Data protection

I. Scope and Respective Controllers

This privacy policy informs you about the type, scope, and purposes of the processing of personal data (hereinafter referred to as “Data”) in connection with our services, namely in the field of recruitment and personnel placement, as well as our related online offering on the website www.avales.ch and its associated functions and contents as well as external online presences, such as our social media profiles (hereinafter collectively referred to as “Online Offering”).

Depending on which of our locations you obtain services from, an employee (together “We”) is responsible for data processing:
 
AVALES AG
Hagenholzstrasse 56
8050 Zurich

Phone +41 43 344 31 50

The operator of the website, and thus responsible for data protection in connection with the Online Offering, is Avales Wilhelm AG, Zurich.

Please note that the contents of our website are directed at users who have reached the age of 16. We do not knowingly collect personal data from children under 16 years of age. Persons who use our website or otherwise transmit personal data to us declare that they are 16 years of age or older or are acting with the consent of their legal guardian.

This privacy policy does not apply to other websites, in particular not to those of third-party providers, even if they are linked to the website www.avales.ch or we refer to them in any other way (so-called “Third-Party Sites”). Avales Wilhelm AG, Zurich can influence neither the content nor the data protection practices of Third-Party Sites and is therefore responsible for neither their content nor their data protection practices.

Imprint: www.avales.ch/impressum

---

II. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to that person.

“Processing” means any operation with personal data, irrespective of the means and procedures applied, in particular the collection, recording, storage, retention, use, modification, disclosure, archiving, deletion, or destruction of data.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of data.

“Processor” means a natural or legal person, public authority, agency, or other body which processes data on behalf of the controller.

---

III. Legal Bases

Insofar as a specific legal basis is required, our data processing is generally based on one or more of the following grounds, whereby it always depends on the individual case:

• Your consent.
• Necessity for the conclusion, performance, or fulfillment of a contract concluded with you, in particular the provision of our services.
• Necessity for compliance with a legal obligation to which we are subject.
• Necessity for the purposes of safeguarding our legitimate interests or those of third parties.
• Establishment, exercise, or defense of (alleged) legal claims and the like.

---

IV. Types and Origin of Processed Data

The types of data processed by us can be roughly divided into three groups:

A. Website User Data

This refers to data of visitors to our website and users of our online offerings. This may include, in particular, the following data:

• Inventory data (e.g., name, address).
• Contact data (e.g., e-mail, telephone number).
• Content data (e.g., text inputs, photographs, videos).
• Usage data (e.g., visited websites, interest in content, access times).
• Meta/communication data (e.g., device information, IP addresses).

B. Customer Data

This refers to the data of our customers who use our personnel consulting and recruitment services or are in contact with us regarding a possible use of these services. This may include, in particular, the following data:

• Inventory data of the customer and their contact persons (e.g., names, addresses).
• Contact data of the customer and their contact persons (e.g., e-mail, telephone numbers).
• Creditworthiness data.
• History of the business relationship (e.g., services provided, invoice data, correspondence, preferences and requirements regarding candidates, information on placed candidates).

C. Candidate Data

This refers to data of persons who wish to be placed by us for the filling of open positions at our customers. This may include, in particular, the following data:

• Inventory data (e.g., name, address).
• Contact data (e.g., e-mail, telephone numbers).
• Application data (e.g., information contained in the CV, certificates, diplomas, references, as well as all other information submitted in connection with an application).
• Data from the application process (e.g., evaluations, assessment reports, information on the conclusion of employment or a rejection).

Basically, we receive the data from you by you communicating it to us. We collect certain website user data as soon as you access our website and while you use our website, in particular through the use of cookies (more information on this can be found below in the section “Special Information Regarding IT Services”).

---

V. Purposes of Processing

A. Website User Data

We process website user data for the following purposes:

• Provision of the online offering, its functions, and contents.
• Enabling an optimal user experience of our website.
• Answering contact requests and communicating with users.
• Security measures.
• Analysis of the use of our website, reach measurement, marketing.

B. Customer Data

We process customer data for the following purposes:

• Establishment and management of the customer relationship.
• Communication with the customer.
• Personnel placement and other services within the scope of service provision.
• Invoicing, debt collection, credit assessment.
• Marketing, including invitations to events.

C. Candidate Data

We process candidate data for the following purposes:

• Review of application documents and clarification of suitability for one or more specific positions.
• Placement of the candidate with our customers for the positions desired by him/her.
• Communication with the candidate.

D. Further Purposes

We use your name and email address for sending our newsletter and information of a promotional nature. The details are explained below in the chapter “Newsletter”.

