Privacy policy

1. What is this privacy policy about?

The bcs steuerexperten ag (hereinafter also referred to as «we», «us») obtains and processes personal data relating to you or other persons (so-called «third parties»). We use the term «data» here synonymously with «personal data». Personal data means data relating to specific or identifiable persons (i.e. conclusions about their identity are possible on the basis of the data itself or with corresponding additional data). «Processing» means any handling of personal data, e.g. obtaining, storing, using, adapting, disclosing and deleting.

In this privacy policy we describe what we do with your data when you use our website www.bcs-steuern.ch (the «Website»), obtain our services or products, otherwise interact with us under a contract, communicate with us or otherwise deal with us. Where appropriate, we will inform you of additional processing activities not mentioned in this privacy policy.

If you transmit or disclose data about other persons such as family members, work colleagues, etc., we assume that you are authorised to do so and that this data is correct. By submitting data about third parties, you confirm this. Please also ensure that these third parties are informed about this privacy policy.

This privacy policy is designed to meet the requirements of the EU General Data Protection Regulation («GDPR»), the Swiss Data Protection Act («DPA») and the revised Swiss Data Protection Act («revDSG»). However, whether and to what extent these laws are applicable depends on the individual case.

2. Who is responsible for processing your data?

Responsible for the data processing described in this privacy policy is:

bcs steuerexperten ag
Bollhalder Werner, CEO
Sonnenstrasse 5
Postfach 138
CH-9004 St. Gallen
info@bcs-steuern.ch

If you have any questions about this privacy statement or other data protection concerns and/or wish to exercise your rights under para. 9, please contact us at the above address.

3. What data do we process?

We process different categories of data about you. The main categories are as follows:

  • Technical data: When you use our website, we collect the IP address of your terminal device and other technical data to ensure the functionality and security of this offer. This data also includes logs recording the use of our systems. We generally retain technical data for 24 months. In order to ensure the functionality of these offers, we may also assign an individual code to you or your end device (e.g. in the form of a cookie, see para. 10). The technical data in itself does not allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations, access controls or the processing of contracts, they can be linked to other data categories (and thus possibly to your person).
  • Registration data: Certain offers, e.g. of competitions and services (e.g. login areas of our website, newsletter dispatch etc.) can only be used with a user account or registration, which can take place directly with us or via our external login service providers. In doing so, you must provide us with certain data and we collect data on the use of the offer or service. If we issue you a voucher for one of our contractual partners, we may transmit certain of your registration data to the respective contractual partner or receive such data (cf. para. 6).
  • Communication data: If you are in contact with us via the contact form, by email, telephone or chat, by letter or by any other means of communication, we collect the data exchanged between you and us, including your contact details and the boundary data of the communication. If we want or need to establish your identity, we collect data to identify you (e.g. a copy of an ID card). We usually keep this data for 24 months from the last exchange with you. This period may be longer where this is necessary for reasons of proof or to comply with legal or contractual requirements, or for technical reasons. E-mails in personal mailboxes and written correspondence are generally kept for at least 10 years. Chats are generally kept for 2 years.
  • Master data: Master data is the basic data we need, in addition to contractual data (see below), to process our contractual and other business relationships or for marketing and promotional purposes, such as name, contact details and information about, for example, your role and function, your bank account(s), date of birth, customer history, powers of attorney, signature authorisations and consent forms. We process your master data if you are a customer or other business contact or work for one (e.g. as a contact person of the business partner), or because we want to address you for our own purposes or the purposes of a contractual partner (e.g. as part of marketing and advertising, with invitations to events, with vouchers, with newsletters, etc.). We receive master data from you yourself (e.g. when making a purchase or as part of a registration), from bodies for which you work or from third parties such as our contractual partners, associations and address dealers and from publicly accessible sources such as public registers or the Internet (websites, social media etc.). We generally keep this data for 10 years from the last exchange with you, but at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons. For pure marketing and advertising contacts, the period is usually much shorter, usually no more than 2 years since the last contact.
  • Contract data: This is data that arises in connection with the conclusion or execution of a contract, e.g. information about contracts and the services to be provided or provided, as well as data from the run-up to the conclusion of a contract, the information required or used for the execution and information about reactions. We generally collect this data from you, from contractual partners and from third parties involved in the processing of the contract, but also from third party sources (e.g. providers of creditworthiness data) and from publicly accessible sources. We generally keep this data for 10 years from the last contractual activity, but at least from the end of the contract. This period may be longer if this is necessary for reasons of evidence or to comply with legal or contractual requirements or for technical reasons.
  • Behavioural and preference data: Depending on our relationship with you, we try to get to know you and better tailor our products, services and offers to you. To do this, we collect and use data about your behaviour and preferences. We do this by evaluating information about your behaviour in our area, and we may also supplement this information with information from third parties, including publicly available sources. Based on this, we can calculate, for example, the probability that you will use certain services or behave in a certain way. Some of the data processed for this purpose is already known to us (e.g. when you use our services), or we obtain this data by recording your behaviour (e.g. how you navigate on our website). We anonymise or delete this data when it is no longer meaningful for the purposes pursued, which may be up to 24 months depending on the nature of the data. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or if it is technically required. We describe how tracking works on our website in para. 10.
  • Other data: We also collect data from you in other situations. In connection with official or judicial proceedings, for example, data is collected (such as files, evidence, etc.) which may also relate to you. We may also collect data for health protection reasons (e.g. in the context of protection concepts). We may obtain or make photographs, videos and sound recordings in which you may be identifiable (e.g. at events). We may also collect data on who enters certain buildings or has corresponding access rights and when (incl. in the case of access controls, based on registration data or visitor lists, etc.), who participates in events or campaigns (e.g. competitions) and when, or who uses our infrastructure and systems. The retention period of this data depends on the purpose and is limited to what is necessary. This ranges from a few weeks for contact tracing data to visitor data, which is usually kept for 3 months, to reports on events with pictures, which can be kept for several years or longer.

