DATA PROTECTION

1 What is this Privacy Policy about?

CIFA Mondiale AG, based in Baar (hereinafter also referred to as ‘we’, ‘us’), collects and processes personal data (hereinafter also referred to as ‘data’), in particular personal data about our customers, affiliated persons, contracting parties, visitors to our website, participants in events, recipients of newsletters and other bodies or their contact persons and employees (hereinafter also referred to as ‘you’). We provide information about this data processing in this privacy policy. In addition to this privacy policy, we may inform you separately about the processing of your data (e.g. in the case of forms or contractual terms).

If you provide us with data about other persons (e.g. family members), we assume that you are authorised to do so and that this data is correct, and that you have ensured that these persons have been informed of this disclosure, insofar as a legal obligation to provide information applies (e.g. by bringing this privacy policy to their attention in advance).

2 Who is responsible for processing your data?

The data controller responsible for the processing described in this privacy policy is

CIFA

Wylihof 7

4542 Luterbach

info@cifaworld.com

3 What categories of data do we process?

We process various categories of your personal data. The most important categories are as follows:

Master data: This is general personal data such as name, contact details, personal data, photos, customer history, authorisations, declarations of consent and information about their relationship with us (e.g. customer, supplier) as well as information about third parties (e.g. contact persons).

Contract and financial data: This is data that we obtain and process as part of the provision of our services and when concluding contracts, such as data on contractual services or concerning the provision of services, information on reactions (e.g. information on satisfaction) and on processing (e.g. customer service) as well as data in connection with the initiation and conclusion of contracts or financial data (e.g. creditworthiness).

Communication data: This is data that arises in connection with communication between us and with third parties (e.g. by email, telephone, letter or other means of communication). This includes, for example, the content of e-mails or letters, your contact details, marginal data of the communication or image and audio recordings of (video) telephone calls.

Registration data: This is data that is collected as part of a registration (e.g. newsletter), in competitions or when redeeming vouchers with us, or that you provide to us. This also includes access data in the context of access controls.

Technical data: This is data that is generated as part of the use of our electronic offers (e.g. website), such as IP address, information about the operating system of your end device, the region and the time of use. Technical data alone does not allow any conclusions to be drawn about your identity. However, it can be linked to other data categories (e.g. registration data) and thus possibly also to your person.

Behavioural and preference data: This is data about your behaviour and preferences, such as responses to electronic communications, navigation on the website, interactions with our social media profiles and details of participation in competitions or events etc., we may also supplement and link this with data from third parties (e.g. from publicly accessible sources).

Applicant data: This is data which we process as part of an application to us and which is contained in your application documents, among other things (e.g. professional background, training and further education, references). We may also obtain data from public sources, such as job-related social networks, the internet or the media.

Other data: This includes in particular data that is processed in connection with official or judicial proceedings (e.g. files, evidence, etc.), data that is collected due to health protection (e.g. protection concepts), photos, video or audio recordings that we produce or receive from third parties and in which you are recognisable (e.g. at events, through security cameras, etc.), access data or rights (e.g. visitor lists), participation in events.

4 For what purposes do we process which of your data?

If you purchase our services or products or use http:/www.cifaworld.com (hereinafter ‘website’), or otherwise have dealings with us, we process various categories of your personal data (see section 3). In particular, we may obtain and process this data for the following purposes

Communication: We process your data in order to communicate with you and third parties by email, telephone, letter or other means (e.g. to respond to enquiries, as part of a consultation or to initiate or process a contract). This may also include image and audio recordings of (video) telephone calls, e.g. for quality assurance purposes. In the event of an audio or video recording, we will inform you separately and you are free to inform us if you do not wish to be recorded or to terminate the communication. If we need or want to establish your identity, we will collect additional data (e.g. a copy of an ID card).

Initiation, conclusion, administration and fulfilment of contracts: We process personal data in connection with the provision of our services (e.g. delivery of products) or the initiation, conclusion, administration or fulfilment of contracts with our customers or other contractual partners (e.g. suppliers, service providers, project partners). In particular, this also includes processing to check creditworthiness, for customer support and for the provision and collection of contractual services (which also includes the involvement of third parties). This also includes the enforcement of legal claims arising from contracts (debt collection, legal proceedings, etc.), accounting, the termination of contracts and public communication.

