our websites cannot be used without us collecting technical data. 

The categories of personal data we receive from third parties about you include, but are not limited to, information from public records, information we learn in connection with official and legal proceedings, information from media and the internet about you (to the extent relevant, such as in the context of a job application), your address, and data related to the use of external websites and online services where such use can be attributed to you.

4.    FOR WHAT PURPOSES DO WE PROCESS YOUR DATA?

The purposes for which we process data are presented below. These purposes, as well as the underlying objectives, represent legitimate our interests and, where applicable, the interests of third parties. Further information on the legal basis for our processing is out-lined in Section 5.

We process data for the initiation, administration and processing of contractual relationships. We enter into various types of contracts with our customers, suppliers, subcontractors, or other contractual partners, such as project partners or parties involved in legal disputes. In this regard, we mainly process master data, contract data and communication data and, when applicable, customer registration data or data related to individuals receiv-ing services through the customer.

We process your data for communication purposes, especially to respond to inquiries, establish your rights and to contact you if you have any questions. To do this, we primarily use communication and master data, as well as registration data related to the services and offerings you have used. We retain these data to document our communication with you, for training purposes, quality assurance, and for any follow-up inquiries. 

We process data for marketing and relationship management purposes, for example, to send registered users and customers advertising materials promoting our products and services, as well as those of third parties (e.g. from advertising partners). This can be in the form of newsletters, for which we have your contact information, or as part of specific marketing campaigns, which may even offer complimentary services. You can object to, reject or opt-out from such communications at any time. We may also process your data to improve our services and operations. 

We continue to process data to optimize our online presence and operations. We strive to continually improve our websites and services and respond quickly to changing needs. This is why we analyze, for example, how you navigate through our websites and how they are used. This provides us with insights into the market acceptance of existing services and the market potential of new services. For this purpose, we process in particular communication and master data, but also behavioral and preference data and information from customer questionnaires, surveys and studies and other information, for example, from the media, social media, the internet and other public sources. 

We process personal data to ensure that we adhere to laws, regulations, and recommen-dations from authorities, as well as for compliance purposes. The legal obligations may include Swiss law, but also foreign regulations that apply to us, as well as self-regulation, industry standards, our own corporate governance policies and administrative orders and requests. 

We also process data for risk management purposes and as part of prudent corporate governance, including operational organization and corporate development. For these pur-poses, we process, in particular, master data, contract data, registration data, technical data, as well as behavioral and communication data. 

We can process your data for other purposes, for example, as part of our internal pro-cesses and administration or for quality assurance purposes, such as the administration and ongoing improvement of our IT infrastructure, the protection of our rights (e.g. to en-force claims in court or out of court and before authorities at home and abroad, or to de-fend against claims, for example, by securing evidence, legal clarifications and participa-tion in legal or official proceedings) and the evaluation and improvement of internal pro-cesses. 

5.    ON WHAT BASIS DO WE PROCESS YOUR DATA?

If we need your consent for specific processing, we will inform you separately about the relevant processing purposes Unless otherwise indicated or agreed, you can withdraw your consent at any time with effect for the future by sending us an email; you can find our contact details in Section 2. If you are registered, you may also initiate the withdrawal or contact us through the relevant website or other service (for example, by using a link to unsubscribe from receiving job alerts or our newsletter). Once we have received your con-sent withdrawal, we will no longer process your data for the purposes to which you originally consented, unless we have an alternative legal basis for doing so. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

If we do not ask for your consent to processing, we will base the processing of your per-sonal data on the fact that the processing is necessary for the initiation or performance of a contract with you (or the entity you represent) or a legitimate interest, we or third parties have to pursue especially the purposes and related objectives set out in Section 4 and to be able to implement appropriate measures. Our legitimate interests also include compliance with legal requirements to the extent they are not already recognized as a legal basis by the applicable data protection laws (e.g. the GDPR in the EEA and Switzerland), This includes the interest to understand our markets better and to manage our company and its online presence, including operations, safely and efficiently.

In individual cases, other legal reasons may apply, which we will communicate to you separately if necessary.

6.    WHO DO WE SHARE YOUR DATA WITH?

We may transfer your personal data to third parties in connection with our websites, our online services and products, our legal obligations or otherwise to protect our legitimate interests and the other specified purposes. In certain cases, these third parties process your data as processors, as joint controllers with us or as independent controllers.

