This Privacy Policy („Privacy Policy“) describes the principles based on which Swisspath AG, Seefeldstrasse 56, 8008 Zürich, Switzerland („Swisspath“, „we“ or „us“) processes personal data collected through this website, its other websites and/or any subsites of such (collectively „website“) or collected from you communicating or otherwise dealing with us. In addition, we may inform you about the processing of your personal data separately, for example in consent forms, terms and conditions, additional privacy notices, forms and other notices which shall apply additionally or (if indicated accordingly) instead of this Privacy Policy to such processing activities. This Privacy Policy informs you in particular about what personal data we collect, for which purposes it is processed, with whom it may be shared, for how long we retain it and which rights and options relating to the use of your personal data you may have. „Personal data“ means any and all information relating to an identified or identifiable natural person (individual) that – alone or in combination with additional data – allows to draw conclusions about the identity of such individual like for example name, address, e-mail address, an online identifier or the phone number. Please read this Privacy Policy carefully.

If you disclose personal data to us or share personal data with us about other individuals, such as family members, co-workers, etc., we assume that you are authorized to do so, and that the relevant personal data is accurate. When you share personal data about others with us, you confirm the aforementioned. Please make sure that these individuals have been informed about this Privacy Policy.

This Privacy Policy is aligned with the EU General Data Protection Regulation („GDPR“), the Swiss Federal Act on Data Protection („DPA“) and the revised Swiss Federal Act on Data Protection replacing the DPA upon its coming into force („revDPA“). However, the application of these laws depends on each individual case.

By submitting your personal data to us and/or visiting the website, you acknowledge and agree that:

• You have read and understood this Privacy Policy and agree to the use of your personal data as described herein;
• All of your information is, to the best of your knowledge and belief, correct, true, complete and accurate;
• Your personal data may be transferred and processed outside Switzerland and the EEA in countries that may not provide the same level of data protection as your home country, for the purposes and in the manner specified in this Privacy Policy.

1. Who controls the personal data

The controller of personal data collected through the website is Swisspath. Swisspath determines the purposes and means of the processing of your personal data and is therefore responsible for the processing and use of your personal data as described in this Privacy Policy. If you have any questions or concerns regarding privacy or how we process your personal data, kindly contact us at any time as follows:

Swisspath AG
Seefeldstrasse 56
8008 Zürich, Switzerland
Telefon: +41 44 454 26 26
Fax: +41 44 454 26 27
Email: info@swisspath.com.

We have appointed the following additional position:

Data Protection Representative in the EU according to article 27 GDPR:

Swisspath Yachting Ltd (Mallorca)
Carrer Joan Maria Thomàs, 2
07014 Palma, Balearic Islands, Spain
Phone: +34 971 579 263

2. How do we process personal data

Any personal data collected through the website is processed in accordance with the provisions of applicable data protection and privacy laws. We collect and process personal data carefully and for the purposes described in this Privacy Policy. In accordance with applicable law, we may also use your personal data in other ways as described in this Privacy Policy. In such event, we will provide specific privacy policies or notices at the time of collection and obtain your consent where necessary. We always seek, to the extent reasonably possible, to collect information on an anonymized or pseudonymized basis so we cannot recognize your identity.

3. What personal data do we collect via our website

We may collect the following personal data via our website:

3.1 Information provided by you

We collect information which you actively and voluntarily provide us through the website (for example by using the contact form), via our contact email address info@swisspath.com or any other Swisspath email address, by phone call, by letter or other means of communication. This may include the following personal data:

• Your name, first name, address, email address, phone number, business contact information, information about your business or other information about yourself or another person;
• Information that you provide when you apply for a job position, such as your name, email address, address, telephone number, date of birth, qualifications, competences, experience, skills, education, information relating to your employment history, third party references. This includes information provided via email, CVs or resumes, in person via telephone, at interviews and/or by any other method.

The providing of such personal data will always be voluntary based on your consent (i.e. you actively providing us such information). Without providing such information you may, however, not be able to use the services or purposes for which the information is requested.