Relationship management and for marketing purposes: We also process your personal data for relationship management and marketing purposes, namely to send our customers, other contractual partners and other interested parties personalised advertising (e.g. on our website, as printed matter, by email or via other channels) about products, services and other news from us and from third parties (e.g. from product partners), in connection with free services (e.g. invitations, vouchers) or as part of individual marketing campaigns (e.g. events, competitions). You can refuse such contacts at any time or refuse or revoke your consent to be contacted for advertising purposes by notifying us (see contact details in section 2).

Market research, improvement of our services and operations and product development: In order to continuously improve our products and services (including our website and other electronic offers), we collect data about your behaviour and preferences, for example by analysing how you navigate through our website, how you interact with our social media profiles or which products are requested and used by which groups of people and in what way. If necessary, we may supplement this information with data from third parties (including from publicly accessible sources).

Operation of our website: We also process personal data (in particular technical data) in order to operate our website securely and stably. For further information, see section 10.

Registration: In order to use certain offers and services (e.g. free WLAN, newsletter), you must register (directly with us or via our external login service providers). For this purpose, we process the data provided during the registration process. We may also collect personal data about you while you are using the offer or service.

Security purposes and access controls: We obtain and process personal data in order to ensure and continuously improve the appropriate security of our IT and other infrastructure (e.g. buildings). This includes, for example, monitoring and controlling electronic access to our IT systems and physical access to our premises, analyses and tests of our IT infrastructures, system and error checks and the creation of backup copies. For documentation and security purposes (preventive and to clarify incidents), we also keep access logs and visitor lists in relation to our premises and set security measures.

Compliance with laws, instructions and recommendations from authorities and internal regulations (‘compliance’): We may process personal data in the context of compliance with laws (e.g. combating money laundering, tax obligations or for the implementation of health and safety concepts). In addition, data may be processed during internal and external investigations (e.g. by a law enforcement or supervisory authority or an authorised private body). The legal obligations may relate to Swiss law, but also to foreign regulations to which we are subject, as well as to self-regulation, industry standards, our own corporate governance and official instructions and requests.

Risk management and corporate governance: We obtain and process personal data as part of risk management (e.g. to protect against criminal offences) and corporate governance. This includes our business organisation (e.g. resource planning) and corporate development (e.g. acquisition and sale of business units or companies).

Job application: If you apply for a job with us, we obtain and process the relevant data for the purpose of reviewing the application, carrying out the application process and, in the case of successful applications, for the preparation and conclusion of a corresponding contract.

Other purposes: What applies to profiling and automated decisions?

We evaluate certain of your personal characteristics for the purposes mentioned in Section 4 using your data in an automated manner (‘profiling’) if we want to determine preference data in order to identify abuse and security risks, carry out statistical analyses or for operational planning purposes. We may also create profiles for the same purposes.

In certain situations, for reasons of efficiency and consistency of decision-making processes, it may be necessary for us to automate discretionary decisions that affect you (‘automated individual decisions’). If these have legal effects or potentially significant disadvantages, we will inform you and offer you a human hearing as required by law.

6 Where does the data come from?

From you: You (or your end device) provide us with much of the data we process yourself (e.g. in connection with our services, the use of our website or communication with us). You are not obliged to disclose your data, with exceptions in individual cases (e.g. legal obligations). However, if you wish to conclude contracts with us or utilise our services, for example, you must disclose certain data to us.

From third parties: We may also obtain data from publicly accessible sources (e.g. debt collection register, commercial register, media or the internet incl. social media) or receive it from (i) public authorities, (ii) your employer or client who either has a business relationship with us or is otherwise involved with us, as well as from (iii) other third parties (e.g. booking platforms, credit agencies, address dealers, associations, contractual partners, internet analysis services). This includes the following categories in particular: General personal data (master data), contract data and other data, but also all other data categories in accordance with section 3 as well as data from correspondence and meetings with third parties. If you work for an employer or client or for someone else who has a business relationship with us or is otherwise in contact with us, they may also provide us with data about you.