The group companies of Thommen Group AG (see Section 2) may use the data for the same purposes as outlined in this privacy policy (see Section 4). The group companies will have access, in particular, to your master and communication data, registration data, as well as behavioral and preference data. If you wish to object to the disclosure and use of your data for marketing purposes, you can do this directly through us (Section 2), even if this concerns another group company because the data has already been transferred. We may also transfer your data to other group companies in connection with products and ser-vices, such as job applications and the use of our job alert tool.

We also work with service providers, both domestically and internationally, who process your data on our behalf or as joint controllers with us or who receive your data from us as independent controllers. These providers include IT service providers, shipping and logis-tics companies, advertising services, login providers, and address verification services. 

We may disclose personal data to authorities, courts, and other authorities, both domes-tically and internationally, if we are legally obligated or authorized to do so, or if it is deemed necessary to protect our interests. Authorities process your data they receive from us as independent controllers.

In addition, the involvement of other third parties is possible to fulfill the purposes set out in Section 4, for example, this could involve sharing content in our publications on our websites or in our newsletter (e.g. photos, quotes, or interviews).

All these categories of recipients may involve third parties, and your data may therefore be accessed by them. We can restrict the processing by certain third parties (e.g. IT provid-ers), but not others (e.g. authorities).

Even after your data has been disclosed in Switzerland and/or the rest of Europe, your da-ta will continue to be subject to adequate data protection. For provisions of Section 7 apply to disclosures in other countries. If you do not want certain data to be disclosed, please inform us so that we can assess whether and to what extent we can accommodate your request.

7.    CAN YOUR PERSONAL DATA BE TRANSFERRED ABROAD?

As explained in Section 6, we may transfer data to third parties, which are typically located in Switzerland or in Europe. In addition, we may in rare cases process data in other coun-tries worldwide.

If a recipient is located in a country without sufficient legal data protection, we require them to commit to upholding data protection standards. To facilitate this, we make use of the updated standard contractual clauses issued by the European Commission [https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?], unless the recipient adheres to a legally acknowledged framework for ensuring data protection, and we cannot rely on an exception. An exception may apply, for example, in the case of a foreign legal proceeding, as well as situations where there is a prevailing public interest, the data transfer is necessary for performance of a contract, based on your consent, or the data has been publicly disclosed by you, and you have not objected to the processing.

8.    HOW DO WE PROTECT YOUR DATA?

We take adequate technical and organizational protection measures to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to counteract the risks of loss, accidental alteration, unwanted disclosure or unauthorized access. 

9.    WHAT RIGHTS DO YOU HAVE?

Under applicable data protection laws, you the right to object to the processing of your data in certain situations. This includes processing for direct marketing, direct advertising and profiling purposes and other legitimate interests in processing.

To make it easier for you to control the processing of your personal data, you have the following rights in connection with our data processing, depending on the applicable data protection laws: 

  • the right to obtain from us confirmation as to whether or not data are being processed and the types of data processed;
  • the right to obtain from us rectification of inaccurate data;
  • the right to request erasure of data;
  • the right to request that we release certain personal data in a commonly used electronic format or to have it transmitted to another controller;
  • the right to withdraw consent where our processing is based on your consent;
  • the right to receive, upon request, further information necessary to exercise these rights.

If you wish to exercise the above rights against us (or against any of our group compa-nies), please contact us directly by email unless otherwise stated or agreed; you can find our contact details in Section 2. To prevent misuse, we may need to identify you (e.g. us-ing a copy of your ID, if no other means are possible). 

You also have these rights against other entities that work with us as independent controllers - please contact them directly if you want to exercise your rights related to their processing.

Please note that these rights are subject to conditions, exceptions, or limitations as per applicable data protection laws (e.g. to protect third parties or trade secrets). We will in-form you accordingly if this comes into play.

If you do not agree with our handling of your rights or data protection, please let us know (Section 2). In particular, if you are located in the EEA, UK or Switzerland, you also have the right to lodge a complaint with your country's data protection supervisory authority. 

10.    IS THIS PRIVACY POLICY SUBJECT TO CHANGE?

This privacy policy does not form an integral part of a contract with you. We can change this privacy policy at any time. The version published on this website is the current version.