Privacy Policy
General Privacy Notice of CompagOs AG
In this Privacy Notice, we, CompagOs AG (“CompagOs“), explain how we collect and process your personal data. This is not necessarily an exhaustive description. We may inform you about additional data processing activities, e.g., in general terms and conditions, forms and notices.
This Privacy Notice is aligned with the requirements of the EU General Data Protection Regulation (“GDPR“) and the Swiss Federal Act on Data Protection (“FADP“). However, whether and to what extent these laws are applicable depends on the individual case.
1. Identity and contact details of the controller
The “controller” of data processing as described in this Privacy Notice (i.e., the responsible person) is CompagOs AG, c/o MAS Solutions GmbH, Rigistrasse 15C, 6331 Hünenberg.
You can send your data protection-related questions and/or requests to the following address: [email protected]
2. Collection and processing of personal data
2.1 Definition of personal data
The term “personal data” refers to all information relating to an identified or identifiable natural person (“data subject“).
2.2 Collection from data subjects
We primarily process personal data that we receive in the course of initiating or carrying out a business relationship with you or your employer or others represented by you, or that we collect from you as a user of our website and, where applicable, apps and other applications. This Privacy Notice also applies to applicants and employees. Additional internal information applies to the latter.
If you provide us with personal data of other persons (e.g., work colleagues), please make sure that these persons are aware of this Privacy Notice and only share their personal data with us if you are allowed to do so and if this data is correct.
2.3 Collection from third parties
To the extent permitted, we obtain certain personal data from publicly accessible sources (e.g., debt collection register, land register, commercial register, press, internet) or we obtain such information from public authorities or other third parties (e.g., business partners).
Apart from the personal data that you disclose to us directly (Section 2.2), the categories of personal data that we receive about you from third parties include, but are not limited to, information
- from public registers (e.g., information from the commercial register on your function within the company and your authority to sign for the company you represent);
- provided to us by persons associated with you (e.g., work colleagues, consultants, representatives, etc.) for the purpose of assessing, entering into or performing contracts with you (e.g., references, powers of attorney);
- from banks, insurance companies and distributors and other business partners for the use or provision of goods and/or services by you (e.g., payments, purchases etc.);
- from media and internet about your person (as far as this is indicated in the concrete case, e.g., in the context of an application, marketing/sales, press review etc.);
- in connection with the use of third-party websites and online offers where such use can be attributed to you;
- in connection with any administrative or legal proceedings.
Please note that our web server automatically logs every visit to our website in a temporary log file. User-specific data (e.g., information about your browser and your IP address) as well as technical data (e.g., name and URL of the referring website) are logged for the purpose of establishing the connection and optimizing the website visit, for which purpose “cookies” may be used (Section 4).
3. Data processing
3.1 Purposes of the data processing
We process your personal data primarily for the purpose of reviewing, concluding and fulfilling contracts with you or other persons who represent you (e.g., your employer), in particular in connection with the technology-based identification, research and evaluation of different forms of treatment for human diseases, particularly in the oncological field and against bone diseases, as well as the purchase of products and services from our suppliers and service providers. We also process personal data to review applications and to perform employment contracts if and insofar as this is necessary to assess the suitability of the applicant or to perform an employment contract. Your personal data may also be processed in order for CompagOs to comply with legal and regulatory obligations in Switzerland and abroad.
In addition, we may process personal data about you and other persons, to the extent permitted and as we deem appropriate, in particular for the following purposes in which we (and, as the case may be, third parties) have a legitimate interest:
- evaluation, improvement and further development of our offers, products, services and websites, apps and other platforms on which we are present;
- postal and/or electronic communication with you (e.g., to respond to your inquiries) and, where applicable, third parties (e.g., media inquiries)
- marketing, unless you have objected to the use of your data for this purpose. If you are part of our customer base and receive our advertising, you may object at any time by sending an e-mail to the address indicated in Section 1;
- offering services, unless you have objected to the use of your data for this purpose. If you are part of our customer base and receive such offers, you may object at any time by sending an email to the address indicated in Section 1.
- statistics, conducting market and opinion research;
- assertion of legal claims and defence in connection with legal disputes and proceedings;
- prevention and investigation of criminal offences and other misconduct (e.g., conducting internal investigations, data analysis to combat fraud);
- ensuring the functionality and security of our operations, in particular IT, our websites, any apps and other platforms;
- video surveillance to safeguard domiciliary rights and other measures for IT, building and facility security as well as for the protection of our employees, customers and other persons as well as assets belonging to or entrusted to us (e.g., by means of visitor lists, access controls, network and mail scanners, telephone recordings);
- acquisition and sale of business divisions, companies or parts of companies and other transactions and the related transfer of personal data as well as measures for the business management of CompagOs.
3.2 Legal basis
Within the scope of the applicability of the FADP, we are generally not required to have a justification or legal basis for the processing of your personal data. If we are required to have a legal basis due to the applicability of the GDPR, we generally base the respective processing on one of the following legal bases, which usually also corresponds to the purpose according to Section 3.1:
If we do not ask for your consent for processing, we base the processing of your personal data on the fact that the processing is necessary for the conclusion and/or fulfilment of a contract with you (or the entity you represent, e.g., your employer) (Art. 6 para. 1 lit. b GDPR) or that we (or third parties) have a legitimate interest in pursuing the purposes mentioned in Section 3.1 (Art. 6 para. 1 lit. f GDPR). Our legitimate interests include, but are not limited to, the marketing of our products and services, the interest in better understanding our markets and the ability to manage and develop our business and operations safely and efficiently. We may also process your data on the basis of other legal bases, e.g., in the event of a legal obligation (Art. 6 para. 1 lit. c GDPR).
If you have given us your consent to process your personal data for specific purposes, we will process your personal data within the scope of and based on this consent (Art. 6 para. 1 let. a GDPR), unless we have another legal basis and require one. You can revoke any consent you have given at any time with effect for the future by sending an email to [email protected].
4. Cookies in relation to the use of our website
We use various technology solutions on our website that allow us and third parties commissioned by us to recognize you when you use our website and in some instances to track your activity across multiple visits.
The primary aim is to ensure that we are able to distinguish access by you (via your system) from access by other users so that we can ensure the functionality of the website and carry out evaluations and personalization. We have no intention of determining your identity as a result of this tracking activity, even where it would be possible for us or a third party commissioned by us to do so by considering the tracking data in combination with registration data. Even without the use of registration data, however, the technology used is designed in such a way that you will be recognized as an individual visitor each time you visit the page; our server (or the servers of third parties) assign a specific identification number to you/your browser for this purpose (known as a cookie). Cookies are individual codes that our server or a server of one of our service providers or advertising partners transfers to your system when you connect to our website and that your system (browser, mobile) accepts and stores until the programmed expiration time. Each time you access the website, your system transfers these codes to our server or the third-party server, meaning that you will be recognized even if your identity is unknown.
Other technology such as fingerprinting or pixel tags may also be used to recognize you (i.e. distinguish you from other users) with a greater or lesser likelihood. Fingerprinting involves collecting properties about the configuration of your end device or browser in order to distinguish your end device from other devices. These properties might include the browser you use, the screen resolution, the language selection, and other information that your system communicates to each server. The combination of properties creates something approximating a unique fingerprint. Pixel tags are small images or instances of program code that are generally invisible and are loaded from a server; they transfer certain information to the server operator, e.g. about whether and when a website was visited. Whenever you access a server (e.g. when using a website or because a visible or invisible image has been integrated into an email), your visits can be tracked. If we integrate offerings from an advertising partner or analysis tool provider into our website, they can follow you in the same way, although you cannot be identified as an individual.
We use this kind of technology on our website and we allow specific third parties to do likewise. However, depending on the purpose of these technologies (i.e. for performances and marketing cookies and other technologies for managing online advertising, see below), we may ask for consent before they are used. You can access your current settings here. You can program your browser to block or bypass specific cookies or alternative technology, or to delete existing cookies. You can also add a software extension to your browser that blocks tracking by specific third parties. For more information, please refer to the help pages of your browser, usually found under the keyword ‘data protection.’ Additionally, you can visit the websites of third parties listed below if we utilize their services.
Cookies (incl. other technologies, such as fingerprinting) are categorized as follows:
- Necessary cookies: Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data. These cookies can either expire at the end of a session or remain indefinitely.
- Analytics cookies: Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc. These cookies can either expire at the end of a session or remain indefinitely.
