With the following information, we would like to give you an overview of how we process your personal data and of what your rights are under data protection law. Specific data processed and the manner in which data is used essentially depend on the services agreed on in each case.

Data Protection of IAP

Recitals

a) Who Are We?
The IAP Institute of Applied Psychology is an institute of ZHAW Zurich University of Applied Sciences.

b) To Whom Does This Data Protection Statement Apply?
When we process personal data, this means that we collect, store, use, transmit, or delete it.

This Data Protection Statement applies to the personal data of the following individuals:

• Interested parties and clients of the IAP who are natural persons; and
• All other natural persons who are in contact with the IAP, such as authorized representatives, legal guardians, messengers, as well as representatives or employees of legal entities, but also visitors to our website and persons who register on our website or via our apps.
• This information also applies to legal entities until such time as this Data Protection Statement may be amended.

1. Who is responsible for data processing, and who can I contact?

Responsible unit:

ZHAW Zurich University of Applied Sciences
President’s Office
Gertrudstrasse 15
8401 Winterthur
datenschutz@zhaw.ch

2. What sources and data do we use?

In particular, we collect your personal data when you contact us, for instance as an interested party, an applicant, or a client. We process the personal data that we receive from our clients as part of our business relationship. We also process – to the extent necessary for the provision of our services – personal data that we lawfully obtain from publicly accessible sources (e.g. purchase of address data/foreign addresses for mailing campaigns, research on the Internet (e.g. for the search for keynote speakers or panel guests for events), etc.).

Relevant personal data are personal details (name, address and other contact data, date and place of birth, and nationality) and identification information (e.g. ID details). This may also include order data, data from the performance of our contractual obligations, marketing and sales data, documentation data, and other kinds of data comparable to the categories mentioned.

3. What do we process your data for (purpose of processing), and on what legal basis?

We process personal data in accordance with the provisions of the Information and Data Protection Act (Gesetz über die Information und den Datenschutz – IDG) of the Canton of Zurich, the Swiss Federal Act on Data Protection (FADP), and the EU General Data Protection Regulation (GDPR) – in each case inasmuch as the relevant regulations are applicable. Because the GDPR requires that each of these legal provisions be listed individually, the legal framework on which we will base our processing in each case is listed below, for cases subject to the GDPR. When processing personal data in accordance with the IDG or FADP, we will rely on the corresponding legal basis in these laws in each case.

a) Compliance with contractual obligations (Article 6 (1) b GDPR)

Data is processed in order to provide the services of IAP in the context of carrying out our contracts with our clients (e.g. in the area of continuing education and services in the fields of human resources, development, sport, leadership, coaching and change management, diagnostics, psychology of traffic and transportation and safety, occupational, student, and career counselling, clinical psychology, and psychotherapy), or to take steps prior to entering into a contract on request. The purposes of data processing mainly depend on the specific service, and may relate to activities such as training, diagnostics, consultation, and therapy. Further details regarding the purposes of data processing can be found in the relevant contract documents and the terms and conditions.

b) For the purposes of legitimate interests (Article 6 (1) f GDPR)

Where required, we process your data beyond the actual performance of the contract in order to protect our legitimate interests or those of third parties. Examples:

• Consultation and exchange of data with a view to providing the above services, such as in the case of assessments, where the IAP receives personal data and delivers the report/result to the contracting company, or in the case of an expert opinion about the withdrawal of a driver’s license, where the expert opinion is sent to the Road Traffic Office
• Reviewing and optimizing procedures for needs analyses for direct client contact
• Research
• Advertising or market and opinion research, where you have not objected to the use of your data
• Assertion of legal claims and defence in legal disputes
• Ensuring IT security and IT operations
• Prevention and investigation of criminal offenses
• Measures for building and plant security (e.g. access control)
• Measures to secure the right to enforce house rules
• Measures for business management and further development of services and products

c) Based on your consent (Article 6(1) a) GDPR)

