Version 1.0 from 14.02.2022
1. General information
Within the context of our business activities, we are subject to the Swiss data protection law, in particular the Federal Act on Data Protection (FADP) and, where applicable, foreign data protection law, in particular the General Data Protection Regulation (GDPR) of the European Union (EU).
Particularly the latter is only applicable to natural persons with domicile in an EU/EEA state. The EU recognises that Swiss data protection law ensures adequate data protection.
By using our services and our platform, you agree to the processing of the data collected about you in the manner and for the purpose as described below. Personal data of third parties may only be provided to us if you are authorised to do so and if such personal data is correct.
The masculine form of language we use is for simplification and applies equally to all other forms of gender expression.
2. Responsible for data protection issues
Contact person for data protection matters at art24 World AG is:
art24 World AG
Phone no.: +41 43 499 50 20
3. EU data protection representative
For natural persons with simple residency in countries of the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein, as well as for the country-specific supervisory authorities provided for by the GDPR, we designate the following person as EU data protection representative according to Article 27 of the GDPR:
VGS Datenschutzpartner UG
Am Kaiserkai 69
For better understanding, we would like to start by clarifying the most important terms used in the following. In this regard, we adhere to the definitions from the Swiss Data Protection Act (Article 3 DPA).
- Personal data: all information relating to an identified or identifiable person.
- Persons concerned: natural or legal persons on whom data is being processed;
- Processing: any handling of personal data, regardless of the means and procedures used, in particular the acquisition, storage, use, reprocessing, disclosure, archiving or destruction of data;
- Responsible person: private person who decides alone or together with others on the purpose and means of processing;
- Processor: private person who processes personal data on behalf of the data controller.
5. Collection and processing of personal data
We process personal data that we receive from our users, visitors, customers, business partners, employees, authorities and other involved persons in the course of our business activities with them and third parties or that we collect in the course of operating our platform and other applications. In addition, we also collect publicly accessible data (e.g. from public registers, the Internet, the press, social media, etc.) if necessary and permissible for the fulfilment of our business activities.
6. Purpose of the data processing
We process the data collected in order to fulfil our legal and contractual obligations towards our users, visitors, customers, business partners, employees, authorities and other persons involved.
Furthermore, we process the data collected in order to improve the products and services you have requested, to manage your use of and access to our services, products and information, to maintain our business relationship with you, to carry out advertising and marketing measures ( provided that you have consented to the use of your personal data in this respect), to monitor and improve the performance of our services, to enforce legal claims or defend ourselves against them, to detect, prevent or resolve illegal activities as well as to generally guarantee our operations (in particular IT, platform, etc.). We only collect, use and disclose your personal data if this is permitted or required by law or if you have agreed to the disclosure of your data.
7. Legal basis of data processing
We process personal data in accordance with Swiss data protection law pursuant to Article 4 et seq. DSG (Article 6 revised FADP). Where a justification for processing your personal data is necessary, this is either based on your consent in accordance with Article 13 para. 1 FADP (Article 31 para. 1 revised FADP) or on a legal basis or on our predominant private interest on the data processing. Any processing of your personal data by other group companies is also based on Article 13 para. 2 FADP (Article 31 para. 2 revised FADP).
In addition, we process - insofar as and to the extent that the GDPR is applicable - personal data in accordance with the following legal basis in connection with Article 6 para. 1 GDPR:
- The person concerned has given his consent to the processing of personal data relating to him for one or more specific purposes (Article 6 para. 1 lit. a DSGVO) or
- the processing is necessary for the fulfilment of a contract to which the data subject is a party or for the execution of pre-contractual measures which are carried out at the request of the person concerned (Article 6 para. 1 lit. b DSGVO) or
- the processing is necessary for the fulfilment of a legal obligation to which we are subject as the responsible party (Article 6 para. 1 lit. c DSGVO) or
- the processing is necessary to protect the vital interests of the person concerned or of another natural person (Article 6 para.1 lit. d DSGVO) or
- the processing is necessary for the performance of a task which is in the public interest or in the exercise of official authority conferred on us as the responsible controller (Article 6 para. 1 lit. e DSGVO) or
- the processing is necessary for the purposes of protecting our legitimate interests as responsible controller or those of a third party, except where such interests are predominated by the interests or fundamental rights and freedoms of the person concerned which require the protection of personal data, in particular where the person concerned is a child (Article 6 para. 1 lit. f DSGVO).