7 To whom do we disclose your data?

In connection with the purposes listed in section 4, we may transfer your personal data to the following categories of recipients in particular:

Service providers: We work with service providers in Germany and abroad who (i) process data on our behalf (e.g. IT providers), (ii) on our joint responsibility or (iii) on their own responsibility, which they have received from us or collected for us. These service providers include, for example, IT providers, advertising service providers, banks, insurance companies, debt collection agencies, credit reference agencies, address verifiers, consulting firms or lawyers). For the processing of bookings, we work together with Booking.com, whose privacy policy is available at the following link: https://www.booking.com/content/privacy.de.html. We generally enter into contracts with these third parties regarding the use and protection of personal data.

Customers and other contractual partners: This initially refers to customers and other contractual partners of ours for whom a transfer of your data results from the contract (e.g. because you work for a contractual partner or they provide services for you). This category of recipients also includes contractual partners with whom we co-operate or who advertise for us. The recipients generally process the data under their own responsibility.

Authorities: We may pass on personal data to offices, courts and other authorities in Switzerland and abroad if we are legally obliged or authorised to do so or if this appears necessary to protect our interests. These recipients process the data under their own responsibility.

Other persons: This refers to other cases where the involvement of third parties arises from the purposes set out in section 4. This concerns, for example, delivery addressees or payment recipients specified by you, third parties in the context of agency relationships (e.g. your lawyer or your bank) or persons involved in official or court proceedings. If we work with the media and transmit this material (e.g. photos), you may also be affected. As part of our corporate development, we may sell or acquire businesses, parts of businesses, assets or companies or enter into partnerships, which may also result in the disclosure of data (including your data, e.g. as a customer or supplier or as their representative) to the persons involved in these transactions. In the course of communication with our competitors, industry organisations, associations and other bodies, data relating to you may also be exchanged.

All these categories of recipients may in turn involve third parties, so that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).

We also allow certain third parties to collect personal data from you on our website and at events organised by us on their own responsibility (e.g. media photographers, providers of tools that we have integrated on our website, etc.). Insofar as we are not decisively involved in this data collection, these third parties are solely responsible for it. If you have any concerns and wish to assert your data protection rights, please contact these third parties directly. We have listed them in section 10.

8. does your personal data also end up abroad?

We process and store personal data mainly in Switzerland and the European Economic Area (EEA), but in exceptional cases - for example via subcontractors of our service providers - potentially in any country in the world.

If a recipient is located in a country without adequate data protection, we contractually oblige the recipient to comply with an adequate level of data protection (we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?; including the supplements necessary for Switzerland), unless the recipient is already subject to a legally recognised set of rules to ensure data protection and we cannot rely on an exemption provision. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests, if the performance of a contract that is in your interest requires such disclosure, if you have given your consent, or if it is not possible to obtain your consent within a reasonable period of time and the disclosure is necessary to protect your life or physical integrity or that of a third party, or if it concerns data that you have made generally accessible and whose processing you have not objected to.

9.what rights do you have?

You have certain rights in connection with our data processing. In accordance with applicable law, you may in particular request information about the processing of your personal data, have incorrect personal data corrected, request the erasure of personal data, object to data processing, request the disclosure of certain personal data in a commonly used electronic format or its transfer to another controller.

If you wish to exercise your rights against us, please contact us; our contact details can be found in section 2. In order for us to rule out misuse, we must identify you (e.g. with a copy of your ID, if necessary).

Please note that conditions, exceptions or restrictions apply to these rights (e.g. to protect third parties or business secrets). We reserve the right to black out copies for reasons of data protection or confidentiality or to supply only extracts.

10.how are cookies and similar technologies used on our website?

When using our website (including newsletters and other digital offers), data is collected that is stored in logs (in particular technical data). We may also use cookies and similar technologies (e.g. pixel tags or fingerprints) to recognise website visitors, evaluate their behaviour and identify preferences. A cookie is a small file that is transmitted between the server and your system and enables a specific device or browser to be recognised.

You can set your browser so that it automatically rejects, accepts or deletes cookies. You can also deactivate or delete cookies in individual cases. You can find out how to manage cookies in your browser in your browser's help menu.