In addition to advertisement cookies, we may use other technology to manage online advertising on other websites, thereby reducing waste coverage. Operators are not given access to the personal email addresses of people who are not already known to them. With known email addresses, however, they can establish that the people in question are in contact with us and what content they have accessed.
We may also include other third-party offerings on our website, in particular from social media providers. This content is disabled by default. As soon as you activate it (e.g. by clicking a button), the providers in question can establish that you are on our website. If you have an account with the social media provider, they can link this information with you and thus track your use of online offerings. These social media providers process the data under their own responsibility.
We currently use offerings from the following service providers and advertising partners (where they use data from you or cookies placed with you for advertising management):
- Google Analytics: Google Ireland (based in Ireland) is the provider of the Google Analytics service and acts as our processor. In this context, Google Ireland uses Google LLC (based in the US) as its processor (collectively: “Google”). Google uses tracking cookies and similar technologies (see above) to track the behavior of visitors to our website (duration, frequency of pages accessed, geographical origin of access, etc.) and, on this basis, creates reports for us on the use of our website. We have configured the service so that the IP addresses of Google visitors in Europe are truncated before being forwarded to the US and cannot be tracked. We have activated the “data transfer” and “signals” settings. Although we can make an assumption that the information we share with Google is not personal data for Google, it is possible that Google could use this data for its own purposes to draw conclusions about the identity of visitors, create personal profiles, and link this data to the Google accounts of the people in question. If you agree to the use of Google Analytics, you explicitly consent to such processing, which also allows the transfer of personal data (in particular usage data for the website, device information, and individual IDs) to the US and other countries. Information about data protection with Google Analytics can be found here: https://support.google.com/analytics/answer/6004245. If you have a Google account, you can find further information about Google’s processing activities here: https://policies.google.com/technologies/partner-sites?hl=en.
- Google reCAPTCHA: This website uses the reCAPTCHA service of Google Inc. The query serves the purpose of distinguishing whether the input is made by a human or by automated, machine processing. The query includes sending the IP address and any other data required by Google for the reCAPTCHA service to Google. For this purpose, your input is transmitted to Google and used there. However, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of this service. The IP address transmitted by your browser as part of reCaptcha will not be merged with other Google data. Your data may also be transmitted to the USA. An adequacy decision of the European Commission, the “Privacy Shield”, is in place for data transfers to the USA. Google participates in the “Privacy Shield” and has submitted to the requirements. By clicking on the query, you consent to the processing of your data. The processing is carried out on the basis of Art. 6 (1) lit. a GDPR with your consent. You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. You can find more information about Google reCAPTCHA and the associated privacy policy at: https://policies.google.com/privacy.
5. Data that we process on our social network pages
We may run pages and other online presences (“fan pages,” “channels,” “profiles,” etc.) on social networks and other platforms operated by third parties via which we collect the data about you that is detailed below. We receive this data from you and from the platforms when you contact us via our online presence (e.g. when you communicate with us, comment on our content, or visit our online presence). The platforms also evaluate your use of our online presences and link this data to other data about you that is known to the platforms (e.g. your behavior and your preferences). They also process the data for their own purposes under their own responsibility, in particular for marketing and market research purposes (e.g. to personalize advertising) and to manage their platforms (e.g. what content they display to you).
We receive data about you when you communicate with us via online presences, view our content on the corresponding platforms, visit our online presences, or are active in your use of our online presences (e.g. when you publish content, submit comments). These platforms also collect technical data, registration data, communication data, and behavioral and preference data, etc. either from you or about you. These platforms also conduct regular statistical analyses of the way in which you interact with us, how you use our online presences, our content, or other parts of the platform (what you view, comment on, like, share, etc.) and link this data to other information about you (e.g. age, gender, and other demographic information). This allows them to create profiles about you and draw up statistics about the use of our online presences. They use this data and the profiles to show you personalized advertising and content on the platform from us or from other parties and to control the behavior of the platform. They also use the data for market research and user research and to provide us and other entities with information about you and the use of our online presence. We have partial control over the evaluations that these platforms create regarding the use of our online presences.
We process this data for the purposes outlined in Section 3.1, i.e. in particular for communication and marketing purposes (including advertising on these platforms) and for market research. Information about the relevant legal bases can be found in Section 3.2. We are entitled to share content published by you (e.g. comments on an announcement) – in our advertising material on the platform or elsewhere, for instance. We and the operators of the platforms may also delete or restrict content from or to you in accordance with the usage guidelines (e.g. inappropriate comments).
