We are the responsible party for the processing of personal data collected through your use of our website www.merrylynn.com as per the applicable data protection laws, in particular the Swiss Data Protection Act (DPA) and – if applicable to your personal data – the European General Data Protection Regulation (GDPR).
We have our domicile at Hädrichstrasse 13, 8047 Zurich, Switzerland. For any queries regarding your personal data, please contact us at the following address: [email protected]
1. COLLECTION AND PROCESSING OF PERSONAL DATA
We primarily collect and process personal data that we obtain from our clients and other business partners as well as other individuals in the context of our business relationships with them or from users when operating our websites, apps and other applications. We only process personal data if this is necessary to provide a functional website or to provide our clients or other business partners with our contents, programs and services. The processing of personal data only takes place based on the appropriate legal basis and as permitted by law.
1.2 Legal basis for processing under GDPR
Insofar as we are required to obtain the consent of the data subject for the processing of personal data, we will obtain prior consent from our clients or other business partners and Art. 6 para. 1 lit. a GDPR serves as the legal basis for the processing of the corresponding data.
If the processing of personal data required for the performance of a contract between our company and our clients or other business partners, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual services or measures.
Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6 para 1lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDRP serves as the legal basis.
1.3 Duration of processing
We only store personal data that we obtain from our clients or other business partners for as long as necessary to serve the purpose of the processing and we delete personal data or block access to it as soon as such purpose ceases to apply.
However, personal data may be stored if requested by the applicable law (e.g. book keeping or mandatory archiving purposes). The data will also be blocked or deleted if a storage period prescribed by the applicable law expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
2. WEBSITE ACCESS AND LOGFILES
2.1. Automated data processing
Every time our website is visited, our system automatically collects data and information about the computer system used to access our website.
The following data is collected:
- Browser information (type and version)
- Operating system
- Internet service provider
- IP address
- Date and time of access
- Websites from which our website has been reached
- Websites accessed by the user via our website
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
For data processing subject to GDPR, the legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
2.2 Cookies, tracking and technologies relating to the use of our website
In addition, we also use temporary cookies that are stored on the user’s end device for a specified period of time to optimize user-friendliness. If a user visit our site again to use our services, it will automatically recognize that the user in question has already been with us and what entries and settings the user has made so that the user does not have to enter them again.
Within the scope of the GDPR, the data processed by cookies for the above-mentioned purposes is justified in order to protect our legitimate interests and those of third parties pursuant to Art. 6 para. 1 sentence 1 letter f GDPR.
Most browsers automatically accept cookies. However, all users can configure their browser so that no cookies are stored on their computer or a message always appears before a new cookie is created. However, the complete deactivation of cookies can lead to the fact that users cannot use all functions of our website.
We use Google Analytics and Kajabi on our websites. These are services provided by third parties, which may be located in any country (visit Google policies for more information on Google Analtytics) and allow us to measure and evaluate the use of our website (without identifying individuals). Permanent cookies, which are placed by the service provider, are also used for this purpose. Although such service providers do not receive personal data from us (and do not retain any IP addresses), they may track the user’s use of the website, combine this information with data from other websites the user has visited, which are also tracked by service providers, and use this information for their own purposes (e.g. to manage advertising). If the user has registered with the service provider concerned, the service provider will also know the user’s identity. The service provider concerned will then be responsible for processing the user’s personal data in accordance with the applicable data protection provisions. Service providers only provide information on how a particular website is used (but not any personal details).
We also use plugins from social networks such as Facebook, Twitter, YouTube, Google+, LinkedIn, Xing or Instagram on our websites. This will be evident to the user, as the relevant symbol will typically be displayed. We have configured these elements to be disabled by default. However, if the user enables these (by clicking on them), the social network operators may register that the user is on our website and where the user is on our website and may use this information for their own purposes. The operator concerned will then be responsible for processing the user’s personal data in accordance with the applicable data protection provisions. In such case, we will not receive any information from the operator concerned.
2.3 Purpose of processing
The data is stored in log files to ensure the functionality of the website. In addition, the data serves us to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
For data processing subject to GDPR, these purposes are our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.