We may use all data for the protection of our rights against you or third parties, insofar as we have a legitimate interest therein; namely for the defense against lawsuits or for the enforcement of claims in court.

We will inform you separately about any further purposes, insofar as this is possible and we are obliged to provide information.

---

VI. No Automated Individual Decisions

We generally do not use automated individual decisions, including profiling. Should we nevertheless do so in individual cases, we will inform you separately.

---

VII. Data Processors and Third Parties

A. Disclosure to Third Parties

We pass on candidate data to our customers for the purpose of placing the candidate in the desired positions. Should a customer wish for an assessment of a candidate by third parties (e.g., Avales Wilhelm AG), we will only pass on the candidate data after prior information and consent of the candidate for the purpose of conducting the assessment.

Otherwise, we do not pass on the data processed by us to third parties; nor do we sell your data.

Exceptions may exist if we mandate third parties to protect our rights based on our legitimate interests (e.g., lawyers) or commission a debt collection agency, or if we are obliged by legal regulations or official orders to disclose data (for example to authorities).

B. Data Processors

For the handling of certain business processes that may involve the processing of data, we engage external third-party service providers (for example for the operation and design of our website, for the operation of our e-mail servers, for the storage of our business data, the analysis of the use of our website, etc.). The processing of your data by such data processors takes place on the basis of agreements that we have concluded with them, and in compliance with legal requirements.

A list of our current data processors can be found here.

Show Data Processors

Wilhelm Group

• Wilhelm Avales AG, Bern
• Wilhelm Avales AG, Basel
• Wilhelm Avales AG, St. Gallen
• Wilhelm Avales AG, Vaduz (FL)
• Wilhelm Avales AG, Zurich

Third-Party Providers

• Alphabet Inc.
• HR4you
• Keel Marktideen AG
• Level East AG
• MailChimp Inc.
• Microsoft

---

VIII. Transfers to Third Countries

The processing of data generally takes place in Switzerland and Liechtenstein as well as on servers in Germany. However, engaged service providers (see above) may be located abroad or process data abroad. This may involve countries whose legally guaranteed level of data protection is lower than in Switzerland, such as the USA. However, we generally do not pass on personal data to international organizations within the meaning of Art. 4 No. 26 GDPR.

Such a transfer of personal data to countries outside the European Union (EU) or the European Economic Area (EEA) takes place in accordance with Art. 16 ff. FADP (DSG) and Art. 44 ff. GDPR. This means in particular that either the transfer takes place to countries whose legislation, according to the finding of the Federal Council and the competent EU Commission, has a sufficient level of data protection, or that suitable legal safeguards are taken. Such safeguards primarily include the conclusion of an agreement with the data recipient abroad based on EU Standard Contractual Clauses.

Please note that under certain circumstances, due to legal regulations or official orders, we may be obliged to disclose data to recipients abroad (for example to authorities).

---

IX. Retention Period

A. General

We retain processed data as long as this is justified by the purpose of the data processing, required by applicable laws, or necessary due to any assertion of legal claims or defense against claims or due to official proceedings. As a rule, the retention period does not exceed 10 years, but may also cover a longer or significantly shorter period. After the expiration of the retention period, the relevant data will be deleted, destroyed, or anonymized.

B. Candidate Data

In the event of a rejection, candidate data will be deleted within 6 months from the time of rejection, with the exception of inventory and contact data. Upon the candidate’s request, we will keep the candidate data in our executive pool for the purpose of later job placement as long as no revocation occurs.

In the event of a successful placement, we retain the candidate data for 10 years.

---

X. Rights of Data Subjects

You have various rights regarding our processing of data:

• Right of access: You can request information from us at any time as to whether and which data we process about you, for what purpose and based on which legal basis we do so, where the data comes from if we did not collect it directly from you, to which third parties we have disclosed your data, and to which countries we have transferred your data. The deadline for providing information is usually 30 days.
• Right to data portability: If we process certain data automatically and based on your consent or in direct connection with the conclusion or performance of a contract with you, you can request that the data be issued or transferred in a structured, common, and machine-readable format.
• Right to rectification: You can request the correction of your data from us at any time.
• Right to restriction of data processing: You have the right to request that a specific form of processing of your data, its processing for specific purposes, or its processing altogether be omitted. However, such a request only affects the future processing of your data and has no effect on the lawfulness of the previous processing.
• Right to deletion: You have the right to request the deletion or destruction of the data collected about you at any time. Such a request has no effect on the lawfulness of the previous processing of your data.

The exercise of such rights generally requires that you clearly prove your identity.

A restriction of data processing or a deletion of your data may under certain circumstances lead to you not being able to use certain contents or functions of the website www.avales.ch or to us not being able to provide certain services to you or only to a limited extent. This means, for example, that we may not be able to consider a candidate for a placement.

