Introduction
This privacy policy explains the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) as part of our services via a mobile application (hereinafter collectively referred to as the “online offering”). With regard to the terminology used, such as “processing” or “controller,” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Responsible Party
Our company SkillMatch (companies Damapril GmbH and Dinnova AG), Haselweg 8, 6005 Lucerne, kontakt@skillmatch.one, is responsible for data processing (Art. 5 para. j FADP, Art. 13 para. 1 lit. a GDPR).
Our data protection officer in accordance with Art. 37 GDPR is Dinnova AG, Bahnhofplatz 1, 8001 Zurich, contact@dinnova.ch. If you have data protection concerns, please contact us by mail or email at the above address.
Types of Data Processed
– Contact data (e.g., email, telephone numbers)
– Content data (e.g., text entries, photographs, videos)
– Meta/communication data (e.g., device information, IP addresses)
Categories of Data Subjects
Visitors and users of the online offering (hereinafter we also refer to the data subjects collectively as “users”).
Purpose of Processing
– Provision of the online offering, its functions, and contents
– Responding to contact inquiries and communication with users
– Security measures
– Reach measurement/marketing
Terminology Used
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Relevant Legal Bases
In accordance with Article 13 of the GDPR, we inform you of the legal bases for our data processing. For users from the scope of the General Data Protection Regulation (GDPR), i.e., the EU and the EEA, unless the legal basis is stated in this privacy policy, the following applies:
– The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR
– The legal basis for processing for the fulfillment of our services and performance of contractual measures as well as responding to inquiries is Article 6(1)(b) GDPR
– The legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR
– In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis
– The legal basis for processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is Article 6(1)(e) GDPR
– The legal basis for processing to safeguard our legitimate interests is Article 6(1)(f) GDPR
– Processing of data for purposes other than those for which it was collected is determined in accordance with the provisions of Art. 6(4) GDPR
– Processing of special categories of data (under Art. 9(1) GDPR) is governed by the provisions of Art. 9(2) GDPR
Security Measures
We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the implementation costs, the nature, scope, context, and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access, input, transmission, availability assurance, and separation. We have also established procedures to ensure the exercise of data subjects’ rights, data deletion, and response to data risks. Furthermore, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.
Cooperation with Processors, Joint Controllers, and Third Parties
If we disclose, transmit, or otherwise grant access to data to other persons and companies (processors, joint controllers, or third parties) in the context of our processing, this is done only on the basis of a legal permission (e.g., if data transmission to third parties, such as payment service providers, is necessary for contract fulfillment), if users have given their consent, if a legal obligation provides for it, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).
If we disclose, transmit, or otherwise grant access to data to other companies in our corporate group, this is done particularly for administrative purposes as a legitimate interest and additionally on a basis that complies with legal requirements.
Transfers to Third Countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA), or the Swiss Confederation) or if this is done in the context of the use of services of third parties or disclosure or transmission of data to other persons or companies, this is only done if it is necessary for the fulfillment of our (pre)contractual obligations, based on your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to explicit consent or contractually required transmission, we process the data, or have it processed, only in third countries with a recognized level of data protection, including processors certified under the “Privacy Shield” in the USA or based on special guarantees such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications, or binding internal data protection regulations (Articles 44 to 49 GDPR, EU Commission information page).
Rights of Data Subjects
You have the right to request confirmation as to whether relevant data are being processed and to obtain information about these data as well as further information and a copy of the data in accordance with legal requirements.
You have the right, in accordance with legal requirements, to request the completion or correction of data concerning you.
In accordance with legal requirements, you have the right to request the deletion of data concerning you without delay, or alternatively to request a restriction of the processing of the data in accordance with legal requirements.
You have the right to receive the data concerning you that you have provided to us in accordance with legal requirements and to request their transfer to other controllers.
In accordance with legal requirements, you also have the right to lodge a complaint with the competent supervisory authority.
Right of Withdrawal
You have the right to revoke your consent with effect for the future.
Right to Object
You may object to the future processing of your data at any time in accordance with legal requirements. The objection can be made in particular against processing for direct marketing purposes.
Deletion of Data
The data processed by us are deleted or their processing is restricted in accordance with legal requirements. Unless expressly stated in this privacy policy, the data stored by us are deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any legal retention obligations.
If the data are not deleted because they are required for other legally permissible purposes, their processing is restricted. This means the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
Changes and Updates to the Privacy Policy
We ask you to regularly inform yourself about the content of our privacy policy. We will adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or another individual notification.
Contact
When contacting us (e.g., via contact form, email, telephone, or social media), the user’s details will be processed to handle the contact request and its processing in accordance with Art. 6(1)(b) (in the context of contractual/pre-contractual relationships), Art. 6(1)(f) (for other inquiries) GDPR. User information may be stored in a Customer Relationship Management System (“CRM system”) or comparable request organization.
We delete the inquiries if they are no longer necessary. We review the necessity every two years; statutory archiving obligations also apply.