Data Protection

1.1 Responsible for your personal data is FROX AG, Seestrasse 88, CH-8712 Stäfa, Phone +41 55 254 12 54

1.2 If you are in a pre-contractual or contractual business relationship with a subsidiary of FROX AG or are applying for a position at a subsidiary of FROX AG, the respective subsidiary is responsible for your personal data. This data protection declaration also applies to the corresponding personal data processing by the subsidiary.

1.3 The company data protection advisor is at the aforementioned address (see section 1.1) and at the email address datenschutz@frox.ch reachable.

1.4 If we require a representative in the EU, we have appointed Bucher & Suter AG, Stubenwald-Allee 19, D-64625 Bensheim, Tel. +49 6251 8622 500, info@bucher-suter.de as such .

1.5 If a subsidiary of FROX AG requires a representative in Switzerland for data protection purposes, the company specified in Section 1.1 is its Swiss representative.

2.1 Categories of personal data

When you access the website, the browser you use automatically sends information to our website server. This information is temporarily stored in a so-called log file. The following information is recorded and stored until it is automatically deleted:

• IP address, including country
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• amount of data transferred in each case
• Website from which the request comes
• Browser
• Operating system and its interface
• Language and version of the browser software

In addition, when you visit our website, we automatically use cookies that are necessary for the website to function properly. Our Cookie Policy informs you which cookies we use and when they will be deleted.

2.2 Purpose of processing

We process the aforementioned data to ensure a smooth connection setup and user-friendly use of the website, to ensure network and information security, to evaluate system security and stability as well as for administrative purposes and as part of consent management (selected cookie settings). In addition, our users’ data is evaluated in an anonymous form. This allows us to better adapt our content and offers to the needs of our users.

You are not legally or contractually obliged to provide us with your personal data. However, we need the data to enable you to use the full functionality of our website.

2.3 Legal basis for processing

The legal basis for data processing is the protection of our legitimate interest. The legitimate interest follows from the aforementioned purposes for data collection. We do not use the data to draw conclusions about you personally.

2.4 Cookies

We use cookies and tracking services on the website. In this way, we want to ensure a needs-based design and the ongoing optimization of our website. In this context, we would like to point out that you can adjust your browser settings to exclude tracking. To do this, you must activate the “Do not track” function in your browser.

Only the cookies and tracking technologies necessary for the proper functioning of our website are automatically applied. You can set the remaining cookies and tracking technologies yourself or switch them off completely. You can change your choice at any time. You can find further explanations in our Cookie Policy.

2.5 Registration for our newsletter

If you have consented to receiving our newsletter - as well as to receiving invitations to events and other information relevant to you - we will use your name and email address to send you this information electronically. As a rule, we first have you confirm your details by email (double opt-in).

You can revoke your consent at any time with future effect and unsubscribe from our newsletter. To do this, either use the link at the end of each newsletter or alternatively the email address of the data protection advisor mentioned above (Section 1.3). This means that we will no longer continue the data processing based on this consent in the future and will delete the relevant data (we reserve the right to use your data for another legitimate purpose).

2.6 Use of our contact form

If you have any questions, we offer you the opportunity to contact us using a form provided on the website. It is necessary to provide data such as a valid email address, name, country, company/company, etc. so that we know who and where the request comes from and can answer it accordingly. Further information is voluntary. As a rule, we first ask you to confirm your details by email before contacting us (double opt-in).

Data processing for the purpose of contacting us is based on your consent.

The personal data we collect when using the contact form is stored in our marketing tool and in our customer management system and assigned to the responsible department. This guarantees that your request will be processed quickly and professionally. Once the purpose for which you contacted us has been fulfilled and there is no further legal basis for processing, your information will be deleted.

2.7 Social Plugins

It is in our legitimate interest to use social plug-ins from social networks on our website for advertising purposes. The plug-ins are marked with the image/icon of the corresponding platform. The responsibility for data protection-compliant operation must be ensured by the respective provider. The plug-ins are only activated when you click on the corresponding buttons. The plug-ins establish a direct connection between your browser and the servers of the respective social network (Facebook, X [formerly Twitter], Google, etc.). We have no influence whatsoever on the nature and extent of the data that the plug-in transmits to the servers of the respective social network.

If the plug-in is clicked, the respective network is informed that you are visiting our website. There is a possibility that your IP address will be stored by the network. If you are logged into your respective network account (Facebook, X [formerly Twitter], Google, etc.) while visiting our website, the information mentioned will be linked to it.

Further information about how the individual plug-ins work and what information is collected can be found on the website of the respective provider.

2.8 Analysis by Lead Forensics

For the purposes of marketing and optimization, we use products and services of the company Lead Forensics (3000 Lakeside Harbour, Western Rd, Cosham PO6 3EN, Great Britain) on our website. Lead Forensics determines the actual course of your visit to this website, including all the pages you have visited or looked at and how long you spent on this site. Insofar as IP addresses are collected, these are rendered anonymous immediately after collection. On behalf of the operator of this website, Lead Forensics then uses the information collected to analyze your visit, compile reports regarding the website activities and provide to the website operator further services connected with the website use and the Internet use. Further information about data protection can be found at https://www.leadforensics.com/cookie-policy/. Insofar as we process personal data, we do so on the basis of our legitimate interests in order to improve the design of our website. The legal basis for this is the safeguarding of legitimate interests pursuant to Art. 6 (1) letter f) of the GDPR. By deactivating the performance cookies, this collection of the above-mentioned data is prevented.

3.1 Categories of personal data

We primarily process the following personal information:

• Master data (such as name and – if necessary, e.g. for creating a user account – date of birth), contact details (such as address details, telephone, email address, place of work, business card), signatures that you place under documents, powers of attorney submitted
• User accounts for the use of our systems, data required to grant access to our business premises
• Your role and your employer and – to the extent that this is relevant to the business relationship – your professional activities, experiences, qualifications and references as well as information about the services you have provided for us
• In certain cases (e.g. as part of cooperation with financial institutions) and only if lawful, we also receive debt collection or criminal record information from you (e.g. if the project in which you are involved requires such proof and we are the responsible person for this information); As a rule, this data is transmitted directly from you to the relevant organization and is therefore not processed by us
• Information about you in correspondence, email correspondence and meetings, opinions from you as well as your feedback, assessments and minutes made and collected in the course of business activities
• Data from consultants and partners of you and, if applicable, their employees
• in certain cases also financial data (such as bank account details, payment method and payment service provider) so that a payment can be made, or data from your insurance institution for the purpose of claims management
• Information in the context of judicial and out-of-court proceedings
• publicly available data

3.2 Origin of data

We receive your data from you directly or from the company that employs you. We also retrieve data from public registers or databases (such as commercial registers, the Internet). To the extent permitted, we also receive data about you from other companies in the Noser Group (recommendations, referrals, etc.), from authorities and other third parties.

3.3 Purpose of processing

We use the personal data collected to carry out our business activities. In particular, this includes the following areas:

• Conclusion and processing of contracts, including correspondence, invoicing, contract management, project development and management, protection and management of contractual claims (this also includes the use of IT tools and cloud solutions)
• Establishing and maintaining business relationships, including marketing (delivery of information about our offerings, invitations to events in our business area, greeting cards), maintaining contacts, correspondence, customer management, customer satisfaction surveys (this also includes the use of IT tools and cloud solutions as well as the implementation of webinars, training and education)
• Managing permissions and using our IT systems and internal tools
• Handling of damage and insurance claims
• Carrying out restructuring and company acquisitions and sales
• Securing our business activities and group management, such as: B. Storage, accounting, consulting with specialists on business incidents, fulfilling information obligations to administrative bodies and authorities, measures within the group, ensuring compliance, ensuring secure access to buildings and access to systems

3.4 Legal basis for processing

In most cases, you are not legally required to share your personal information with us. However, in some cases, failure to provide certain data may result in a breach of contract.

The legal basis for processing your personal data is primarily the negotiation, fulfillment and processing of contracts concluded with you or your employer.

We are also legally obliged to collect and process certain data, such as: B. for bookkeeping and accounting purposes.

Furthermore, processing your data may be necessary to protect our legitimate interests. This is the case, for example, when we

• approach our existing customers and partners as well as new customers as part of marketing campaigns,
• protect and enforce our legal rights,
• ensure the security and availability of our IT systems and other infrastructure,
• Execute or optimize business processes (including management and administration of the company and the group) as well as company acquisitions and restructurings,
• Share information with our service providers to perform certain tasks on our behalf.

Before we process data based on our legitimate interests, we ensure that your right to data protection does not outweigh our legitimate interests.

If you send your application via the website (job portal), please also note the information regarding the processing of your personal data as part of your website visit (see Section 2 of this data protection declaration).

4.1 Categories of personal data

We primarily process the following personal information:

• Salutation, first and last name
• Contact details such as telephone, address and email address
• the CV you created and the information attached to it, such as training details, skills and professional experience, qualifications and certificates; We provide learners with enclosed Multicheck and Stellenwerk tests
• When you contact us by email or via a contact form, the data you provide (your email address, if applicable your name, your telephone number, CV, personal request) will be stored and processed by us in order to answer your questions or to process your request.
• With your explicit consent, we carry out aptitude tests, such as behavioral profile analyzes (VPA); With the invitation to carry out the test, you will also receive specific information about the specifics of data processing in these cases
• other information that you voluntarily provide to us

At this point we would like to explicitly point out to you that if you enter into an employment relationship with us and provide services for our customers, the following personal data will be required from you in particular:

• Image for an employee professional profile with which you are presented to our customers for the purpose of providing services
• for certain orders: a current criminal record extract and/or debt collection register extract; If possible, this will be sent directly from you to our customers; we do not store this data

The provision of this data is necessary for the exercise of your employment law obligations.

4.2 Purpose of processing

All data is stored for the purpose of processing the application process in relation to your possible employment. To the extent permitted, they will be evaluated and processed for communication with you, to check qualifications and suitability, for a possible job interview and to assess whether an employment relationship is established or not.

For this purpose, the stored data is processed in the applicant management system we use. From there, the HR department and the line managers potentially responsible for the application or their deputies have access to your data. Your application data will be processed and stored using our internal applications (office management system, client or applicant management system, etc.), which can also be cloud applications.

If you send us an unsolicited application via email or contact form, we will process your application like an application that reaches us via the job portal.

4.3 Legal basis for processing

The legal basis for processing your personal data is the preparation and review of an employment relationship (implementation of pre-contractual measures) at your request, as well as the protection of our legitimate interests in carrying out efficient applicant management. If we should include your data in our talent pool, we will do so with your consent, which you can revoke at any time.

When you submit an application, you give us your data voluntarily, whereby only as much data is requested as is necessary to process your application. Mandatory information is marked with an asterisk (*), all other information is optional.

If you provide us with references as part of the application process, we assume that, if this information contains data about a natural person, you have obtained their consent for us to process their data. We will only request these references with your consent, which we will obtain separately.

4.4 Deletion

If the application process does not lead to employment, we will delete your data no later than 6 months after notifying you of the completion of the application process, unless a statutory period specifies a longer retention period or we are permitted to store your data to fulfill legal obligations or to defend or assert legal claims .

If you have consented to further processing of your data, such as inclusion in a talent pool, we will store and process your data in accordance with the consent you have given.

If the application process leads to employment, your data will be transferred to the personnel database and a personnel file as part of the employment relationship and processed in accordance with the legal regulations for the employment relationship.

The transfer of personal data constitutes data processing. That is why we only pass on your personal data to third parties to the extent that there is a corresponding legal basis for doing so (as described in Sections 2 to 4, the legal bases we use are usually a contract with you, a legal obligation, our legitimate interest or your consent). In our work, we use professional support from external service providers who provide us with various consulting, IT or other services required for our work. We select our service providers carefully. You are bound to our instructions.

Your personal data may be shared with the following service providers, companies and authorities:

• Companies that provide services for us on a contractual basis, such as IT hosting and maintenance suppliers (including cloud service providers such as HubSpot, Microsoft, Atlassian, Cisco, etc.), marketing agencies, consultants, banks, insurance companies, mail delivery service providers, etc., including their order processors
• other sub-suppliers and business partners whose services we may lawfully purchase or with whom we have a joint business relationship
• Authorities, law enforcement bodies, courts, where necessary for the purposes set out above, required by law or necessary for the legal protection of our legitimate interests in compliance with applicable law

Your personal data may also be passed on in the following cases:

• the data of customers, suppliers, partners or counterparties can be processed as part of M&A transactions.
• Where permitted, personal data will be shared with other Noser Group companies for the purposes of group administration and management.
• Additionally, as a customer/supplier/partner, your data may be shared with other partners and customers if the business relationship, project or normal market practice requires this.

We process and store personal data primarily in Switzerland and the European Economic Area (EEA). However, it is possible that we need to transfer personal data to business partners or service providers who are based outside the EEA, including the USA, or who process data in a country outside the EEA, including the USA.

If we process personal data abroad or transfer it abroad, this will occur if the necessary requirements of data protection law are met and an appropriate level of protection for the personal data is therefore ensured (through an adequacy decision, standard contractual clauses, an applicable data protection framework such as the EU US Data Protection Framework, explicit consent of those affected, etc.). You can obtain detailed information about this and, in particular, a copy of the specific guarantees available at any time from the contact person mentioned in section 1.3.

Your data will be stored for as long as (i) is necessary for the purpose of processing and/or (ii) there is a legal obligation to store the data, such as: B. legal retention requirements for business documents, and/or (iii) storage is necessary for the assertion, exercise or defense of legal claims. As soon as we no longer need your personal data for any of the above purposes, it will, where practical, be deleted or anonymized. Additional information on deletion periods and deletion procedures can be found in the information on individual data categories (described in Sections 2 to 4).

The data protection law applicable to you and the specific data processing grants you certain rights. These rights may differ in Switzerland, the EU and other countries. If you have any questions regarding the existence or exercise of these rights, you can contact the contact person specified in Section 1.3 at any time.

As a rule, you as the person affected have the following rights:

• To request information about your personal data processed by us
• to request the correction of incorrect or the completion of your personal data stored by us
• to revoke your consent to us at any time; This means that we are no longer allowed to continue data processing based on this consent in the future
• to request the deletion of your personal data stored by us; Deletion is not possible in all cases and can be lawfully refused in certain cases
• to request the restriction of the processing of your personal data under certain conditions
• if your personal data is processed on the basis of legitimate interests: to object to the processing
• to receive the personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transmitted to another location, provided that the requirements for this are met
• to complain to the relevant supervisory authority

We use appropriate technical (such as securing IT systems and building security) and organizational (such as internal guidelines, training, instructions) security measures to protect your data against accidental or intentional manipulation, partial or complete loss, to protect against destruction or unauthorized access by third parties. Our security measures are continually adapted in line with technological developments.

This data protection declaration is currently valid and is valid as of September 2023. Due to the further development of our business activities or due to changed legal or official requirements, it may become necessary to change this data protection declaration. We therefore recommend that you check this data protection declaration on our website at regular intervals.