Politika ochrany osobných údajov spoločnosti Galliker Transport AG a spoločností skupiny

I. General

Galliker Transport AG and its group companies (hereinafter "Galliker/we/us") attach great importance to compliance with the relevant data protection regulations.

In this data protection declaration, we provide you with comprehensive information about how we handle your personal data and explain your rights in connection with the processing of personal data in our company. We regulate the processing of personal data of our employees, tenants and customers exclusively within the framework of the specific contracts.

A. Scope of Application

This data protection declaration applies to all processing activities relating to personal data:

Visit and use of the Galliker website by Internet users
Provision of services by Galliker to customers and end customers
Service procurement by Galliker from suppliers
Application process at Galliker for potential employees

Depending on the data processing, in addition to the applicable Swiss law, the Federal Act on Data Protection (FADP) of 25 September 2020, SR 235.1, European data protection law, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88, may also or exclusively apply. This applies in particular to the processing of personal data in one of our subsidiaries in the EU and in the context of the use of our website and the observation of the behaviour of data subjects who are in the EU (Art. 3 para. 2 lit. b GDPR).

Linked websites of other providers or websites that link to our website are not covered by this data protection declaration.

B. Contact Details of the Controller

a. Controller

Galliker Transport AG
Kantonsstrasse 2
CH-6246 Altishofen
dp.ch[at]galliker.com

In addition, the further national companies of Galliker Transport AG are each responsible for their own processing in the individual countries. Please refer to the imprint for contact details.

b. Representative in the EU for the Swiss Companies belonging to the Group

Galliker Transports SA
Avenue du Parc Industriel
B-4041 Herstal (Milmort)
Belgium
dp.be[at]galliker.com

c. Contact Details of the Data Protection Advisor for the Galliker Group

Galliker Transport AG
Kantonsstrasse 2
CH-6246 Altishofen
E-mail: dsb[at]galliker.com

C. Contact Details of the Supervisory Authorities

a. Swiss Supervisory Authority

Federal Data Protection and Information Commissioner
Feldeggweg 1
3003 Bern
Switzerland
Phone: [tel]41 58 462 43 95
Website: https://www.edoeb.admin.ch/edoeb/en/home.html

b. Supervisory Authority in the EU

De Gegevensbeschermingsauthoriteit / L'Autorité de protection des données / Data Protection Authority
Drukpersstraat 35
1000 Brussel
Belgium
Autorité de protection des données (l'ancienne Commission de la protection de la vie privée)
Rue de la Presse, 35, 1000 Bruxelles
Website: https://www.dataprotectionauthority.be/citizen

Processing Activities

Depending on your relationship with us, we process different personal data about you for different purposes and based on different legal bases.

A. Visit to our Website

Data processing	When you visit our website, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. Our website is hosted on our own the servers of Nine Internet Solutions AG.
Personal data	The following data is collected without any action on your part and stored until it is automatically deleted: IP address of the requesting computer, Date and time of access, Name and URL of the retrieved file, Website from which the access is made (referrer URL), Browser type and browser version as well as other information transmitted by the browser (such as the operating system of your computer, the name of your access provider, geographical origin, language setting, etc.). the sub-websites that are accessed via an accessing system on our website, and other similar data and information used for security purposes in the event of attacks on our information technology systems.
Purpose	The data in question is processed for the following purposes: Ensuring a smooth connection to the website Ensuring a comfortable use of our website Evaluation of system security and stability and for other administrative purposes To improve and develop our business and services
Processor	Nine Internet Solutions AG, Badenerstrasse 47, 8004 Zürich ongoing GmbH ("ongoing"), Hinterbergstrasse 34, 6312 Steinhausen, Switzerland. Neos Foundation e.V., Tatzberg 47, DE-01307 Dresden
Ensuring Data Protection	Processing takes place in Switzerland. We have concluded a data processing agreement with our processors.
Processors Data protection declaration	https://www.nine.ch/en/privacy-policy https://www.neos.io/de/footer-content/privacy-statement.html
Legal basis	There is a legitimate private interest in the processing of your personal data in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. f GDPR.
Necessity	This information is necessary for the functioning of the website.
Data retention period	At the end of your session, the data will be deleted, but we will retain the log in connection with user accounts in accordance with legal requirements.

B. Contacting us

Data processing	On our website, we offer you the opportunity to contact us directly by telephone, videoconference, e-mail or contact form. The reason for contacting us may be, for example, questions about transport and logistics services or questions on other topics or feedback. We do not record any conversations.
Personal data	The following details can be entered: First names and surnames E-mail address Address (optional) Telephone number (optional) Possibly your customer number Information that you provide in writing or verbally
Purpose	The data in question is processed for the following purposes: Contact us Answering your enquiry
Processor	Webex from Cisco Systems (Switzerland) GmbH ("Cisco"), Richtistrasse 7, 8304 Wallisellen, Switzerland Microsoft Teams and Microsoft Outlook from Microsoft Ireland Operations Ltd ("Microsoft"), South County Business Park, One Microsoft Place, D18P521, Leopardstown, Ireland Call manager from Recos IC AG ("Recos"), Schützenstrasse 7, 8853 Lachen, Switzerland.
Ensuring Data Protection	We have concluded an order processing contract with Recos. The transfer of European or Swiss personal data to Microsoft or Cisco may result in this data being transferred to their parent company in the USA or to third parties in a country that does not have an equivalent level of data protection. We have agreed with Microsoft and Cisco that a transfer to the USA will be based on the E.U.- US or Swiss - US Data Privacy Framework (hereinafter Data Privacy Framework) or, if the Data Privacy Framework is declared invalid or does not (yet) apply, based on so-called standard contractual clauses and appropriate and proportionate technical and organisational measures. By submitting your enquiry, you also consent to your personal data being transferred to insecure third countries in accordance with Art. 17 FADP and Art. 49 para. 1 lit. a GDPR.
Processors Data protection declaration	Cisco: https://www.cisco.com/c/en_uk/about/legal/privacy-full.html Recos: https://www.recos-ic.com/datenschutz_/ Microsoft: https://privacy.microsoft.com/en-gb/privacystatement
Legal basis	This data processing is carried out on the basis of contractual or pre-contractual measures in accordance with Art. 31 para. 2 lit. a FADP or Art. 6 para. 1 sentence 1 lit. b GDPR.
Necessity	This processing activity is not necessary for the functionality of the website.
Data retention period	The data stored for the purpose of making contact will be deleted after processing has been completed, unless we are legally obliged to retain the data for 5 or 10 years.

C. Cookies

a. Basics

We use cookies on our website. We use cookies to create anonymised aggregate statistics that show us how our website is used and to improve the content and function of our website.

A cookie is a small block of data that is stored by a website on a visitor's computer or mobile device. A cookie does not always mean that we can identify you. You can configure your browser settings so that no cookies are stored on your computer mobile device. The complete deactivation of cookies may mean that you cannot use all the functions of our website. We process this data in the interests of our web-based market presence.

b. Types of Cookies

Our website uses session cookies and persistent cookies.

Session cookies are used to increase the security of the use of our website, to make our information user-friendly and to analyse the use of our websites. A session cookie is automatically deleted when you close your browser or after a short time.

Persistent cookies are used to optimise user-friendliness and speed up the use of our website. When you visit our website again, it automatically recognises that you have already visited us and which entries and settings you have made so that you do not have to enter them again. Persistent cookies expire after a certain period of time.

c. Management, Deletion or Deactivation of Cookies

By default, most internet browsers automatically accept cookies. If you do not wish to store cookies from our website on your device, you can configure your browser settings so that you receive a warning before certain cookies are stored. You can configure your browser settings so that your browser blocks most of our cookies and only allows certain cookies or blocks all cookies. You can also withdraw your consent to certain cookies by deleting the cookies that have already been saved.

Further information on cookies can be found on the websites of the relevant browser platforms:

Internet Explorer: https://support.microsoft.com/en-in/help/278835/how-to-delete-cookie-files-in-internet-explorer
Mozilla Firefox: https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored
Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en
Safari: https://www.apple.com/legal/privacy/en-ww/cookies/
Opera: https://help.opera.com/en/latest/web-preferences/

Please note that the partial or complete deactivation of cookies may result in you not being able to use all the functions of our website.

d. Technically necessary Cookies

Session Identifier

We use cookies on our website to identify your user session. This allows us to save your settings across the website and offer you the desired user experience.

Cookies for logging your Consent

These cookies are used to save the user settings regarding cookies on our website. User settings that have already been configured during a previous visit are saved in this cookie.

e. Technically not necessary, optional Cookies

We collect your data using optional cookies only with your express consent, which you give us by accepting the cookies in the cookie settings displayed on our websites. You can customise your consent at any time via the cookie settings (link in the footer).

1. For Marketing Purposes

a. Google Tag Manager

Data processing	We use the Google Tag Manager ("GTM") from Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland on our website. GTM is a tag management system that integrates tags in a standardised manner via a user interface. Tags are short sections of source code that can track activities and access other systems in order to centrally control when certain systems are triggered. Google Analytics is integrated into GTM. This means that GTM is merely an interface between the website and the analytics software. You can prevent the setting of tags in your browser settings at any time. Further information on these systems and their data processing can be found in the following sections.
Personal data	GTM ensures the activation of other tools, which in turn collect personal data. Depending on the integrated tool, GTM collects: the IP addresses of website visitors passes the IP addresses to the analysis programmes.
Purpose	We process your personal data for marketing and analysis purposes. We evaluate your user behaviour, carry out conversion tracking, compile statistics and optimise our advertising channels and approaches.
Processor	Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland
Ensuring Data Protection	The transfer of European or Swiss personal data to Google may result in Google transferring data to its parent company in the USA or to third parties in a country that does not have an equivalent level of data protection. We have agreed with Google that a transfer to the USA will be based on the E.U.- US or Swiss - US Data Privacy Framework (hereinafter Data Privacy Framework) or, if the Data Privacy Framework is declared invalid or does not (yet) apply, based on so-called standard contractual clauses and appropriate and proportionate technical and organisational measures. By giving your consent via the cookie banner, you also consent to your personal data being transferred to insecure third countries in accordance with Art. 17 FADP and Art. 49 para. 1 lit. a GDPR.
Data Privacy Declaration of Processor	https://policies.google.com/privacy?hl=en
Legal basis	The use of GTM is based on our legitimate private interest in accordance with Art. 31 para. 1 FADP and Art. 6 para. 1 sentence 1 lit. f GDPR.
Necessity	This processing activity is not necessary for the functionality of the website.
Data retention period	Your data is stored on the end device for up to two years, unless it is renewed.

2. Integration of Media

a. YouTube

Data processing	In order to make our website more interesting for you, we integrate video components from YouTube on our website. According to YouTube, in "extended data protection mode" your data - in particular which of the YouTube-websites you have visited and device-specific information including the IP address - is only transmitted to the YouTube server in the USA when you watch the video. If you are logged in to YouTube at the same time, this information will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website.
Personal data	If you are logged in to YouTube at the same time: When you access a sub-page that contains a YouTube video, the specific sub-page you visit is recognized. This information is assigned to the corresponding YouTube account
Purpose	Our interest lies in the smooth integration of the videos and the appealing design of our website.
Processor	Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Ensuring Data Protection	The transfer of European or Swiss personal data to Google may result in Google transferring data to its parent company in the USA or to third parties in a country that does not have an equivalent level of data protection. We have agreed with Google that a transfer to the USA will be based on the E.U.- US or Swiss - US Data Privacy Framework (hereinafter Data Privacy Framework) or, if the Data Privacy Framework is declared invalid or does not (yet) apply, based on so-called standard contractual clauses and appropriate and proportionate technical and organisational measures. By giving your consent via the cookie banner, you also consent to your personal data being transferred to insecure third countries in accordance with Art. 17 FADP and Art. 49 para. 1 lit. a GDPR.
Data Privacy Declaration of Processor	https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/
Legal basis	Data processing is carried out with your express consent in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. a GDPR, which you give via the cookie banner.
Necessity	The data mentioned are not necessary for the website functionality.
Data retention period	The data retention period is based on the information in Google's privacy policy.

b. Vimeo

Data processing	In order to make our website more interesting for you, we integrate video components with Vimeo on our website. If you are logged in to Vimeo at the same time, this information will be assigned to your respective Vimeo member account. You can prevent this by logging out of your member account.
Personal data	The following personal data is therefore processed each time you visit our website: Browser type Operating system Basic device information
Purpose	Our interest lies in the smooth integration of the videos and the appealing design of our website.
Processor	Vimeo.com, Inc. ("Vimeo"), 330 West 34th Street, 10th Floor, New York 10001, USA
Ensuring data protection	Vimeo processes your personal data in the USA. We have agreed with Vimeo that a transfer to the USA will be based on the E.U.- US or Swiss - US Data Privacy Framework (hereinafter Data Privacy Framework) or, if the Data Privacy Framework is declared invalid or does not (yet) apply, based on so-called standard contractual clauses as well as suitable and proportionate technical and organisational measures. By giving your consent via the cookie banner, you also consent to your personal data being transferred to insecure third countries in accordance with Art. 17 FADP or Art. 49 para. 1 lit. a GDPR.
Data Privacy Declaration of Processor	https://vimeo.com/privacy
Legal basis	Data processing is carried out with your express consent in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. a GDPR, which you give via the cookie banner.
Necessity	The data mentioned are not necessary for the website functionality.
Data retention period	Vimeo stores your data for up to two years.

c. Google Maps

Data processing	On our website, we use Google Maps (API). Google Maps is a web service for displaying interactive (land) maps in order to visualise geographical information. By using this service, our location is shown to you and any directions are made easier.
Personal data	When using Google Maps, Google also collects, processes and uses data about the use of the map functions by visitors. This involves the following personal data: Location data Search history Device information usage data Cookies and device identifiers: Communication data if you are logged into your Google account, also the details you provided when registering, such as your surname, first name and email address. By clicking on the map, you will be redirected to the provider's website. We have no influence on the processing of personal data on third-party websites.
Purpose	The purpose of integrating Google Maps directly on our website is to make it easier for you to find our business premises and to simplify contact with you. We have no influence on the processing of personal data on third-party websites.
Processor	Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Ensuring Data Protection	The transfer of European or Swiss personal data to Google may result in Google transferring data to its parent company in the USA or to third parties in a country that does not have an equivalent level of data protection. We have agreed with Google that a transfer to the USA will be based on the E.U.- US or Swiss - US Data Privacy Framework (hereinafter Data Privacy Framework) or, if the Data Privacy Framework is declared invalid or does not (yet) apply, based on so-called standard contractual clauses and appropriate and proportionate technical and organisational measures. By giving your consent via the cookie banner, you also consent to your personal data being transferred to insecure third countries in accordance with Art. 17 FADP or Art. 49 para. 1 lit. a GDPR.
Data Privacy Declaration of Processor	https://policies.google.com/privacy?hl=en
Legal basis	Data processing is carried out with your express consent in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. a GDPR, which you give via the cookie banner.
Necessity	The data mentioned is not required for the website functionality.
Data retention period	The retention period depends on the information on the various types of data in Google's privacy policy.

D. Social Media

a. Instagram + Facebook

Data processing	To enable you to communicate with us, we operate a social media profile on Instagram at https://www.instagram.com/galliker_transport_ag and on Facebook at https://www.facebook.com/gallikertransportag/?locale=de_DE [NBZ1] . You can contact us via this profile. In addition, we have placed a social media button from Instagram on our website so that you are simply linked to our respective profile. This is not a plugin, but only an icon with a link. Instagram does not process any of your personal data on our website in this context.
Personal data	If you contact us via our social media profile or click on a social media button, the following information will be collected from you: User behaviour IP address Connection data Device and browser information Data about the content accessed when clicking on the social media button User name or first and last name Possibly pictures, data that you send us in the course of contacting us By clicking on the social media button, you will be redirected to the provider's website. We have no influence on the processing of personal data on third-party websites.
Purpose	If you contact us via our Social Media Profiles, we will process the data for the purpose of responding to your enquiry. The social media buttons are used to structure our website.
Processor	Meta Platforms Ireland Ltd ("Meta"), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Data transfer to third countries	We are joint controllers with Meta in accordance with Art. 26 GDPR, but only with regard to the collection and transmission of data. Meta is solely responsible for the subsequent processing of the information by Meta. We have concluded a joint controllership agreement with Meta to determine the respective responsibilities for the fulfilment of obligations under the GDPR. Accordingly, we are responsible for informing users of our website, while Meta is responsible for fulfilling requests regarding the rights of data subjects in accordance with Art. 15 to 21 GDPR. However, within the framework of joint controllership, you can in principle assert your data subject rights against each of the joint controllers. You can find out more about the joint controller agreement here: https://de-de.facebook.com/legal/controller_addendum The transfer of European or Swiss Personal Data to Meta may result in Meta transferring data to its parent company in the United States or to third parties in a country that does not have an equivalent level of data protection. We have agreed with Meta that a transfer to the USA will be based on the E.U.- US or Swiss - US Data Privacy Framework (hereinafter Data Privacy Framework) or, if the Data Privacy Framework is declared invalid or does not (yet) apply, based on so-called standard contractual clauses and appropriate and proportionate technical and organisational measures. By using the Galliker social media profiles, you also consent to your personal data being transferred to insecure third countries in accordance with Art. 17 FADP and Art. 49 para. 1 lit. a GDPR. Meta is solely responsible for the subsequent processing of the information by Meta.
Data Privacy Declaration of Processor	https://www.facebook.com/privacy/policy /
Legal basis	If you contact us via one of our social media profiles, we process your data based on our legitimate private interest in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. f GDPR in order to provide a means of communication.
Necessity	This processing activity is not necessary for the functionality of the website.
Data retention period	Data processed in connection with your contact via our social media profile will be deleted after 1 year, unless we are obliged to retain the communication for 5 or 10 years.

b. LinkedIn

Data processing	To enable you to communicate with us, we operate a social media profile on LinkedIn at https://ch.linkedin.com/company/gallikertransportag. You can contact us via this profile. In addition, we have placed a social media button from LinkedIn on our website so that you can easily link to our profile. This is not a plugin, but only an icon with a link. LinkedIn does not process any of your personal data on our website in this context.
Personal data	If you contact us via our social media profile or click on a social media button, the following information will be collected from you: User behaviour IP address Connection data Device and browser information Data about the content accessed when clicking on the social media button User name or first and last name Possibly picture, data that you send us when contacting us By clicking on the social media button, you will be redirected to the provider's website. We have no influence on the processing of personal data on third-party websites.
Purpose	The social media buttons are used to structure our website. If you contact us via LinkedIn, we will process the data for the purpose of responding to your enquiry.
Processor	LinkedIn Ireland Unlimited Company ("LinkedIn"), Wilton Plaza, Gardner House, Dublin 2, Ireland
Ensuring Data Protection	The transfer of European or Swiss personal data to LinkedIn may result in the latter transferring data to its parent company in the USA or to third parties in a country that does not have an equivalent level of data protection. We have agreed with LinkedIn that a transfer to the USA will be based on the E.U.- US or Swiss - US Data Privacy Framework (hereinafter Data Privacy Framework) or, if the Data Privacy Framework is declared invalid or does not (yet) apply, based on so-called standard contractual clauses and appropriate and proportionate technical and organisational measures.
Data Privacy Declaration of Processor	https://www.linkedin.com/legal/privacy-policy?
Legal basis	If you contact us via our social media profiles, we process your data on the basis of our legitimate private interest in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. f GDPR in order to provide a means of communication.
Necessity	This processing activity is not necessary for the functionality of the website.
Data retention period	Data processed in connection with your contact will be deleted after 1 year, unless we are obliged to retain the communication for 5 or 10 years.

c. TikTok

Data processing	To enable you to communicate with us, we operate a social media profile on TikTok at https://www.tiktok.com/@galliker_transport_ag. In addition, we have placed a social media button from TikTok on our website so that you can easily link to our TikTok profile. This is not a plugin, but only an icon with a link. TikTok does not process any of your personal data on our website in this context.
Personal data	If you contact us via our social media profile or click on a social media button, the following information will be collected from you: User behaviour IP address Connection data Device and browser information or app information Data on the content accessed User name or first and last name Possibly picture, data that you send us when contacting us By clicking on the button, you will be redirected to the provider's website. We have no influence on the processing of personal data on third-party websites.
Purpose	The TikTok social media button is used to structure our website. If you contact us via TikTok, we will process the data for the purpose of responding to your enquiry.
Processor	TikTok Technology Limited ("TikTok"), 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
Ensuring Data Protection	TikTok processes your data on its servers in the USA, Malaysia and Singapore. The transfer of European or Swiss personal data to TikTok may result in the transfer of data to its parent company in the USA or to third parties in a country that does not have an equivalent level of data protection. We have agreed with TikTok that a transfer to the USA will be based on the E.U.- US or Swiss - US Data Privacy Framework (hereinafter Data Privacy Framework) or, if the Data Privacy Framework is declared invalid or does not (yet) apply, based on so-called standard contractual clauses and appropriate and proportionate technical and organisational measures.
Data Privacy Declaration of Processor	https://www.tiktok.com/legal/page/eea/privacy-policy/en
Legal basis	If you contact us via our TikTok profile, we process your data on the basis of our legitimate interest in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 lit. f GDPR to provide a means of communication.
Necessity	The data mentioned is not required for the website functionality.
Data retention period	Data processed in connection with your contact will be deleted after 1 year, unless we are obliged to retain the communication for 5 or 10 years.

E. Customers of Galliker

a. Customer Portal

Data processing	You have the option of creating a password-protected online customer account with us in the Galliker customer portal, provided that you have concluded a contract or accepted our GTC and a Data Processing Agreement with us. You can use the login data you have created to access the customer portal applications. We provide you with the following services and information in our customer portal: Galliker customer centre Track & Trace e-Delivery Note download Galliker VMS Galliker Photo Cloud Galliker Dock The customer account is used to administer the services you have purchased from Galliker. You can also retrieve and manage information on services and inventory data you have purchased in the past.
Personal data	The following data is processed during access via the website: E-mail address Password Other personal data may be processed as part of the individual services and are regulated in the data processing agreement.
Purpose	The purpose of this processing is the fulfilment of the contract and the simplified, more efficient and customer-friendly processing of services.
Order processor	Track & Trace / Galliker VMS: Bauer Software GmbH ("Bauer Software"), Alfred-Nobel-Allee 52, 66793 Saarwellingen, Germany Galliker Foto Cloud: komola GmbH ("komola"), Steintorwall 4, 38100 Braunschweig, Germany. Galliker Dock: Ehrhardt + Partner GmbH & Co KG ("Ehrhardt + Partner"), Alte Römerstraße 3, D-56154 Boppard-Buchholz, Germany.
Ensuring data protection	The data is processed in Switzerland and Germany. We have concluded data processing agreement with the order processors.
Data protection declaration of the processor	Bauer Software:https://www.vsb-soft.de/index-eng.php Ehrhardt + Partner: https://www.epg.com/gb/privacy-policy
Legal basis	This data processing is carried out on the basis of contractual or pre-contractual measures in accordance with Art. 31 para. 2 lit. a FADP or Art. 6 para. 1 sentence 1 lit. b GDPR.
Necessity	This processing activity is necessary for the processing of services. However, it is not necessary to create a customer account to use our website.
Data retention period	We retain the data used to process your order for at least the duration of the contract. We are legally obliged to retain business documents and accounting records for 10 years. We reserve the right to retain them for longer in order to assert our rights.

b. Customer Care and Customer Acquisition

Data processing	Galliker processes the personal data of customers and potential customers in customer care and acquisition.
Personal data	The following personal data is processed: First name and surname of employees of customers or potential customers Contact details of potential customers
Purpose	Processing is carried out for the purpose of customer care (dispatch of calendars) and for acquisition purposes (business cards, trade fairs, marketing measures).
Order processor	SuperOffice AG, Uferstrasse 90, 4057 Basel
Ensuring data protection	The data is processed in Switzerland. We have concluded an data processing agreement with the order processor.
Data protection declaration of the processor	https://www.superoffice.ch/uber-uns/privacy/
Legal basis	This data processing is carried out on the basis of contractual or pre-contractual measures in accordance with Art. 31 para. 2 lit. a FADP or Art. 6 para. 1 sentence 1 lit. b GDPR.
Necessity	The processing activity is necessary for the provision of services and to ensure the continuation of operations through customer acquisition. However, the processing activity is not necessary for the use of our website.
Data retention period	We retain the data for processing a service provided for at least the duration of the contract. We are legally obliged to retain business documents and accounting records for 10 years. We reserve the right to retain them for longer in order to assert our rights.

F. End Customers

Data processing	If Galliker provides a service (in particular deliveries) directly to the customer's end customer, Galliker may process the end customer's personal data. Galliker's customer guarantees that Galliker is authorised to process the end customer's data.
Personal data	Galliker processes the following data for this purpose: First name and surname of the end customer Contact details of the end customer
Purpose	The processing is based on the following purposes: Contract fulfilment Operation
Order processor	Track & Trace / Galliker VMS: Bauer Software GmbH ("Bauer Software"), Alfred-Nobel-Allee 52, 66793 Saarwellingen, Germany
Ensuring data protection	The data is processed in Switzerland and Germany. We have concluded an data processing agreement with the processor.
Data protection declaration of the processor	Bauer Software: https://www.vsb-soft.de/index-eng.php
Legal basis	Data processing is carried out for the purpose of fulfilling the contract with our customer on the basis of Art. 31 para. 2 lit. a GDPR or Art. 6 para. 1 sentence 1 lit. b GDPR regarding contractual measures.
Necessity	This processing activity is necessary for the provision of services. However, the processing activity is not necessary for the use of our website.
Data Retention Period	We retain the data for processing a service provided for at least the duration of the contract. This may also affect end customer data. We are legally obliged to retain business documents and accounting records for 10 years. We reserve the right to retain data for longer periods in order to assert our rights

G. Suppliers

Data processing	Coordination and agreement between Galliker and its suppliers is necessary for the procurement of services and ultimately for the mutual fulfilment of the contract. For their part, Galliker's suppliers are requested to inform their employees about their rights and obligations in the area of data protection.
Personal data	Galliker processes the following data for this purpose: First name and surname of the supplier's employees Contact details of the supplier's employee
Purpose	The processing is based on the following purposes: Contract fulfilment Operation
Order processor	Customize AG, Neuwiesenstrasse 20, 8400 Winterthur
Ensuring data protection	The data is processed in Switzerland. We have concluded a Data Processing Agreement with the processor.
Data protection declaration of the processor	https://customize.ch/datenschutz/
Legal basis	This data processing is carried out on the basis of contractual or pre-contractual measures in accordance with Art. 31 para. 2 lit. a FADP or Art. 6 para. 1 sentence 1 lit. b GDPR.
Necessity	This processing activity is necessary to obtain a service. However, the processing activity is not necessary for the use of our website.
Data Retention Period	We retain the data relating to a purchased service for at least the duration of the contract. We are legally obliged to retain business documents and accounting records for 10 years. We reserve the right to retain them for longer in order to assert our rights.

H. Applicants

a. Application

Data processing	You have the option of applying to us via our web-based application tool (at jobs.galliker.com), by post or by e-mail. Our web-based application tool includes an online application form. We use Refline for this form. The application data you provide is stored on a secure Refline server and can be viewed by us. Your data will only be stored if you are offered employment with us. In connection with apprenticeships in Switzerland, we use the service www.yousty.ch. Our vacancies are advertised on the platform. You have the opportunity to upload your application documents to the platform. You have the option of applying to us by e-mail. In these cases, we process all the data that you send us with your application dossier and use MS Outlook for this purpose (you can find more information on the handling of your personal data when using MS Outlook above under "II Processing activities, B. Making contact").
Personal data	The following information may be processed when you submit an application: Applicant master data (first and last name, e-mail address, telephone number, address, date of birth, citizenship) Qualification data (cover letter, letter of motivation, CV, previous activities, professional qualifications and competences) Voluntary information, such as title, photo, applicant source or other information that you voluntarily provide us with in your application Other data/data categories, e.g. publicly accessible, work-related data, e.g. a public profile on social media networks.
Purpose	The purpose of processing the personal data provided is to check your enquiry regarding the initiation of an employment contract.
Order processor	Refline AG ("Refline"), Bösch 65, 6331 Hünenberg, Switzerland Yousty AG ("Yousty"), Limmatstrasse 21, 8005 Zurich, Switzerland
Ensuring data protection	We have concluded an data processing agreement with Refline. Yousty is an independent Controller by its own definition.
Data protection declaration of the processor	https://refline.ch/de/datenschutz/ https://www.yousty.ch/de-CH/privacy
Legal basis	This data processing is carried out on the basis of contractual or pre-contractual measures in accordance with Art. 31 para. 2 lit. a FADP or Art. 6 para. 1 sentence 1 lit. b GDPR. Furthermore, the processing of your personal data for the assertion, exercise or defence of legal claims is in our overriding private interest in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. f GDPR. If the applicants are minors or dependants, we assume that the application documents have been transmitted with the permission of the legal representatives in each case.
Necessity	The data mentioned is not necessary for the functionality of the website.
Data retention period	The data retention for the purpose of the application will be in accordance with the relevant legal provisions and for as long as is necessary to fulfil the aforementioned purposes. In the event that the application is unsuccessful, we will store your personal data for 6 months for the assertion, exercise or defence of our legal claims.

c. JobMail

Data processing	You have the option of registering for a job newsletter "JobMail" on our website. This newsletter informs you about current vacancies and related information. Registration for the newsletter is only possible with a double opt-in: After you have registered on our website, you will receive an e-mail in which you must click on the confirmation to receive a newsletter. If you do not wish to do this, ignore the confirmation e-mail. If you wish to unsubscribe from the newsletter at a later date, you can click on the unsubscribe link that is sent to you with every e-mail newsletter.
Personal data	We collect the following information for the registration and dispatch of the newsletter: First name and surname E-mail address We then process data that can be used to determine whether a newsletter message has been opened and which links, if any, have been clicked on. Technical information is also recorded, such as Time of the call IP address Browser type Click behaviour Operating system
Purpose	The personal data in question is processed for the purpose of sending the newsletter and analysing the newsletter.
Order processor	Refline AG ("Refline"), Bösch 65, 6331 Hünenberg, Switzerland
Ensuring data protection	We have concluded an data processing agreement with Refline.
Data protection declaration of the processor	https://refline.ch/de/datenschutz/
Legal basis	The provision of your data is voluntary. Your personal data will be processed with your express consent in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. a GDPR, which you give by double opt-in.
Necessity	This processing activity is not necessary for the functionality of the website.
Data Retention Period	The data retained for the purpose of the newsletter subscription will be stored by us until you unsubscribe from the newsletter. After you unsubscribe, your data will be deleted from our servers and from the Refline servers, unless we have the data in connection with other lawful processing activities.

d. Talent Pool

Data processing	With your consent, you have the option of having your application documents stored in our talent pool. For open positions, we would then ask you whether you might be interested in a position. When we place your documents in the talent pool, you will receive an e-mail asking you to submit a double opt-in. You will receive an e-mail in which you must click on the confirmation to receive job offers. If you do not wish to do this, ignore the confirmation e-mail. If you wish to unsubscribe from the talent pool at a later date, you can click on the unsubscribe link that is sent to you with every enquiry.
Personal data	We collect the following information for the registration and dispatch of the newsletter: Applicant master data (first and last name, e-mail address, telephone number, address, date of birth, citizenship) Qualification data (cover letter, letter of motivation, CV, previous activities, professional qualifications and competences) Voluntary information, such as title, photo, applicant source or other information that you voluntarily provide us with in your application Other data/data categories, e.g. publicly accessible, job-related data, e.g. a public profile on social media networks. We then process data that can be used to determine whether a message has been opened and which links, if any, have been clicked on. Technical information is also recorded, such as Time of the call IP address Browser type Click behaviour Operating system
Purpose	The purpose of processing the personal data provided is to inform you about vacancies at Galliker.
Order processor	Refline AG ("Refline"), Bösch 65, 6331 Hünenberg, Switzerland
Ensuring data protection	We have concluded an data processing agreement with Refline.
Data protection declaration of the processor	https://refline.ch/de/datenschutz/
Legal basis	The provision of your data is voluntary. Your personal data will be processed with your express consent in accordance with Art. 31 para. 1 FADP or Art. 6 para. 1 sentence 1 lit. a GDPR, which you give by double opt-in.
Necessity	This processing activity is not necessary for the functionality of the service.
Data Retention Period	The data retained for the purpose of the talent pool will be with us until you unsubscribe. After deregistration, your data will be deleted from our servers and from the Refline servers, unless we have the data in connection with other lawful processing activities.

