Data protection

Data protection declaration of BHP - Brugger und Partner AG
Version: 31.08.2023

 

1 What is this privacy policy about?

BHP - Brugger und Partner AG (hereinafter also referred to as "BHP - Brugger und Partner AG", "we", "us") is a company based in Zurich. As a consulting firm, we specialize in strategy consulting and process support with a particular focus on sustainability aspects. We have core competencies in terms of content and methodology in the areas of "CSR & transformation processes", "location promotion & spatial development" and "policy development & international cooperation".

In the course of our business activities, we obtain and process personal data, in particular personal data about our customers, contracting parties, affiliated persons, authorities, professional and other associations, visitors to our website, participants in events, applicants and other bodies or their contact persons and employees (hereinafter also referred to as "you"). In this privacy policy, we provide information about this data processing. In addition to this privacy policy, we may inform you separately about the processing of your data (e.g. in the case of contractual conditions).</p

If you provide us with data about other persons (e.g. employees or other associated persons), we assume that you are authorized to do so and that this data is correct, and that you have ensured that these persons are informed about this disclosure, insofar as a legal obligation to provide information applies (e.g. by bringing this data protection declaration to their attention in advance).</p

2 Who is responsible for processing your data?
The data controller responsible for the processing described in this privacy policy is:

BHP - Brugger und Partner AG
Lagerstrasse 33
P.O. Box
8004 Zurich
info@bruggerconsulting.ch

3 For what purposes do we process which of your data?
When you use our services, use our website "www.bruggerconsulting.ch" (hereinafter "Website") or otherwise deal with us, we obtain and process various categories of your personal data. In principle, we may obtain and otherwise process this data for the following purposes in particular:

• Communication: We process personal data so that we can communicate with you and with third parties - such as customers or authorities - by email, telephone, letter or otherwise (e.g. to answer inquiries, as part of the consultation process and to initiate or process contracts). For this purpose, we process in particular the content of the communication, your contact details and the marginal data of the communication, but also image and audio recordings of (video) telephone calls. In the event of an audio or video recording, you are free to inform us if you do not wish to be recorded or to end the communication.
• Initiation and conclusion of contracts: With regard to the conclusion of a contract with you or your client or employer, we may in particular obtain and otherwise process your name, contact details, powers of attorney, information about third parties (e.g. contact persons), contract contents, date of conclusion and all other data which you provide to us or which we collect from public sources or from third parties (e.g. commercial register, media or from the Internet).
• Administration and processing of contracts: We obtain and process personal data so that we can comply with our contractual obligations towards our clients and other contracting parties (e.g. suppliers, service providers, project partners) and, in particular, provide and demand the contractual services. This also includes data processing for mandate management (e.g. consulting and correspondence) as well as data processing for the enforcement of contracts, accounting and public communication (if permitted). For this purpose, we process in particular the data that we receive or have collected as part of the initiation, conclusion and execution of the contract as well as data that we create as part of our contractual services or that we collect from public sources or other third parties (e.g. authorities, media or the Internet). This data may include, in particular, minutes of meetings and consultations, notes, internal and external correspondence, contractual documents, as well as other mandate-related information, proof of performance, invoices and financial and payment information.</li
• Operation of our website: In order to operate our website securely and stably, we collect technical data, such as IP address, information about the operating system and settings of your end device, region, time and type of use. We also use cookies and similar common technologies. For further information, see section 8.
• Improving our electronic offerings: In order to continually improve our website, we collect data about your behavior and preferences, for example, by analyzing how you navigate through our website.
• Security purposes and access controls: We obtain and process personal data in order to ensure and continuously improve the appropriate security of our IT and the associated infrastructure. This includes, for example, monitoring and controlling electronic access to our IT systems as well as analyzing and testing our IT infrastructures, system and error checks and creating backup copies.</li
• Job application: If you apply for a job with us, we obtain and process the relevant data for the purpose of reviewing the application, carrying out the application process and, in the case of successful applications, for the preparation and conclusion of a corresponding contract. In addition to your contact details and the information from the corresponding communication, we also process the data contained in your application documents and the data that we can additionally obtain about you, e.g. from job-related social networks, the Internet, the media and from references, if you consent to us obtaining references.

We also obtain personal data to comply with applicable laws (e.g. tax obligations) and in the area of risk management and corporate governance (including compliance). In addition, we may process personal data for the organization, implementation and follow-up of events, in particular participant lists and the content of presentations and discussions, as well as image and audio recordings made during these events. The protection of other legitimate interests is also one of the other purposes, which cannot be listed exhaustively.</p

4 Where does the data come from?
The majority of the data we process you provide to us yourself (e.g. in connection with our services, the use of our website, or communication with us).

We may also obtain data from publicly accessible sources (e.g. commercial registers, land registers, media or the internet including social media) or receive such data from (i) authorities, (ii) your employer or client who either has a business relationship with us or is otherwise involved, as well as from (iii) other third parties (e.g. customers, associations, contracting parties). This includes, in particular, the data that we process in the context of the initiation, conclusion and execution of contracts as well as data from correspondence and discussions with third parties, but also all other categories of data in accordance with Section 3.</p

5 To whom do we disclose your data?
In connection with the purposes listed in section 3, we transfer your personal data in particular to the categories of receiving parties listed below. If necessary, we will obtain your consent for this purpose.</p

Service providers: We work with service providers in Switzerland and abroad who process data that they have received from us or collected for us (i) on our behalf (e.g. IT providers), (ii) in joint responsibility with us or (iii) on their own responsibility. These service providers include, for example, IT providers, banks, insurance companies or other consulting firms. We generally agree contracts with these third parties on the use and protection of personal data. In particular, we may currently use offers from the following service providers:</p

• Microsoft
  Providing party: Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), the United Kingdom and Switzerland.
  Privacy Notice: privacy.microsoft.com/en-en-en
  Purpose: Use of the Windows operating system and the office software package Office.
• SurveyMonkey
  Providing party: Momentive Inc., Momentive Europe UC.
  Privacy Notice: www.surveymonkey.de/mp/legal/privacy/
  Purpose: To conduct online surveys.
• Mural
  Providing party: Tactivos Inc. for users in the European Economic Area (EEA) and Switzerland.
  Privacy Notice: assets.website-files.com/62e11362da2667ac3d0e6ed5/6426e114f97c791539e0d7f9_Mural%20Global%20Multi-Product%20Privacy%20Statement.pdf
  Purpose: Digital workspace for collaboration in online workshops.
• Mentimeter
  Providing party: Mentimeter AB, Tulegatan 11, SE-113 86 Stockholm for users in the European Union
  Data protection information: www.mentimeter.com/de-DE/dpa-statement
  Purpose: Computer program or app for real-time feedback during a presentation.

Customers and other contractual parties: This initially refers to customers and other contracting parties of ours for whom a transfer of your data results from the contract (e.g. because you work for a contracting party or they provide services for you). This category of receiving parties also includes entities with which we cooperate. The receiving parties generally process the data under their own responsibility.</p

Authorities: We may disclose personal data to offices and other authorities in Switzerland and abroad if this is necessary for the fulfillment of our contractual obligations and in particular for the performance of mandates, or if we are legally obliged or entitled to do so or if this appears necessary to protect our interests. These receiving parties process the data under their own responsibility.</p

Other persons: This refers to other cases where the involvement of third parties arises from the purposes set out in section 3. This applies, for example, to persons involved in the consulting mandate, e.g. experts or speakers. As part of our business development, we may sell or acquire parts of our business or assets or enter into partnerships, which may also result in the disclosure of data (including your data, e.g. as a client or supplying party or as their representative) to the persons involved in these transactions.

All these categories of receiving parties may in turn involve third parties, so that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).</p

6 Does your personal data also end up abroad?
We process and store personal data mainly in Switzerland and the European Economic Area (EEA), but potentially in any country in the world, depending on the case - for example via our service providers or the subcontracted party of our service providers. Your personal data may also be transferred to any country in the world as part of our work for clients.</p

If a receiving party is located in a country without adequate data protection, we contractually oblige the receiving party to comply with an adequate level of data protection, unless it is already subject to a legally recognized set of rules to ensure data protection. We may also disclose personal data to a country without adequate data protection without concluding a separate contract for this if we can rely on an exemption provision.

7 What rights do you have?
You have certain rights in connection with our data processing. Under applicable law, you may in particular request information about the processing of your personal data, have incorrect personal data corrected, request the erasure of personal data, object to data processing, request the disclosure of certain personal data in a commonly used electronic format or its
transfer to other controllers.

If you wish to exercise your rights against us, please contact us; our contact details can be found in section 2. In order to prevent misuse, we must identify you (e.g. with a copy of your ID, if necessary).

Please note that conditions, exceptions or restrictions apply to these rights (e.g. for the protection of third parties or business secrets or due to our professional duty of confidentiality). We reserve the right to black out copies for reasons of data protection or confidentiality or to provide only excerpts.</p

8 How are cookies, similar technologies and social media plug-ins used on our website and other digital services?
When you use our website, data is generated that is stored in logs (in particular technical data). We may also use cookies and similar common technologies to recognize website visitors, evaluate their behavior and identify preferences. A cookie is a small file that is transmitted between the server and your system and enables the recognition of a specific device or browser.</p

You can set your browser so that it automatically rejects, accepts or deletes cookies. You can also deactivate or delete cookies in individual cases. You can find out how to manage cookies in your browser in your browser's help menu.</p

We also use social media plug-ins, which are software components that establish a connection between your visit to our website and a third party. The social media plug-in informs the third party that you have visited our website and may send the third party cookies that the third party has previously placed on your web browser. For more information on how third parties use your personal data collected through your social media plug-ins, please refer to their respective privacy policies.</p

We also use our own tools and services from third parties (which may in turn use cookies) on our website, in particular to improve the functionality or content of our website (e.g. integration of videos or maps) or to compile statistics. integration of videos or maps) or to compile statistics
Currently, we may in particular use offers from Google Analytics, whereby their contact details and further information on the individual data processing can be found in the respective privacy policy (data protection information: support.google.com/analytics/answer/6004245 ; information for Google accounts: policies.google.com/technologies/partner-sites?hl=en ). The provider is Google Ireland (based in Ireland); Google Ireland relies on Google LLC (based in the USA) as processor.

Some of the third parties we use may be located outside Switzerland. Information on the disclosure of data abroad can be found in section 6. In terms of data protection law, some of them are "only"
processors of our orders and some are responsible parties. Further information on this can be found in the data protection declarations of these service providers.

9 How do we process personal data on our pages on social networks?
We operate pages and other online presences on social networks and other platforms operated by third parties and process data about you in this context. In doing so, we receive data from you (e.g. when you communicate with us or comment on our content) and from platforms operated by third parties (e.g. statistics). The providers of the platforms can analyze your use and process this data together with other data that they have about you. They also process this data for their own purposes (e.g. marketing and market research purposes and to manage their platforms), and act as their own data controllers for this purpose. For more information on processing by the platform operators, please refer to the privacy policies of the respective platforms.</p

We use the LinkedIn platform, whereby the identity and contact details of the platform operator can be found in the privacy policy (www.linkedin.com; privacy policy: en.linkedin.com/legal/privacy-policy ).

We are entitled, but not obliged, to check third-party content before or after its publication on our online presences, to delete content without notice and, if necessary, to report it to the provider of the platform in question.</p

Some of the platform operators may be located outside Switzerland. Information on the disclosure of data abroad can be found in section 6.</p

 

10 Proto­logging
We may log at least the following information for each access to our website and our other online presence, provided that this information is transmitted to our digital infrastructure during such accesses: Date and time including time zone, IP address, access status (HTTP status code), operating­system including user­interface and version, browser including language and version, individual sub-page of our website accessed including amount of data­transferred, last website accessed in the same browser window (referrer).

.

We log such information, which may also constitute personal data, in log files. The information is required to provide our online presence in a permanent, user-friendly and reliable manner. The information is also required to ensure data security - also by third parties or with the help of third parties.</p

11 What else must be observed?
We do not assume that the EU General Data Protection Regulation ("GDPR") is applicable in our case. However, should this be the case in exceptional cases for certain data processing, this Section 10 shall also apply exclusively for the purposes of the GDPR and the data processing subject to it.

We base the processing of your personal data in particular on the fact that:

• it is necessary for the initiation and conclusion of contracts and their administration and enforcement (Art. 6 para. 1 lit. b GDPR) as described in Section 3;
• it is necessary for the purposes of the legitimate interests pursued by us or by third parties as described in para. 3, namely for communication with you or third parties, to operate our website, to improve our electronic offers and registration for certain offers and services, for security purposes, for compliance with Swiss law and internal regulations for our risk management and corporate governance and for other purposes such as training and education, administration, evidence and quality assurance, organization, implementation and follow-up of events and to safeguard other legitimate interests (see section 3) (Art. 6 para. 1 lit. f GDPR);
• it is required or permitted by law on the basis of our mandate or our position under the law of the EEA or a member state (Art. 6 para. 1 lit. c GDPR) or is necessary to protect your privacy or that of other interests or that of other natural persons (Art. 6 para. 1 lit. d GDPR);
• You have consented separately to the processing (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR)
.
• We would like to point out that we generally process your data for as long as our processing purposes (see section 3), the statutory retention periods and our legitimate interests, in particular for documentation purposes, require it or storage is technically necessary (e.g. in the case of backups or
  document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we will always delete or anonymize your data after the storage or processing period has expired as part of our normal processes and in accordance with our retention policy.

If you do not provide certain personal data, this may mean that it is not possible to provide the associated services or conclude a contract. We always indicate where personal data requested by us is mandatory.</p

If you do not agree with our handling of your rights or data protection, please let us know (see contact details in section 2). If you are in the EEA, you also have the right to lodge a complaint with the data protection supervisory authority in your country. A list of authorities in the EEA can be found here: edpb.europa.eu/about-edpb/board/members_en.

12 Can this privacy policy be amended?
This privacy policy is not part of any contract with you. We may amend this Privacy Policy at any time. The version published on this website is the current version.