As long as you have given us your consent to process your personal data for certain purposes (e.g. disclosure of data, evaluation of personal data for research and marketing purposes), the lawfulness of such processing is established on the basis of your consent. You have the right to revoke your consent at any time. This also applies to the revocation of declarations of consent that were issued to us before the GDPR came into force, i.e., before 25 May 2018. Revocation of consent does not affect the lawfulness of data processing undertaken before consent was withdrawn.

d) Based on statutory obligations (Article 6 (1) c GDPR) or in the public interest (Article 6 (1) e GDPR)

Furthermore, as an institute of ZHAW, we are subject to the provisions of the law on higher education as well as to the other legal requirements of Swiss law, which means that personal data may also be processed if this is required by law or if the processing is in the public interest. The basis for this is, in particular, Article 6 (a) of the Universities of Applied Sciences Act.

4. Confidentiality and security

Data you enter in a form is sent in unencrypted form. Therefore, it cannot be ruled out that data may be lost or seen by third parties, while being sent. Online transmission of personal data therefore occurs at your own risk.

The data transmitted by you will be stored on our servers, kept with all due care, and protected from access by third parties. Only those employees have access to your data who require it to perform their tasks.

The collected data is only gathered for the declared purpose in each case.

5. Newsletters

We would be pleased to inform you about current topics relating to the IAP and our products by means of our newsletters. To send you a newsletter, we will need at least your e-mail address, usually your name and gender, and, where necessary, your street address (in order to determine the applicable legal basis). If you would like to subscribe to one or more newsletters, you can enter this information in the fields provided. Once you have submitted this information, you will receive an e-mail from us sent to the e-mail address provided, with a confirmation link that you have to click to verify the e-mail address provided. You can unsubscribe from our newsletters at any time and thus revoke your consent to the further use of your data. You can unsubscribe from the mailing list via the link at the end of each IAP newsletter.

6. Who has access to my data?

Within the IAP, the offices that need your data to fulfil our contractual and legal obligations are given access to it. Service providers appointed by us (e.g. in accounting, the legal department, and the human resources department, and in systems such as CRM, contract management, etc.) and persons whose services are used to fulfil our obligations may also receive data for these purposes, provided they observe the respective duty of confidentiality. These include companies in the categories of IT services, logistics, printing services, telecommunication, advisory, consulting, sales, and marketing.

Regarding the forwarding of data to recipients outside the IAP, it must first be noted that, as the IAP, we are obliged to maintain confidentiality concerning all client-related facts and evaluations of which we gain knowledge. We may only pass on information about you if this is required by provisions of the law or by contractual regulations agreed upon in advance, and for which you have given your consent.

Subject to these conditions, recipients of personal data may be, for example:

• Public authorities and institutions (e.g. criminal prosecution authorities) where there is a legal or government obligation to provide the data;
• The ordering party of a specific expert opinion in order to fill a vacant position;
• Health insurance funds;
• Freelancers working on assignments, such as psychiatrists, coaches, advisors, project leaders, experts, supervisors, appraisers, translators, transcribers, trainees, lawyers, etc.; and
• Facilities within ZHAW for risk management based on legal or government obligations.

Other recipients of data may include instances for which you have given us your consent to transmit data to, or for which you have released us from the duty of confidentiality in an agreement or declaration of consent.

7. Is Data transmitted to a third country or to an international Organization?

Data is transmitted to offices in countries outside the EU (third countries) (e.g. as part of a research cooperation with foreign universities/organizations) if

• this is required by law, or
• you have given us your consent, or
• we have put appropriate guarantees in place through appropriate mechanisms (e.g. contracts).

8. For how long will my data be stored?

We process and store your personal data for as long as required to fulfil our contractual and legal obligations.

If data are no longer needed to fulfil our contractual and legal obligations, they are regularly deleted, unless their further processing – for a limited period – is necessary for the following purposes:

• To comply with commercial and tax archiving obligations, for example under the Swiss Code of Obligations (OR) and tax legislation. The time limits specified in these laws concerning storage and documentation are usually 10 years.
• To keep records within the context of statutory limitation periods. According to Article 127 et seqq. OR, these limitation periods can be up to 10 years. The retention period for degree certificates is even 50 years.