III. Disclosure of Data to Third Parties

Your personal data will not be transferred to third parties for purposes other than those listed or to processors or controllers other than those listed and their subcontractors.

IV. Cross-border Disclosure to Third Countries without an adequate Level of Data Protection

No disclosure is made to third countries without an adequate level of data protection or only subject to suitable guarantees, e.g. under the contractual obligation to maintain an adequate level of data protection (as standard contractual clauses). Personal data is only transferred to third countries if the data protection requirements of Art. 9 and 16 FADP or Art. 44 et seq. GDPR are met.

A country qualifies as a third country if there is no equivalent level of data protection to Swiss or EU law. The Federal Council (Ordinance on Data Protection (GDPR), SR 235.11, Annex 1) or the EU Commission designates countries with an adequate level of data protection (in the respective adequacy decision pursuant to Art. 45 GDPR).

There is a Data Privacy Framework between the EU and the USA. This framework ensures a GDPR-compliant transfer to the USA and correspondingly compliant data processing, in which all rights under EU law of the data subject can be safeguarded. Whether the specific data processor in the USA participates in this framework can be clarified on the website: www.dataprivacyframework.gov/s/. In addition, you will find further information on the processing of user data in the specific data protection declarations of the data processor.

The Swiss-U.S. Framework has not yet entered into force. Therefore, your data may be subject to a level of data protection during data transfer that is not comparable to that in Switzerland. We have therefore concluded standard contractual clauses with our suppliers and taken technical and organisational measures. By giving your consent via the cookie banner or be using our service or contact possibilities, you also consent to your personal data being transferred to insecure third countries in accordance with Art. 17 FADP and Art. 49 para. 1 lit. a GDPR. Swiss citizens have no effective means of legal protection against such access in the USA.

In this data protection information, we inform you when and how we transfer personal data to the USA or other insecure third countries.

V. Data Security

We take appropriate technical and administrative measures to ensure that your personal data cannot be accessed or stolen by unauthorised third parties. In particular, we take appropriate technical (e.g. firewall, password protection, SSL encryption, etc.) and organisational (e.g. restriction of authorised persons, training of authorised persons, etc.) measures to ensure that only authorised persons have access to this data. Our data processing and security measures are continuously improved in line with technological developments.

We use SSL encryption for security reasons and to protect the transmission of confidential content, such as the requests you send to us as the Website operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL encryption is activated, the data you transmit to us cannot be read by third parties.

VI. Your Rights

As a data subject, you may assert various claims against us in accordance with the applicable national and international law. We may process your personal data again to fulfil these claims. Depending on the applicable law, data subjects may assert the following rights:

Right to information	To request information about your personal data processed by us. In particular, information in accordance with Art. 25 ff. FADP or Art. 15 GDPR may contain information: on the purposes of processing the category of personal data the categories of recipients to whom your data has been or will be disclosed the planned storage period the existence of a right to rectification, erasure, restriction of processing or objection the existence of a right of appeal the origin of your data if it was not collected by us the existence of automated decision-making, including profiling and, where applicable, meaningful information about its details
Right of rectification	To immediately request the correction of incorrect or incomplete personal data retained by us (Art. 32 para. 1 FADP or Art. 16 GDPR).
Right to restriction of processing	To request the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to delete it and we no longer need the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing in accordance with Art. 21 GDPR (Art. 32 FADP or Art. 18 GDPR);
Right to data disclosure and transfer	To receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format or to request that it be transmitted to another Controller (Art. 28 FADP and Art. 20 GDPR);
Right of cancellation	To request the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims (Art. 32 FADP in conjunction with Art. 28 ZGB or Art. 17 GDPR);
Revocation of consent	To revoke your consent once given to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future (Art. 30 para. 2 lit. b FADP and Art. 7 para. 3 GDPR);
Right of objection	To object to the processing if your personal data are processed on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR (Art. 21 GDPR) and if there are reasons for this arising from your particular situation or if the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation;
Complaint to the supervisory authority	To lodge a complaint with a supervisory authority (see above) (Art. 49 FADP or 77 GDPR).

VIII. Relevance and Amendment of this Data Protection Declaration

We reserve the right to amend this data protection declaration at any time or to adapt it to new processing methods. The current data protection declaration can be accessed here at any time. Older versions of the data protection declaration can be accessed here.

Status, 8 May 2024