2. Who is responsible for processing your data?
Schmidhäusler Rechtsanwälte AG
3. For which purposes do we process which of your data?
When you use our services, use www.schmidhaeusler.ch (hereinafter "Website"), or otherwise deal with us, we collect and process various categories of your personal data. In principle, we may collect and otherwise process this data in particular for the following purposes:
- Communication: We process personal data so that we can communicate with you as well as with third parties, such as parties to proceedings, courts or authorities, by e-mail, telephone, letter or otherwise (e.g. to answer inquiries, in the context of legal advice and representation as well as the initiation or execution of contracts). This includes providing our clients, contractors and other interested parties with information about events, changes in the law, news about our firm or the like. This can take the form of newsletters and other regular contacts (electronic, postal, telephone). You may refuse such communications or refuse or withdraw consent to such communications at any time. For this purpose we process esp. the content of the communication, your contact data as well as the boundary data of the communication, but also image and audio recordings of (video) phone calls. In the case of audio or video recording, we will notify you separately and you are free to inform us if you do not wish to be recorded or to terminate the communication. If we need or want to establish your identity, we will collect additional data (e.g. a copy of an ID).
- Initiation and conclusion of contracts: With regard to the conclusion of a contract, such as in particular a contract for the establishment of a mandate relationship, with you or your client or employer, which also includes the clarification of any conflicts of interest, we may in particular obtain your name, contact details, powers of attorney, declarations of consent, information about third parties (e.g. contact persons, family details as well as counterparties), contract contents, date of conclusion, creditworthiness data as well as all other data which you make available to us or which we collect from public sources or third parties (e.g. commercial register, credit agencies, sanctions lists, media, legal protection insurances or from the Internet).
- Administration and processing of contracts: We obtain and process personal data so that we can comply with our contractual obligations to our clients and other contractual partners (e.g. suppliers, service providers, correspondence law firms, project partners) and, in particular, so that we can provide and collect the contractual services. This also includes data processing for client management (e.g. legal advice and representation of our clients before courts and authorities and correspondence) as well as data processing for the enforcement of contracts (debt collection, legal proceedings, etc.), accounting and public communication (if permitted). For this purpose, we process in particular the data which we receive or have collected in the course of the initiation, conclusion and execution of the contract, as well as data which we create in the course of our contractual services or which we collect from public sources or other third parties (e.g. courts, authorities, counterparties, information services, media, detective agencies or from the Internet). Such data may include, in particular, minutes of conversations and consultations, notes, internal and external correspondence, contractual documents, documents that we prepare and receive in the course of proceedings before courts and authorities (e.g., statements of claim, appeals and complaints, judgments and decisions), background information about you, counterparties or other persons, as well as other mandate-related information, performance records, invoices, and financial and payment information.
- Improving our electronic offerings: In order to continuously improve our website and other electronic offerings, we collect data about your behavior and preferences, for example, by analyzing how you navigate through our website and how you interact with our social media profiles and [other electronic offerings].
- Security purposes as well as access controls: We obtain and process personal data to ensure and continuously improve the appropriate security of our IT and other infrastructure (e.g., buildings). This includes, for example, monitoring and controlling electronic access to our IT systems as well as physical access to our premises (including by means of procedures involving the processing of biometric data), analysis and testing of our IT infrastructures, system and error checks, and the creation of security copies. For documentation and security purposes (preventive and incident investigation), we also keep access logs or visitor lists in relation to our premises and use surveillance systems (e.g. security cameras). We will draw your attention to monitoring systems at the relevant locations by means of appropriate signs.
- Adherence to laws, directives and recommendations of authorities and internal regulations (“Compliance”): We obtain and process personal data to comply with applicable laws (e.g., anti-money laundering, tax obligations or our professional duties), self-regulations, certifications, industry standards, our corporate governance, and for internal as well as external investigations to which we are a party (e.g., by a law enforcement or regulatory agency or an appointed private entity).
