DATA PROTECTION PROVISIONS
General Privacy Notice of Heidi Pay Switzerland AG
In this Privacy Notice we, Heidi Pay Switzerland AG (“HeidiPay”), describe how we collect and process your personal data. This Privacy Notice is not necessarily a comprehensive description of such processing; other data protection statements (in particular in the context of the credit application process) may be applicable.
This Privacy Notice is aligned with the revised Federal Act on Data Protection («FADP»).
1. Identity and Contact Details of the Controller
The "controller" of data processing as described in this Privacy Notice (i.e., the responsible person) is Heidi Pay Switzerland AG, . You can notify us of any data protection related concerns using the following contact details: privacy@heidipay.com.
2. Collection of Personal Data
2.1 Definition of Personal Data
The term "personal data" as used in this Privacy Notice means any information relating to an identified or identifiable natural person (“data subject”).
2.2 Direct Collection from Data Subjects
If you provide us with personal data of other persons (e.g., family members, work colleagues), please make sure that they are aware of this Privacy Notice and only provide us with their data if you are authorized to do so and this personal data is correct.
2.3 Indirect Collection from Third Parties
To the extent we are permitted to do so and it is necessary for the respective purposes (Section 3), we obtain certain personal data about you from publicly available sources (e.g., debt collection register, land register, commercial register, press, internet) or we obtain such information from public authorities or other third parties (, Information Office for Consumer Credit [“IKO”], Central Office for Credit Information [“ZEK”], tax offices, Child and Adult Protection Authorities [“KESB”], credit brokers, landlords, employers, banks, Compass Group Companies).
Apart from the data you provide to us directly, the categories of data we receive about you from third parties may include, but are not limited to,
- from public registers (e.g., authority to sign for the company you represent),
- related to your financial situation (e.g., income, budget, debts, credit rating),
- in connection with administrative or judicial proceedings,
- related to your professional role and activities (e.g., to enter into and perform contracts with your employer),
- about you in correspondence and conversations with third parties,
- about you provided to us by persons associated with you (family, consultants, legal representatives, etc.) for the purpose of entering into or performing contracts with you or with your involvement (e.g., references, powers of attorney),
- about legal requirements such as anti-money laundering and export restrictions,
- in connection with your orders and purchases of goods and/or services from our business partners (e.g., merchants) or a revocation or cancellation of such contracts,
- about you that can be found in the media or on the internet (e.g., in connection with media reports, marketing/sales, etc.), your address and any interests and other socio-demographic data (for marketing purposes).
3. Purposes of the Data Processing
We use the personal data we collect primarily to enter into and perform contracts with our customers and business partners, particularly in connection with the to our customers and the procurement of products and services from our suppliers and subcontractors, as well as to comply with the applicable domestic and foreign legal obligations (e.g., anti-money laundering obligations, reporting obligations under the Federal Law on Consumer Credit). You may be affected by our data processing activities both in your capacity as a customer of ours (e.g., borrower) and as an employee of a customer or business partner.
In addition, we may process your personal data and the personal data of third parties in accordance with applicable law and for the following purposes that are in our interest (and, as the case may be, in the interest of third parties),
- communicating with you (e.g., answering your queries and providing customer support);
- market research and product development (e.g., conducting customer surveys and studies as well as analyzing, optimizing, and developing our products and services, websites, apps and other platforms);
- advertising and marketing unless you have objected to the use of your data for this purpose (if you belong to our client base and receive our advertising, you can object by sending an email to privacy@heidipay.com or clicking on the unsubscribe link at the bottom of our marketing emails, and we will put you on a blacklist against further advertising mailings); our advertising may relate to both our own offers and offers from third parties such as other companies of the Compass Group. Advertising may also be personalized in order to send you only such information that may be of interest to you;
- communicating with third parties and processing their requests;
- assertion of legal claims and defense in legal disputes and official proceedings;
- prevention and investigation of crime and other misconduct (e.g., conducting internal investigations, data analysis to combat fraud);
- ensuring our operation, including our IT, our websites, apps and other devices;
- video surveillance to protect our domiciliary rights and other measures to secure our premises, facilities and assets as well as to protect our employees and other persons (e.g., access controls, visitor logs, network and mail scanners, telephone recordings);
- acquisition and divestment of business divisions, companies or parts of companies and other corporate transactions and the related transfer of personal data, as well as corporate governance measures and compliance with legal and regulatory obligations.