We may in certain circumstances also collect personal data not directly provided by you, but from third parties to the extend relevant and permitted by applicable law, e.g. in connection with a job application. We may, subject to your consent, seek references about you from former employers or any other references provided by you.

3.2 Information automatically collected

Swisspath collects and stores information that your browser automatically transmits to us in „server log files“ when visiting our website. These may include the following data:

• Browser type and browser version
• Operating system used
• Referrer URL (the previously visited website)
• Host name of the accessing computer
• Date and time of the server request
• Internet Protocol address (IP address)
• Transmitted data volume
• Other similar data and information which serve to avert danger in the event of attacks on our IT systems.”

This data will not be combined with data from other sources. It is stored by us until they are automatically deleted within six months at the latest.

In order to ensure the functionality of the website, we may also assign an individual code to you or your terminal device (for example as a cookie, see Section 8).

4. For what purposes and on what legal basis do we process personal data about you

4.1 Purposes of processing

1. Information provided by you

We will use the information provided by you for the lawful purposes which were evident from the circumstance or indicated at the time of collection which may include the following purposes:

• communicating with you (e.g. about our services) and provide you with the best possible and personalized information you may require from us;
• for answering any questions or requests you may have about our services in the best possible manner, asking you questions and giving additional information tailored to your interests in connection with our services prior to entering into a possible contract relation;
• to consider your application in respect of a position for which you have applied;
• to consider your application in respect of other future positions in case your application was unsuccessful; in such an event, we will seek your consent for keeping your application on file after we have informed you about the rejection of your job application;
• to communicate with you in respect of the recruitment process, e.g. to obtain additional information where necessary, to provide you with information relating to your application;
• to contact third party references provided by you to evaluate your previous performances subject to your consent; and
• to fulfill and comply with legal and regulatory compliance obligations imposed on us, e.g. it is mandatory to check a successful applicant’s eligibility to work in a country before employment begins.

2. Information automatically collected

The data automatically collected as described above is processed for the purposes of proper functioning of our website, e.g. for establishing a connection, ensuring stability and uninterrupted system security, to improve our services, and for statistical purposes in the event of attacks on the network infrastructure on which the website is made available

4.2 Legal basis for processing

If and to the extent required under applicable data protection law (like under the GDPR), the legal basis for processing your personal data for the purposes described above may be based on the following legal grounds:

• your consent;
• for the performance of a contract with you or for the intention to enter into a contract, e.g. an employment contract;
• to comply with a legal obligation (e.g. for purposes of legal investigations or proceedings);
• for the purposes of our legitimate interests, for example for maintaining and improving our internal business administration, organization, operations, risk management, protection of systems and premises, prevention of fraud and other offences, for advertising and marketing activities, to guarantee an effective, efficient, secure and harmonized service, and/or in particular for pursuing the purposes and objectives set out in Section 4.1 and in implementing related measures.; or
• to comply with legal or other regulatory requirements and internal rules; and for establishing, exercise and/or defend actual or potential legal claims, investigations or similar proceedings.

Should the processing be based on your consent or our legitimate interests, you may withdraw consent or object to that processing at any time by contacting us by using the contact details set out in Section 1. The personal data processed before we receive your request may still be legally processed.

5. With whom do we share your personal data

We take necessary measures to ensure only our authorized personnel on a need to know basis will have access to your personal data to fulfill the purposes for which your personal data was collected.

We may share your personal data with the following categories of recipients in accordance with the purposes of processing as described herein:

• our affiliated companies that are in particular the following companies that may use the personal data according to this Privacy Policy for the same purposes as we use it (see Section 4):
  • Swisspath Aviation AG, Seefeldstrasse 56, 8008 Zürich, Switzerland;
  • Swisspath Capital AG, Seefeldstrasse 56, 8008 Zürich, Switzerland;
  • Swisspath Consulting AG, Seefeldstrasse 56, 8008 Zürich, Switzerland;
  • SWISSPATH HEALTH AG, Seefeldstrasse 56, 8008 Zürich, Switzerland;
  • Swisspath Yachting AG, Seefeldstrasse 56, 8008 Zürich, Switzerland;
  • Swisspath Yachting Ltd (Mallorca), Carrer Joan Maria Thomàs, 2, 07014 Palma, Balearic Islands, Spain; or
  • Fiducia Trustee (Zurich) GmbH, Seefeldstrasse 56, 8008 Zürich, Switzerland.
• our trusted third-party service providers, including processors (e.g. providers of IT services);
• website designers and developers;
• professional advisors and auditors;
• acquires or parties interested in acquiring business units, companies or other parts of Swisspath;
• governmental administrations, courts and other competent authorities;
• other parties in potential or actual legal proceedings.

We choose our partners and data processors carefully and only upon sufficient guarantees they have appropriate technical and organizational measures in place. Our third-party partners are subject to confidentiality requirements and may use your personal data solely to the extent necessary to fulfill the purpose for which your personal data was collected, except as otherwise required by law

6. Transfer of personal data to countries outside the EEA

We may transfer, store and process your personal data in data locations around the world, where our affiliated companies or our third-party providers are located. Therefore, we may transfer your personal data outside Switzerland or the EEA if it is required for the data processing described in this Privacy Policy in accordance with applicable law.

If data is disclosed to countries that do not guarantee an adequate level of protection, Swisspath will ensure adequate protection of data disclosed by putting appropriate safeguards in place, such as contractual guarantees (e.g., on the basis of EU standard contractual clauses), binding corporate rules, or transferring data pursuant to explicit consent, conclusion or performance of a contract, or in connection with the determination, exercise or enforcement of legal claims. You may obtain more information about our appropriate safeguards by contacting us using the contact details set out in Section 1.

7. For how long do we keep information about you

We retain your personal data for as long as necessary to fulfill the purposes for which your personal data was collected. For this reason, we will delete or anonymize personal data (or equivalent) once they are no longer necessary to achieve the purposes, subject however (i) to any applicable legal or regulatory requirements to store personal data for a longer period (e.g. for tax or accounting reasons), or (ii) to establish, exercise and/or defend actual or potential legal claims, investigations or similar proceedings, including legal holds, which we may enforce to preserve relevant information.

On that basis, we normally process personal data subject to the following rules and obligations:

• For contract related personal data (including business records and communication), we retain personal data as long as the contractual relation is ongoing and for ten years after the termination of the contractual relationship;
• For unsuccessful job applicant’s data, we will hold personal data on file for six months after the end of the relevant recruitment process or, with applicant’s consent, we will keep personal data on file for additional twelve months for consideration for future job positions;
• For operational data containing data (e.g. protocols, logs), we retain personal data for a period of 3 – 12 months.

8. Do we use online tracking techniques?

We use various techniques on our website that allow us and third parties engaged by us to recognize you during your use of our website, and possibly to track you across several visits. This Section informs you about this.

In essence, we wish to distinguish access by you (through your system) from access by other users, so that we can ensure the functionality of the website and carry out analysis and personalization. We do not intend to determine your identity, even if that is possible where we or third parties engaged by us can identify you by combination with registration data. However, even without registration data, the technologies we use are designed in such a way that you are recognized as an individual visitor each time you access the website, for example by our server (or third-party servers) that assign a specific identification number to you or your browser (so-called „cookie“).

We use these technologies on our website and may allow certain third parties to do so as well. You can also set your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser that blocks certain third-party tracking. You can find more information on the help pages of your browser (usually with the keyword „privacy“) or on the websites of the third parties set out below.

We distinguish the following categories of „cookies“ (including other technologies such as fingerprinting):

• Necessary cookies: Some cookies are necessary for the functioning of the website or for certain features. For example, they ensure that you can move between pages without losing information that was entered in a form. They also ensure that you stay logged in. These cookies exist temporarily only („session cookies“). If you block them, the website may not work properly. Other cookies are necessary for the server to store options or information (which you have entered) beyond a session (i.e. a visit to the website) if you use this function (for example language settings, consents, automatic login functionality, etc.). These cookies have an expiration date of up to 24 months.
• Performance cookies: In order to optimize our website and related offers and to better adapt them to the needs of the users, we use cookies to record and analyze the use of our website, potentially beyond one session. We use third-party analytics services for this purpose. We have listed them below. Before we use such cookies, we ask for your consent. Performance cookies also have an expiration date of up to 24 months. Details can be found on the websites of the third-party providers.

