Data Privacy Business Partners

I. What is the reason for this data privacy statement?

With this Data Privacy Statement, we, EDAG Engineering Group AG (hereinafter referred to as EDAG, we or us), will explain how we collect and otherwise process personal data when you purchase our products or services, when we enter into or conduct a business relationship with you or your employer as business partners, or when you have any other dealings with us.
As it is possible that additional data privacy statements (in particular for website visitors and applicants using the online recruiting portal) or other legal documents, for instance our general terms and conditions of business, might also apply, this statement might not in all cases give a definitive description of our data processing.
Personal data is any information that relates to an identified or identifiable person. Processing includes any handling of personal data, regardless of the means and processes used, in particular the retention, disclosure, retrieval, collection, deletion, storage, modification, destruction and use of personal data.
If you provide us with personal data of other persons (e.g. data of employees or family members), we assume that you have ensured that these persons are aware of this data privacy statement, that this personal data is correct and that you will only communicate their personal data to us if you have permission to do so.
We are generally subject to Swiss data protection legislation. For this reason, this data privacy statement is first and foremost designed to comply with the Swiss Data Protection Act (DSG). Whether, however, the EU General Data Protection Regulation (GDPR) or other data protection laws would be applicable depends on the specific circumstances of a particular case.
II. Who is responsible?

EDAG Engineering Group AG, is responsible for the data processing outlined here, unless otherwise stated in a given case.
If you have any questions regarding data protection, kindly send them to us at the following contact address:
EDAG Engineering Group AG
Schlossgasse 2
9320 Arbon
Schweiz
III. How do we collect your data?

As a general rule, we process the personal data we receive from our customers and other business partners in the course of our business relationship with them and other persons involved.
We might also obtain certain data from publicly accessible sources (e.g. debt collection or commercial registers, the press, Internet) or receive such data from our business partners, from authorities and other third parties (for instance credit agencies).
IV. What data do we process?
We process data that you directly transmit to us in connection with any use you make of our products and services and in connection with our business relationship (e.g. personal data and contact data), or that result from the use of our product and services or in connection with the handling of our business relationship (e.g. contract data). We also process data with which you provide us in connection with a job application (in this case, please see our separate data privacy statement): https://www.edag.com/en/legal/data-privacy.
In addition to this data, the categories of personal data relating to you which we might possibly receive from third parties include, in particular
- Information relating to your professional functions and activities (to enable us, for example, to conclude transactions and handle business with your employer with your help);
- Information about you in correspondence and meetings with third parties;
- Information from public registers and credit reports (insofar as we do business with you personally);
- Information that might come to our notice in connection with official and legal proceedings;
- Information about you given to us by persons in your environment (employers, consultants, legal representatives, etc.) to enable us enter into or perform contracts either with you or with your help (e.g. references, addresses for deliveries, powers, information on compliance with legal requirements, for instance anti-money laundering and export restrictions, information from banks, insurance companies, sales and other contractual partners of ours on the use or provision of services by you (e.g. payments made, purchases made));
- Information about you from the media and Internet (to the extent to which this is appropriate in any specific case, e.g. in the context of an application, press review, of marketing/sales, etc.), your addresses and, if applicable, interests and other socio-demographic data (for marketing).
V. For what reasons and on what legal basis do we process your data?
When we process personal data, this relates in particular to the conclusion and handling of contracts with our customers and business partners. In particular, this involves data processing within the context of rental contracts with our customers and the purchase of products and services from our suppliers and subcontractors (insofar as the GDPR is applicable, this concerns Art. 6 para. 1 point b of the GDPR).
It is also possible that your personal data might affected if you are working for one of our customers or business partners (insofar as the GDPR is applicable, this concerns Art. 6 para. 1 point f of the GDPR). In these cases, our legitimate interest is in handling the business relationship as well and efficiently as possible. We are also required to process certain data in order to meet our legal obligations both at home and abroad (insofar as the GDPR is applicable, this concerns Art. 6 para 1 point c of the GDPR).
In addition, where this is permitted and seems to us to be appropriate, we also process personal data for the following purposes in which we (and in certain cases also third parties) have a legitimate interest corresponding to the purpose (insofar as the GDPR is applicable, this concerns Art. 6 para. 1 point f of the GDPR):
- Offering and further developing our products, services and websites and other platforms on which we are present;
- Communication with third parties and processing their requests (e.g. job applications, media requests, public authorities, etc.);
- Testing and optimizing procedures for needs analysis for the purpose of direct customer contact, and collection of personal data from publicly available sources for the purpose of customer acquisition;
- Advertising and marketing (including the organization of events), unless you have objected to the use of your data. (If, as an existing customer, we send you advertising material, you can object to this at any time, and we will then put you on a restricted list to ensure that you will no longer receive advertising mail);
- Market and opinion research, media monitoring;
- Enforcing legal claims and defense in connection with legal disputes and official proceedings;
- Prevention and investigation of criminal offenses and other misconduct (e.g. carrying out internal investigations, data analysis to combat fraud);
- Guaranteeing our operations, in particular IT, our websites and other platforms;
- Other measures for IT, building and facility security and for protecting our employees and other persons and assets belonging to or entrusted to us (for example access controls, visitor lists, network and mail scanners, recording telephone calls);
- Purchase and sale of business units, companies or parts of companies and other transactions under company law and the associated transfer of personal data, also measures for business management and compliance with legal and regulatory obligations and with the EDAG Group's internal regulations.
Insofar as you have given us your consent to the processing of your personal data for one or more specific purposes (for example, when you register to receive newsletters or carry out a background check), we process your personal data within the scope of and on the basis of this consent, insofar as we have no other legal basis and require one (insofar as the GDPR is applicable, this concerns Art. 6 para. 1 point a of the GDPR). Consent which has been given may be withdrawn at any time, though this shall not affect data processing that has already been carried out.
VI. What happens to your data that has been collected or processed in connection with the use of our website / social networks or when registering via our recruiting portal?

