BACK

Privacy Policy

This Privacy Policy explains how, where and for which purpose we process personal data, particularly in connection with our website (www.drogeriegstaad.ch) and our other services. This Privacy Policy further explains the rights of persons whose data we process.

Individual or additional offers and services may be subject to special, additional or further privacy policies as well as other legal documents, such as general terms and conditions (GTC), terms and conditions of use or terms and conditions of participation.

Our content is governed by Swiss data protection law as well as any other relevant foreign data protection laws, such as, in particular, those of the European Union (EU), namely the General Data Protection Regulation (GDPR). The European Commission recognises that Swiss data protection law provides adequate data protection.

1. Contact details

Entity responsible for processing personal data (controller):

Drogerie von Grünigen AG
Promenade 20
3780 Gstaad
Switzerland

data@drogeriegstaad.ch

Please note that there may be other controllers in individual circumstances.

2. Personal data processing

2.1 Terminology

Personal data refers to all information referring to a specific or determinable person. A data subject is a person whose personal data is being processed. Processing comprises all handling of personal data, regardless of the methods and processed applied, particularly the storage, disclosure, procurement, collection, erasure, saving, modification, destruction and use of personal data.

The European Economic Area (EEA) comprises the European Union (EU) as well as the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) calls the handling of personal data the processing of personal data.

2.2 Legal bases

We process personal data in accordance with Swiss data protection law, such as, in particular, the Federal Act of 19 June 1992 on Data Protection (FADP) and the Ordinance of 14 June 1993 to the Federal Act on Data Protection (OFADP).

If and insofar as the General Data Protection Regulation (GDPR) is applicable, we process personal data in accordance with at least one of the following legal bases:

• Art. 6 (1) lit. b GDPR for the processing of personal data necessary for the fulfilment of a contract with the data subject as well as for the implementation of precontractual measures.
• Art. 6 (1) lit. f GDPR for the processing of personal data necessary for maintaining our justified interests and those of third parties, unless the basic freedom and basic rights as well as interests of the data subject outweigh these. Justified interests are, in particular, our interest in providing permanent, user-friendly, secure and reliable contents and to be able to advertise this, if required, information security as well as protection against misuse and unauthorised use, the assertion of our own legal claims and compliance with Swiss law.
• Art. 6 (1) lit. c GDPR for the processing of personal data required for the fulfilment of a legal obligation to which we are subject in accordance with relevant applicable laws of the member states of the European Economic Area (EAA).
• Art. 6 (1) lit. e GDPR for the processing of personal data required for performing a task that is in the interest of the general public.
• Art. 6 (1) lit. a GDPR for the processing of personal data with consent from the data subject.
• Art. 6 (1) lit. d GDPR for the processing of personal data required for protecting vital interests of the data subject or another natural person.

2.3 Type, scope and purpose

We process personal data that is necessary for us to provide permanent, user-friendly, secure and reliable contents. Such personal data may fall into the categories of existing and contact data, browser and device data, content data, meta and marginal data as well as user data, location data, sales, contract and payment data.

We process personal data for the period required for the respective purpose(s) or required by law. Personal data that no longer needs to be processed is anonymised or erased. Data subjects have the general right to have their data erased.

We exclusively process personal data with consent from the data subject, unless the processing is permissible for other legal reasons, such as for the fulfilment of a contract with the data subject and for corresponding precontractual measures in order to maintain our outweighing justified interests as the processing is obvious from the circumstances, or following prior information.

Within this scope, we particularly process information voluntarily provided to us by the data subject themselves whilst contacting us – such as per letter, email, contact form, social media or phone – or whilst registering for a user account. We may store such information in an address book, customer relationship management system (CRM system) or similar tools. If you transfer personal data about third parties to us, you must ensure data protection for such third parties and also ensure that the personal data is accurate.

If you participate in our ValueCard loyalty points programme, we process your personal data for processing the programme. This includes your contact details as well as, in particular, information on your purchases (such as date and time, products, product categories, amounts, loyalty points) which you made under your customer number as well as information on the status of your ValueCard loyalty points account. We also process the information on your purchases for statistical analyses with the aim of improving our offer and to send you targeted advertising. You can object to the sending of targeted advertising at any time. For further details, please read the GTC of the ValueCard loyalty points programme.

We further process personal data that we receive from third parties, procure from public sources or collect during the provision of our content, if and insofar as such processing is permissible by law.

Personal data from job applications is only processed insofar as it is required for assessing the suitability of the applicant for the vacancy or the subsequent fulfilment of the employment contract. The personal data required for the implementation of the recruiting process result from the requested and/or disclosed information, such as within the scope of a job description. Applicants have the option of sending further voluntary information to support their application.

2.4 Processing of personal data by third parties, including abroad

We may engage third parties to process personal data, or process personal data in collaboration with, or help from, third parties, or transfer personal data to third parties. Such third parties are, in particular, providers whose services we have purchased. We guarantee that such third parties also maintain an adequate level of data protection.

All of such third parties are generally based in Switzerland and the European Economic Area (EEA). Such third parties may also be located in other countries and global regions if their data protection laws provide adequate data protection according to the assessment of the Federal Data Protection and Information Commissioner (FDPIC) and – insofar as the General Data Protection Regulation (GDPR) is applicable – the European Commission, or if adequate data protection is guaranteed for other reasons, such as a corresponding contractual agreement, particularly on the basis of standard contractual clauses, or by means of a corresponding certification. Certification in accordance with the Privacy Shield can provide adequate data protection for third parties located in the United States of America (USA). In exceptional circumstances, such third party may be located in a country without adequate data protection if the data protection requirements are met, such as explicit consent from the data subject, for instance.

3. Rights of data subjects

Data subjects whose personal data is processed by us have the right granted to them by Swiss data protection law. This includes the right to be informed and the right to rectification, erasure or restrict processing of the processed personal data.

Data subjects whose personal data is processed by us may – if and insofar as the General Data Protection Regulation (GDPR) is applicable – request, free of charge, confirmation from us if we are processing their personal data and if yes, request information on the processing of their personal data, restrict the processing of their personal data, exercise their right to data portability and request the rectification, erasure (“right to be forgotten”), restriction or completion of their personal data.

Data subjects whose personal data is processed by us may – if and insofar as the GDPR is applicable – withdraw their consent at any time and with future effect and object at any time to the processing of their personal data.

Data subjects whose personal data is processed by us have the right to complain to a responsible supervisory authority. The Swiss data protection supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).

4. Data security

We implement adequate and suitable technical and organisational measures for guaranteeing data protection and in particular data security. However, the processing of personal data on the internet can have security gaps despite such measures. We therefore cannot guarantee total data security.

Access to our online content is provided with transport encryption (SSL / TLS, particularly using the Hypertext Transfer Protocol Secure, or HTTPS). Most browsers display a padlock in the address bar when transport encryption is active.

Like all internet use, access to our online content is subject to mass monitoring without cause or suspicion as well as other monitoring by security authorities in Switzerland, the European Union (EU), the United States of America (USA) and other countries. We have no direct influence over the corresponding processing of personal data by secret services, police units and other security authorities.

5. Website use

5.1 Cookies

We may use cookies on our website. Both our own cookies (first-party cookies) and cookies of third parties whose services we have purchased (third-party cookies) are text files that are stored in your browser. Cookies cannot execute any programmes or transfer malware such as Trojans and viruses.

Cookies may be temporarily stored in your browser as session cookies or for a specific period as permanent cookies when you visit our website. Session cookies are automatically deleted when you close your browser. Permanent cookies make it possible, in particular, to recognise your browser when you next visit our website and thus measure the reach of our website, for instance. However, permanent cookies may also be used for online marketing.

You can deactivate and delete all or part of the cookies in your browser, but without cookies you may not be able to use all of the functions of our website. We actively request your consent for the use of cookies if and insofar as required.

5.2 Server log files

We can collect the following information for every access to our website, if it is transferred from your browser to our server infrastructure or if it can be determined by our webserver: Date and time, including time zone, internet protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual subpages of our website accessed including data volume transferred, last website accessed in the same browser (referrer URL).

