Privacy Policy

1. Processing of personal data
2. Duration of processing, retention period
3. Disclosure of personal data
4. Rights of data subjects
5. Server log files, data security
6. Functional technologies
7. Cookies and other tracking methods
8. Third-party services
9. Contact forms, comment function
10. Copyrights
11. Disclaimer
12. Up-to-dateness and changes

The website of the Careum Foundation and the affiliated companies also appearing on this website according to the Imprint are subject to Swiss law, in particular Swiss data protection law (the Federal Act on Data Protection; “FADP”). Foreign law may also apply, in particular the General Data Protection Regulation (“GDPR”) of the European Union (“EU”).

If you have any questions about data protection, please contact our data protection officer

Careum Foundation
Heinz Meier
Pestalozzistrasse 3
CH-8032 Zurich

Tel. +41 43 222 50 00
or by e-mail to: datenschutz@careum.ch

We have a data protection representative in the EU who serves as a contact for supervisory authorities and data subjects resident in the EU in accordance with Art. 27 of the GDPR:

VGS data protection partner UG
Am Kaiserkai 69
20457 Hamburg, Germany
https://www.datenschutzpartner.eu/ (in German)

Questions to the data protection officer

If you have any questions about our handling of data or data protection practices, please send us an e-mail or directly contact the data protection officer listed above. In order for us to respond to you as efficiently as possible, please provide as precise a description as possible of the information you would like to receive from us.

1. Processing of personal data

We process personal data in accordance with the FADP and the GDPR. The definitions set out in more detail below to clarify terminology refer to the definitions of the FADP on the one hand and the GDPR on the other.

“Personal data” therefore means any information relating to an identified or identifiable person.

A “data subject” is a natural person or legal entity about whom personal data are processed.

“Processing” covers any handling of personal data, regardless of the means and processes used, in particular, the storage, disclosure, procurement, deletion, saving, amendment, destruction and use of personal data.

Where the FADP applies, we process personal data in accordance with the principles of Art. 6 FADP or one of the justification grounds of Art. 31 FADP.

Where the GDPR applies, we process personal data in accordance with at least one of the following legal bases:

• Art. 6 para. 1 (a) GDPR (processing of personal data with the consent of the data subject)
• Art. 6 para. 1 (b) GDPR (in accordance with the processing of personal data necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract)
• Art. 6 para. 1 (c) GDPR (processing of personal data to fulfil a legal obligation to which we are subject because either EU law applies or the legal provisions of a country where the GDPR is applicable in whole or in part apply)
• Art. 6 para. 1 (d) GDPR (processing of personal data to protect the vital interests of the data subject or another natural person)
• Art. 6 para. 1 (f) GDPR (processing of personal data to protect our legitimate interests or those of third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject)

2. Duration of processing, retention period

The duration of the processing of personal data is based on the purpose for which the personal data are required in the individual case. In the case of analyses, we store your data until the analysis has been completed. If statutory or other obligations require a longer retention period, we will adjust the processing and retention period in accordance with these regulations.

3. Disclosure of personal data

We may pass on and share your personal data to other companies affiliated with Careum Foundation (in particular to all companies that also appear on this website in accordance with the Imprint). We may also disclose your personal data to third parties who act for us or on our behalf so that they may further process the data in accordance with the purpose for which the data was originally collected or for other legally permissible purposes, such as providing services, performing contractually owed services or providing technical support.

4. Rights of data subjects

Visitors to our website or persons about whom we process personal data for other reasons are entitled to all the "rights of the data subject" in accordance with Art. 25, Art. 28, Art. 30 and 32 FADP, as well as those of Art. 12 - 23 GDPR, insofar as the GDPR is applicable. In particular, you may request information free of charge as to whether your personal data are being processed by us. If so, you can request information about the type, scope and other nature of our processing of your personal data. You can also restrict the processing of your personal data. You can exercise your right to data portability, have your personal data corrected or deleted, revoke consent given earlier to process your personal data or object to the processing of your personal data altogether.