- Risk management and corporate governance: We obtain and process personal data as part of risk management (e.g., to protect against tortious activities) and corporate governance. This includes, among other things, our business organization (e.g. resource planning) and corporate development (e.g. acquisition and sale of business units or companies).
- Other purposes: Other purposes include, for example, training and educational purposes as well as administrative purposes (e.g. accounting). We may listen to or record telephone or video conferences for training, evidence, and quality assurance purposes. In such cases, we will notify you separately (e.g. by displaying a notice during the video conference in question) and you are free to let us know if you do not wish to be recorded or to terminate the communication (if you simply do not wish your image to be recorded, please turn off your camera). In addition, we may process personal data for the organization, implementation and follow-up of events, such as, in particular, lists of participants and the content of presentations and discussions, but also image and audio recordings made during these events. The protection of other legitimate interests is also one of the other purposes that cannot be named exhaustively.
Use of Microsoft 365
For our daily work we use Microsoft 365 and various applications included in it. Microsoft 365 is software produced by Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA. However, our contractual partner is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter “Microsoft”).
We maintain numerous services that are used in everyday office life, such as Word, PowerPoint, Excel, Outlook and Teams. Microsoft 365 also offers additional online services. These include several cloud services, such as OneDrive and Exchange Online, where data is stored on Microsoft servers instead of in-house. We use Office 365 E5.
A direct exchange of personal data between you and our Microsoft 365 applications will primarily take place during online meetings via the “Microsoft Teams” tool (see below) as well as during communication via e-mail. In most cases, you will not have to deal directly with the other functionalities of Microsoft 365. In exceptional cases, however, we may provide you with access to Microsoft 365 functions with your consent if this is necessary or useful for processing your mandate.
If we should exceptionally grant you direct access to Microsoft 365, even if only for a limited period of time, the following data will be processed from you:
- IP address used to access the Microsoft 365 applications.
- Your user name (access data to the Microsoft 365 applications), data within the scope of the so-called multifactor authentication that you yourself have stored in your Microsoft account (e.g. optionally the (private) cell phone number)
- Identifiers: Information about you that identifies you as a user, sender, recipient of data within Microsoft 365 applications. This includes in particular the following master data: Name, first name, business contact data such as telephone number, e-mail address, business fax number, if provided by you. Other data (such as a profile picture you have stored) can also be viewed in your profile at any time. This information is visible to you at all times in your profile, but especially in Outlook, and can be customized by you
- Data required for authentication and license use. In the Microsoft 365 applications, all user activities, such as time of access, date, type of access, indication of the data/files/documents accessed and all activities related to usage, such as creating, modifying, deleting a document, setting up a team (and channels in teams), making notes in the notebook, starting a chat, replying in the chat are processed
Otherwise, we process via Microsoft 365 all data that you provide to us by phone or e-mail when you contact us. If the data processing takes place in connection with a client relationship, we process the following data:
- Your name and contact information (including, but not limited to, name, address, telephone number, or email address).
- Information about the company you work for, your position or title
- Identification and background information that you provide to us or that we collect from you in the course of establishing the client relationship
- Billing and payment information
- Information that you have disclosed to us within the scope of and for the purpose of processing the mandate or that we create for you within the scope of our services, including mandate-related communication
- All other information relating to you which you provide to us in connection with the mandate
Currently, the following Microsoft 365 applications store data at rest in Switzerland: Exchange Online, SharePoint, OneDrive, Teams, Azure. However, data at rest in Switzerland may be transferred to other countries while using these applications. Microsoft 365 applications other than those mentioned above can also store data at rest outside of Switzerland. According to Microsoft, the data in this case is primarily stored on servers in the EU. For this data processing, we have concluded an order processing agreement with Microsoft in accordance with Art. 28 DSGVO and Art. 10a DSG. Accordingly, we have agreed extensive technical and organizational measures with Microsoft for Microsoft 365 that correspond to the current state of the art in IT security, e.g. with regard to access authorization and end-to-end encryption concepts for data lines, databases and servers. Microsoft also commits to us to be bound by professional secrecy and to implement appropriate safeguards. Microsoft has also added further protections to the EU standard contractual clauses incorporated into its contracts. According to the agreement, Microsoft undertakes to take action against any request from a government agency and to compensate users in the event of government access. Where data is transferred to third countries, Microsoft always uses state-of-the-art encryption and promises that the data will be returned to the internal EU storage location immediately after processing. Microsoft assures that, even if it is required by law to disclose the data to security authorities, it will not disclose the encryption key or allow the encryption to be circumvented.
