Privacy Policy
With this privacy policy, we provide information about the processing of personal data in connection with our activities and operations, including our website under the domain name www.iart.ch. In particular, we inform you about why, how, and where we process which personal data. We also inform you about the rights of individuals whose data we process.
For individual or additional activities and operations, we may publish further privacy policies or other information about data protection.
We are subject to Swiss data protection law as well as any applicable foreign data protection law, in particular that of the European Union (EU) with the European General Data Protection Regulation (GDPR).
With the decision of 26 July 2000, the European Commission recognised that Swiss data protection law ensures an adequate level of data protection. With the report dated 15 January 2024, the European Commission confirmed this adequacy decision.
1. Contact Addresses
Controller responsible for the processing of personal data:
iart ag
Freilager-Platz 3
CH-4142 Münchenstein/Basel
info@iart.ch
In individual cases, third parties may be responsible for the processing of personal data, or there may be joint responsibility with third parties.
Data protection representative in the European Economic Area (EEA):
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
info@datenschutzpartner.eu
The data protection representative serves as an additional point of contact for affected individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) regarding GDPR-related inquiries.
2. Terms and Legal Bases
2.1 Terms
Data subject: A natural person about whom we process personal data.
Personal data: All information relating to an identified or identifiable natural person.
Special categories of personal data: Data concerning trade union, political, religious or ideological views and activities, health data, data regarding intimate life or ethnicity or race, genetic data, biometric data that clearly identify a natural person, data on criminal or administrative sanctions or prosecutions, and data on social welfare measures.
Processing: Any handling of personal data, regardless of the means and procedures used, for example querying, comparing, adjusting, archiving, storing, reading, disclosing, acquiring, collecting, deleting, revealing, organising, modifying, linking, destroying, and using personal data.
European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland and Norway.
2.2 Legal Bases
We process personal data in accordance with Swiss data protection law, in particular the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance to the Data Protection Act (Data Protection Ordinance, DPO).
If and to the extent that the European General Data Protection Regulation (GDPR) is applicable, we process personal data according to at least one of the following legal bases:
Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfil a contract with the data subject or to carry out pre-contractual measures.
Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to protect legitimate interests – including those of third parties – unless overridden by the fundamental freedoms and rights as well as interests of the data subject. Such interests include, in particular, the sustainable, human-friendly, secure and reliable performance of our activities and operations, ensuring information security, protection against misuse, enforcement of our legal claims, and compliance with Swiss law.
Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfil a legal obligation we are subject to under applicable law of EEA member states.
Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
Art. 9 para. 2 et seq. GDPR for the processing of special categories of personal data, especially with the consent of the data subjects.
The GDPR refers to the processing of personal data as the processing of personal data and the processing of special categories of personal data as processing of special categories of personal data (Art. 9 GDPR).
3. Type, Scope and Purpose of the Processing of Personal Data
We process those personal data that are necessary to sustainably, humanely, securely and reliably perform our activities and operations. The personal data processed may in particular fall into the following categories: browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data and payment data.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities and operations, provided such processing is legally permissible.
We process personal data, where necessary, with the consent of the data subjects. We may also process personal data without consent, for example to fulfil legal obligations or to protect overriding interests. We may request the consent of data subjects even when it is not required.
We process personal data for the period necessary for the respective purpose. In particular, we anonymise or delete personal data depending on statutory retention and limitation periods.
4. Disclosure of Personal Data
We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties include, in particular, specialised providers whose services we use.
We may disclose personal data, for example, to banks and other financial institutions, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media organisations, associations, social institutions, telecommunications companies, and insurance companies.
5. Communication
We process personal data to communicate with third parties. In this context, we particularly process data provided by a data subject during contact, for example by postal mail or email. We may store such data in an address book or comparable tools.
Third parties transmitting data about other individuals are obliged to ensure data protection for such data subjects. This includes, in particular, ensuring the accuracy of the transmitted personal data.
We use selected services from suitable providers to facilitate better communication with third parties.
We particularly use:
SuperOffice: Customer Relationship Management (CRM); Provider: SuperOffice AS (Norway); Privacy information: Privacy Policy, “Privacy”.