Overview of your rights as a data subject:

• Right of access (Art. 15 GDPR, Art. 25 et seq. FADP),
• Right to rectification (Art. 32 para. 1 FADP) or right to rectification or erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to block disclosure (Art. 32 para. 2 lit. b FADP)
• Right to data portability (Art. 28 FADP resp. Art. 20 GDPR)
• Right to object to processing (Art. 32 para. 2 lit. a FADP resp. Art. 21 GDPR)

In order to exercise your personal rights, you must prove your identity beyond doubt by means of official documents. If you incur costs from exercising your rights, we will inform you in advance. Should the exercise of your above-mentioned rights conflict with any contractually agreed rights and obligations between you and us, this may result in consequences such as early termination of the contract, costs or other consequences, of which we will inform you in a given case.

Every data subject about whom we process personal data has the right to lodge a complaint with the responsible data protection authority (in Switzerland, the Federal Data Protection and Information Commissioner FDPIC) and the right to assert their claims in court.

5. Server log files, data security

5.1 Server log files

When you visit our website, the provider automatically collects and stores information in server log files, which your browser automatically transmits to us. The processing of this data is based on Art. 6 para. 1 FADP and Art. 25 FADP in conjunction with Art. Art. 31 para. 1 FADP in consideration of Art. 32 para. 2 lit. c FADP, respectively Art. 6 para. 1 lit. f GDPR. This is typically the following data:

• Browser type (including language and version)
• Operating system used
• Referrer URL (website from which the request originated)
• Host name of the accessing computer
• IP address
• Time zone difference to GMT time zone
• Content of the request
• Access status / http status code
• Volume of data transferred in each case
• Date and time of the server request

These data cannot be assigned to specific individuals. These data are not merged with other data sources. In particular, these data are processed for the following purposes:

• to ensure a proper connection to the website;
• to ensure the smooth use of our website;
• for the purpose of evaluating system security and stability;
• for other administrative purposes.

We reserve the right to check these data subsequently if we become aware of specific indications that the website is being used illegally.

5.2 Data security

We take appropriate technical and organisational security measures to protect your personal data stored by us against accidental, unlawful or unauthorised deletion, alteration, access, disclosure or use, as well as against partial or complete loss.

These security measures are regularly reviewed and adapted and improved in line with technological progress. These security measures include the use of recognised encryption methods (SSL or TLS).

If you register with us as a user, access to your user account is only possible after entering your personal password. You should always treat login and payment information confidentially and close the browser window and delete the history once you have finished communication with us.

Our employees and the service providers appointed by us are obliged by us to maintain confidentiality and to comply with the provisions of data protection law.

We do not accept any liability for the loss of data or their becoming known or used by third parties.

6. Functional technologies

Our website is hosted on servers of the Microsoft Corporation. The servers are located in Switzerland (Microsoft Azure, Switzerland North/Zurich zone)

We use Drupal 10 from the Drupal Association / Dries Buytaert, Drupal Maintainer, as our content management system (CMS) and for databases. This operates under the GNU General Public License, Version 2, and is hosted on Microsoft servers.

We use Shopware 6 from shopware AG as eCommerce software. Shopware 6 is also hosted by Nine Internet Solutions AG. 

We use various technologies (e.g. libraries, fonts) to ensure that our website functions properly. These are the JavaScript library JQuery from OpenJS Foundation in the US, the search function Elasticsearch from Elastic NV in the Netherlands, so-called icon fonts, embedded font directories and sharing mechanisms. All these technologies are hosted on Nine Internet Solutions AG's servers which we have chosen. As far as we know, no other data are transmitted to third parties with regard to these technologies used.

Mail dispatch

If e-mails are sent in connection with the website (e.g. for the purpose of password resets or automatic confirmations), this is done via a service provided by SendGrid, a company based in Ireland. The data is only used to process the contact and subsequent communication. SendGrid has access to the following information:

• Subject of the e-mail
• E-mail addresses of senders and recipients
• Content of the email (content and processed data therefore depend on the person sending the message)

7. Cookies and other tracking methods

7.1 General

This website uses cookies. Cookies are small text files that enable specific information relating to you to be stored on your device while you use our website. Cookies help, among other things, to make your visit to our website easier and more enjoyable, to improve our services, and to make it more effective and secure. We also use cookies to collect information in order to offer you advertising that may be of interest to you.