Please also note that in individual cases, the rights listed here may be restricted due to legal regulations or justifications on our part.

---

XI. Data Security

We take appropriate technical and organizational measures to achieve a level of data protection appropriate to the risk. In doing so, we take into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects.

Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access, input, disclosure, assurance of availability, and separation concerning the data. However, 100% security is not possible.

Candidates can submit their applications to us via an online form on our website. The data is transmitted to us in encrypted form according to the state of the art. Furthermore, candidates can submit their applications to us via email. However, we ask you to note that emails are generally not sent in encrypted form and candidates must ensure encryption themselves. We can therefore assume no responsibility for the transmission path of the application between the sender and the receipt on our server and therefore recommend using our online form. Alternatively, candidates have the option of sending us the application by post.

---

XII.  Special Information Regarding IT Services

A. Cookies and Objection

“Cookies” are small files that are stored on users’ computers. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online offering and closes their browser. Such a cookie can store, for example, the content of a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies are those that remain stored even after the browser is closed. For example, the login status can be saved if users visit it after several days. Likewise, the interests of users can be stored in such a cookie, which are used for range measurement or marketing purposes. “Third-party cookies” are cookies that are offered by providers other than the controller who operates the online offering (otherwise, if they are only their cookies, they are called “first-party cookies”).

We may use temporary and permanent cookies.

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offering.

A general objection to the use of cookies used for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US site www.aboutads.info/choices/ or the EU site www.youronlinechoices.com. Furthermore, the storage of cookies can be achieved by switching them off in the browser settings. Please note that in this case, not all functions of this online offering may be used.

B.  Collection of Access Data and Logfiles

We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server logfiles) based on our legitimate interests. Access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

Logfile information is stored for security reasons (e.g., to investigate misuse or fraud) for a maximum period of 12 months and then deleted. Data whose further retention is necessary for evidentiary purposes is excluded from deletion until the final clarification of the respective incident.

C. Google Tag Manager

Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus integrate e.g., Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process personal data of users. With regard to the processing of users’ personal data, reference is made to the following information on Google services. Usage guidelines: www.google.com/intl/de/tagmanager/use-policy.html.

Please note that our influence on the processing of your personal data by Google is limited to making user settings. We can therefore assume no responsibility and in particular no liability for any further processing of your personal data by Google.

D. Google Analytics

In order to safeguard our legitimate interest in the analysis, optimization, and economic operation of our online offering, we use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the online offering by users is usually transmitted to a Google server in the USA and stored there.

Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on activities within this online offering, and to provide us with further services associated with the use of this online offering and internet usage. In doing so, pseudonymous user profiles of users can be created from the processed data.

We only use Google Analytics with IP anonymization activated. This means that the IP address of users is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection of the data generated by the cookie and related to their use of the online offering to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: tools.google.com/dlpage/gaoptout.

For further information on data use by Google, setting and objection options, please refer to Google’s privacy policy (https://policies.google.com/technologies/ads) as well as the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Please note that our influence on the processing of your personal data by Google is limited to making user settings. We can therefore assume no responsibility and in particular no liability for any further processing of your personal data by Google.

E. Google AdWords and Conversion Measurement

In order to safeguard our legitimate interest in the analysis, optimization, and economic operation of our online offering, we also use the following services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).

We use the online marketing procedure Google “AdWords” to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the ads. This allows us to display ads for and within our online offering more specifically in order to present users only with ads that potentially correspond to their interests. If, for example, a user is shown ads for products in which he was interested on other online offerings, this is referred to as “remarketing”. For these purposes, when our and other websites on which the Google advertising network is active are accessed, a code is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also referred to as “web beacons”) are integrated into the website. With their help, an individual cookie, i.e., a small file, is stored on the user’s device (comparable technologies can also be used instead of cookies). In this file, it is noted which websites the user has visited, what content he is interested in, and which offers the user has clicked on, as well as technical information on the browser and operating system, referring websites, visit time, and further information on the use of the online offering.

Furthermore, we receive an individual “conversion cookie”. The information obtained with the help of the cookie serves Google to create conversion statistics for us. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page tagged with a conversion tracking tag. However, we do not receive any information that personally identifies users.

The data of users is processed pseudonymously within the Google advertising network. That is, Google does not store and process, for example, the name or email address of users, but processes the relevant data cookie-related within pseudonymous user profiles. That is, from Google’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymization. The information collected about users is transmitted to Google and stored on Google’s servers in the USA.