Neither the technical data collected by us nor cookies generally contain any personal data. However, personal data that we or third-party providers commissioned by us store about you (e.g. if you have a user account with these providers) may be linked to the technical data or to the information stored in and obtained from cookies and thus possibly to your person.

We may also use social media plug-ins. These are small pieces of software that establish a connection between your visit to our website and a third-party provider. The social media plug-in informs the third-party provider that you have visited our website and may send the third-party provider cookies that it has previously placed on your web browser. For more information on how these third-party providers use your personal data collected via their social media plug-ins, please refer to their respective privacy policies.

We also use third-party services (which may themselves use cookies) on our website, in particular to improve the functionality or content of our website (e.g. integration of maps) or to compile statistics.

In particular, we may currently use offers from the following service providers and advertising partners, whereby their contact details and further information on the individual data processing can be found in the respective privacy policy:

Google Analytics

Provider: Google Ireland Ltd.

Further information on data protection regarding Google Analytics: https://support.google.com/analytics/answer/6004245

Google Maps

Provider: Google LLC

Some of the third-party providers we use are located outside Switzerland. Information on the disclosure of data abroad can be found in section 8. In terms of data protection law, some of them are ‘only’ processors on our behalf and some are controllers. Further information on this can be found in the data protection declarations.

11 How do we process personal data on our pages in social networks?

We operate pages and other online presences on social networks and other platforms operated by third parties and process data about you in this context. We receive data from you (e.g. when you communicate with us or comment on our content) and from the platforms (e.g. statistics). The providers of the platforms can analyse your use and process this data together with other data that they have about you. They also process this data for their own purposes (e.g. marketing and market research purposes and to manage their platforms), and act as their own data controllers for this purpose. For further information on processing by the platform operators, please refer to the privacy policies of the respective platforms.

We currently use the following platforms, whereby the identity and contact details of the platform operator can be found in the privacy policy in each case:

Instagram

https://www.instagram.com/cifaworld

We are authorised, but not obliged, to check third-party content before or after it is published on our online presences, to delete content without notice and, if necessary, to report it to the provider of the platform in question.

Some of the platform operators may be located outside Switzerland. Information on the disclosure of data abroad can be found in section 8.

12.what else should be considered?

We do not assume that the EU General Data Protection Regulation (‘GDPR’) is applicable in our case. However, should this be the case in exceptional cases for certain data processing, this section 12 applies exclusively for the purposes of the GDPR and the data processing subject to it.

We base the processing of your personal data in particular on the fact that it is necessary for the initiation and conclusion of contracts and their administration and enforcement (Art. 6 para. 1 lit. b GDPR; see para. 3), it is necessary for the legitimate interests of us or third parties, namely for communication with you or third parties, to operate our website, to improve our electronic offers and registration for certain offers and services, for security purposes, for compliance with Swiss law and internal regulations, for our risk management and corporate governance (Art. 6 para. 1 lit. f GDPR; see para. 3) and for other purposes such as training and education, administration, evidence and quality assurance, organisation, implementation and follow-up of events and other legitimate interests (section 4), which are required or permitted by the law of the EEA or a member state. of a member state, it is necessary to protect your vital interests or those of other natural persons, it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, you have consented to the processing separately, e.g. via a corresponding query on our website (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR).

Please note that we generally process your data for as long as required by our processing purposes (see section 4), the statutory retention periods and our legitimate interests, in particular for documentation and evidence purposes, or if storage is technically necessary (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we will generally delete or anonymise your data after the storage or processing period has expired as part of our normal processes.

If you do not provide certain personal data, this may mean that it is not possible to provide the associated services or conclude a contract. As a matter of principle, we indicate where personal data requested by us is mandatory.

The right to object to the processing of your data set out in section 9 applies in particular to data processing for the purpose of direct marketing.

If you do not agree with our handling of your rights or data protection, please let us know (see contact details in section 2). If you are located in the EEA, you also have the right to lodge a complaint with the data protection supervisory authority in your country. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de.

13.can this privacy policy be amended?

This privacy policy is not part of any contract with you. We may amend this privacy policy at any time. The version published on this website is the current version.

4542 Luterbach, 19 April 2024