If you visit our website for the first time or if new cookies need to be created due to deleted cookies, our cookie banner informs you about the options for the different cookie categories and you can choose which type of cookies should be collected:

• Functional cookies store your preferences.

These cookies are essential for the functioning of the website and cannot be disabled on our systems.

• Performance cookies show us how you are using this website.

We use these cookies to quantify visits and traffic in order to gauge and improve the performance of our website. They help us understand which pages are viewed often and for longer periods and which content our visitors to the website are most likely to access. It is our understanding that all the information generated by these cookies is pooled and is therefore anonymous.

• Targeting cookies help us share content that is relevant to you.

These cookies can be placed on our website by our (advertising) partners. They may be used by these companies to generate a profile of your interests and notify you of our services via relevant adverts on other websites. They also do not store direct personal information, but are based on the unique identification of your browser and Internet device. You may, however, be identified if you are logged into certain third-party services and your user data can be linked by said third party. If you do not allow these cookies, you will receive less targeted advertising.

The cookies are automatically deleted when the information is no longer needed. You can choose whether or not to allow certain types of cookies. For systemic reasons, functional cookies cannot be deactivated.

7.2 Types of cookies

We use transient and persistent cookies.

Transient cookies are automatically deleted as soon as you close your browser. This type of cookies includes, in particular, session cookies. These store a so-called session ID, which can be used to assign various requests from your browser to the joint session. This allows your computer to be recognised when you return to our website. Session cookies are rarely used and are deleted when you log out or close your browser.

Persistent cookies, on the other hand, are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in the security settings of your browser.

7.3 Benefits and analysis

Cookies enable us to carry out certain analyses of our website, in particular to determine the frequency of use or the number of users of the pages or to analyse the way in which the pages are used.

Cookies are used in particular to make our website, the content and the offers more customer-friendly. For example, cookies may be required to use shopping baskets or payment functions. With the use of cookies, options or decisions you have made can also be used as settings to make your visit to our website more convenient. We may also use cookies to identify you for subsequent visits if you have an account with us.

Cookies are usually stored after the end of a browser session and can be accessed again when you return to the website. If you do not wish to do so, you can set your Internet browser to reject cookies. However, this may result in you not being able to use all the features of this website.

8. Third-party services

As mentioned at the beginning, we process personal data in accordance with the principle of necessity.

Selection of providers, server locations
In principle, we try to choose services from providers based in Switzerland or the EU. Where possible when concluding a contract with these third parties, we also choose server locations in Switzerland or EU countries. Where this is not possible, we access alternative providers outside Europe. As a result, we may transfer your data to the countries where the registered office of the service providers we use is located, including the US.

Especially for global service providers, server locations are now often no longer limited to individual locations, but are often made available as part of a Content Delivery Network or Content Distribution Network (“CDN”) via a group of geographically distributed and interconnected servers.

Consent to third-party services
Depending on the setting of your cookie preferences or explicit, active opt-in (sometimes also double opt-in), you consent to the use of the third-party services listed below in accordance with the collection and processing of information and personal data described for the respective service.

You can find out more about the data protection provisions and terms of use for the respective third-party service by clicking on the link listed in the table.

Legal basis for data transmission
If we transfer data to third parties, the relevant Swiss laws, in particular the Swiss Data Protection Act, form the legal basis. The provisions of the EU’s General Data Protection Regulation (GDPR) also apply as an alternative and subsidiary or, if applicable, to determine the situation. See also the justifications and legal bases of the DPA and the GDPR mentioned in section 1.

If you would like to know the exact legal basis for one of the third-party services listed in the table below, please contact us using the contact options mentioned at the beginning of this Privacy Policy.

If we transfer data to third parties in a country without an adequate level of data protection, we ensure an adequate level of protection as required by law through the use of corresponding agreements (e.g. through the use of so-called standard contractual clauses of the European Commission) or in turn rely on the legal justification mentioned in section 1.

