Athos Group Data Protection Policy

 

Introduction and objective

This Privacy Policy describes how Athos Trustees (Switzerland) AG (hereinafter referred to as "ATHOS") collects and processes personal data. This Privacy Policy is not exhaustive; other declarations regarding data protection may govern specific situations. For the purposes of this Privacy Policy, personal data refers to any information relating to an identified or identifiable individual.  

 

Data controller and Contact

Athos Trustees (Switzerland) AG is responsible for the data processing described herein, unless otherwise specified in individual cases. Inquiries regarding data protection can be directed to us by mail or email, accompanied by a copy of the user's ID or passport for identification purposes, at the following address: Lindenstrasse 16, 6340 Baar, Switzerland / Tel: +41 41 729 63 63 / assistants@athos-group.com

 

Collection and Processing of Personal Data

We process personal data particularly in the following categories of processing:

  • Customer data from clients for whom we provide or have provided services.
  • Personal data indirectly obtained from our clients during service provision.
  • When visiting our website.
  • When participating in an event organized by us.
  • During communication or visits.
  • In other contractual relationships, e.g., as a supplier, service provider, or advisor.
  • In job applications.
  • When we are obliged to do so by law or regulation.
  • When fulfilling our due diligence obligations or other legitimate interests, e.g., to avoid conflicts of interest, prevent money laundering or other risks, ensure data accuracy, assess creditworthiness, ensure security, or enforce our rights.

More detailed information can be found in the description of each category of processing in Section 5.

 

Categories of Personal Data

The personal data we process depends on your relationship with us and the purpose for which we process it. In addition to your contact details, we also process further information about you or individuals associated with you. These may include particularly sensitive personal data.

We collect the following categories of personal data, depending on the purpose for which we process it: 

  • Contact information (e.g., name, address, telephone number, email).
  • Customer information (e.g., date of birth, nationality, marital status, profession, title, job position, passport/ID number, AHV number).
  • Risk assessment data (e.g., credit information, commercial register data).
  • Financial information (e.g., bank account data).
  • Mandate data, depending on the assignment (e.g., tax information, statutes, protocols, projects, contracts, employee data (e.g., salary, social insurances), accounting data, economically beneficial owners, ownership structures).
  • Website data (e.g., IP address, device information (UDI), browser information, website usage (analysis and use of plugins, etc.)).
  • Application data (e.g., CV, certificates).
  • Marketing information (e.g., newsletter registration).
  • Security and network data (e.g., visitor lists, access controls, network and mail scanners, telephone call logs).

 

In compliance with applicable laws, we may also obtain certain data from publicly available sources (e.g., debt collection registers, land registers, commercial registers, press, internet) or from our clients and their employees, authorities, (arbitration) courts, and other third parties. In addition to data provided directly by you, the categories of personal data we receive from third parties about you include:

  • Information from public registers.
  • Information we learn in connection with administrative and judicial proceedings.
  • Information related to your professional functions and activities (e.g., to conclude and process transactions with your employer).
  • Information about you in correspondence and meetings with third parties.
  • Credit reports.
  • Information about you provided by individuals in your environment (family, advisors, legal representatives, etc.) to conclude or process contracts with you or involving you (e.g., references, your delivery address, powers of attorney).
  • Information to comply with legal requirements such as anti-money laundering and export restrictions.
  • Information from banks, insurance companies, distribution, and other contractual partners of ours to claim or provide services through you (e.g., payments made, purchases made).
  • Information from media and the internet about you (where appropriate in individual cases, e.g., as part of an application, etc.).
  • Your addresses, and possibly interests and other sociodemographic data (for marketing).
  • Data related to website usage (e.g., IP address, MAC address of the smartphone or computer, device and settings information, cookies, date and time of visit, pages and content accessed, functions used, referring website, location data).

 

Purpose of Data Processing and Legal Basis

Provision of Services

We primarily process the personal data we receive in the course of our mandate relationships with our clients and other contractual relationships with business partners of these and other persons involved. The personal data of our clients include, in particular, the following information:

  • Contact information (e.g., name, address, telephone number, email, other contact information).
  • Personal information (e.g., date of birth, nationality, marital status, profession, title, job position, passport/ID number, AHV number, family relationships, etc.).
  • Risk assessment data (e.g., credit information, commercial register data).
  • Financial information (e.g., bank account data).
  • Mandate data (e.g., tax information, statutes, protocols, projects, contracts, employee data (e.g., salary, social insurances), accounting data, economically beneficial owners, ownership structures).

