In this Data Protection Statement, we describe how the companies of the GESTIONA Legal Advanced Tech GmbH group (hereinafter collectively “GESTIONA Advanced Legal Tech GmbH”, “we” or “us”) collect and process personal data. This Data Protection Statement is not a comprehensive description; other data protection statements may regulate specific situations. Personal data refers to any information relating to an identified or identifiable person for the purposes of this statement.

1. Responsible Entity and Contact

The entity responsible for the data processing described here is GESTIONA Advanced Legal Tech GmbH, unless stated otherwise in specific cases. Requests related to data protection can be directed to us by mail or email, attaching a copy of the user’s identification or passport for verification purposes:

GESTIONA Advanced Legal Tech GmbH
Lange Gasse 90
CH-4052 Basel
Tel. +41 61 464 04 10
Email: info@gestiona.ch

2. Collection and Processing of Personal Data

We process personal data primarily in the following categories of processes:

  • Data of customers for whom we provide or have provided services.
  • Personal data we receive indirectly from our clients when providing services.
  • During visits to our website.
  • When using our newsletter.
  • When participating in an event organized by us.
  • When we communicate or a visit occurs.
  • In any other contractual relationship, such as with a supplier, service provider, or consultant.
  • In job applications.
  • When required by legal or regulatory obligations.
  • When we exercise our due diligence obligations or other legitimate interests, such as preventing conflicts of interest, preventing money laundering or other risks, ensuring data accuracy, verifying solvency, ensuring security, or enforcing our rights.

For more detailed information, please refer to the description of the respective processing categories in section 5.

3. Categories of Personal Data

The personal data we process depends on your relationship with us and the purpose for which we process it. In addition to your contact details, we process other information about you or individuals related to you. This information may include specially protected personal data.

We collect the following categories of personal data, depending on the purpose for which we process them:

  • Contact information (e.g., name, surname, address, phone number, email).
  • Client information (e.g., date of birth, nationality, marital status, profession, title, position, passport/ID number, social security number).
  • Risk evaluation data (e.g., credit information, commercial registry data).
  • Financial information (e.g., bank account details).
  • Mandate data, depending on the assignment (e.g., tax information, statutes, minutes, projects, contracts, employee data (e.g., salary, social security), accounting data, beneficial owners, ownership relationships).
  • Website data (e.g., IP address, device information (UDI), browser information, website usage (analysis and use of plugins, etc.)).
  • Application data (e.g., resume, work references).
  • Marketing information (e.g., newsletter subscription).
  • Security and network data (e.g., visitor lists, access controls, network and email scanners, phone call lists).

To the extent permitted, we also obtain certain data from publicly accessible sources (e.g., debt registers, property records, commercial registries, press, internet) or receive it from our clients and their employees, authorities, courts, and third parties. In addition to the data you provide directly, the categories of personal data we receive from third parties about you include, in particular, information from public records, information obtained in the context of administrative and judicial proceedings, information related to your professional functions and activities (so that, for example, we can conclude and process business with your employer with your assistance), information about you in correspondence and meetings with third parties, credit reports, information about you provided by people in your environment (family, advisors, legal representatives, etc.) so that we can conclude or process contracts with you or with your inclusion (e.g., references, your address for deliveries, powers of attorney), information to comply with legal requirements such as anti-money laundering and export restrictions, information from banks, insurers, distribution partners, and other contractual partners of ours for the provision or receipt of services (e.g., payments made, purchases made), information from the media and the internet about you (to the extent that this is appropriate in the specific case, for example, in the context of a job application, etc.), your addresses and possibly interests and other sociodemographic data (for marketing purposes), data related to website usage (e.g., IP address, MAC address of smartphone or computer, information about your device and settings, cookies, date and time of visit, pages and content viewed, functions used, referring website, location information).

4. Purposes of Data Processing and Legal Basis

4.1. Provision of Services

We primarily process the personal data we obtain in the context of our contractual relationships with our clients and other contractual relationships with business partners, as well as other individuals involved.