Encryption
In general, we always transfer personal data to third parties in encrypted form. If there are exceptions, these are explicitly mentioned.

Third-party data protection provisions
With regard to the services used, we have no influence on the effective handling of personal data by the representative third-party providers. With regard to their handling of data, their currently applicable data protection regulations are binding for you. We can only determine which cookies are set and which actions are triggered for third-party services based on the cookie settings you select.

Overview and information to third-party providers
The third-party providers used in accordance with their services are listed below. We will tell you which services we use from which companies in which countries and provide you with a link to the data protection regulations currently applicable to the best of our knowledge. If you have any further questions about any of the services listed below, please contact us using the contact options mentioned at the beginning of this Privacy Policy.

8.1 Third-party data storage (settings)

We use CookiePro to store your settings on how cookies are to be used. CookiePro is a SaaS solution from OneTrust, one of the world’s leading providers and used by many large companies.

8.2 Services offered by Google/Alphabet companies

Our website uses various services provided by subsidiaries of the US company Alphabet Inc. (see table). These services all refer to the same data protection provisions, which can be found at https://policies.google.com/privacy.

If the IP anonymisation function is activated, your IP address will be truncated by Google before it is transmitted to the US. The entire IP address is only transmitted to a Google server in the US and shortened there in exceptional cases. Google uses this information to evaluate your use, to provide analytics services about these activities, and to provide us with other services, such as map services.

8.3 Calendar functions, appointment entries

We use the Microsoft Bookings service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland, as an integrated online appointment and booking tool.

We process personal and other data to find and confirm an appointment and to contact you, such as your name, telephone number, e-mail address, the reason for your enquiry and any comments you have made, as well as the time of the appointment request and the agreed appointment.

The connection to bookings is only established if you expressly agree to the use of the appointment scheduling tool. For appointment scheduling, your entries in the appointment scheduling form are transmitted to Microsoft. For more information on how Microsoft handles your data, please refer to Microsoft’s Privacy Policy (see link below). Microsoft explains, “All data are stored within the Microsoft 365 platform and in Exchange. Bookings follows all data retention policies set by Microsoft, which are the same as all Office apps.” and: “All customer data (including information provided by customers at the time of booking) are collected in Bookings and stored in the app and thus also in Exchange.”

8.4 Customer Relations Management (CRM) 

We use CRM tools from various providers for the companies appearing together on this website.

Our CRM tools are used when you register for an event with us, when you subscribe to a newsletter or when you receive a newsletter as an existing or new customer. You can find more information on data processing for newsletters in section 8.10. When you register for events, we process the personal data you provide. This data (e.g. name, telephone number, email address and address) is required for registration, confirmation of participation or registration and for contacting you.

The connection to the CRM tools used in each case is only established if you use a corresponding form to register for an event on our website.

We only merge this personal data with other data sources about you if you agree to this or have consented to the use of the corresponding cookies. Data is passed on to third parties so that we can enable the third-party providers to send you e-mails relevant to the event in accordance with the table below. We are not responsible for the processing of your data by the respective third-party provider. The terms of use and data protection provisions of the respective provider apply.

8.5 Web shop, services subject to a charge

We use Shopware as an eCommerce tool for our publishing shop. As an ERP system, we use Tocco, for example, for the purchase of educational offers or for event registration. We use Phiatos for logistics and specialized software for publishing purposes. Only our supporters (the provider and our DevOps organisation) and we have access to the applications. Application access is personalised and password-protected. There is a password security check. Two-factor authentication may be used.

In order for you to be able to use our eShop properly, session cookies are stored on your device when you visit our website. When you place an order, the personal data entered in the order form are transmitted to us by your browser and stored in our systems. Your IP address and the time of your order are also stored. All of this is necessary in order to be able to place an order and for the security of our systems.

We do not merge this personal data with other data sources. Data are only passed on to third parties if this is necessary for the fulfillment of the contract (e.g. to payment service providers, IT service providers or shipping companies). Unfortunately, it is not possible to place an order in our online shop without your personal data.