8. Processing time of personal data
We will process your personal data for as long as we are legally obliged to do so or for as long as our legitimate business interests require or as long as the purpose of collecting your data makes it necessary. The associated retention periods may result in your personal data or extracts from them being kept for several years after the end of the contractual relationship between you and us. If your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised as far as possible.
9. Data processing in connection with the usage of our platform
The software Cookiebot is used for cookie consent. The following source code includes Cookiebot in our platform:
9.2. Contact form
You have the possibility to use a contact form to get in touch with us. The collection and transmission of the following data is possible:
- Email address
- Phone number
We have marked the mandatory fields (*). The provision of personal data in other fields or in the context of any other method of contact (e.g., by email, telephone) is voluntary. Within the area of application of the DSGVO, this data is processed for the purpose of initiating or fulfilling a contract (Art. 6 para. 1 lit. b DSGVO) or on the basis of our legitimate interest in processing the requests addressed to us (Art. 6 para. 1 lit. f DSGVO) or based on your consent (Art. 6 para. 1 lit. a DSGVO).
9.3. Platform hosting provider
We host our platform with a Swiss hosting provider with its headquarters and server location in Switzerland (VSHN AG). With each visit to our platform, the hosting provider automatically collects and stores information (server log files) which your browser transmits. This includes the name and URL of the accessed file, date and time, amount of data, web browser and web browser version, operating system, the domain name of your internet provider, the so-called referrer URL (the page from which you accessed our website) and the IP address. This usage data serves to identify technical problems, to ensure security and to statistically evaluate the use of our platform and thus the further development of our offer.
The mentioned data is processed by us for the following purposes:
- To ensure a smooth connection set-up to the platform,
- To ensure a comfortable usage of our platform,
- To evaluate the security and stability of the system and
- Evaluation of system security and stability and for other administrative purposes and in the event of an unlawful use of our platform or our services.
Within the area of application of the DSGVO, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f DSGVO) in accordance with the purposes listed above or your consent (Art. 6 para. 1 lit. a DSGVO).
9.4. User data
You can register to our platform ("user") in order to use further functions of our platform. The latest GTC are applicable and can be found at https://art24.world/legal/terms. The mandatory information requested during registration must be provided in full. Otherwise, registration is not possible. For important changes, for example in the range of services offered or in the case of technically necessary changes, we use the email address provided when you first registered in order to inform you this way.
For all purposes related to the fulfilment of the contract, we are entitled to collect, process and use personal data of the user and, if applicable, also of the user's employees, bodies or third parties involved. Your consent also includes the use for marketing purposes.
Users may process and use personal data of other users, which they legally collect in the course of using the platform, exclusively for the performance of their pre-contractual and contractual services. With disclose out the expressed permission of the user concerned, they are in particular prohibited from disclosing this data on to third parties (e.g., for marketing purposes).
The user explicitly authorises us to process his personal data and data related to him and to disclose it to third parties abroad and hence worldwide. These recipients may also be located in countries where there may not be an equivalent level of data protection. The user explicitly agrees to the transfer of data to these countries.
The user explicitly declares that consent for the processing of personal data as described above has been given and that the legal requirements for transfer to and processing through us have been fulfilled.
Within the scope of application of the GDPR, the processing of this data takes place either for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) or based on your consent (Art. 6 para. 1 lit. a GDPR).
We use the services of Datatrans. The provider is Datatrans AG, Kreuzbühlstrasse 26, 8008 Zurich, Switzerland ("Datatrans"). Datatrans follows the standards set by PCI-DSS, which are managed by the PCI Security Standards Council. PCI-DSS requirements help to ensure the secure handling of payment information.
Within the scope of application of the GDPR, the transfer of your data to Datatrans is based on the execution of the contract (Art. 6 para. 1 lit. b GDPR) as well as on our justifiable interest (Art. 6 para. 1 lit. f GDPR) in the use of reliable and secure payment processing.
