Privacy Notice for Clients of Bureau Veritas Switzerland AG

PRIVACY NOTICE FOR CLIENTS OF BUREAU VERITAS SWITZERLAND AG pursuant to Article 19 of Federal Act on Data Protection (“FADP”)

This privacy notice is provided pursuant to art. 19 of Federal Act on Data Protection (“FADP”) in relation to the processing of Bureau Veritas Switzerland AG Clients’ personal data (the “Clients”).

1. Data processing controller

The Data Controller is Bureau Veritas Switzerland AG, with registered office in Grossächerstrasse 25, CH-8104, Weiningen, Switzerland; VAT no. CHE107701676 (hereafter “Bureau Veritas” or the “Controller”), part of the Bureau Veritas Group.

2. Erhobene Daten

The Data Controller processes your personal data collected through the contractual documentation and relating to the contract stipulated, such as identification data (including fist name, second name, date and place of birth, Tax Code and VAT number, company name) and contact data (such as address, e-mail and telephone number) and any information contained therein (the "Data").

3. Purpose and legal basis of the processing 

The Data is processed according to the following purposes and legal bases:

3.1 Execution of the contractual relationship
Data will be processed in order to correctly execute the contract with the Data Controller and, in particular:

(i) to allow effective management of the contractual relationship with the Data Controller;

(ii) to carry out the obligations deriving from the contract, such as, for example, for the purposes of keeping accounts.

Data provision for the above-mentioned purposes is mandatory and necessary for the proper execution of the aforementioned activities. In the event of a total or partial refusal to provide the Data for these purposes, the Data Controller will not be able to establish and execute the contractual relationship.

3.2 Compliance with legal obligations
The Data may also be processed to allow the Data Controller to fulfil the obligations established by law, by a regulation or by an order of Authorities.

The provision of Data for this purpose is necessary to follow up on the legal obligations to which the Data Controller is subject.

3.3 Overriding interest

(i) Legal protection
The Data will be processed to exercise the rights of the Data Controller, such as the right of defence in court. This overriding interest is to be considered prevailing because it corresponds to a constitutionally guaranteed right and, as such, is socially recognized as prevailing over the interests of the individual concerned. Data provision for this purpose is necessary to allow the Data Controller to defend itself in legal and out-of-court proceedings.

(ii) Information and promotional notifications
The Data will be processed in order to allow the Data Controller to contact Clients in order to send individual notifications, exclusively by e-mail, of an informative and promotional nature, on the basis of the contractual relationship already established with the same, and concerning products and/or services of the same type with respect to those being sold (Soft Spam), in accordance with the provisions of art. 3, par. 1, lett. o of the Unfair Competition Act (“UCA”) of 19 December 1986, Status as of 1 September 2023, and subsequent amendments, unless objected. The legal basis for this processing lies in the overriding interest of the Data Controller to maintain and strengthen the human and professional relationships established with Client. Overriding interest that does not affect the rights and freedoms of the Clients as it finds its respective balance in the interest and reasonable expectation of the Clients to receive information on products similar to those already purchased and on the activity of the Data Controller.

3.4 Consent

(i) Marketing activities
The Data may be processed by the Data Controller to send to Client through the channels authorized by them – such as, for example, mail, telephone or electronic notifications, such as e-mails – marketing notifications, having an advertising, informative and promotional nature of the products and services offered by Bureau Veritas. The legal basis of said processing is the consent given. Consent can always be freely revoked by using the appropriate "unsubscribe" link at the bottom of all notifications sent by e-mail or through the portal for the exercise of rights indicated in article 7 below. The provision of data is optional. Any refusal will result in the impossibility, even partial, of pursuing this purpose. 

(ii) Transfer of data to the Bureau Veritas Group companies to allow them to send their own advertising, informative and promotional material notifications 
Client Data may be transferred to Bureau Veritas Group companies and used for sending advertising, information and promotional material notifications by Bureau Veritas Group companies. The legal basis of said processing is the consent of the Client. Consent may always be revoked freely through the portal for the exercise of rights indicated in article 7 below. The provision of data is optional. Any refusal will result in the impossibility, even partial, of pursuing this purpose. 