We currently use (or in the future may use) offers from the following service providers and advertising partners (where they use data from you or cookies set on your computer for advertising purposes):

• Google Analytics: Google Ireland Ltd. (located in Ireland) is the provider of the service „Google Analytics“ and acts (or may act) as our processor. Google Ireland relies on Google LLC (located in the USA) as its sub-processor (collectively „Google“). Google collects information about the behavior of visitors to our website (duration, page views, geographic region of access, etc.) through performance cookies (see above) and on this basis creates reports for us about the use of our website. We have configured the service so that the IP addresses of visitors are truncated by Google in Europe before forwarding them to the USA and then cannot be traced back. We have turned off the „data sharing“ option and the „signals option“. Although we can assume that the information we share with Google is not personal data for Google, it may be possible that Google may be able to draw conclusions about the identity of visitors based on the data collected, create personal profiles and link this data with the Google accounts of these individuals for its own purposes. In any event, if you consent to the use of Google Analytics, you expressly consent to any such processing, including the transfer of your personal data (in particular website and app usage, device information and unique IDs) to the USA and other countries.
• Google Maps: This website uses the map service of Google Maps via an API. Google LLC (located in the USA) is the provider. The storage of your IP address is required if you want to use the functions of Google Maps. This information is normally transmitted to a server of Google in the USA and it will be stored there. Swisspath has no control over the data transmission. Google Maps is used to facilitate our location listed on our website.

9. Security

We have implemented various technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised use, disclosure or access, in particular where processing involves the transmission of data over a network, and against all other unlawful forms of processing and misuse.

Swisspath may use third party data processors to collect and process your personal data (see Section 5). Any data processors commissioned by us will only process your personal data in accordance with our instructions and are legally obliged to adhere to strict security procedures when handling personal data.

Unfortunately, transmission of information via the internet is not wholly secure. Although we do our utmost to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is done so at your own risk. Once we have received your information, we employ strict procedures and rigid security measures to try to prevent unauthorised access.

10. Children

Our websites are not intended for children and we do not knowingly collect personal data from children under the age of 16. If we are notified or otherwise learn that personal data of a child under the age of 16 has been improperly collected, we will take all reasonable steps to delete that personal data.

11. What are your rights

You may request information from Swisspath as to whether personal data concerning you is being processed and what personal data we process from you. In addition, you have the right to request the correction (if it is inaccurate), destruction, erasure, or restriction of personal data regarding yourself as well as to object to the processing of personal data. Should the processing of personal data be based on consent, you may withdraw consent at any time. However, please note that a withdrawal does not affect the legitimacy of the processing activities that took place before you withdrew your consent. You have the right to obtain certain personal data in a structured, common and machine-readable format which allows for further use and transfer. Requests in this respect shall be submitted to Swisspath using the contact details set out in Section 1. Please note that conditions, exceptions, or restrictions apply to the above rights under applicable data protection law (for example to protect third parties or trade secrets). We will inform you accordingly where applicable.

For any requests and any questions or concerns regarding this Privacy Policy or how we process your personal data, kindly contact us at any time by using the contact details set out in Section 1.

If you do not agree with the way we handle your rights or with our data protection practices, you are also entitled to lodge a complaint with the competent supervisory authority and seek a judicial remedy. If you are located in the EEA, the United Kingdom or in Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.

12. Changes to our Privacy Policy

This Privacy Policy may be changed from time to time and without prior notice or announcement. All changes to this Privacy Policy are effective when they are posted on the website unless indicated otherwise. When we change the policy in a material manner, we will let you know via email and/or a prominent notice on our website or in another appropriate manner prior to the change becoming effective and update the ‘effective date’ at the top of this page.