Users have the option to create a user account for using our eShop, where they can, for example, view and save their orders. During the registration process, the user must enter the mandatory information required for the user account (first and last names, address, email, country, phone number, salutation). The user accounts are not public and, to the best of Careum's knowledge, cannot be indexed by search engines. Users can terminate their user accounts at any time. After termination, only those data that are legally required to be retained for a certain period will continue to be stored. This is in accordance with the applicable data protection laws, particularly Art. 6(4) of the Swiss Federal Data Protection Act (DSG) or Art. 6(1)(c) of the General Data Protection Regulation (GDPR). Once deleted, data cannot be restored.

8.6 External payment service providers

We use Wallee and Wordline Saferpay as payment service providers. Users and we can make payment transactions via its platforms. The data processed by the payment service provider includes master data, e.g. name and address, bank data, account numbers, credit card numbers, passwords, TANs and checksums, as well as contract details, totals and recipient-related information, all of which are necessary to complete the transaction. However, the data entered by you as a user will only be processed and stored by Wallee and Wordline Saferpay and any third parties authorised by them. We do not receive any information about your account details or credit card details, instead only information about the payment status. Please refer to the General Terms and Conditions and Privacy Policy of Wallee and Saferpay. 

8.7 Tracking, analysis

We analyse user behaviour on the pages of our website using various Google services; see our notes above. On the other hand, we use analysis options using so-called heat maps. Hotjar is used. Analysing these heat maps allows us to find out which elements and content our users spend the most time with. It can also be seen, for example, which buttons users click and how often. Hotjar also allows us to obtain feedback directly from the users of our website. This gives us valuable information to make our website even faster, more informative and more customer-friendly.

With Hotjar, we can only track which buttons are clicked or how far you scroll. Areas of the website where your personal data or that of third parties are displayed or entered are automatically hidden by Hotjar and are therefore not traceable.

8.8 Social media (plugins, pixels)

Subject to your cookie settings, we use social media tracking technologies. These allow us to identify you as a visitor to our website and, depending on your browser history, draw conclusions about your preferences. The resulting profile of these service providers allows marketing activities to be tailored to the user. It allows us to create targeted online campaigns and user-appropriate marketing activities according to the presumed interest of our users. We can also track the effectiveness of the advertisements for statistical and market research purposes. If you do not want these third parties to associate or otherwise track the personal data collected through our website with any account you have with such providers, you must log out of their services before visiting our website.

8.9 Video platforms and tools

We use services from various third-party providers to integrate video content in accordance with the table below. When accessing the corresponding pages or videos, your browser loads the code from these providers that is necessary for viewing the video. For this purpose, the browser you use must connect to the servers of these providers. By doing so, they may gain knowledge that our website has been accessed via your IP address. If you do not want these third parties to associate or otherwise track the personal data collected through our website with any account you have with such providers, you must log out of their services before visiting our website.

8.10 Newsletter and email marketing

We use newsletter tools from various providers. This is because the companies mentioned in the Imprint, which appear together on this website, have different newsletter activities.

Existing and new customers automatically receive our newsletter for information purposes as part of their legitimate interest in our offers.

If you subscribe to a newsletter from us, the personal data you provide when registering, as well as your IP address and the time of registration, are transmitted to us by your browser and stored in our systems. Our newsletters are free of charge and are for information purposes.

We use the “double opt-in” procedure to verify that you have actually registered. Once you have subscribed to the newsletter, we will send you a confirmation e-mail to the e-mail address you provided. We record the ordering of the subscription, the sending of our confirmation e-mail to you and the receipt of your reply e-mail. No further data are collected. These data are collected via the corresponding newsletter tool and stored by the respective provider.

The processing of your personal data serves to send the newsletter, which may be personalised. In this case, personalisation means that we can take into account the interests you have indicated and your previous use when compiling the newsletter.

We do not merge this personal data with other data sources. Data are passed on to third parties so that we can enable the third-party providers to send you the newsletter in accordance with the table below. We are not responsible for the processing of your data by the respective third-party provider.