4. Data Recipients

The Data will be processed by the Data Controller’s employees, specifically appointed as authorised data processors (such as, but not limited to, those in charge of the sales, legal and marketing departments), where necessary to carry out the activities referred to in article 3 above.

Personal Data may also be transferred to third parties where necessary for the establishment, management, execution and/or termination of the contractual relationship with the Data Controller. In this case, the third-party recipients of Personal Data – autonomous data controllers or duly appointed as data processors – belong to the following categories:

(i) external subjects operating as autonomous controllers such as, for example, Authorities and supervisory and control bodies and in general to subjects, including private individuals, entitled to request the data (such as accounting consultants, legal consultants), Public Authorities that make an express request for administrative or institutional purposes, in accordance with the provisions of current national legislation;

(ii) subjects outside the company who provide services to the company and who are useful for its activities (for example: IT service providers for the management of databases, including contacts and e-mails, digital service providers and IT consultants who provide technical assistance to the company, offices that provide payroll services, training institutions, banking and financial intermediaries); these subjects have received a specific assignment as data processors and their names are available upon request to the Data Controller, using the contact details indicated in article 7 below.

5. Data retention period

The Data processed for:

(i) the execution of the contractual relationship with the interested party and is retained for the entire duration of the contractual relationship and for the ordinary limitation period of 10 years provided for by the applicable regulations;

(ii) the fulfilment of legal obligations to which the Data Controller is subject are kept for the duration provided for by law (10 years for administrative-accounting obligations);

(iii) the overriding interest of the Data Controller, and specifically in the case of judicial litigation, will be kept for the entire duration of the same, until the expiration of the terms of practicability of appeals and for the purpose of sending commercial notifications until the request for opt-out by the data subject or for a period of 12 months from the last active contact with the data subject.

(iv) marketing activities will be retained for a period of time not exceeding 24 months from the granting of consent by the Client to carry out such processing, after which a request will be sent to confirm the wish to continue receiving such processing: in the event of refusal, the Data provided will be deleted; in the event of consent, it will be retained and processed for a further period of 24 months. Clients may, in any case, withdraw their consent as specified in article 3 of this privacy notice.

(v) the transfer of data to subsidiaries/parent companies and/or affiliates of the Bureau Veritas Group, will be kept for a period of time necessary to technically allow the correct transfer of data to third parties and subsequently as regulated in the information that will be issued by each owner.

6. Transfer of data to third countries

The Data Controller may disclose the Data to the European Union, accordingly to the European Commission Decision No 2000/518/EC of 26 July 2000 (as confirmed by the Report from the Commission to the European Parliament and the Council of 15 January 2024). The processing of the Data will be carried out at the Data Controller's offices and the Data will be stored in servers and/or archives in Switzerland, the European Union and in third countries. Data may be disclosed abroad only if the Swiss Federal Council has decided that the legislation of the State concerned or the international body guarantees an adequate level of protection, accordingly to art. 16 FADP. In the absence of a decision by the Federal Council, Data may be disclosed abroad only if an adequate level of data protection is guaranteed in accordance with the provisions of art. 16.1 FADP or by the exception of art. 17 FADP.

7. Rights of the data subject

Clients, as data subjects (i.e., subjects to whom the Data refers), are holders of rights conferred by the FADP. In particular, pursuant to articles 25, 28, 32 and 49 of FADP, data subjects have the right to request and obtain, at any time, access to their personal data, information on the processing carried out, the correction and/or updating of personal data. Additionally, they also have the right to object to the processing and to request data portability (i.e. to receive personal data in a structured, commonly used, machine-readable format). Finally, data subjects always have the right to revoke their consent at any time (this, in any case, will not affect the lawfulness of the processing carried out on the basis of the consent given before the revocation) and to lodge a complaint with a supervisory authority (in Switzerland: the Federal Data Protection and Information Commissioner).

The above-mentioned rights may be exercised at any time by simply sending a request to the Data Controller: