Data Protection Policy
1. Scope and Purpose
This data protection policy (“Data Protection Policy“) applies to Inrate AG or Inrate SA (“Inrate“) when it processes personal data of customers, partners, contractors, agents and other third par- ties (“Partners” or “you“).
This Data Protection Policy sets forth Inrate’s obligations with respect to data protection and the rights of Partners with respect to their personal data under the Federal Act on Data Protection (“FADP“) and the General Data Protection Regulation (“GDPR“), as amended from time to time (collectively, the “Data Protection Legislation”).
The data protection statement defines “personal data” as any information relating to an identified or identifiable natural person (a partner); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This data protection statement sets out the procedures to be followed when handling personal data from partners.
2. How to Contact us?
Please contact us if you have any questions about this data protection policy or the personal data we hold about you. You can contact us by email: info@inrate.com
3. Why do we Process your Personal Data and on What Legal Basis?
We process your personal data in order to fulfil our obligations under the relevant contract we have entered into with you, or in order to protect other legitimate interests or to comply with a legal obligation that Inrate has in relation to the relevant contract.
4. What Information do we Collect About You?
The following personal data may be collected, stored and processed by Inrate: Name, telephone number(s), postal address, email address and any other information about you that you have provided to us.
5. How do we Collect Personal Data About You?
In general, Inrate may collect your personal information in the following ways:
- a. when you submit forms or applications to us;
- b. when you make enquiries to us;
- c. when you ask to be added to an email or other mailing list;
- d. when you respond to our initiatives; and
- e. when you provide us with your personal data for any other reason.
6. Data Protection Principles
The purpose of this data protection statement is to ensure compliance with the data protection policy. The Data Protection Policy sets out the following principles that everyone who handles personal data must comply with. All personal data must be:
- a. processed lawfully, fairly and in a transparent manner in relation to the partner;
- b. collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- c. be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- d. All reasonable steps shall be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are erased or rectified without undue delay;
- e. kept in a form which permits identification of the partner for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer if the personal data are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, provided that the appropriate technical and organizational measures are taken to protect the rights and freedoms of the partner as provided for in the data protection statement;
- f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
7. What are your Rights?
According to the data protection policy you have the following rights:
- a. the right to be informed about the collection and use of personal data by Inrate;
- b. the right to access the personal data that Inrate holds about you;
- c. the right to rectification if personal data Inrate holds about you is inaccurate or incomplete;
- d. the right to be forgotten – i.e. the right to ask Inrate to delete all personal data held about you;
- e. the right to restrict (i.e. prevent) the processing of the personal data;
- f. the right to data portability (obtaining a copy of the personal data for reuse by another service or organization);
- g. the right to object to the use of personal data by Inrate for specific purposes; and
- h. rights in relation to automated decision making and profiling (if applicable).
8. Technical and Organizational Measures
Inrate ensures that all its employees, agents, contractors or other parties working on its behalf comply with and implement the appropriate technical and organizational measures.
9. Transfer of Personal Data to a Country Outside the EEA
Inrate ensures that all its employees, agents, contractors or other parties working on its behalf comply with and implement the appropriate technical and organizational measures.
- 9.1. Inrate generally processes all personal data in Switzerland.
- 9.2. Inrate may from time to time transfer personal data to countries outside Switzerland or the EEA (“transfer” includes remote access).
- 9.3. The transfer of personal data to a country outside the EEA will only take place if one or more of the following apply:
- a. the transfer takes place to a country, a territory or one or more specified sectors of that country (or an international organization) which, in the opinion of the Swiss Federal Council or the European Commission, ensures an adequate level of protection for personal data;
- b. the transfer takes place to a country (or an international organization) that provides adequate safeguards in the form of a legally binding agreement between public authorities or bodies, binding corporate rules, standard data protection clauses adopted by the European Commission, compliance with a code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office), certification under an approved certification scheme (as provided for in the data protection statement), contractual clauses agreed by the relevant supervisory authority, or the transfer of data to a third country. (e.g. the Information Commissioner’s Office), certification under an approved certification procedure (as provided for in the data protection statement), contractual clauses agreed and approved by the competent supervisory authority, or provisions in administrative agreements between authorities or bodies approved by the competent supervisory authority;
- c. the transfer is made with the informed consent of the partner(s) concerned.
10. Notification of Data Protection Breaches
- 10.1. All personal data breaches must be reported immediately to Inrate’s Data Protection Officer.
- 10.2. If there is a personal data breach that may pose a risk to the rights and freedoms of the partner (e.g. financial damage, breach of confidentiality, discrimination, damage to reputation or other significant social or economic damage), the Data Protection Officer must ensure that the FDPIC is notified of the breach without delay and, if appropriate, that an EU authority is notified without delay and in any event within 72 hours of becoming aware of the breach.
- 10.3. If a personal data breach is likely to result in a high risk to the rights and freedoms of the partners, the Data Protection Officer shall ensure that all partners concerned are informed of the breach immediately and without undue delay.
11. Revocation of Consent
If consent has been given, partners have the right to withdraw such consent at any time by written notice or email to Inrate’s Data Protection Officer.
12. Changes to this Data Protection Statement
Inrate reserves the right to change this Data Protection Policy from time to time. The most recent version will be posted on Inrate’s website(s).