For further information about the processing activities of the platform operators, please refer to the privacy policies of the platforms. These policies also include details of the countries in which they process your data, what rights you have to access and deletion, and what other rights you have as a data subject, plus details of how you can exercise these rights or obtain further information. We currently use the following platforms:
- LinkedIn: We have a profile on LinkedIn at: https://www.linkedin.com/company/compagos. The controller of the platform is LinkedIn Ireland Unlimited Company or LinkedIn Corporation. Details of their privacy policies are available at: https://www.linkedin.com/legal/privacy-policy.
6. Recipients of personal data
We may disclose your personal data to third parties in the course of our business activities and in pursuit of the purposes described in Section 3.1. These third parties process your data either on our behalf and according to our instructions (“processors”) or on their own responsibility. These third parties include the following:
- service providers (e.g., IT providers, cloud providers, web hosting agencies, accountants);
- suppliers, subcontractors and other business partners;
- employers, landlords and other third parties (e.g., reference providers);
- domestic and foreign offices and authorities (in the context of implementing employment contracts, e.g., social insurance) or courts;
- the media;
- the public, including users of our websites and social media;
- competitors, industry associations, organizations and other bodies;
- potential acquirers of our company or parts thereof;
- parties and other involved persons in legal or regulatory proceedings.
together “recipients“.
7. Data abroad
The recipients pursuant to Section 6 are generally located in Switzerland but may also be located abroad. In particular, you must expect your data to be transferred to countries in the EEA and to the USA, where some of the service providers we use are located (e.g., Microsoft).
If a recipient is located in a country without adequate statutory data protection, we contractually oblige the recipient to comply with the applicable data protection (we use the revised Standard Contractual Clauses of the European Commission, which are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exception. Such an exception may exist in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the conclusion or execution of the contract requires such disclosure, if you have expressly consented to the disclosure or if it concerns data that you have made generally accessible and whose processing you have not objected to.
8. Duration of the retention of personal data
We process and retain your personal data as long as it is necessary for the fulfilment of our contractual obligations and compliance with legal obligations or other purposes pursued with the processing (Section 3.1), for example, for the duration of the entire business relationship (i.e. from the initiation, during the performance of the contract until to its termination) and beyond that in accordance with the statutory retention and documentation obligations. It is possible that personal data will be retained for the time during which claims can be asserted against our company or if other legitimate business interests require this (e.g., for evidence and documentation purposes). As soon as the purposes and/or laws no longer require it, your data will be deleted or made anonymous. For technical data (e.g., system protocols, logs), shorter retention periods of twelve months or less generally apply.
9. Data security
We take appropriate technical and organizational measures to protect your data from loss and unauthorized access and misuse. These measures may include employee training, IT and network security solutions, access controls and restrictions, pseudonymization of personal data (e.g., when disclosing personal data to service providers), and regular checks.
10. Automated individual decision-making
In general, we do not carry out automated individual decision-making, i.e., decisions that are based exclusively on automated processing (without human influence) and that are associated with a legal consequence for you (e.g., refusal to conclude a contract) or which significantly affect you in any other way. Should we exceptionally make such decisions, you will be informed in advance.
11. Your rights
To the extent provided for by applicable data protection law, you have the right to access, rectify and erase of your personal data, the right to restrict data processing as well as the right to object to processing, in particular for direct marketing purposes, and other legitimate interests in processing as well as the right to receive certain personal data for the purpose of transmission to another controller. Please note that we reserve the right to assert the restrictions provided for by law, for example if we are obliged to store or process certain data, have an overriding interest or need the data to assert claims. We have already informed you about the possibility of withdrawing your consent in Section 3.2. Please note that exercising your rights may contradict our contractual agreements and this may have consequences such as premature termination of a possible contract.
The exercise of such rights usually requires that you clearly prove your identity by providing us with a copy of your ID. To exercise your rights, you can contact us at the address indicated in Section 1.
As a data subject, you also have the right to enforce your claims in court or to file a complaint with the competent data protection authority. The competent data protection authority is the Federal Data Protection and Information Commissioner.
12. Amendments
We may amend this Privacy Notice at any time without prior notice. The current version published on our website shall apply.
Version valid from 21.10.2024