Microsoft services: Providers: Microsoft Ireland Operations Limited (Ireland) for users in the EEA, Switzerland and the UK / Microsoft Corporation (USA) for users in the rest of the world; General privacy information: “Microsoft Privacy”, “Privacy and Data Protection”, Privacy Policy, “Data and Privacy Settings”.
6. Applications
We process personal data of applicants insofar as this is necessary to assess suitability for an employment relationship or for the subsequent execution of an employment contract. The required personal data arises in particular from the information requested, for example in a job advertisement. We may publish job advertisements with the help of suitable third parties, for example in electronic and printed media or on job portals and platforms.
We also process personal data that applicants voluntarily submit or publish, in particular as part of cover letters, CVs and other application documents, as well as online profiles.
If and insofar as the General Data Protection Regulation (GDPR) is applicable, we process personal data of applicants in particular according to Art. 9 para. 2 lit. b GDPR.
7. Data Security
We implement appropriate technical and organisational measures to ensure data security appropriate to the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability and integrity of processed personal data, although we cannot guarantee absolute data security.
Access to our website and other online presence is secured through transport encryption (SSL / TLS, particularly using Hypertext Transfer Protocol Secure, HTTPS). Most browsers warn when visiting websites without transport encryption.
Our digital communication – like all digital communication – may be subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence on the corresponding processing of personal data by intelligence services, police departments, and other security authorities. We also cannot rule out the possibility that an individual may be specifically monitored.
8. Personal Data Abroad
We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other countries for processing there or by third parties.
We may export personal data to any country on Earth – or elsewhere in the universe – provided the local laws ensure adequate data protection, according to a decision of the Swiss Federal Council and – if and insofar as the GDPR is applicable – a decision by the European Commission.
We may transfer personal data to countries without adequate data protection if safeguards are in place, especially based on standard contractual clauses or other appropriate guarantees. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if the special conditions under data protection law are fulfilled, such as the explicit consent of the data subjects or a direct connection to the conclusion or execution of a contract. Upon request, we will provide affected persons with information about any applicable safeguards or a copy thereof.
9. Rights of Data Subjects
9.1 Data Protection Rights
We grant all rights to data subjects in accordance with applicable data protection laws. In particular, data subjects have the following rights:
Access: Data subjects can request confirmation as to whether we process personal data about them and, if so, what data is involved. Data subjects also receive the information necessary to assert their rights and ensure transparency. This includes the processed personal data itself, as well as information about the purpose of processing, the storage period, any disclosure or export of data to other countries, and the origin of the data.
Rectification and Restriction: Data subjects can have incorrect personal data corrected, incomplete data completed, and the processing of their data restricted.
Erasure and Objection: Data subjects can request the deletion of their personal data (“right to be forgotten”) and object to the future processing of their data.
Data Portability: Data subjects may request the handover of their personal data or the transfer of their data to another controller.
We may defer, restrict or deny the exercise of these rights within the legally permitted scope. We may inform affected persons of any prerequisites that must be met to exercise their data protection rights. For example, we may refuse access on the grounds of confidentiality, overriding interests, or the protection of other persons. We may also refuse to delete personal data, especially due to statutory retention obligations.
In exceptional cases, we may charge a fee for the exercise of rights. We will inform data subjects of any potential costs in advance.
We are obliged to identify data subjects who request access or assert other rights using appropriate measures. Data subjects are required to cooperate.
9.2 Legal Remedies
Data subjects have the right to assert their data protection rights in court or to lodge a complaint with a data protection supervisory authority.
The data protection supervisory authority in Switzerland for private controllers and federal bodies is the Federal Data Protection and Information Commissioner (FDPIC).
European data protection supervisory authorities are members of the European Data Protection Board (EDPB). In some EEA member states, supervisory authorities are structured federally, especially in Germany.
10. Use of the Website
10.1 Cookies
We may use cookies. Cookies – whether our own (first-party cookies) or those of third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data does not have to be limited to traditional text-based cookies.
Cookies may be stored temporarily as “session cookies” or for a defined period as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a defined storage period. Cookies can recognise a browser upon subsequent visits to our website and, for example, measure reach. Permanent cookies may also be used for online marketing purposes.
Cookies can be disabled or deleted at any time in the browser settings. Without cookies, our website may no longer function fully. Where necessary, we actively request the explicit consent for the use of cookies.