2.4 Duration of processing
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, the data will be deleted when the respective session has ended. If the data is stored in log files, deletion occurs after seven days at the latest. Further storage is possible. In this case, the IP address of the user is deleted or anonymized.
2.5. No objection
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the user’s part.
3. USER’S RIGHTS
The user has the following rights under the applicable data protection laws:
3.1. Right of information
The user can request us to confirm whether user's personal data is being processed by us
If such processing has taken place, the user can request the following information from us:
(a) the purposes for which the personal data are processed;
(b) the categories of personal data being processed;
(c) the recipients or categories of recipients to whom the user's personal data have been or are still being disclosed;
(d) the planned duration of the storage of the user's personal data or, if specific information on this is not possible, criteria for determining the storage period;
(e) the existence of a right to rectification or deletion of personal data concerning the user, a right to limitation of processing by the controller or a right to object to such processing;
(f) the existence of a right of appeal to a supervisory authority;
(g) any available information on the origin of the data if the personal data are not collected from the data subject;
(h) if the processing is subject to GDPR, the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
The user has a right to request information as to whether the user's personal data is transferred to a third country or to an international organization. In this context, the user may request to be informed of the appropriate guarantees in connection with the transmission.
3.2. Right to rectification
The user has a right of rectification and/or completion if the user's personal data processed are incorrect or incomplete. We shall make the correction without delay.
3.3. Right of restriction
Under the following conditions, the user may request that the processing of the user's personal data be restricted:
(a) if the user disputes the accuracy of the user's personal data for a period that enables us to verify the accuracy of the personal data;
(b) the processing is unlawful and the user refuses to delete the user's personal data and instead requests that the use of the personal data be restricted;
(c) we no longer need the personal data for the purposes of the processing, but the user does need them to assert, exercise or defend legal claims; or
(d) if the user has filed an objection to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh the user's reasons.
If the processing of the user's personal data has been restricted, such data may only be processed – apart from being stored – with the user's consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest.
3.4. Right to deletion
3.4.1 Obligation to Delete Personal Data
The user may request us to delete the user's personal data without delay and we are obliged to delete this data without delay if one of the following reasons applies:
(a) the user's personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
(b) the user revokes his/her consent, on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
(c) the user files an objection against the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or the user files an objection against the processing pursuant to Art. 21 para. 2 GDPR.
(d) the user's personal data have been processed unlawfully.
(e) the deletion of user's personal data is necessary to fulfil a legal obligation to which we are subject.
(f) the user's personal data were collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.
If we have made the user's personal data public and are obliged to delete it pursuant to Art. 17 para. 1 GDPR, we shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that the user, as the data subject, has requested the deletion of all links to this personal data or of copies or replications of this personal data.
The right to deletion does not exist insofar as the processing is necessary
(a) to exercise freedom of expression and information;
(b) for the performance of a legal obligation required for processing under the applicable law or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
(c) for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
(d) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the right mentioned under 3.4.1 is likely to make it impossible or seriously impair the attainment of the objectives of such processing, or
(e) to assert, exercise or defend legal claims.
3.5. Right to notification
If the user has exercised his/her right to have us correct, delete or limit the processing, we are obliged to inform all recipients to whom the user's personal data have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
3.6. Data portability
The user has the right to receive the user's personal data that he/she has provided to us in a structured, common and machine-readable format. In addition, the user has the right to pass this data on to another person in charge without obstruction by us, provided that
(a) processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
(b) processing is carried out by means of automated methods.
In exercising this right, the user also has the right to request that the user's personal data be transferred directly from us to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
3.7. Right to objection
The user has the right to object at any time, for reasons arising from the user's particular situation, to the processing of the user's personal data based on Article 6 para 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
In such case we shall no longer process the user's personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh the user's interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the user's personal data are processed for direct marketing purposes, the user has the right to object at any time to the processing of the user's personal data for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing. If the user objects to the processing for direct marketing purposes, the user's personal data will no longer be processed for these purposes.
3.8. Right to withdraw consent
The user has the right to revoke his/her declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
3.9. Right of appeal to supervisory authority
Without prejudice to any other administrative or judicial remedy, the user has the right of appeal to a supervisory authority, if the user believes that the processing of the user's personal data is contrary to the applicable law.
© Bovet Coaching Services, May 2021