Privacy Notice
We respect your privacy and are committed to protecting it through compliance with this privacy policy ("Privacy Notice").
Pursuant to article 19 of the Data Protection Act (hereinafter also referred to as the "DPA") and article 13 of the Data Protection Ordinance (hereinafter also referred to as the "DPA"), House of Wealth SA, as better identified below, as the "Data Controller", provides information on the processing of personal data of users who consult and/or interact with the web services accessible by electronic means from the address: https://houseofwealth.ch/ (hereinafter also referred to as the "Site") corresponding to the home page of the official House of Wealth SA Site.
The Privacy Notice is provided only for this Site and not for any other websites that may be consulted by the user via links and is intended for users of this Site. The Site may contain links to sites, services and other Internet resources belonging to third parties.
In this case, the Owner is in no way responsible for the contents, security and usability of such sites and resources; in particular, the Owner does not verify the policy, nor does it issue guarantees on the protection of privacy and personal data by said third parties. In compliance with the obligations dictated regarding the protection of personal data, this Site respects and protects the confidentiality of its users.
Preamble
Personal data
Any information about a data subject that identifies him or makes him identifiable. House of Wealth SA collects various types of personal data through its website, including but not limited to: name, surname, email address, telephone number, IP address.
Processing
shall mean any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data subject
is the identified or identifiable natural person. By way of example (which is not exhaustive), the data subject is the user who navigates on the platform and sends, through it, a request for information.
1. Personal data controller and contact
The Data Controller is House of Wealth SA, Piazza Colombaro no. 6, 6952 Canobbio, represented by the persons entitled to sign in accordance with the entries in the Cantonal Commercial Register (CHE- 223.636.405) hereinafter also referred to as the "Company" or the "Data Controller".
The list of data processors and any authorised persons is kept at the Controller's registered office and made available upon request by the data subject.
2. Personal data subject to processing
The Site may collect the following categories of personal data for the purposes described in this policy:
- personal and contact information of the user (such as, for example: name, surname, e-mail)
- information relating to the user's professional and educational profile, level of education and work experience contained in the CV, cover letter and any school evaluations and information relating to training, further education and professional development courses attended, whether of a compulsory, complementary or motivational nature, contained in the documentation submitted through the Site for the purpose of submitting an application
- information concerning the use of the Site, i.e. data concerning web pages (such as, for example, IP addresses of the user's device, browser information and characteristics (type, language, plug-ins installed, etc., cookies, etc.), the use of web pages, the unique identifiers of the user's mobile device, the duration of the stay on the Site, the services used, the links and messages activated, the browser characteristics;
- security and network data (e.g. visitor lists, access controls, e-mail network scanners, telephone call lists)
- any further information transmitted via the Site.
- It is recommended not to transmit information and/or documents containing personal data worthy of special protection to the Controller's e-mail address, as this is an insecure means of communication that does not guarantee the protection of confidentiality.
The user is advised that the use of e-mail does not ensure the confidentiality and integrity of data in transit as many e-mail service providers are located or hold their data in countries that do not guarantee adequate protection of personal data, and the use of such an e-mail service results in the transfer and storage of data in a country that does not guarantee adequate protection of such data.
The user authorises the Controller to transmit by ordinary (non-secured) e-mail documents and/or information, including those containing personal and/or confidential data, using the e-mail address provided by the user in response to user requests received by telephone or e-mail. The user, in full awareness of the risks mentioned above, releases the Controller from any liability in the event of unauthorised access by third parties to the documents and/or personal and/or confidential information transmitted or received by e-mail by the Controller.
3. Purpose of processing
The Controller may process the user's personal data for the following purposes:
- Navigating this website (https://houseofwealth.ch)
Activities aimed at operating the Site. In the course of normal operation, the system acquires certain personal data whose transmission is implicit in the use of Internet communication. This category of data includes the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. - To contact the user in response to a request sent by e-mail, by filling in the contact form or by telephone, and in particular to:
- forward the requested informative material or other possible communications;
- inform you of changes to this Website or updates to the Services;
- Select personnel and handle requests from interested parties following open positions or spontaneous applications;
- To ascertain liability in the event of hypothetical computer crimes to the detriment of the site;
- For legal, administrative and audit purposes and in particular to:
- fulfil legal or regulatory responsibilities;
- carry out legal and regulatory compliance audits;
- make disclosures to authorities, regulators and government bodies;
- To assert or defend a right in judicial, extrajudicial or administrative proceedings.
4. Legal basis and justification
In accordance with Art. 6 DPA, the Controller shall process the user's personal data within the applicable legal framework. The relevant legislation is the Federal Data Protection Act (DPA). Where required, and depending on the purpose of the processing activity, the processing of your personal data may be based on the following legal basis/justifications:
- to re-contact the user in response to the request submitted as well as for processing relating to recruiting activities, personnel selection: overriding interest of the controller, sub specie execution of pre-contractual-contractual measures (Arts. 6 (c)(7) and 31 (c)(1) DPA as well as Art. 6 (b) GDPR);
- with regard to navigation data on this website, to ascertain liability in the event of hypothetical computer crimes to the detriment of the website, for administrative or audit purposes, to assert or defend a right in judicial, extrajudicial, or administrative proceedings: overriding interest of the data controller - legitimate interest of the data controller (Art. 31 (c)(2) DPA and Art. 6 (f) GDPR) without unduly prejudicing the interests or fundamental rights and freedoms of the user and insofar as such personal data are necessary for the intended purpose
- with regard to processing carried out for legal purposes: legal obligation (Art. 31 (1) DPA and Art. 6 (c) GDPR);
- in some cases, if necessary for the performance of a task carried out in the public interest.
5. Methods of processing personal data
In relation to the purposes described above, personal data are processed by means of manual, computerised and telematic tools, in any case, in such a way as to guarantee the security and confidentiality of the data. It may be collected, recorded, stored, organised, processed, profiled for organisational purposes, selected, extracted, compared, interconnected, communicated, blocked, deleted, destroyed.
6. Period of retention of personal data
In compliance with the provisions of Art. 6 (4) DPA, the Data Controller will store the user's personal data based on the principle of necessity of processing for the period necessary to carry out the above-mentioned purposes.
In particular:
- with regard to navigation data: for the period inherent to the navigation session;
- with regard to personal data and contact data issued at the time of the contact request: for the period of time necessary to fulfil the request made and, in any case, no longer than 7 days from the contact request or, if earlier, until the revocation of consent by the data subject
- as to the personal data contained in curricula: for a period not exceeding 12 months from the collection;
In any case, the processed data shall be kept for the entire duration of any extrajudicial and/or judicial proceedings, until the expiry of the time limit for judicial remedies and/or appeals. A check on the obsolescence of the retained data in relation to the purposes for which they were collected is carried out periodically and, once the aforementioned retention periods have expired, the data are deleted or anonymised. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be applied after the retention period has expired.
7. Data Security
All Company personnel who have access to personal data are required to comply with internal rules and procedures concerning the processing of personal data in order to protect them and guarantee their confidentiality. The Data Controller has also implemented appropriate technical and organisational measures to protect personal data against destruction, loss, modification, misuse, unauthorised, accidental or unlawful disclosure or access, as well as against all other unlawful forms of processing (by way of example, disclosure of directives, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and data transmissions, pseudonymisation and controls).
8. Recipients of Personal Data
The Controller may transmit your personal data to third parties only if this is necessary to provide the requested service, if there is a legal or administrative obligation to do so, or if there is an overriding interest in the transmission of personal data. As part of the management of the Site, the Controller may share your personal data with the following categories of recipients: data processors; individuals acting under the authority of the Controller and the Data Processor for the purposes set out above; firms or companies in the context of assistance and consultancy relationships (e.g. legal); individuals who have the authority to process your personal data. legal); persons who have the right to access your data due to legal provisions, secondary or EU regulations; competent authorities for the fulfilment of legal obligations and/or provisions of public bodies upon request; service providers (e.g. IT service providers, hosting providers, suppliers, consultants, lawyers, insurance companies; third parties within the framework of legal or contractual obligations, such as authorities, state institutes, courts.
Third-party service providers are therefore required to comply with a number of technical and organisational security measures, regardless of their location, including measures relating to: (i) information security management; (ii) information security risk assessment; and (iii) information security measures (e.g. physical access controls, logical access controls; malware and hacking protection; data encryption measures; backup and recovery management measures). The third parties described above must process the personal data shared under this provision in accordance with the purpose for which such data was originally collected and at least to the same level of protection as in Switzerland.
9. Transfer of personal data outside the Swiss Confederation
The personal data of users, in addition to being kept in Switzerland, may be transferred to the USA as the Data Controller uses the Google Analytics application for its website, i.e. a website analysis service of Google LLC, Mountain View, California, USA, although Google Ireland Limited is responsible for Europe and Switzerland.
For the sake of completeness, we point out that, pursuant to Arts. 16 and 17 DPA, the transfer of personal data may only be communicated abroad if the Federal Council has found that the legislation of the recipient state or international organisation guarantees adequate data protection, or if the data subject has given his or her consent; the disclosure is in direct connection with the conclusion or execution of the contract; the disclosure is necessary for the protection of an overriding public interest or to ascertain, exercise or assert a right before a court or a competent foreign authority; the disclosure is necessary to protect the life or physical integrity of the data subject or a third party; the data subject has made the personal data accessible to anyone; the data originates from a register provided for by law that is accessible to the public or to persons with an interest worthy of protection.
The Company also specifies that users' personal data will not be transferred to third countries that do not have the same data protection laws as the country where the information was initially provided. For this reason, the Data Controller has taken steps to expressly request that Microsoft's M365 servers be located in Switzerland (Geneva and/or Zurich).
10. Rights of the data subject
In accordance with the DPA, the Controller grants the user the following rights (non-exhaustive list):
- to undergo transparent processing (Arts. 19-21 DPA)
- to obtain confirmation as to whether or not personal data are being processed and, if so, to obtain access to the personal data - including a copy thereof - and communication of, inter alia, the following information: the purpose of the processing, the categories of personal data processed, the recipients to whom the data have been or will be disclosed, the period of data retention, (right of access – Art. 25 DPA)
- obtain, without undue delay, the rectification of inaccurate personal data and/or the supplementation of incomplete personal data (right of rectification – Art. 32 (1), (3) and (4) DPA)
- obtain, without undue delay, the deletion of personal data (right to erasure - Article 32 (2)(c) DPA);
- receive personal data in a structured, commonly used and machine-readable format, transmit them to another data controller without hindrance and, where technically feasible, have personal data transmitted directly from the individual company to another data controller, if the processing is based on consent and is carried out by automated means (right to data portability – Art. 28 DPA)
- object to the processing at any time, on grounds relating to their situation (right to object – Arts. 30 (2)(b) and (3) DPA). If this right is exercised, the data controller will refrain from further processing of personal data, provided that there are no compelling legitimate grounds for processing nonetheless;
- obtain restriction of processing (right to restriction of processing) where the accuracy of personal data is contested (for the period necessary for the data controller to verify the accuracy of the personal data) or where the data subject has objected to the processing (pending verification as to whether the data controller's legitimate reasons prevail over those of the data subject)
- to assert one's own point of view with regard to automated decisions and in particular to demand a review of the decision by a human being (right not to be subjected to an automated individual decision – Art. 21 DPA)
- to lodge a complaint with the competent authority (in Switzerland the Federal Data Protection and Information Commissioner - FDPIC)
- if neither the correctness nor the inaccuracy of personal data can be proven, request the addition of a note to indicate the objection;
- request that the rectification, destruction, blocking, especially communication to third parties, in addition to the note on the objection or ruling be communicated to third parties or published;
- have the processing of personal data declared unlawful.
11. How to exercise rights
To exercise your rights, you may send a request by contacting the Controller by e-mail or by post (enclosing a copy of your identity card or passport for identification purposes) to the following addresses: House of Wealth SA, Piazza Colombaro no. 6, 6952 Canobbio - email address: privacy@houseofwealth.ch.
The Data Controller will comply with any such requests, revocations or objections as required by applicable data protection regulations, unless the Data Controller is obliged to retain/process certain data in the presence of an overriding interest or is required to assert certain rights.
12. Personal Data Protection Contact Person
The Data Controller has appointed a data protection contact person, who can be contacted at the address of the Data Controller indicated above (House of Wealth SA, Piazza Colombaro No. 6, 6952 Canobbio) or by sending an e-mail to privacy@houseofwealth.ch.
13. Modification of the data protection declaration
The Controller reserves the right to change, update, add or remove parts of this policy at its own discretion and at any time.
Effective date: 01/07/2024