The personal data of our clients includes, in particular, the following information:

  • Contact information (e.g., name, surname, address, phone number, email, other contact details).
  • Personal information (e.g., date of birth, nationality, marital status, profession, title, job position, passport/ID number, social security number, family relationships, etc.).
  • Risk evaluation data (e.g., credit information, commercial registry data, sanctions lists, specialized databases, internet data).
  • Financial information (e.g., bank account details, investments, or holdings).
  • Mandate data, depending on the order (e.g., tax information, statutes, minutes, projects, contracts, employee data (e.g., salaries, social security), accounting data, beneficial owners, ownership relationships).
  • Website data (e.g., IP address, device information (UDI), browser information, website usage (analysis and use of plugins, etc.)).
  • Employment application data (e.g., CV, work references).
  • Marketing information (e.g., newsletter subscription).
  • Security and network data (e.g., visitor lists, access controls, network and email scanners, phone call records).

To the extent permitted, we also obtain certain data from publicly accessible sources (e.g., debt registers, property records, commercial registries, press, internet) or receive it from our clients and their employees, authorities, courts (arbitral), and other third parties. In addition to the data you provide directly, the categories of personal data we receive from third parties about you include, in particular, information from public records, information obtained in the context of administrative and judicial procedures, information related to your professional functions and activities (so that, for example, we can conclude and process business with your employer with your assistance), information about you in correspondence and meetings with third parties, credit reports, information about you provided by people in your environment (family, advisors, legal representatives, etc.) so that we can conclude or process contracts with you or with your inclusion (e.g., references, your address for deliveries, powers of attorney), information to comply with legal requirements such as anti-money laundering and export restrictions, information from banks, insurers, distribution partners, and other contractual partners of ours for the provision or receipt of services (e.g., payments made, purchases made), media and internet information about you (to the extent that this is appropriate in the specific case, for example, in the context of a job application, etc.), your addresses and possibly interests and other sociodemographic data (for marketing purposes), data related to website usage (e.g., IP address, MAC address of smartphone or computer, information about your device and settings, cookies, date and time of visit, pages and content viewed, functions used, referring website, location information).

4.2. Indirect Processing of Data Derived from Service Provision

When we provide services to our clients, it may happen that we also process personal data that we did not collect directly from the affected individuals or personal data of third parties. These third parties are typically employees, contacts, family members, or people who, for other reasons, have a relationship with the clients or the affected individuals. We need this personal data to fulfill contracts with our clients. We receive this personal data from our clients or from third parties hired by our clients. The third parties whose data we process for this purpose are informed by our clients that we are processing their data. Our clients may refer to this privacy statement for this purpose.

The personal data of individuals who have a relationship with our clients includes, in particular, the following information:

  • Contact information (e.g., name, surname, address, phone number, email, other contact information, marketing data)
  • Personal information (e.g., date of birth, nationality, marital status, profession, title, job designation, passport/ID number, social security number, family relationships, etc.)
  • Financial information (e.g., bank account details, investments, or holdings)
  • Mandate data, depending on the order (e.g., tax information, statutes, minutes, employee data [e.g., salaries, social security], accounting data)
  • Specially protected personal data: Among these personal data, there may also be specially protected data, such as health data, religious opinions, or social assistance measures, especially if we provide services in payroll processing or accounting.

We process this personal data based on the following legal grounds:

  • Conclusion or execution of a contract with the affected person or for their benefit (e.g., when we fulfill our contractual obligations)
  • Compliance with a legal obligation (e.g., when performing our functions as auditors or wealth managers or when we are required to disclose information).
  • Protection of legitimate interests, especially our interest in providing optimal service to our clients.

4.3. Use of Our Website

To use our website, it is not necessary to disclose personal data. However, the server logs a series of user information with each visit, which is temporarily stored in the server’s log files.

The use of this general information is not associated with any particular individual. The collection of this information or data is technically necessary to display our website and ensure its stability and security. This information is also collected to improve the website and analyze its usage.

This includes, in particular, the following information:

  • Contact information (e.g., name, surname, address, phone number, email).
  • Other information transmitted to us through the website.
  • Technical information automatically transmitted to us or our service providers, information about user behavior or website settings (e.g., IP address, unique device identifier, device type, browser, number of page clicks, newsletter opening, click on links, etc.).

We process this personal data based on the following legal grounds:

  • Protection of legitimate interests (e.g., for administrative purposes, improving our quality, analyzing data, or promoting our services).
  • Consent (e.g., in the use of cookies or the newsletter).

4.4. Use of the Newsletter

If you subscribe to our newsletter, we use your email address and other contact details to send you the newsletter. You can subscribe to our newsletter with your consent. The required data for sending the newsletter are your full name and email address, which we store after your registration. The legal basis for processing your data in relation to our newsletter is your consent to receive it. You can withdraw this consent at any time and unsubscribe from the newsletter.

4.5. Participation in Events

When you participate in an event organized by us, we collect personal data to organize and carry out the event and possibly to send you additional information afterward. We also use your information to inform you about future events. It is possible that during these events, photographs or videos may be taken of you, and we may publish this visual material either internally or externally.

This includes, in particular, the following information:

  • Contact information (e.g., name, surname, address, phone number, email).
  • Personal information (e.g., profession, role, title, company, dietary habits).
  • Images or videos.
  • Payment information (e.g., bank details).

We process this personal data based on the following legal grounds:

  • Compliance with a contractual obligation with the affected person or for their benefit, including the preparation of the contract and its possible execution (facilitating participation in the event).
  • Protection of legitimate interests (e.g., organizing events, disseminating information about our event, providing services, efficient organization).
  • Consent (e.g., for sending marketing information or creating visual material).

4.6. Direct Communication and Visits

When you communicate with us (e.g., by phone, email, or chat) or when we communicate with you, we process the personal data necessary for this. We also process this personal data when you visit us. In this case, you may be required to provide your contact details before your visit or at reception. These details are kept for a certain period to protect our infrastructure and information.

For teleconferences, online meetings, video conferences, and/or webinars (“online meetings”), we use the services of “Zoom” or “Microsoft Teams”.

In particular, we process the following information:

  • Contact information (e.g., name, surname, address, phone number, email)
  • Secondary communication data (e.g., IP address, duration of communication, communication channel)
  • Recordings of conversations, for example, in video conferences
  • Other information that the user uploads, provides, or creates during the use of the video conferencing service, as well as metadata used for maintaining the provided service. You can find more information about the processing of personal data by “Zoom” or “Microsoft Teams” in their privacy policies.
  • Personal information (e.g., profession, role, title, company)
  • Date and purpose of the visit.

We process this personal data based on the following legal grounds:

  • Compliance with a contractual obligation with the affected person or for their benefit, including the preparation of the contract and its possible execution (providing a service)
  • Protection of legitimate interests (e.g., security, traceability, as well as managing and administering customer relationships).

4.7. Applications

You may submit your job application by mail or through the email address provided on our website. The application documents and all personal data provided to us are treated with strict confidentiality, not disclosed to third parties, and only processed for the purpose of handling your job application with us. Unless you consent otherwise, your application file will be returned or deleted/destroyed after the application process is completed, unless it is subject to a legal retention requirement. The legal basis for processing your data is your consent, the execution of the contract with you, and our legitimate interests.

In particular, we process the following information:

  • Contact information (e.g., name, surname, address, phone number, email)
  • Personal information (e.g., profession, role, title, company)
  • Application documents (e.g., cover letter, references, diplomas, resume)
  • Evaluation information (e.g., personnel consultant’s evaluation, references, assessments)

We process this personal data based on the following legal grounds:

  • Protection of legitimate interests (e.g., hiring new employees)
  • Consent.

4.8. Providers, Service Providers, and Other Contractual Partners

When we enter into a contract with you to provide a service for us, we process personal data of you or your employees. We need this data to communicate with you and use your services. We may also process this personal data to verify if there is a conflict of interest related to our activity as auditors or asset managers, and to ensure that the collaboration does not involve unwanted risks, such as money laundering or sanctions.

In particular, we process the following information:

  • Contact information (e.g., name, surname, address, phone number, email)
  • Personal information (e.g., profession, role, title, company)
  • Financial information (e.g., bank account details)

We process this personal data based on the following legal grounds:

  • Conclusion or execution of a contract with the affected person or for their benefit, including the preparation of the contract and its possible execution
  • Protection of legitimate interests (e.g., prevention of conflicts of interest, protection of the company, and legal resources)

5. Web and Newsletter Analytics

To gather information on the use of our website, improve our online offerings, and also target you with advertisements on third-party websites or social media, we use the following web analytics tools and retargeting technologies: Google Analytics.

These tools are provided by external vendors. Typically, the information collected for this purpose regarding the use of a website is transmitted to the external vendor’s server using cookies or similar technologies. Depending on the external vendor, these servers may be located abroad.

The transmission of data is generally carried out with IP addresses being anonymized, which prevents the identification of individual devices. The transfer of this information by external vendors only occurs based on legal regulations or as part of data processing on behalf of the controller.