10.2 Logging
We may log the following information for each access to our website and other online presence, insofar as this information is transmitted to our digital infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including interface and version, browser including language and version, accessed sub-pages including data volume transferred, and the last page visited in the same browser window (referrer).
We log such information, which may also constitute personal data, in log files. This data is necessary to ensure the continuous, user-friendly and reliable provision of our online presence. It is also required to ensure data security – including through third parties or with the help of third parties.
10.3 Tracking Pixels
We may include tracking pixels (also known as web beacons) in our online presence. These are typically small, invisible images or JavaScript scripts that are automatically loaded when our online presence is accessed. Tracking pixels – including those from third parties – can collect the same information as log files.
11. Notifications and Messages
11.1 Performance and Reach Measurement
Notifications and messages may include web links or tracking pixels that record whether an individual message was opened and which links were clicked. These may record usage in a personalised manner. We use this data for statistical performance and reach measurement, so that we can send messages in a way that is effective, user-friendly, secure and reliable.
11.2 Consent and Objection
You generally must consent to the use of your email address and other contact details unless it is legally permissible without consent. We may use a double opt-in procedure to obtain such consent. In this case, you receive a message with instructions to confirm the subscription. We may log obtained consents, including IP address and time stamp, for evidence and security purposes.
You may object to receiving messages (e.g. newsletters) at any time. This objection also covers performance and reach measurement. Required messages related to our activities and operations remain unaffected.
11.3 Service Providers for Notifications and Messages
We send notifications and messages with the help of specialised service providers.
12. Social Media
We are present on social media and other online platforms to communicate and inform interested individuals about our activities and operations. In this context, personal data may also be processed outside Switzerland and the EEA.
The terms and conditions, privacy policies and other provisions of the respective platform providers apply. These terms explain the rights of data subjects, such as the right of access.
For our social media presence on Facebook, LinkedIn and Instagram, including “Page Insights”, we are – if and insofar as the GDPR applies – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta group (including in the USA). Page Insights show how visitors interact with our Facebook presence. We use them to provide our presence effectively and in a user-friendly manner.
Further information regarding the nature, scope and purpose of data processing, data subject rights and contact details of Facebook and its Data Protection Officer can be found in Facebook’s privacy policy. We have signed the “Controller Addendum” with Facebook, which particularly states that Facebook is responsible for fulfilling data subject rights. More information about Page Insights can be found under “Page Insights Information”.
13. Third-Party Services
We use third-party services to carry out our activities sustainably, user-friendly, securely and reliably. These services may embed functions or content into our website. This may technically require the third-party provider to temporarily collect user IP addresses.
For security, statistical and technical reasons, these third parties may process data in aggregated, anonymised or pseudonymised form.
We use:
Google services: Google LLC (USA) / Google Ireland Limited (Ireland) for EEA and Switzerland users
Microsoft services: Microsoft Ireland Operations Limited (Ireland) / Microsoft Corporation (USA)
13.1 Digital Infrastructure
We use providers like Amazon Web Services (AWS) to access storage and hosting infrastructure. AWS: Amazon Web Services Inc. (USA) or Amazon Web Services EMEA SARL (Luxembourg).
13.2 Audio and Video Conferences
We use providers to hold virtual meetings, online classes, or webinars. Please consider muting your microphone by default and blurring or replacing your background.
13.3 Online Collaboration
We use Microsoft Teams and Miro for digital collaboration.
13.4 Maps
We embed Google Maps and the Google Maps Platform.
13.5 Digital Content
We embed digital content such as videos via Vimeo.
13.6 Advertising
We use targeted advertising (e.g. LinkedIn Ads, Meta Ads) to reach interested audiences and track conversions via tools like Meta Pixel or LinkedIn Insight Tag.
14. Performance and Reach Measurement
We aim to measure the success and reach of our activities. We may analyse third-party links, A/B test different content versions, and use results to fix errors or improve user experience.
This often involves anonymised or pseudonymised data, IP masking, cookies and the creation of pseudonymised user profiles.
We use in particular:
Google Marketing Platform, including Google Analytics and cross-device tracking
Google Tag Manager for integrating and managing services used for analytics and performance measurement
15. Final Notes on the Privacy Policy
This privacy policy was created using the privacy policy generator from Datenschutzpartner.
We may update this privacy policy at any time. We will inform you of updates appropriately, especially by publishing the current version on our website.