1. Controller / Data Protection Officer / Representative
Responsible for the data processing described here, unless otherwise stated in individual cases:
Swiss Tower Mills Minerals AG
If you have data protection concerns, you can contact us at the above contact address.
2. Collection and Processing of Personal Data
We primarily process personal data that we receive from our customers and other business partners, as well as from individuals involved in our business relationships, or that we collect from users while operating our websites, apps, and other applications. Where permitted, we also obtain certain data from publicly accessible sources (e.g., debt registers, land registers, commercial registers, press, internet) or receive such data from other companies, authorities, and third parties. In addition to the data you directly provide to us, the categories of personal data that we receive from third parties about you include information from public registers, information we learn in connection with official and judicial proceedings, information related to your professional functions and activities (so that we can, for example, conclude and process transactions with your employer with your assistance), information about you in correspondence and discussions with third parties, credit reports (if we conduct business with you personally), information about you provided by individuals in your environment (family, advisors, legal representatives, etc.) so that we can conclude or process contracts with you or involving you (e.g., references, delivery addresses, powers of attorney), information regarding compliance with legal requirements such as anti-money laundering and export restrictions, information from banks, insurance companies, distribution and other contractual partners of ours for the purpose of providing or receiving services by you (e.g., payments made, purchases made), information from media and the internet about your person (as far as this is relevant in specific cases, e.g., in the context of an application, press review, marketing/sales, etc.), your addresses, and possibly interests and other socio-demographic data (for marketing), data related to the use of the website (e.g., IP address, MAC address of the smartphone or computer, device and settings information, cookies, date and time of visit, pages and content accessed, functions used, referring website, location information).
3. Purposes of Data Processing and Legal Bases
The personal data we collect is mainly used to fulfill our contractual obligations to customers and business partners. This also includes the purchase of products and services from our suppliers and subcontractors. We also use this data to fulfill our legal obligations both domestically and abroad. If you are acting on behalf of such a customer or business partner, you may also be affected by this in your capacity. In addition, we process personal data about you and other individuals, to the extent permitted and appropriate, for the following purposes, for which we (and sometimes third parties) have a legitimate interest:
- Offering and improving our products, services, websites, apps, and other platforms where we are present;
- Communicating with third parties and handling their inquiries (e.g., applications, media inquiries);
- Testing and optimizing procedures for needs analysis for direct customer communication and collecting personal data from publicly accessible sources for customer acquisition;
- Advertising and marketing (including holding events), unless you have objected to the use of your data (if we send you advertising as an existing customer, you can object at any time, and we will then add you to a blocklist to prevent further advertising mailings);
- Market and opinion research, media monitoring;
- Asserting legal claims and defending against legal disputes and administrative proceedings;
- Preventing and investigating crimes and other misconduct (e.g., conducting internal investigations, data analysis to combat fraud);
- Ensuring the operation of our business, especially IT, our websites, apps, and other platforms;
- Video surveillance to safeguard property rights and other measures for IT, building, and facility security and protection of our employees and other individuals and assets owned or entrusted to us (e.g., access controls, visitor lists, network and mail scanners, telephone recordings);
- Purchase and sale of business units, companies, or parts of companies and other corporate transactions, including the transfer of personal data, as well as measures for corporate management and compliance with legal and regulatory obligations and internal regulations of STM.
If you have given us consent to process your personal data for specific purposes (e.g., when you sign up to receive newsletters or undergo a background check), we will process your personal data based on this consent unless we have another legal basis and need one. Consent given can be revoked at any time, but this does not affect data processing that has already occurred.
4. Cookies / Tracking and Other Technologies Related to the Use of Our Website
We typically use “cookies” and similar techniques on our websites that can identify your browser or device. A cookie is a small file sent to your computer or stored automatically on your computer or mobile device when you visit our website. When you revisit this website, we can recognize you, even if we do not know who you are. In addition to cookies used only during a session and deleted after your website visit (“session cookies”), cookies can also be used to store user settings and other information for a certain period (e.g., two years) (“persistent cookies”). However, you can configure your browser to reject cookies, store them only for a session, or delete them prematurely. Most browsers are preset to accept cookies. We use persistent cookies to store user settings (e.g., language, auto-login), to better understand how you use our offerings and content, and to display customized offers and advertisements to you (which can also happen on websites of other companies; however, they do not learn from us who you are, as they only see that the same user who was on our website is also on their website). Some cookies are set by us, and some are set by contractual partners we work with. Blocking cookies may cause certain functionalities (e.g., language selection, shopping cart, order processes) to no longer work. In our newsletters and other marketing emails, we sometimes include visible and invisible image elements that allow us to determine whether and when you opened the email so that we can measure and better understand how you use our offerings and tailor them to you. You can block this in your email program; most are preset to do so. By using our websites and consenting to receive newsletters and other marketing emails, you agree to the use of these techniques. If you do not wish to do so, you must configure your browser or email program accordingly. On our websites, we sometimes use Google Analytics or similar services. 