On our platform, we offer you the possibility to subscribe to our newsletter, through which we will inform you regularly about offers, products and information.
In order to send you a personalised newsletter, we require your first and last name, email address as well as information that allows us to verify that you are the owner of the email address provided and that you agree to receiving the newsletter. This data will only be used for the purpose of sending you the newsletter. You are free to provide us with further information on a voluntary basis. This personal data will not be passed on to third parties outside our company respectively our group of companies. For your registration to the newsletter, we use the so-called double opt-in procedure. After your registration you will receive an e-mail in which we ask you to confirm your registration. The subscriptions to the newsletter are recorded. This includes the storage of the time of registration and confirmation as well as the IP address. In addition, any changes to your submitted data are logged.
You can withdraw your consent to the storage of your personal data and its use for the newsletter dispatch at any time. You will find a link to do so in every newsletter.
Within the scope of the GDPR, the processing of the data collected as part of your newsletter subscription is based on your consent (Art. 6 para. 1 lit. a GDPR).
9.7. Links to other websites
Our platform contains hyperlinks to third-party websites that are not operated or controlled by us. We are not responsible for their content or data protection practices.
9.8. Google Inc.
9.8.1. General information
Our platform uses functions and services of Google Inc. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in the European area.
In addition to the following explanations, you will find further information in the Google privacy statement on data protection at Google: https://policies.google.com/privacy?hl=en-GB.
In the scope of application of the GDPR, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in an appealing internet appearance as well as in increasing our reach or based on your consent (Art. 6 para. 1 lit. a GDPR).
9.8.2. Services used by Google
Our platform uses functions of the web analytics service Google Analytics, Google Tag Manager, Google AdSense and Google Ads. In addition, we use Google Maps to embed maps, Google Fonts to use fonts and Google reCAPTCHA to protect our platform from spam and misuse.
Google Tag Manager is a solution that allows us to manage website tags through one interface. Google Tag Manager is a cookie-less domain that does not collect any personal data. Google Tag Manager triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made on domain or cookie level, it remains in place for all tracking tags implemented with Google Tag Manager.
Furthermore, we use the advertising tool Google-Ads to promote our platform. For this purpose, we use the analysis service "Conversion Tracking" from Google on our platform. If you have accessed our platform via a Google ad, a cookie will be placed on your computer. These so-called "conversion cookies" lose their validity after 30 days and are not used for your personal identification. If you visit certain pages of our platform and the cookie has not yet expired, we and Google can recognise that you, as a user, have clicked on one of our ads placed on Google and have been redirected to our platform. The information obtained with the help of conversion cookies is used by Google to compile visitor statistics for our platform. Through these statistics, we can determine the total number of users who have clicked on our ad and which pages of our platform were subsequently accessed by the respective user. However, we do not receive any information that personally identifies users. You can prevent the installation of conversion cookies by setting your browser accordingly, for example by using a browser setting that generally deactivates the automatic setting of cookies or specifically only blocks cookies from the domain "googleadservices.com".
On our platform we use Google Maps to embed maps. By using Google Maps, data is transmitted to Google and may also be stored on Google servers in the USA.
Our platform uses so-called Web Fonts provided by Google to display fonts in a uniform manner. The Google Fonts are installed locally. There is no connection established to Google servers. You can find more information about Google Web Fonts under: https://developers.google.com/fonts/faq.
Furthermore, we use the Google service reCAPTCHA on our platform. The associated query serves the purpose of distinguishing whether entries (e.g., in the contact form) are made by a human or by automated machine processing. The query includes the dispatch of the IP address and any other data required by Google for the reCAPTCHA service to Google. For this purpose, your input will be transmitted to Google and used further there. Your IP address will, however, be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement of the European Economic Area (cf. also section 10.8.4 "IP anonymisation" below). Only in exceptional cases the full IP address will be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate your usage of the service. According to Google, the IP address transmitted by your browser as part of reCAPTCHA will not be merged with other Google data. By clicking on the query, you agree to this processing of your data, which means that the data processing is performed based on your consent.
You can prevent the collection of your data through Google Analytics by clicking on the following link: https://tools.google.com/dlpage/gaoptout?hl=de. An opt-out-Cookie will be set which will prevent the collection of your data on future visits to this platform.
9.8.4. IP anonymisation
We have activated the "IP anonymisation" function on our platform. Through this, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate your usage of the platform, to compile reports on platform activities and to provide us with further services related to platform usage and internet usage. According to Google, the IP address transmitted by your browser will not be merged with other Google data.
9.8.5. Browser plugin
You are able to prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all the functions of our platform to their full extent. You can also prevent the collection of data generated by the cookie and referring to your use of the platform (incl. your IP address) to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de
10. Further data processing
10.1. General information
When you use our services or contact us, we collect and process - depending on the business case - the following general personal data about you:
- personal details
- contact details
- if needed, information in connection with the company for which you work
- oral, written and electronic information provided by you in connection with your person and your concern
- information in connection with the underlying business case respectively legal relationship between you and us
- the information and data deposited by you as a user in your user account (incl. payment details, communication data, etc.)
Within the scope of the GDPR, this data is either processed for the purpose of initiating and fulfilling a contract (Art. 6 par. 1 lit. b) GDPR) or based on our legitimate interest (Art. 6 par. 1 lit. f) in processing the requests addressed to us or based on your consent (Art. 6 par. 1 lit. a) GDPR).
10.2. Ways of contacting
If you contact us outside our platform (e.g., by email, telephone, post), your enquiry including all related personal data will be stored and processed by us for the purpose of processing your request. This data will only be passed on to third parties outside our group with your consent.
Within the scope of the GDPR, the processing of this data takes place for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in processing the enquiries addressed to us or based on your consent (Art. 6 para. 1 lit. a GDPR).
10.3. Cloud service provider
For the purpose of storing and processing your personal data, we use the services of the following external cloud service providers:
- Microsoft 365 (incl. Exchange, SharePoint, Teams, OneDrive): The provider of these services is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland ("Microsoft"). The data is stored exclusively on servers located in Switzerland, according to Microsoft (see here). Besides the present explanations, you will find further information on data protection in the Microsoft data protection declaration: https://privacy.microsoft.com/en-us/privacystatement.
- Microsoft Azure: The provider of these services is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Irland ("Microsoft"). In addition to the information provided here, you can find further information on data protection in the Microsoft data protection declaration: https://privacy.microsoft.com/en-us/privacystatement
- ASPSMS: The provider is VADIAN.NET AG, Katharinengasse 10, 9000 St. Gallen, Switzerland («ASPSMS»). We use the ASPSMS services to realise two-factor authentication by means of mTAN. In addition to the present explanations, you will find further information on data protection in the ASPSMS data protection declaration: https://www.aspsms.com/en/privacy/
- Sentry: The provider is Functional Software, Inc., 132 Hawthorne St, San Francisco, USA (“Sentry”). We use Sentry to record software errors. In addition to the present explanations, you will find further information on data protection in the Sentry data protection declaration: https://sentry.io/privacy/.
10.4. Applicant data
We accept applications by post, email or contact form. We treat your data strictly confidential. Your personal data will only be passed on within our company or group to persons who are entrusted with processing your application. By submitting your application to us, you expressly consent to the forwarding of your application documents to group companies.
We process the personal data sent to us as part of your application and the personal data collected as part of our application process to the extent that this is necessary to decide on the conclusion and execution of an employment contract.
Within the scope of the GDPR, this data is processed either for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or based on your consent (Art. 6 para. 1 lit. a GDPR).
11. Data transmission to third parties
11.1. General information
Where necessary and to the extent legally permitted, we will also disclose your personal data to third parties in the context of our business activities. This includes, among others:
- our group companies
- our service providers (incl. processors), such as banks, IT providers etc.
- business partners, in particular external consultants, experts, etc.
- authorities and courts
Within the scope of the GDPR, such processing is based on the completion of a contractual relationship (Art. 6 para. 1 lit. b GDPR), our legitimate interests (Art. 6 para. 1 lit. f GDPR) or your consent (Art. 6 para. 1 lit. a GDPR).