9. Data protection rights

You have different rights depending on the specific applicable legal basis. If IDG or FADP is applicable, your rights are governed by those regulations.

Where actions are initiated, that fall under the scope of the GDPR, the data subject has the right to access in accordance with Article 15 GDPR, the right to rectification in accordance with Article 16 GDPR, the right to erasure in accordance with Article 17 GDPR, the right to restrict processing in accordance with Article 18 GDPR, the right to object in accordance with Article 21 GDPR, and the right to data portability in accordance with Article 20 GDPR. In addition, data subjects have the right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR).

You have the right to revoke your consent to the processing of personal data by us at any time. This also applies to the revocation of declarations of consent that were issued to us before the GDPR came into force, i.e. before May 25, 2018. Please note that consent may only be revoked with effect for the future. Processing of data that took place before the revocation will not be affected by this revocation.

10. Am I obliged to provide data?

As part of our business relationship, you must provide the personal data required to establish and implement such a relationship and to fulfil the contractual obligations that it entails, as well as any personal data that we are required to collect by law. Without this information, we will generally not be able to conclude or execute the contract with you.

11. To what extent is there automated decision-making?

Generally, we do not use any fully automated decision-making to establish and implement the business relationship in accordance with Article 22 GDPR. Should such a procedure be applied in individual cases, we will inform you of this separately if the law so requires.

12. Does profiling take place?

We do partly process your data automatically in order to evaluate certain personal aspects (profiling). We use profiling in the following cases, for example:

• Test procedures, for example for assessments relating to security-relevant occupations
• We use evaluation tools to provide you with targeted information and advice on products. These allow us to provide needs-based communication and advertising, including market and opinion research.

13. Tracking cookies

The IAP uses tracking cookies. These register your IP address, the website from which you access our website, the type of browser software used, and the pages of the IAP website that you visit, including date and duration. Such tracking data do not allow conclusions to be drawn about individual users, so no individuals can be identified based on this data.

Cookies are files that are stored on a computer system via an internet browser. The data subject can at any time prevent the storage of cookies by our website by making an appropriate adjustment to the settings in the internet browser used, thus permanently blocking cookies from being set. Furthermore, cookies that have already been set can be deleted at any time via the internet browser or other software programs.

14. Plug-ins on social media platforms

Plug-ins of various third-party social media platforms (Facebook, Twitter, etc.) are integrated within the IAP website. When you access a website that contains plug-ins from such third-party providers, these plug-ins can automatically transmit data to these third-party providers. If the visitor to the website is logged onto the network of the respective third-party provider at the same time, their visit to the website can be assigned to that person’s user account, depending on the provider. The IAP has no control on the way in which such data is transmitted.

15. Information about the “like” button

On our website, use is made of the “like” button or forwarding function of Facebook, Twitter, LinkedIn, and Xing. If you are a member of Facebook, Twitter, LinkedIn, or Xing, you can indicate in your profile on those sites that you like our website or share it.

Facebook is operated by Facebook Incorporated (Facebook Inc.), a company based in the United States. Twitter and LinkedIn are also operated by companies based in the United States. Xing is operated by a company based in Germany. When visiting websites with a “like” button or the aforesaid forwarding function, your browser establishes a direct connection with the servers of Facebook Inc., Twitter, LinkedIn, or Xing. This means that Facebook Inc., Twitter, LinkedIn, and Xing are able to obtain user data about you and specifically to store such data. If you are logged into the respective platform while accessing the website, it can also assign your user data to your profile.

As soon as you press the “like” button or initiate the aforesaid forwarding function, we no longer have any influence on the user data that Facebook Inc., Twitter, LinkedIn, and Xing may collect about you. For more information about the purpose, scope, and method of processing of data collected, please refer to the respective data use guidelines of the above-mentioned platforms.

16. Amendments to the Data Protection Statement

We reserve the right to amend this Data Protection Statement at any time. The date of the last update can be found at the end of this Data Protection Statement.

As at: June 2019