The purposes of processing result from the mandate agreement and include, in particular, providing the services negotiated therein, as well as the measures and activities required by this agreement, responding to inquiries, and ensuring the security of our systems.

Legal basis: The processing is necessary to fulfill the contract (Article 6(1)(b) GDPR). 

 

Consent

If you have given us consent to process personal data for specific purposes, we will process the personal data covered by the consent in compliance with the purposes stated in the declaration of consent and to the extent agreed therein.

Legal basis: Consent (Article 6(1)(a) GDPR). 

 

Legal Obligations

We are subject to various legal obligations, i.e., statutory requirements (e.g., commercial and tax laws, anti-money laundering regulations, sanctions regulations). The purposes of processing include, among other things, the fulfillment of tax control and reporting obligations, as well as the assessment and management of risks in the context of the aforementioned legal requirements.

Legal basis: Legal obligation (Article 6(1)(c) GDPR) in conjunction with the relevant statutory provisions. 

 

Legitimate Interests

We process personal data based on a balance of interests. The purposes of processing include, among other things:

  • Assertion of legal claims and defense in legal disputes;
  • Ensuring IT security and IT operations;
  • Prevention and investigation of criminal offenses;
  • Measures for business management and further development of services and products;
  • Marketing activities, unless you have objected to the use of your data;
  • Measures to ensure the company's internal security and to fulfill company policies;
  • Preventive measures for physical security (e.g., access controls);
  • Measures for building and plant security (e.g., access controls);
  • Ensuring the integrity, availability, and confidentiality of data;
  • Ensuring company compliance (compliance with legal requirements and internal company policies);
  • Other internal administrative purposes.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR). 

 

Categories of Recipients

Within ATHOS, access to your data is provided to those areas or persons who require it to fulfill contractual and legal obligations and to safeguard our legitimate interests. Processors employed by us may also receive data for these purposes. These can be companies in the categories of IT services, logistics, printing services, telecommunications, advice and consulting, and sales and marketing.

In addition, recipients of personal data may include:

  • Public authorities and institutions (e.g., tax authorities, supervisory authorities, law enforcement agencies) in the presence of a legal or regulatory obligation.
  • Banks, financial service providers, payment service providers, insurance companies in the presence of a contractual relationship.
  • Other companies in the course of business relationships with us, insofar as this is necessary for the execution or performance of a contract or for our legitimate interests.
  • In addition, we will only pass on data to other recipients if you have consented to the transmission or if we are authorized to transmit due to legal provisions and/or official orders. 

 

Data Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of services of third parties or disclosure or transfer of data to third parties, this will only be done to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow data to be processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to the EU (e.g., for the USA by the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses"). 

 

Duration of Storage of Personal Data

The duration of the storage of personal data is determined by the respective legal retention period (e.g., commercial and tax retention periods). After the expiry of this period, the corresponding data is routinely deleted if it is no longer required for the fulfillment or initiation of the contract and/or if we no longer have a legitimate interest in further storage. 

 

Your Rights as a Data Subject

You have the right to request information about your personal data processed by us. In the case of a request for information that is not made in writing, we ask for your understanding that we may require you to provide evidence that proves that you are the person you claim to be. Furthermore, you have the right to rectification or deletion or to restriction of processing, as far as you are legally entitled to do so. Furthermore, you have the right to object to the processing within the scope of the legal requirements. The same applies to a right to data portability. 

 

Revocation of Consent

If you have given us consent to process personal data for specific purposes, you have the right to revoke your consent at any time with future effect. The legality of the processing carried out on the basis of the consent until the revocation is not affected by this. 

 

Right to Object

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Article 6(1)(f) GDPR (data processing based on a balance of interests). If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the different likelihood and severity of the risk to the rights and freedoms of natural persons. Measures shall include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access, input, disclosure, availability, and separation. We have also established procedures that guarantee the exercise of data subject rights, the deletion of data, and reaction to data threats. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and data protection-friendly default settings.

 

Amendment of the Privacy Policy

We reserve the right to amend this Privacy Policy to adapt it to changes in the law, changes to our services or data processing, or changes in the data protection landscape. However, this only applies with regard to declarations on data processing. If user consent is required or if components of the Privacy Policy contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the users. 

 

Terms used

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

 

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is: 

Athos Trustees (Switzerland) AG

Lindenstrasse 16

6340 Baar, Switzerland

If you have any questions regarding data protection, you can contact:

assistants@athos-group.com