5.1. Google Analytics

We use Google Analytics on our websites, a web analytics service by Google LLC, Mountain View, California, USA, with Google Limited Ireland (“Google”) as the responsible entity for Europe. To deactivate Google Analytics, Google provides a browser add-on at https://tools.google.com/dlpage/gaoptout?hl=de. Google Analytics uses cookies, which are small text files that store information related to the user on the user’s device. These cookies allow Google to analyze the use of our web offer. The information collected by the cookies regarding the use of our websites (including your IP address) is typically transmitted to a Google server in the USA and stored there. We note that on this website, Google Analytics has been extended with the code “gat._anonymizeIp();” to ensure the anonymous collection of IP addresses (called IP masking). When anonymization is active, Google shortens IP addresses within the member states of the European Union or other states party to the Agreement on the European Economic Area, so that your identity cannot be determined. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. Google may associate your IP address with other Google data. Google has committed to adhering to the EU Standard Contractual Clauses for data transfers to the USA.

6. Data Transfer and Transmission

We only share your data with third parties if necessary for the provision of our service, if these third parties are providing a service for us, if we are required to do so by law or by an authority, or if we have a predominant interest in the transfer of personal data. We will also transfer personal data to third parties if you have given your consent or have requested us to do so.

Not all personal data is transmitted encrypted by default. Unless explicitly agreed otherwise with the client, accounting data, payroll administration data, payslips, and salary certificates are transmitted unencrypted.

The following categories of recipients may receive personal data from us:

  • Branches, subsidiaries, or sister companies.
  • Service providers (e.g., IT providers, hosting providers, suppliers, consultants, lawyers, insurers).
  • Third parties in the context of our legal or contractual obligations, authorities, state institutions, courts.

With service providers who process personal data on our behalf, we sign contracts that require them to ensure data protection. Our service providers are primarily located in Switzerland or the EU/EEA. Some personal data may also be transferred to the USA (e.g., Google Analytics data) or, in exceptional cases, to other countries around the world. If it is necessary to transfer data to other countries that do not have an adequate level of data protection, this will be done based on the EU Standard Contractual Clauses (e.g., in the case of Google) or other appropriate instruments.

7. Duration of Retention of Personal Data

We process and store your personal data as long as necessary to fulfill our contractual and legal obligations or any other processing purpose, i.e., for example, throughout the duration of the entire business relationship (from initiation, execution to termination of a contract) and beyond in accordance with legal retention and documentation obligations. Personal data may be retained for the period during which claims may be made against our company (i.e., especially during the statutory limitation period) and to the extent that we are legally required to do so or have legitimate business interests that require retention (e.g., for purposes of proof and documentation). Once your personal data is no longer necessary for the aforementioned purposes, it will be deleted or anonymized as far as possible. For operational data (e.g., system logs, logs), shorter retention periods of twelve months or less generally apply.

8. Data Security

We take appropriate technical and organizational security measures to protect your personal data against unauthorized access and misuse, such as issuing instructions, training, IT and network security solutions, access controls and restrictions, encryption of transmissions and storage media, pseudonymization, and audits.

9. Obligation to Provide Personal Data

In the context of our business relationship, you are required to provide the personal data necessary to initiate and carry out a business relationship and fulfill the associated contractual obligations (you generally do not have a legal obligation to provide us with data). Without this data, we will not be able to enter into or perform a contract with you (or the entity or person you represent). Similarly, it will not be possible to use the website if certain data is not disclosed to ensure data traffic (such as the IP address).

10. Your Rights

In relation to our processing of personal data, you have the following rights:

  • Right of access to the personal data we store about you, the purpose of processing, the source, and the recipients or categories of recipients to whom the personal data is disclosed.
  • Right to rectification if your data is incorrect or incomplete.
  • Right to restrict the processing of your personal data.
  • Right to request the deletion of personal data processed.
  • Right to data portability.
  • Right to object to data processing or withdraw consent for the processing of personal data at any time without the need to provide a reason.
  • Right to lodge a complaint with a competent supervisory authority, if legally provided.

To exercise these rights, please contact the address provided in Section 1. Please note that we reserve the right to impose applicable legal restrictions, for example, if we are required to retain or process certain data, have a legitimate interest in doing so (to the extent we can invoke it), or need the data to enforce claims. If costs apply to you, we will inform you in advance.

11. Changes to the Privacy Policy

We expressly reserve the right to modify this privacy policy at any time. Last modification: August 2023.