Waldstein Art Consulting GmbH, Etzelstrasse 31, CH-8038 Zürich, Switzerland, registered in the commercial register of canton Zürich under the number CH-020.4.042.453-1, UID CHE-115.626.054, in the person of its authorised representative (the Controller or Waldstein), cares about the protection of the personal data of its customers and of the users of waldstein-art.ch (the Website).
Therefore, Waldstein hereby intends to inform you of the modalities, purposes and characteristics of the processing of personal data provided by visiting the Website, in accordance with the principle of lawfulness, fairness and transparency and in compliance with the provisions of the national legislation (Federal Data Protection Law – LPD – as well as other applicable provisions of Swiss law regarding data protection) and with European law (in particular the EU Regulation 2016/679, GDPR).
If you have any questions or requests regarding your personal data, please contact Waldstein at the following e-mail address: firstname.lastname@example.org.
What personal data we process and for what purposes
Automatically collected data
When you visit our Website, our servers temporarily record your access in a log file. Specifically, some technical data will be stored and automatically deleted after a maximum of 2 years, such as (i) the IP address of your computer, (ii) the owner of the IP address range, (iii) the date and time of the visit, (iv) the address of the webpage which led to the Website (HTTP referer), with the search term used, if applicable, (v) the name and URL of the recovered files, (vi) the status code (e.g. error codes), (vii) the operating system of your computer, (viii) the browser you use (type, version and language), (ix) the transmission protocol.
The collection and processing of these data is carried out in order to allow the use of our Website, to guarantee the security and the stability of the system, as well as to obtain anonymous, statistical information, which could be useful for internal purposes. Furthermore, these data may be used to establish responsibility in the event of the commission of computer crimes against our Website, of attacks targeting the network infrastructure or of other unauthorised or abusive use of our Website. The provision of the abovementioned personal data is compulsory if you want to navigate our Website.
The legal basis for the processing of these data lies in our overriding private interest within the meaning of Art. 13 par. 1 LPD, i.e. in our legitimate interest according to Art. 6 par. 1, let. f) GDPR.
Cookies and similar technologies
The legal basis for the processing of data collected through technical cookies lies in our overriding private interest within the meaning of Art. 13 par. 1 LPD, i.e. in our legitimate interest according to Art. 6 par. 1, let. f) GDPR to ensure the functionality of our Website; in case of installation of other cookies, the basis for the processing of your personal data is the consent you provide through the cookie banner.
Contacts: telephone, e-mail or regular mail
If you contact Waldstein by telephone, e-mail or regular mail, this will result in the acquisition by the Controller of the data and information you provide.
In order to answer your questions, you may be requested to provide us with further information (e.g. name and surname, address, e-mail, telephone number, etc.). In any case, in accordance with the principle of data minimisation, we will only collect the personal data strictly necessary to identify you and to process your requests in the best possible way. We recommend that you do not transmit special categories of data within the meaning of Art. 9 GDPR (e.g. data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, data concerning health, etc.).
The provision of these data is optional but the refusal to provide all or part of your data may result in the impossibility for Waldstein to process your requests.
The legal basis for the processing of the abovementioned data lies in your consent, according to Art. 13 par. 1 LPD and Art. 6 par. 1 let. a) GDPR. The Controller will provide the data subject with specific further information, if other purposes of the processing were to emerge.
Use of the form in the Contacts section
In the Contacts section of the Website you can find a form that allows you to get in touch with Waldstein. In the form, Waldstein requests your name, your surname and your e-mail address, and provides you with a space for a short message. You are free to choose the data you want to transmit by filling in the blank space; however, we recommend that you do not transmit special categories of data within the meaning of Art. 9 GDPR (e.g. data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, data concerning health, etc.).
The provision of data transmitted by filling in the form is optional, but the refusal to provide all or part of your data may result in the impossibility for Waldstein to process your requests.
The legal basis for the processing of the abovementioned data lies in your consent, according to Art. 13 par. 1 LPD and Art. 6 par. 1 let. a) GDPR. Your consent will be given by flagging the box at the bottom of the form. The Controller will provide the data subject with specific further information, if other purposes of the processing were to emerge.
How and for how long we store your data
Storage and security measures
Personal data can be stored in paper or electronic form, with the adoption of appropriate technical and organisational measures, to prevent any violation of personal data, such as loss of data, unlawful or incorrect use and unauthorised access. However, such measures might not be sufficient to limit or exclude risks of unauthorised access or dispersion of data, due to the peculiar nature of the communication channel.
To this end, we recommend that you periodically check that you are equipped with adequate software devices, to protect incoming and outbound network data transfer (such as updated antivirus systems) and that your Internet service provider has adopted adequate measures for the security of network data transfer (such as firewalls and spam filters).
Waldstein employees and contractors who process your personal data have been duly authorised to do so and are obliged to maintain confidentiality and to comply with the applicable data protection laws.
Data retention period
As far as navigation data are concerned, these will be stored for a maximum period of 2 years.
The personal data provided by telephone, e-mail, regular mail or by filling in the Contacts form will be stored for the time strictly necessary to process your request.
In the event that the processing should become necessary to exercise further legitimate interests of the Controller (e.g. to prevent abuse and fraud or to establish, exercise or defend a legal claim) or to comply with legal obligations, the retention might have a different duration, depending on the applicable law.
Once the aforementioned reasons for processing have ceased to apply, the data will be deleted, destroyed or stored anonymously.
To whom we communicate your data
- Waldstein’s internal staff, duly authorised to process personal data;
- contractors, such as third party technical service providers, hosting providers, IT technicians and consultants, from time to time appointed, if necessary, as processors according to Art. 28 et seq. GDPR;
- persons to whom the right to access the data is granted by law, regulations or orders.
Waldstein remains at your disposal to provide you, if required, with an updated list of data processors.
Your data will not be transferred, disseminated or sold to third parties.
Otherwise, the Controller informs you that the transfer will be carried out in accordance with Art. 6 LPD and with Chapter V GDPR, e.g. (i) with your explicit consent, (ii) on the basis of standard data protection clauses adopted by the European Commission or (iii) by carrying out the transfer to countries that have adopted adequate data protection standards.
What are your rights
For a better understanding of your rights under the data protection law, we invite you to read articles 15 et seq. of the GDPR in full. For your convenience, an excerpt of these provisions is provided below.
- Right of access (art. 15 GDPR): you can obtain confirmation as to whether or not your personal data are being processed and, where that is the case, access to the personal data and to further information regarding the processing.
- Right to rectification (art. 16 GDPR): you can obtain the rectification or the completion of inaccurate or incomplete personal data processed by the Controller.
- Right to erasure (“right to be forgotten”) (art. 17 GDPR): you can obtain the erasure of your personal data without undue delay, where one of the following grounds applies: (i) the data are no longer necessary in relation to the purposes for which they were collected, (ii) your consent has been withdrawn and there is no other ground for the processing, (iii) the data subject has objected to the processing, (iv) the personal data have been unlawfully processed, or (v) the personal data have to be erased for compliance with a legal obligation.
- Right to restriction of processing (art. 18 GDPR): you can obtain restriction of processing of your personal data when one of the following applies: (i) the data subject contests the accuracy of personal data, for a period enabling the Controller to verify the accuracy of such data; (ii) the processing is unlawful and the data subject opposes the erasure of the data, requesting the restriction of their use instead; (iii) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (iv) the data subject has objected to processing pursuant to Art. 21, par. 1, GDPR, pending the verification whether the legitimate grounds of the Controller override those of the data subject.
- Right to data portability (art. 20 GDPR): you have the right (i) to receive your personal data in a structured, commonly used and machine-readable format, (ii) to have the personal data transmitted directly from one controller to another, where technically feasible, as well as (iii) to transmit those data to another controller without hindrance from the Controller.
- Right to object (art. 21 GDPR): you have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data which is based on the legitimate interest of the Controller, including profiling, or on the performance of a task carried out in the public interest or in the exercise of official authority, unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Right not to be subject to automated decision-making, including profiling (art. 22 GDPR): you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Right to withdraw your consent (art. 7, par. 3, GDPR): you can withdraw your consent without affecting the lawfulness of processing based on consent before its withdrawal.
Lastly, we would like to inform you that you have the right to lodge a complaint with the supervisory authority, which in Italy is the Data Protection Authority (Garante per la Protezione dei Dati Personali) and in Switzerland is the Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter | Préposé fédéral à la protection des données et à la transparence | Incaricato federale della protezione dei dati e della trasparenza).
Last update: 23 October 2020