11.2. Order processing contracts
Where necessary, we have concluded corresponding order processing contracts with our data processors. The data processors agree to comply with data protection and data security regulations. In addition, they grant us comprehensive inspection and control rights as well as rights of information, rectification and deletion.
11.3. Notice on data transfer to the USA
As stated in this privacy declaration, we also use, among other things, tools and services from companies based in the USA. This allows your personal data to be transferred to the US servers of the respective companies. We would like to point out that the USA is currently not considered a safe third country within the meaning of EU and Swiss data protection law. In this regard, there is a risk that US authorities will access the personal data without you being able to defend yourself as a person effected. We have no influence over these data processing activities. By accepting this privacy declaration, you expressively consent to the transfer of your personal data to the USA.
In the scope of application of the GDPR, this data transfer is based on your consent (Art. 6 para. 1 lit. a GDPR).
12. Social networks (social media)
12.1. General information
We maintain the publicly accessible profiles on social networks as listed below. For this purpose, you will find linked graphics to the different networks on our platform. By clicking on one of these graphics, you will be redirected to the selected social network. After forwarding, the network collects and processes your information in the following manner.
By visiting our social network profiles, personal data about you may be collected. For example, if you are logged into your accounts on the social networks and visit our profile at the same time, the portal operator may be able to assign this visit to your user account. Even if you have logged out of your account or if you do not have an account with the respective portal, your personal data may be collected. Such a collection of data can take place, for example, through the setting of cookies or web beacons. Based on the data collected this way, the portal operators can create user profiles and display advertisement based on your interests. For further information, please consult the respective data protection declarations of the portal operators.
Within the scope of the GDPR, the use of social networks and the associated data processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR). In particular, we want to use it to present ourselves on the internet and to increase our reach.
12.2. Facebook fan page
We use functions of the Facebook fan page service. These functions are offered by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland. As operator of the Facebook fan page, we and the operator of the social network Facebook are joint data controllers.
12.3. Facebook pixel
We use Facebook's visitor action pixel to measure conversions. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. The collected data is, however, according to Facebook, also transferred to the USA and other third countries.
With the help of this service, the behaviour of platform visitors can be tracked after they have been redirected to our platform by clicking on a Facebook ad. The purpose of this measure is to evaluate the effectiveness of Facebook ads for statistical and market research purposes and to be able to optimise future advertising and marketing activities based on this.
LinkedIn uses advertising cookies. If you would like to deactivate them, please follow this link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
In addition to linked graphics, we also use plugins from YouTube, a site operated by Google. The operator of the site is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube's servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out from your YouTube account.
12.7. Google My business
We use Google My business by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland("Google"). When you visit and interact with our Google My Business listing, Google also collects your IP address and other information that is collected in the form of cookies on your terminal device. This information is collected for statistical purposes. The data collected about you in this context will be processed by Google and may also be transmitted to the USA. The use of Google My Business is at your own responsibility.
13. Your rights as a person concerned
Provided that the legal requirements are fulfilled, you as the data subject have the right,
- to receive, upon request and free of charge, information on whether and if so, which personal data we process about you
- on the rectification of incorrect personal data
- on the processing restriction of your personal data auf die
- to block your personal data auf
- to delete your personal data, provided this does in no way conflict with a legal obligation to keep data
- on data portability auf
- to withdraw consent given for the processing of your personal data with effect for the future
- object to the processing of your personal data
If you assume that your data has been processed unlawfully, you can file a complaint with the responsible supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
If you wish to correct, block, delete or obtain information about the personal data stored about you, or if you have any questions regarding the collection, processing or use of your personal data, or if you wish to revoke consent you have given, you can contact the above mentioned data protection officer (figure 2) or the EU data protection representative (figure 3) or the UK data protection representative (figure 4) at any time.
14. Data security
To secure your data, we maintain technical and organisational security measures in line with the current state of the art. Communication via our platform is encoded through the use of the SSL/TLS encryption protocol. However, we would like to point out that even encrypted data transmission on the Internet always entails security risks. Seamless protection of the data against access by third parties cannot be guaranteed.