We store such information, which can also constitute personal data, in server log files. The information is required for us to provide permanent, user-friendly and reliable online content as well as for ensuring data security and therefore, in particular, the protection of personal data – including by third parties or with the help of third parties.

5.3 Tracking pixels

We may use tracking pixels on our website. Tracking pixels are also called web beacons. Tracking pixels, including those of third parties whose services we have purchased, are small, usually invisible images that are automatically accessed when visiting our website. Tracking pixels can be used for collecting the same information as in server log files.

6. Notifications and messages

We send notifications and messages, e.g. newsletters, via email and other communication channels, such as instant messaging.

6.1 Success and reach analyses

Notifications and messages may contain web links or tracking pixels that record if an individual message was opened and which web links were clicked during this process. Such web links and tracking pixels can also record the use of notifications and messages by individual persons. We require this statistical record of the use for analysing our success and reach in order to send effective and user-friendly as well as permanent, secure and reliable notifications and messages based on the recipients’ requirements and read behaviour.

6.2 Consent and objection

You must always explicitly consent to the use of your email address and other contact details, unless their use is permissible on the grounds of other legal reasons. We use the double opt-in method whenever possible for any consent required for the receipt of email newsletters, meaning that you receive an email with a web link that you must click to confirm to prevent misuse by unauthorised third parties. We may log such consent including internet protocol (IP) address as well as date and time for reasons of evidence and security.

You can unsubscribe from notifications and messages, such as newsletters, at any time. We reserve the right to send notifications and messages that are of crucial importance for the provision of our contents. By unsubscribing, you can object, in particular, to the statistical recording of the use for success and reach analyses.

6.3 Notification and message service providers

We send notifications and messages via, or with the help of, third-party service providers. Cookies may also be used during this process. We also guarantee an adequate level of data protection for such services.

We use MailChimp for sending and managing newsletters. MailChimp is a service provided by The Rocket Science Group LLC, USA. For further information on the type, scope and purpose of the data processing, please read the MailChimp Privacy Policy and the page on MailChimp, the Privacy Shield and the GDPR.

7. Third-party services

We purchase third-party services for providing permanent, user-friendly, secure and reliable contents. Such services also serve to embed contents in our website. These services, e.g. hosting and storage services, video services and payment services, require your internet protocol (IP) address as they would otherwise not be able to transfer the corresponding contents. Such services may be located outside of Switzerland and the European Economic Area (EEA) as long as an adequate level of data protection is guaranteed.

Third parties whose services we purchase may also process aggregated, anonymised or pseudonymised data in connection with our contents as well as from other sources – which may include cookies, log files and tracking pixels – for their own security-relevant, statistical and technical purposes.

7.1 Audio and video conferencing

We use audio and video conferencing services in order to communicate with our customers and other persons. These services enable us, in particular, to hold audio and video conferences, virtual meetings and consultations as well as training, e.g. webinars. We do not record these audio and video conferences.

We only use services that provide an adequate level of data protection. Any terms and conditions of the services used, such as terms and conditions of use or privacy policies apply in addition to this Privacy Policy. We use Gruveo, a service provided by Gruveo s.r.o in Slovakia, for video consultations. For details on the type, scope and purpose of the data processing, please read Gruveo’s Privacy Policy.

7.2 Payments

We use payment service providers for securely and reliably processing customer payments. We only use payment service providers that provide an adequate level of data protection. The terms and conditions of the respective payment service providers, such as general terms and conditions (GTC) or privacy policies, apply to the processing.

7.3 Success and reach analyses

We use Matomo, a free-of-charge open source software, on our own server infrastructure for measuring the reach of our online contents. Cookies are also used during this process. Your internet protocol (IP) address is anonymised prior to being analysed.

7.4 Appointments

We use Calendly for agreeing and managing customer appointments. Calendly is a service provided by Calendly LLC, USA. For details on the type, scope and purpose of the data processing, please read  Calendly’s Privacy Policy.

8. Final provisions

We reserve the right to amend and add to this Privacy Policy at any time. We will provide information on such amendments and addendums in a suitable format, particularly by publishing the respective current Privacy Policy on our website.

This is an unofficial translation from the original German document (“Datenschutzerklärung”) available on our website.