You can unsubscribe from our newsletter at any time and revoke your consent to the retention of your personal data in this regard. You can revoke/unsubscribe by clicking on the link provided in each newsletter e-mail or by sending an e-mail to the contact details provided in the imprint.

8.11 Application and HR management

We use gateway.one and REFLINE services for services in relation to career development, application management and HR management.

We make transparent reference to the use of gateway.one on the corresponding pages and incorporate this tool by linking to the gateway.one website. All information you provide on this website is subject to the data protection provisions of GATEWAY Solutions AG and we have no influence whatsoever on how they handle your data.

REFLINE is operated simultaneously on our website. In this way, we manage the HR recruiting process for advertised positions. This involves the collection of personal data that you provide when you apply for a position (e.g. personal details, CV, other PDFs of graduation certificates, references and more). We have access to these data as part of our contractual relationship with Refline AG. However, the information and content are not uploaded to our servers, but to those of Refline AG. Their servers are operated and maintained by Refline AG itself in a highly secure data centre at EveryWare in Zurich.

The uploaded data are not directly encrypted on the server, nor are they visible, but instead stored cryptically as binary data. The data are stored in an object database (ZODB), which cannot be accessed without access to the entire application. This database is based on a memory-mapped file and only the application can load the data. There is no interface with which the database can be accessed.

All of this information and personal data are only stored by us for as long as required by the relevant staffing process.

By submitting their application to us, applicants agree to the processing of their data for the purposes of the application process in accordance with the nature and scope set out in this Privacy Policy and to the use of REFLINE as a recruitment tool.

We also use the Dualoo tool in some cases. This is offered via external links. All user interactions take place outside of our control.

8.12 Target-group-specific marketing

In some cases, we use the services of Adform, a provider for more precise, target-group-specific advertising (so-called targeting) by Google’s Tag Manager. This only happens if you have agreed to the use of corresponding cookies in your cookie settings. The use of these marketing services allows us to create user-related advertising and to display interest-relevant advertising to you.

9. Contact forms, comment function

9.1 Contact forms

If you use the contact forms on our website or send us an e-mail, we process your personal data. This information as well as your IP address and the date and time of the contact request are transmitted by your browser or

e-mail client and stored in our systems. Your request cannot be answered without such processing of your personal data. The collection of technical data is necessary to prevent misuse of the contact form and to ensure the security of our systems.

The personal data are erased periodically. We do not merge this personal data with other data sources. Data will not be passed on to third parties unless necessary to answer your enquiry.

9.2 Comment function

You may comment on blog posts on our website, provided you log in with your user name and e-mail address. If you submit such a comment, your personal data (e-mail address, selected user name, website, if applicable) as well as your IP address and the time the comment is sent by your browser will be transmitted to us and stored in our systems. The storage of the IP address and the time the comment was made serves to guarantee the security of our systems. Your personal data will be stored for as long as is necessary for the comment function. We do not merge this personal data with other data sources. Data will not be passed on to third parties.

10. Copyrights

The entire content of this website is either copyrighted Copyright ©2021 Careum Foundation and affiliated companies according to the Imprint, or the Careum Foundation has received a licence to use the non-copyrighted parts of the website. Subject to strict reservation of all rights. We also refer to our Terms of Use for this website.

11. Disclaimer

With regard to our liability in relation to the use of this website, we refer to our Terms of Use.

12. Up-to-dateness and changes

Due to the further development of our website, the implementation of new technologies, changes to our internal processes or the adaptation to changed legal framework conditions, it may be necessary to amend this Privacy Policy. We therefore reserve the right to amend this Privacy Policy at any time in compliance with data protection regulations and laws.

As the Privacy Policy may change, we recommend that you visit this page from time to time to find out about the current status of the Privacy Policy.

The latest version of the Privacy Policy can be accessed on our website without restriction at any time.

The currently valid Privacy Policy is written in German. The translated versions we may also provide are only for information and better comprehensibility. In the event of disputes, the German text is legally binding and takes precedence over the other language versions.