In connection with the foregoing data processing by Microsoft, access may also be provided by affiliates of Microsoft from outside the European Union. Exclusively for this case of access from outside the European Union in individual cases approved by us, we have concluded EU standard contracts (standard data protection clauses) with Microsoft. In order to guarantee an appropriate level of data protection when transferring personal data to a third country such as the USA in this specific case, we have agreed and implemented supplementary measures with Microsoft in the form of state-of-the-art technical and organizational measures such as access authorization and encryption concepts for data lines, databases and servers, as described above.
In particular, Microsoft collects and processes diagnostic data to keep Microsoft 365 secure and up to date, troubleshoot issues, and make product enhancements. By using Windows Restricted Traffic Limited Functionality, we restrict the connections of Microsoft 365 applications to Microsoft. This minimizes the diagnostic data shared with Microsoft.
We use the Microsoft Teams application to conduct conference calls, online meetings, video conferences and/or webinars. Microsoft Teams is part of Microsoft 365.
When using Microsoft Teams, different types of data are processed. The scope of the data also depends on the information you provide before or during participation in an online meeting.
The following personal data may be the subject of processing:
- User details: e.g. display name, e-mail address (if applicable), profile picture (optional), preferred language
- Meeting metadata: e.g., date, time, meeting ID, phone numbers, location, text, audio, and video data.
- Authentication data
- Log files, log data
- Contents of the online meeting (if you make a personal appearance with contributions)
- You may have the option to use the chat function in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting. To enable the display of video and the playback of audio, the data from the microphone of your terminal device as well as from any video camera of the terminal device are processed accordingly during the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the Microsoft Teams application
- When dialing in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored
If we want to record online meetings, we will transparently tell you before the online meeting and – if necessary – ask for consent. If necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will usually not be the case.
Note: To the extent that you access the Microsoft Teams website, Microsoft is responsible for data processing. Access to the website is only required to download the software for the use of Microsoft Teams.
You can also use Teams by entering the respective meeting ID and, if necessary, other access data for the meeting directly in the Teams app or by clicking on the link to the meeting that may have been sent to you.
4. Where does the data come from?
- From you: The majority of the data we process is provided by you (e.g., in connection with our services, use of our website and apps, or communication with us). You are not obliged to disclose your data, with exceptions in individual cases (e.g. legal obligations). However, if you want to conclude contracts with us or use our services, for example, you must provide us with certain data. Also, the use of our website is not possible without data processing.
If you contact us by email, you are responsible for the message and/or content you send. We recommend that you do not send any confidential data. Personal data is only collected if you provide it to us voluntarily. Therefore, you are responsible for what data you submit to us. In order to answer your questions, we may ask you to provide us with additional information, such as your address, telephone number, etc. We only collect personal information from you when it is necessary to answer your questions or provide the services you have requested.
- From third parties: We may also obtain or receive data from publicly available sources (e.g., debt collection registers, land registers, commercial registers, media, or the Internet, including social media) from (i) Authorities, (ii) your employer or principal who is either in a business relationship with us or otherwise dealing with us, and from (iii) other third parties (e.g. clients, counterparties, legal protection insurers, credit reference agencies, address dealers, associations, contractual partners, Internet analysis services). This includes, in particular, the data we process in the course of initiating, concluding and executing contracts, as well as data from correspondence and discussions with third parties, but also all other categories of data pursuant to para. 3.