For further information on data use by Google, setting and objection options, please refer to Google’s privacy policy (https://policies.google.com/technologies/ads) as well as the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Please note that our influence on the processing of your personal data by Google is limited to making user settings. We can therefore assume no responsibility and in particular no liability for any further processing of your personal data by Google.

F.  Google Maps

We integrate the maps of the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed by the Google Maps service may include, in particular, users’ IP addresses and location data, the collection of which is generally dependent on the settings of the user’s mobile device. The data may be processed in the USA. The responsibility for data processing lies with Google; their privacy policy can be found here: www.google.com/policies/privacy/, Opt-Out: adssettings.google.com/authenticated

G. Google reCAPTCHA

To protect your inquiries via internet form and to secure the ordering and payment process, we use the Google reCAPTCHA service on our website provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Nature and purpose of processing: The query serves to distinguish whether the input is made by a human or abusively by automated, machine processing (so-called “bots”). This serves the security of our website, in particular:

• Protecting the contact form from spam.
• Protecting the shopping cart and the “checkout” process from fraudulent transactions and automated attacks (e.g., “carding” or “brute force” attacks).

We primarily use reCAPTCHA v3, which works in the background and analyzes user interactions without interaction (invisibly). If the system detects a risk, it automatically switches to reCAPTCHA v2, where the user has to solve an image task or click a checkbox (“I am not a robot”) (fallback solution).

For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics (e.g., IP address, duration of stay, mouse movements, or clicks). This analysis begins automatically as soon as the website visitor accesses a corresponding subpage.

Legal basis: The processing is carried out on the basis of Art. 6 Para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its web offers from abusive automated spying, spam, and fraud (especially during the payment process via PayPal/WooCommerce).

Recipients: The collected data is transmitted to Google and processed there.

Third country transfer: Data processing may also take place in the USA. Google relies on the EU-US Data Privacy Framework (DPF) for data transfers to the USA, provided the company is certified, or on standard contractual clauses of the EU Commission. Further information on Google reCAPTCHA and Google’s privacy policy can be found at the following links: https://policies.google.com/privacy?hl=en and https://www.google.com/recaptcha/about/.

---

XIII. Newsletter

A. Registrations and Right to Revoke at Any Time

We use your name and your e-mail address to send our newsletter and other information of a promotional nature. We only do this with your consent: Registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no one can register with someone else’s e-mail address. Registrations for the newsletter are logged because we have a legitimate interest in being able to prove the registration process in accordance with legal requirements. This includes the storage of the time of registration and confirmation, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.

You can unsubscribe from receiving our newsletter at any time, i.e., revoke your consent. You will find a link to unsubscribe from the newsletter at the end of each newsletter. In the event of a revocation, we store the necessary data to be able to prove that you agreed to the shipment until the revocation, as we have a legitimate interest in being able to provide this proof.

B. Sending via External Service Provider

The newsletters are sent via the shipping service provider “MailChimp”, a newsletter shipping platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view the privacy policy of the shipping service provider here: mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with the European data protection level (https://www.privacyshield.gov).

The shipping service provider may use the data of the recipients in pseudonymous form, i.e., without assignment to a user, to optimize or improve its own services, e.g., for the technical optimization of the shipping and the presentation of the newsletter or for statistical purposes. However, to our knowledge, the shipping service provider does not use the data of our newsletter recipients to write to them itself or to pass on the data to third parties.

C. Performance Measurement

The newsletters contain a so-called “web beacon”, i.e., a pixel-sized file that is retrieved from our server when the newsletter is opened, or if we use a shipping service provider, from their server. Within the scope of this retrieval, technical information, such as information on the browser and your system, as well as your IP address and time of retrieval are initially collected.

This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or the access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened, and which links are clicked. Although this information can be assigned to individual newsletter recipients for technical reasons, it is neither our endeavor to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

Unfortunately, a separate revocation of the performance measurement is not possible; in this case, the entire newsletter subscription must be canceled.

---

XIV. Online Presence in Social Media

We maintain online presences within social networks and platforms in order to communicate with customers, interested parties, and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply, who are responsible for data processing.

Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g., write posts on our online presences or send us messages.

---

XV. Updates to this Privacy Policy

From time to time, we update this privacy policy at our discretion. In such a case, we will make the updated version of this privacy policy available on our website. The updated privacy policy applies only to data processing that takes place after the effective date of the updated version. Please check our website for any updates. By continuing to use our website and disclosing your personal data after the publication of the updated version of this privacy policy, you accept the changes made.

---

XVI. Contact

The Data Protection Officer and your contact person for data protection concerns is:
Andreas Rudolph, Co-owner and Managing Director of Avales AG
Andreas Rudolph

August 1, 2023