4. Recipients of Personal Data
In the course of our business and in accordance with the purposes of the data processing set out in Section 3, we may disclose your personal data to third parties where such disclosure is permitted and where we consider it appropriate for them to process the data on our behalf and, as the case may be, for their own purposes. The following categories of recipients may be involved:
- merchants (e.g., in the context of credit agreements);
- financial institutions (e.g., domestic and foreign banks);
- credit agencies (e.g., for queries and reports);
- service providers (e.g., IT providers, web-hosting agencies, marketing agencies);
- credit brokers, suppliers, subcontractors and other business partners;
- domestic and foreign authorities or courts;
- competitors, industry organizations, associations, and other bodies;
- audit firms, consultants, lawyers;
- acquirers or parties interested in the acquisition of (parts of) HeidiPay;
- other parties to potential or pending legal proceedings.
5. Transfer of Data Abroad
The recipients pursuant to Section 4 are generally located in Switzerland or the European Economic Area (EEA). Exceptionally, however, they may also be in any other country in the world, e.g., in the US, where some of our service providers are located. These countries may not have laws that ensure an adequate level of data protection from a FADP perspective. If we disclose your personal data to a recipient in a country without adequate statutory data protection, we will ensure adequate data protection by means of appropriate contracts (EU Standard Contractual Clauses which the Federal Data Protection and Information Commissioner has approved, issued or recognized in advance) or by relying on a statutory exception (e.g. your consent, necessity for contract performance or for the establishment, exercise or enforcement of legal claims or an overriding public interest).
6. Data Retention
We process and store your personal data as long as it is necessary for the fulfilment of our contractual obligations and compliance with legal obligations or other purposes pursued with the processing (Section 3), for example, for the duration of the entire business relationship (i.e. from the initiation, during the performance of the contract until its termination) and beyond that in accordance with the statutory retention and documentation obligations. It is possible that personal data will be retained for the time during which claims can be asserted against our company or if other legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as the purposes and/or laws no longer require it, your data will be deleted or made anonymous.
7. Data Security Measures
We take appropriate measures in order to maintain the confidentiality, integrity and availability of your personal data as well as the traceability of its processing, and to protect it against unauthorized or unlawful processing, and to mitigate the risk of loss, accidental alteration, unauthorized disclosure or access.
8. Profiling
We may process your personal data in part automatically in order to evaluate certain personal aspects (profiling). Profiling enables us in particular to inform you more specifically about products that may be relevant to you. For this purpose, we may use analytical tools that enable us to identify your potential interests to target you with advertising. We may also use profiling in order to decide, on the basis of an individual credit assessment, whether and on what terms we enter into a credit agreement with you. In order to improve the quality of our analyses, we may also link personal data from various sources as a basis for profiling, e.g. data that you disclose to us and data that we receive from third parties (e.g. credit agencies).
9. Your rights
You can revoke consent you may have given to the processing of your personal data at any time with effect for the future by writing to the address given in Section 1.
You have the right to access, rectification and erasure as well as the right to receive certain personal data for the purpose of transfer to another controller. Please note that we reserve the right to invoke the restrictions provided for by law, for example if we are obliged to retain or process certain personal data, if we have an overriding interest or need the data to assert claims.
The exercise of such rights usually requires that you clearly prove your identity by providing us with a copy of your ID. To exercise your rights, you can contact us at the address indicated in Section 1.
As a data subject, you also have the right to enforce your claims in court or to file a complaint with the competent data protection authority. The competent data protection authority is the Federal Data Protection and Information Commissioner.
10. Amendments
We may amend this Privacy Notice at any time without prior notice. The current version published on our website shall apply.
Version effective as from September 1, 2023