5. To whom do we disclose your data?
In connection with the provisions set forth in para. 3, we transfer your personal data in particular to the categories of recipients listed below. If necessary, we obtain your consent for this or have our supervisory authority release us from our professional duty of confidentiality.
- Service providers: We cooperate with service providers at home and abroad who (i) on our behalf (e.g. IT provider), (ii) in joint responsibility with us or (iii) process on their own responsibility data they have received from us or collected on our behalf. (These service providers include, for example, IT providers, banks, insurance companies, debt collection companies, credit reporting agencies, address checkers, other law firms or consulting companies). We usually agree on contracts with these third parties regarding the use and protection of personal data.
- Clients and other contractual partners: First of all, this refers to clients and other contractual partners of ours for whom the transfer of your data arises from the contract (e.g. because you are working for a contractual partner or he is providing services for you). This category of recipients also includes entities with which we cooperate, such as other law firms in Germany and abroad, or legal expenses insurance companies. The recipients process the data under their own responsibility.
- Authorities and courts: We may disclose personal data to offices, courts and other authorities in Switzerland and abroad if this is necessary for the fulfillment of our contractual obligations and, in particular, for the performance of our mandate, or if we are legally obliged or entitled to do so, or if this appears necessary to protect our interests. These recipients process the data under their own responsibility.
- Counterparties and persons involved: To the extent necessary for the performance of our contractual obligations, in particular for the management of the mandate, we also disclose your personal data to counterparties and other involved persons (e.g. guarantors, financiers, affiliated companies, other law firms, respondents or experts, etc.).
- Other persons: This refers to other cases where the inclusion of third parties arises from the purposes pursuant to para. 3. This applies, for example, to delivery addressees or payment recipients specified by you, third parties in the context of agency relationships (e.g. your lawyer or your bank) or persons involved in official or legal proceedings. We may also disclose your personal data to our supervisory authority, in particular if this is necessary in individual cases for the release from our professional duty of confidentiality. If we cooperate with media and transmit material to them (e.g. photos), you may also be affected. As part of our business development, we may sell or acquire businesses, operations, assets or companies, or enter into partnerships, which may also result in the disclosure of information (including information about you, for example, as a client or supplier or as their agent) to those involved in these transactions. In the course of communication with our competitors, industry organizations, associations and other bodies, data concerning you may also be exchanged.
All these categories of recipients may in turn involve third parties, so that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).
6. Does your personal data also end up abroad?
We process and store personal data primarily in Switzerland and the European Economic Area (EEA), but potentially in any country in the world, depending on the case – for example, through subcontracted processors of our service providers or in proceedings before foreign courts or authorities. Even in the course of our work for clients, your personal data may end up in any country in the world.
If a recipient is located in a country without adequate data protection, we contractually obligate the recipient to maintain an adequate level of data protection (for this purpose, we use the European Commission’s revised standard contractual clauses, which are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj? including the supplements required for Switzerland), insofar as it is not already subject to a legally recognized set of rules to ensure data protection. We may also disclose personal data to a country without adequate data protection without entering into a separate contract if we can rely on an exemption provision to do so. An exception may apply namely in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract which is in your interest requires such disclosure (e.g., if we disclose data to our correspondence offices), if you have consented, or if it is not possible to obtain your consent within a reasonable period of time and the disclosure is necessary to protect your life or physical integrity or that of a third party, or if it concerns data made generally available by you, the processing of which you have not objected to. We may also rely on the exception for data from a register provided for by law (e.g. HR) to which we have been legitimately granted access.