Many of the measures described in this para. 3 you disclose to us yourself (e.g. via forms, in the course of communication with us, in connection with contracts, when using the website, etc.). You are not obliged to do so, subject to individual cases, e.g. within the framework of binding protection concepts (legal obligations). If you wish to conclude contracts with us or claim services, you must also provide us with data, in particular master data, contract data and registration data, as part of your contractual obligation under the relevant contract. When using our website, the processing of technical data is unavoidable. If you wish to gain access to certain systems, you must provide us with registration data.

4. For what purposes do we process your data?

First and foremost, we process your data in connection with the provision of our services, communication with you and the conclusion, administration and processing of contractual relationships with our customers and other business partners as well as the operation of our website. We then process your data for marketing purposes and to maintain relationships, e.g. to send our customers and other contractual partners personalised advertising about our products and services. This may take the form of newsletters and other regular contacts (electronically, by post, by telephone), via other channels for which we have contact information from you, but also as part of individual marketing campaigns (e.g. events, competitions etc.) and may also include free benefits (e.g. invitations, vouchers etc.). You can refuse such contacts at any time (see at the end of this para. 4) or refuse or revoke your consent to be contacted for advertising purposes.

We may also process your data for other purposes insofar as this is permitted by law and we have a legitimate interest in the corresponding data processing (e.g. market and opinion research, offering and further developing our services, guaranteeing our operation, in particular of the IT and our website, and asserting legal claims).

We may use certain of your personal attributes for the purposes set out in this para. 4, if we want to determine preference data, but also to determine abuse and security risks, to carry out statistical evaluations or for operational planning purposes. For the same purposes, we can also create profiles, i.e. we can combine behavioural and preference data, but also master and contract data and technical data assigned to you, in order to better understand you as a person with your different interests and other characteristics.

In both cases, we pay attention to the proportionality and reliability of the results and take measures against misuse of these profiles or profiling. If these can have legal effects or significant disadvantages for you, we generally provide for a manual review.

5. On what basis do we process your data?

Insofar as you have given us consent to process your data for certain purposes (e.g. registration to receive newsletters or consent to other regular contacts, consent to automated data processing, where applicable), we process your data within the scope of and based on this consent, insofar as we have no other legal basis and we require such a basis. Consent that has been given can be revoked at any time, but this has no effect on data processing that has already taken place (see also para. 9).

Where we do not ask for your consent to process your personal data, we base the processing of your personal data on the fact that the processing is necessary for the initiation or performance of a contract with you (or the entity you represent) or that we or third parties have a legitimate interest in doing so, in particular in order to fulfil the obligations set out in para. 4 above and related objectives described above and to be able to take appropriate action. Our legitimate interests also include compliance with legal regulations, insofar as this is not already recognised as a legal basis by the respective applicable data protection law (e.g. in the case of the GDPR, the law in the EEA and in Switzerland). However, this also includes the marketing of our products and services, the interest in better understanding our markets and in managing and further developing our company, including operations, safely and efficiently.

6. Who do we disclose your data to?

In connection with our contracts, the website, our services and products, our legal obligations or otherwise in order to protect our legitimate interests and the other interests set out in para. 4 we also transfer your personal data to third parties, in particular to the following categories of recipients:

  • Service providers: We work with service providers in Switzerland and abroad who process data about you on our behalf or in joint responsibility with us or who receive data about you from us in their own responsibility (see para. 10).
  • Contractual partners including customers: This initially refers to customers and other contractual partners of ours, because this data transfer results from these contracts. For example, they receive registration data on issued and redeemed vouchers, invitations, etc. If you work for such a contractual partner yourself, we may also transfer data about you to them in this context. The recipients also include contractual partners with whom we cooperate.
  • Authorities: We may pass on personal data to offices, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to do so or if this appears necessary to protect our interests. The authorities process data about you that they receive from us on their own responsibility.
  • Other persons: This refers to other cases where the inclusion of third parties arises from the purposes pursuant to para. 4 results.

All these categories of recipients may in turn involve third parties, so that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).

We also allow certain third parties to collect personal data from you on our website (e.g. providers of tools that we have embedded on our website). Insofar as we are not decisively involved in these data collections, these third parties are solely responsible for them. If you have any concerns and wish to assert your data protection rights, please contact these third parties directly (cf. para. 10).