In this context, please see our separate data privacy statement for visitors to our website and job applicants: https://www.edag.com/en/legal/data-privacy
VII. To whom do we disclose your data?
Within the course of our business activities and for the purposes given in section 5, we may also disclose your data to third parties, where this is permitted and seems to us to be appropriate. Such disclosure is effected either because these recipients process the data for us (i.e. order processors) or because they want to use it for their own purposes. The following categories of recipients in particular are involved here:
- Service providers of ours (e.g. trustees, printers, banks, possibly also providers of payment service, insurance companies, legal advisors, etc.), including order processors (e.g. IT and storage providers);
- Dealers, suppliers, subcontractors and other business partners;
- Customers;
- Domestic and foreign authorities, official administration offices or courts;
- Media;
- The public, including visitors to websites and social media;
- Competitors, industry organizations, associations, organizations and other bodies;
- Purchasers or parties interested in purchasing business units, companies or other parts of the Company;
- Other parties in potential or actual legal proceedings;
- Other companies in the EDAG Group;
As a general rule, these recipients are located in Switzerland and the European Economic Area (EEA), but may also be located anywhere in the world. In particular, you must expect your data to be transferred to all countries in which the EDAG Group is represented by group companies, branches or other offices (https://www.edag.com/en/edag-group/the-company-edag/locations), as well as to other countries in Europe and the USA where the service providers we use are located (e.g. Microsoft, Google).
If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection requirements (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: eur-lex.europa.eu/eli/dec_impl/2021/914/oj, insofar as the recipient is not already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exemption clause. An exception may apply particularly in the case of legal proceedings abroad, but also in cases of overriding public interests or if the processing of a contract calls for such disclosure, if you have given your consent or if you have made the data in question generally accessible, and you have not objected to its being processed.
VIII. How long do we retain your data?

We will process and store your personal data for as long as is necessary for us to fulfill either our contractual and legal obligations or the purposes for which the data is being processed (e.g. as long as there is an interest in our newsletters and you do not unsubscribe from them). We will, for example, process your personal data for the duration of the entire business relationship (from the initiation and fulfillment of a contract through to its termination) and beyond in accordance with the legal retention and documentation obligations. It is possible that personal data will be retained for the period during which claims can be asserted against our company, or if we are otherwise legally obliged to do so, or legitimate business interests require us to do so (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will, as a general rule and wherever possible, be deleted or anonymized.
IX. How do we protect your data?

We take appropriate technical and organizational measures to protect your personal data. This applies in particular to protecting it from unauthorized access and misuse, and includes such measures as issuing instructions, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymization, monitoring.
Despite the fact that we take these security precautions, the processing of personal data – especially when using the Internet – is always associated with certain risks and security gaps, which means that there can be no absolute guarantee of data security.
X. Why do you have to provide us with certain data?

As a rule, we are unable to enter into and conduct a contractual relationship with you, or the entity or person you represent, and to fulfill our contractual and sometimes legal obligations without certain personal data. For this reason, we need you to provide us with certain personal data which is necessary to establish and conduct our contractual relationship and to meet the contractual obligations this entails. Also, the website cannot be used if certain information required to safeguard data traffic (the IP address, for instance) is not disclosed.
XI. Do we carry out profiling or make automated decisions?

In certain cases, processing of your personal data is partially automated; we do this with the aim of evaluating certain personal aspects (this is known as profiling). We use profiling to provide you with specific information about products and/or services and to optimize the advice we offer. To this end, we use evaluation tools which enable us to ensure that communication and advertising - including market and opinion research - meet requirements.
We do not, however, make any use of fully automated decision-making processes (as set out in Art. 22 of the GDPR).
XII. What rights do you have in connection with your data?

Within the scope of the data protection legislation applicable to you and to the extent provided for therein (in the case of the GDPR, for example), you have the right to information, rectification, deletion, the right to restrict data processing and the right to object to our processing your data, in particular for the purpose of direct marketing, profiling for direct advertising and other legitimate interests in the processing, and to the release of certain personal data for transfer to another party.
Please note, however, that we reserve the right to assert the restrictions prescribed by law if, for example we are obliged to retain or process certain data, have an overriding interest in it (as long as we can prove this) or require it to exercise claims.
We will inform you in advance of any costs you will incur. We have already informed you of the possibility of revoking your consent in section 5. Please note that exercising these rights could conflict with contractual agreements, and that this can have consequences such as the early termination of the contract or additional costs. Should this be the case, we will inform you in advance if contractual arrangements have not been made.
If you wish to exercise such rights, we must be able to identify you accordingly, by means of a copy of your identity card, for example, unless your identity can be clearly verified by other means.
To enforce your rights, you can contact us at the address given in section 1.
In addition to being able to exercise these rights directly with us, every data subject is entitled to enforce claims in court, or to file a complaint with the competent data protection authority. In Switzerland, the competent data protection authority is the Federal Data Protection and Information Commissioner (abbreviated to EDÖB): http://www.edoeb.admin.ch.
XIII. What else you need to know ...

This data privacy statement can be revised and amended at any time without advance notice. The most recent version published on our website is the valid version. If the data privacy statement is part of an agreement with you, we will notify you of any changes by email or other appropriate means, in particular publication on our website, in the event of an update.