7. What rights do you have?
You have certain rights in connection with our data processing. In accordance with applicable law, you may, in particular, request information about the processing of your personal data, have inaccurate personal data corrected, request the deletion of personal data, object to data processing, request the release of certain personal data in a common electronic format or its transfer to other data controllers.
If you wish to exercise your rights against us, please contact us; you will find our contact details in para. 2. So that we can exclude misuse, we must identify you (e.g. with a copy of your ID, if necessary).
Please note that conditions, exceptions or limitations apply to these rights (e.g., to protect third parties or trade secrets or due to our professional duty of confidentiality). We reserve the right to black out copies for reasons of data protection or confidentiality or to supply only excerpts.
8. How are cookies, similar technologies and social media plug-ins used on our website and other digital services?
When using our website, data is generated that is stored in logs (in particular technical data).
Thus, the provider of this website automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
- the name of your internet service provider
- Your IP address (under certain circumstances)
- the version of your browser software
- the operating system of the computer with which URL is accessed
- the date and time of access
- Place of access
- the web page from which you are visiting URL
- the search words you used to find URL.
This data cannot be assigned to specific persons. This data is not merged with other data sources. We reserve the right to check this data retrospectively if we become aware of specific indications of unlawful use.
You can set your browser to automatically reject, accept or delete cookies. You can also disable or delete cookies on a case-by-case basis. You can find out how to manage cookies in your browser in the help menu of your browser.
Both the technical data we collect and cookies generally do not contain any personal data.
- Google Analytics
Provider: Google Ireland Limited
Information for Google accounts: https://policies.google.com/technologies/partner-sites?hl=de
- Google Maps
Our website uses the offer of Google Maps. This allows us to show you interactive maps directly in the website and enables you to use the map function comfortably. To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there.
Google Maps is used in the interest of an appealing presentation of our online offers and to make it easy to find the places we indicate on the website.
Provider: Google Ireland Limited
Some of the third-party providers we use may be located outside of Switzerland. For information on data disclosure abroad, please refer to para. In terms of data protection law, they are in part “only” order processors of us and in part responsible entities. Further information on this can be found in the data protection declarations.
9. What else needs to be considered?
We do not assume that the EU General Data Protection Regulation (“GDPR”) is applicable in our case. However, if this should be the case for certain data processing in exceptional cases, this section shall additionally apply exclusively for the purposes of the GDPR and the data processing subject to it.
We base the processing of your personal data in particular on the fact that
- it is necessary, as described in para. 3, for the initiation and conclusion of contracts and their administration and enforcement (Art. 6 para. 1 lit. b DSGVO);
- it is necessary for the protection of legitimate interests of us or of third parties as described in para. 3 above, namely for communication with you or third parties, to operate our website, to improve our electronic offerings and registration for certain offers and services, for security purposes, for compliance with Swiss law and internal regulations for our risk management and corporate governance and for other purposes such as training and education, administration, evidence and quality assurance, organization, implementation and follow-up of events and to protect other legitimate interests (see Section 3) (Art. 6 para. 1 lit. f DSGVO);
- it is required or permitted by law on the basis of our mandate or position under the law of the EEA or a member state (Art. 6(1)(c) DSGVO) or is necessary to protect your vital interests or those of other natural persons (Art. 6(1)(d) DSGVO);
- you have separately consented to the processing, via a corresponding declaration on our website (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a DSGVO).
We would like to point out that we generally process your data for as long as our processing purposes (cf. Section 3), the statutory retention periods and our legitimate interests, in particular for documentation and evidence purposes, require or storage is technically necessary (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we generally delete or anonymize your data after the storage or processing period has expired as part of our usual processes and in accordance with our retention policy.
If you do not provide certain personal data, this may mean that it is not possible to provide the related services or conclude a contract. We generally indicate where personal data requested by us is mandatory.
If you do not agree with our handling of your rights or data protection, please let us know (see contact details in section 2). If you are in the EEA, you also have the right to complain to the data protection supervisory authority in your country. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de.