7. How long do we process your data?

We process your data for as long as our processing purposes, the statutory retention periods and our legitimate interests in processing for documentation and evidence purposes or practical reasons require or storage is technically necessary. Further information on the respective storage and processing duration can be found under the individual data categories in para. 3 or for the cookie categories in para. 10. If there are no legal or contractual obligations to the contrary, we will delete or anonymise your data after the storage or processing period has expired as part of our normal processes.

Documentation and evidence purposes include our interest in documenting processes, interactions and other facts in case of legal claims, discrepancies, IT and infrastructure security purposes and evidence of good corporate governance and compliance. Retention may be technically necessary if certain data cannot be separated from other data and we therefore need to retain it with them (e.g. in the case of backups or document management systems).

8. How do we protect your data?

We take appropriate technical and organisational security measures to maintain the confidentiality, integrity and availability of your data, to protect it against unauthorised or unlawful processing and to protect against the risks of loss, accidental alteration, unauthorised disclosure or access.

9. What rights do you have?

Applicable data protection law grants you the right to object to or request restriction of the processing of your data in certain circumstances, in particular that for direct marketing purposes, direct marketing profiling and other legitimate processing interests.

To help you control the processing of your personal data, you also have the following rights in connection with our data processing, depending on the applicable data protection law:

  • The right to request information from us as to whether and what data we process from you
  • The right to have us correct data if it is inaccurate
  • The right to request the deletion of data
  • The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller
  • The right to withdraw consent insofar as our processing is based on your consent
  • The right to obtain, on request, further information necessary for the exercise of these rights

If you wish to exercise any of the above rights against us, please contact us in writing, our contact details can be found in para. 2. In order for us to be able to exclude misuse, we must normally identify you (e.g. with a copy of your identity card, if this is not otherwise possible).

Please note that these rights are subject to conditions, exceptions or limitations under applicable data protection law (e.g. to protect third parties or trade secrets). We will inform you accordingly if necessary.

10. How do we use online tracking and online advertising techniques?

We use various technologies on our website that enable us and third parties we engage to recognise you when you use our website and, in some circumstances, to track you across multiple visits.

In essence, this is so that we can distinguish accesses by you (via your system) from accesses by other users, so that we can ensure the functionality of the website and carry out evaluations and personalisations. In doing so, we do not want to infer your identity, even if we can do so insofar as we or third parties engaged by us can identify you through a combination with registration data. Even without registration data, however, the technologies used are designed in such a way that you are recognised as an individual visitor each time you access the site, for example by our server (or the servers of the third parties) assigning you or your browser a specific identification number (so-called «cookie»).

Cookies are individual codes (e.g. a serial number) that our server or a server of our service provider or advertising partner transmits to your system when you connect to our website and that your system (browser, mobile) accepts and stores until the programmed expiry time. With each subsequent access, your system transmits these codes to our server or the server of the third party. In this way, you are recognised even if your identity is unknown.

Other techniques may also be used to make you more or less likely to be recognised (i.e. distinguished from other users), e.g. «fingerprinting». Fingerprinting combines your IP address, the browser you use, the screen resolution, the language choice and other information that your system communicates to each server), resulting in a more or less unique fingerprint. In this way, cookies can be dispensed with.

Whenever you access a server (e.g. when using a website or an app or because an image is visibly or invisibly integrated in an email), your visits can therefore be «tracked» (traced). If we integrate offers from an advertising contractor or provider of an analysis tool on our website, they may track you in the same way, even if you cannot be identified in individual cases.

We use such techniques on our website and allow certain third parties to do so as well. You can program your browser to block, deceive or delete existing cookies from certain cookies or alternative techniques. You can also enhance your browser with software that blocks tracking by certain third parties. You can find more information about this on the help pages of your browser (usually under the keyword «data protection») or on the websites of the third parties that we list below.

With your consent (cf. para. 5) you can use the entire functionality of the website. Otherwise, only the essential cookies that are absolutely necessary and required for the website to function properly will be set.

10.1 Google Tag Manager

This website uses the «Google Tag Manager» service of Google Ireland Limited.

Information on the handling of user data can be found in the privacy policy:

policies.google.com/privacy?hl=de&gl=ch

10.2 Google Analytics

This website uses the «Google Analytics» service of Google Ireland Limited.

Information on the handling of user data can be found in the privacy policy:

policies.google.com/privacy?hl=de&gl=ch

10.3 Google Maps

This website uses the «Google Maps» service of Google Ireland Limited.

Information on the handling of user data can be found in the privacy policy:

policies.google.com/privacy?hl=de&gl=ch

11. Which other offers from third parties do we use?

We use offers from third parties for sending messages and use external payment service providers. Based on our legitimate interests, we may transfer personal data to these third parties.

11.2 Microsoft 365

This website uses the «Microsoft 365» service of Microsoft Corporation.

You can find more information on this in the privacy policy:

privacy.microsoft.com/en/privacystatement

12 Can this privacy policy be changed?

This Privacy Policy does not form part of any contract with you. We may amend this privacy policy at any time. The version published on this website is the current version.

Last updated: October 2023