This is a service provided by third parties that can be located anywhere in the world (in the case of Google Analytics, it is Google Ireland (based in Ireland), which relies on Google LLC (based in the USA) as a data processor (both “Google”), www.google.com), which allows us to measure and evaluate website usage (not personally). For this purpose, persistent cookies are also used by the service provider. We have configured the service so that the IP addresses of visitors are shortened in Europe before being forwarded to the USA and cannot be traced back as a result. The service provider does not receive any personal data from us (and does not store IP addresses). We have turned off the “Data Sharing” and “Signals” settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google may draw conclusions from this data for its own purposes about the identity of visitors, create personal profiles, and link this data to the Google accounts of these individuals. If you have registered with the service provider yourself, the service provider knows you. The processing of your personal data by the service provider is then the responsibility of the service provider in accordance with its data protection regulations. The service provider only informs us about how our respective website is used (no information about you personally). On our websites, we also use so-called plugins from social networks such as Facebook, Twitter, YouTube, Pinterest, or Instagram. This is apparent to you in each case (typically through corresponding symbols). We have configured these elements to be deactivated by default. If you activate them (by clicking), the operators of the respective social networks can register that you are on our website, where you are, and can use this information for their purposes. 
The processing of your personal data is then the responsibility of this operator in accordance with its data protection regulations. We do not receive any information about you from them.
5. Data Disclosure and International Data Transfers
As part of our business activities and the purposes described in section 3, we also disclose information to third parties, either because they process it for us or because they want to use it for their own purposes. This concerns, in particular, the following entities:
- Service providers, including data processors;
- Retailers, suppliers, subcontractors, and other business partners;
- Domestic and foreign authorities, agencies, or courts;
- The public, including visitors to websites and social media;
- Competitors, industry organizations, associations, organizations, and other bodies;
- Buyers or potential buyers of business units, companies, or other parts of STM;
- Other parties in possible or actual legal proceedings;
- Other companies of STM;
All together referred to as recipients. These recipients may be located domestically or anywhere on Earth. You must particularly expect your data to be transferred to all countries where STM is represented by group companies, branches, or other offices, as well as to other countries in Europe and the USA, where the service providers we use are located (such as Microsoft, SAP, Amazon, Salesforce.com). If a recipient is located in a country without adequate legal data protection, we contractually obligate the recipient to comply with applicable data protection laws (for this purpose, we use the revised standard contractual clauses of the European Commission, which are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), to the extent that it is not already subject to a legally recognized data protection framework, and we cannot rely on an exemption provision. An exception may apply, in particular, in foreign legal proceedings, but also in cases of overriding public interests or if contract execution requires such disclosure, if you have consented, or if it concerns data made generally accessible by you, which you have not objected to processing.
6. Duration of Personal Data Retention
We process and store your personal data for as long as it is necessary for the fulfillment of our contractual and legal obligations or for the purposes pursued with the processing, i.e., for the duration of the entire business relationship (from initiation, execution to termination of a contract) and beyond, in accordance with statutory retention and documentation obligations. In this context, it is possible that personal data will be retained for the period in which claims can be asserted against our company and to the extent that we are otherwise legally obliged or have a legitimate business interest (e.g., for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will generally be deleted or anonymized to the extent possible. Operational data (e.g., system logs, logs) are subject to shorter retention periods of twelve months or less.
7. Data Security
We take appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse, such as issuing instructions, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymization, and controls.
8. Obligation to Provide Personal Data
As part of our business relationship, you must provide the personal data that is necessary for establishing and conducting a business relationship and fulfilling the associated contractual obligations (you typically do not have a legal obligation to provide us with data). Without this data, we will generally not be able to enter into a contract with you (or the entity or person you represent) or process it. The website cannot be used either if certain data for ensuring data traffic (such as IP address) are not disclosed.
We process your personal data in part automatically with the aim of evaluating certain personal aspects (profiling). We use profiling, in particular, to inform and advise you about products in a targeted manner. For this purpose, we use evaluation tools that allow us to carry out needs-based communication and advertising, including market and opinion research. We generally do not use fully automated decision-making for the establishment and execution of the business relationship or otherwise (as regulated, for example, in Article 22 GDPR). If we use such procedures in individual cases, we will inform you separately, as required by law, and explain your related rights.
10. Rights of the Data Subject
Under the applicable data protection law and as provided for therein (such as in the case of the GDPR), you have the right to information, correction, deletion, the right to restrict data processing, and, in particular, the right to object to our data processing, especially for the purposes of direct marketing, the profiling carried out for direct advertising purposes, and other legitimate interests in processing, as well as the right to receive certain personal data for transmission to another entity (so-called data portability). Please note, however, that we reserve the right to assert the legally specified restrictions on our part, for example, if we are obligated to retain or process certain data, have an overriding interest (to the extent we are entitled to do so), or require the data for asserting claims. If there are costs for you, we will inform you in advance. We have already informed you about the possibility of revoking your consent in section 3. Please note that exercising these rights may conflict with contractual agreements and may have consequences such as early contract termination or cost consequences. In such cases, we will inform you in advance, unless this is already regulated by contract. Exercising such rights typically requires clear proof of your identity (e.g., by providing a copy of an identity card where your identity is not otherwise clear or can be verified). To exercise your rights, you can contact us at the address provided in section 1. Every data subject also has the right to enforce their claims in court or to file a complaint with the relevant data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch).