This Privacy Notice reflects the ELCA Group privacy practices and standards as of the effective date
Effective: December, 1st 2022
Who We Are
ELCA is one of the biggest independent Swiss full-service providers for business and technology solutions, and a leader in the fields of IT business consulting, software development and maintenance, and IT systems integration. ELCA solutions reduce complexity and increase innovation cycles, improve business outcomes and customer satisfaction.
The privately-owned company, with more than 2000 experts, has branches in Lausanne, Zurich, Rapperswil, Geneva, Bern, Basel, Amsterdam, Paris, Madrid, Granada (https://www.elca.ch), Mauritius (https://www.elca.ch/en/elca-mauritius) and Ho Chi Minh City (https://www.elca.vn/en, offshore development), and sales offices (Secutix) in several locations in EU and US, all operating according to a common process framework. Because we have engineering, product, and support operations distributed in the various locations mentioned and due to our broad range of services offered, Personal Data may be processed in, or accessed from these locations depending on each service, product or solution.
Most information is hosted by ELCA Cloud Services in Switzerland; however, depending on the region from which it is originating from, some information will be hosted at Amazon Web Services in the US (Virginia), EU (Dublin & Frankfurt), Oracle Cloud Infrastructure in US (Ashburn), UK (London), EU (Milan) and AU (Sydney), Microsoft Azure in CH and Salesforce in EU (Frankfurt & Paris). In addition, through our remote work environment, we may have employees or contractors who access the data from other countries.
If you have a privacy question or a question about this notice, you may contact the ELCA privacy team at firstname.lastname@example.org. We appreciate the opportunity to address your questions and concerns.
Our Data Values
- Embedding privacy. We strive to embed privacy into our strategy and operations to continually manage privacy compliance and risk.
- Responsible use. We help to promote responsible data use among our businesses and suppliers.
- Purpose driven. We only collect, use, and share the information needed to provide and operate our solutions and to help our customers meet their accountability and regulatory compliance needs.
- Always improving. We process data about the use of our solutions and the way we operate our own business in order to help us better understand the needs of our customers, prospects, and other stakeholders, and to continue to improve user experience, features, and functionality of our solutions.
Depending on your location, you may have basic rights under privacy and data protection laws related to the data we process about you. You may exercise those rights by emailing email@example.com.
These rights are free in most cases, and we will aim to respond to your request within 30 days or the specific timeframe required by the applicable laws. We will honor the requests you make related to your rights as the law allows, which means in some cases there may be legal or other official reasons that we may not be able to address the specific request you make related to your rights. The rights relate to:
Access to the personal data we process about you;
Correction of inaccurate or incomplete personal data about you;
Deletion of personal data about you;
Restriction, temporarily or permanently, on our processing of some or all personal data about you;
Transfer of personal data to you or a third party where we process the data based on your consent or a contract with you, and where our processing is automated; and
Opt-out or object to our use of personal data about you, where either:
- our use is based on your consent or our legitimate interests, or
- you do not want us to share with third-parties data related to cookies and similar technologies for website functionality or advertising purposes.
When you submit an individual rights request, you are consenting to us using your information to respond to your request. We will communicate with you via email. If you wish to withdraw your consent for us to respond to your request, you may do so via that email.
Your Personal data
See chart below followed by more information in expandable sections.
What is Personal Data?
The data we process (collect, use, and share) about you depends on who you are and how we interact with you. Personal Data is data that identifies you or that makes you identifiable. It includes data that could be used to identify, locate, track, or contact you. Listed below is a reference chart to indicate the activities in which we collect personal data on or from you. These activities may overlap, for example, a customer may visit our website. Below the chart, we provide more specific information on these activities.
If you provide any personal data to us online, such as by filling out a form, attending an event, or through cookies (tracking technologies), we only use this information with your consent. You may withdraw your consent at any time by clicking the “unsubscribe” link in the email communications we send to you or via the Cookie Preferences manager.
There is information provided to us anytime you visit our websites or engage in other online activities, such as using our services and solutions. In most cases, this information is collected based on our legitimate interests in making sure our website or other online activities function properly or that we are providing the user experience to you that we wish to provide. If it is based on our legitimate interest, we have determined that our business interest in gathering this information does not have a significant impact on your rights. In other activities, we may rely on your consent. If so, you can refuse consent or change your mind. These options are discussed in more detail below. We have tried to be comprehensive, but if you have any questions, please do not hesitate to contact us.
We keep this information for as long as we have a business relationship or potential relationship with you.
Online Forms (support portals/request call back or demo, contact us forms)
We process information you provide, such as your first and last name, gender, email address, company and address, phone number, job function, job title, country, and any comments you provide. Given that we are a business-to-business (B2B) company, we do this in order to respond to your request for information or resources or, in our legitimate interest, to collect information in order to reach out to you for potential business interest. We may reach out to you with marketing communications using the information you submit in these online forms. You can easily opt out of future communications using the opt-out link provided in the emails sent to you.
If you do opt-out, but then complete another form, you are essentially opting-in again.
Cookies, other passive trackers
We use browser session and permanent cookies. Session cookies are temporary cookies that are erased from your device’s memory when you close your Internet browser or turn your computer off, where permanent cookies are stored on your device until they expire, unless you delete them before that time. We group browser cookies on our site into four categories, which you can manage through our “Cookie Manager” – and you can return to this Cookie Manager at any time to change your preferences.
- Necessary cookies: Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
- Preferences cookies: Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
- Statistics cookies: Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
- Marketing cookies: Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.
Some cookies may be placed by third party service providers who perform some of these functions for us.
In addition, there are browser settings which you can set in your internet browser, such as Internet Explorer, Google Chrome, or Mozilla FireFox, which can also address cookies and trackers. Sometimes these settings contradict what you may choose on a website. For example, if you set your browser settings to refuse all non-essential cookies, then when you visit our page and make a cookie selection – that preference is stored as a cookie and per your browser settings, may override your selection. This means the site won’t remember your selection on your next visit and you may have to make a selection every visit. This may be frustrating and is not something we do deliberately. There are many efforts underway by companies, technology, lawmakers, and others to make this a better user experience for everyone – and we at ELCA are active in trying to make this an easier process.
Server log files
We automatically gather server log file information when you visit our websites. This includes IP address, browser type, referring and exit web pages, and your operating system. We do this based on our legitimate interest in making sure our website operates as intended or to identify what may need to be changed.
Other online activities
In order to administer our website and our technical solutions and to understand how our website visitors navigate through our websites and technical solutions, we monitor our website and solutions based on our legitimate interest to continuously improve the experience for our users.
We may further analyze information we gather online to improve the online experience, resources, and tools we provide to our users. This is also based on our legitimate interest to provide appropriate materials or user experiences.
Communication & Engagement
ELCA is a business-to-business (B2B) company, meaning we sell our solutions to other businesses.
We keep this information as long as we have a potential or actual business relationship with you or if there is a legal obligation to keep the information. Where you consented to providing us the information, you may also revoke your consent. Where we do not collect identifying information, we may not be able to remove the information, because we will not know which information you provided.
Suggestions, Complaints, Inquiries
We process personal data about you based on our legitimate business interests for the following purposes, to which you may exercise your rights to object as described above:
- To investigate complaints or concerns to ensure that such complaints or concerns are addressed appropriately;
- To send optional customer satisfaction surveys once your complaint has been resolved in order to improve our processes;
- To evaluate the characteristics and needs of our customers to improve our solutions; and
- To communicate with you about ELCA events or industry-related news.
If you participate in our market or product / services research and surveys – whether delivered by us or a service provider on our behalf – we may process your email address, job title, phone number, survey responses, company name, job function, state, country, relationship with ELCA, and any comments you provide. We conduct online Customer surveys to learn about your views on our products and services based on our legitimate interest in better understanding the relevant market and to improve our solutions; Cookies and data collection technologies may be used to manage the delivery of the surveys. You may choose to respond or not and may opt out of future communications of this nature. In part, this is through our legitimate interest in obtaining your feedback and part through your consent to such activities.
This may include voluntary participation in our customer offerings, such as online communications, group meetings, and other engagements. You must consent to participate in such activities and if so, can revoke your consent easily by withdrawing from such activities. You must agree to follow the engagement rules, which will vary by the method of engagement.
If you register for or attend our webinars (or other presentations), your IP-address and some other technical information may be shared with the relevant hosting provider or application, such as Zoom, MS Teams or Skype. Where applicable, registration information and any comments or feedback you provide to us will be captured.
If you are invited to be a guest in an ELCA-hosted or sponsored webinar (or other presentation), your contact information will be processed as part of the production. This generally includes your first and last name, gender, email address, phone number, company name and address, image, and job title. These programs are recorded, as is the nature of such programs, which includes your voice and image and the information you share during such programs.
Follow-up information for the webinars will be sent to the email address registered and you can opt out at any time. If you do register for another webinar, you will be implicitly opted-in again to communications.
Interest in our Solutions
If you request or indicate an interest in information about our solutions or partnership opportunities, we process your first and last name, gender, email address, phone number, job title, information about the company where you work (incl. postal address), including its website address, and any comments you provide. We add business information related to the company where you work from third party sources, such as business intelligence providers, information from publicly available sources such as LinkedIn, as well as information about the number and frequency of your interactions with us online and offline, such as at events, webinars, email communications, and our website. We maintain and update this information as we continue to engage with you. Engaging with you once you express interest in our solutions may be based on your consent or our legitimate interests. If we rely on consent, this will be clear to you that you are providing consent because you will complete a form or register for an event. As such, you can cancel your consent using the opt-out link in the emails we send or by contacting us via email.
We may send you marketing communications (including sales, information, events, and business development communications) about our solutions, events, or resources that we think may be of interest to you. For these communications, we process your first and last name, phone number, email address, , job title, job function, company name and address, and information about which of our solutions you use, or which may be of interest to you, including any responses you make to such communications. We also process automatic information such as what we collect via cookies IP address, device type, browser, if the email was opened, etc. and we may also associate other information to the communication for insight such as company size, company financial information, and whether the company is a current or prospective customer. In general, these communications are initiated in our legitimate interest to engage you in business, but if the information was collected through our online forms, you also consented to being contacted. We track these communications to determine whether, when, and the IP address and associated city of, a marketing communication we sent was viewed based on our legitimate interest to effectively manage and improve upon such communications.
Communications may also include asking for your review of our solutions from your perspective as a customer or user of our solutions. We do this from our interest in having you evaluate our performance.
You may opt-out at any time from marketing emails using the unsubscribe link in the emails or by replying to the email.
Telephone / Video Calls
If you have consented to a recorded telephone call or video conference with ELCA, we may process your first and last name, gender, email address, job title, image, and voice for analytical purposes to improve our training and customer relationship management and to provide recorded information to our customers upon request. For example, a customer may want a recording of a demo on a particular solution. For any such telephone calls or video conferences, notice of the intent to record will be provided before recording. You may decline recording at any time before or during the meeting, and you may request deletion of the recording at any time. All such recorded meetings will be automatically deleted within 60 days.
Contracts / Relationship Management
We process your first and last name, email address, postal address, company name, billing information (e.g., purchase order number, bank wire information, credit card number), company size, company financial information, and signature along with communication content and any comments or feedback you may provide. Some information about you may come from other individuals. For example, a colleague may tell us that you moved to another company or a different role. Similarly, such information may be available publicly, such as on LinkedIn.
We use this information in order to facilitate the contract execution and to deliver on the contract. We will communicate with you, including via email, about your use of our solutions, obtain your input on new features, functionality, and content, and to provide information about updates to our solutions. We will also communicate with you about ELCA events, or industry-related news. We have a legitimate business interest in renewing your subscription-based solutions in order to retain you as a customer or partner along with providing additional solutions you request based on our legitimate business interest and / or contractual obligation to respond to your reasonable requests.
In addition, to better understand the needs of the privacy and business communities we aim to serve, we analyze our interactions with you online and offline. This helps us continue to improve how we provide information and engage specifically with you, including to help us determine when you might be ready to make a purchase based on repeated interactions with ELCA. We want to understand the business that you work for, and your prior experience based on our legitimate interest to tailor our communications with you to improve our engagement with you from a business perspective. We also want to understand your business and privacy-related needs based on our legitimate interest to develop and enhance our solutions to address your needs and to make them more relevant to you. Lastly, we do not make any automated decisions about you.
USING OUR SERVICES & SOLUTIONS (“SERVICES”)
ELCA is a business-to-business (B2B) company, meaning we sell our services to other companies., such as:
You may use our services as an authorized user because your company purchased them or because you work with a company that does business with our customers, in both cases we are a supplier (a Data Processor) to our customers and the customer is the Data Controller and the one responsible for determining their processing purpose and choosing to communicate with you. If you have any questions, you may contact us or the customer to learn more.
If you are an authorized user of our platforms, we may process your contact details, username, password, IP address, job title, information about the company where you work, actions you have taken in the applications on the platform or in response to communications, such as support tickets.
For individuals at our customer companies or potential customer companies, we process this information to provision and de-provision your account on our platform; authenticate you to enable you to access your account on our platform, including adding users of the solution; provide customer service and support, and investigate issues that you raise; deliver our services and solutions to you; provide alerts in the platform based on your implementation; We may further analyze the use of our solutions, and characteristics of the companies that use our solutions (e.g., by size and industry sector) to help us understand and make decisions about customer and market needs, to improve our solutions, to design new solutions, and to inform partnership and business development decisions.
Some of our Standard SaaS solutions that customers use, are consumer-facing, such as:
If you are a consumer interacting with any of our B2C solutions and products, we are a supplier (Data Processor) to our customers. As such, our B2B Customers are the Data Controller and the ones who determine the processing purpose and use your information through our platforms. In most cases, we anticipate that their basis for processing your information is consent, but you will need to confirm that with the customers.
We also use our TrustID solution and offer it to the public, so in that case, we are the “Customer/Data Controller”:
- TrustID for employees and for everyone
When you use TrustID, we process your name, email address, residence, gender, place of birth, birthdate, mobile number and any additional information customers need to verify your identity as well as sector-specific information as required. When you use the system via another company that has implemented our TrustID solution, we process the information you provided through that company, and we support the management of your request by the company as well as the retrieval of information responsive to your request. Communications related to an individual rights request, including more information needed or providing the data requested will be managed through the platform, using an email server.
This section applies to current, past and future employees or individuals in an employment-like relationship, such as contractors, consultants, interns, externs, or other individuals acting in a work-related capacity. We keep this information for the time period required by law or based on your consent, for example, for employment applications.
Applying to work at ELCA: If you apply to work at ELCA, we process personal data about you and your professional experience, such as your application, your contact details, your educational background, your academic achievements, your professional certifications and licenses, your employment history, and your curriculum vitae or resume. Your data may be shared for the same purpose with other Group entities and departments involved in your application and recruitment process. If you are not offered the position you applied for, we will retain you data for 2 years, as your profile may be interesting for other open positions.
Offer of employment or contractor position: If we extend an offer of employment or a contractor position at ELCA to you, we will process personal data about the position to which you have been appointed, your job title at ELCA, the compensation or project-based contractor rate we offer to you, whether you accept the offer, your signature, and your starting compensation or project-based contractor rate, and your start date at ELCA.
Employment-Related Background checks: We engage service providers to conduct background checks that involve the necessary personal data processing as permitted by the laws in the location in which you reside and/or work. More details are provided to you in the context of our request to you to complete these checks. We also have designated employees who will do reference checks, usually HR. We contact individuals that you have provided and engage in conversation (written or oral) about you, your work habits, challenges, experience, and more. We do not control the information provided to us by these references.
As an employee or contractor of ELCA: We may process personal data about your employment status and conditions, skills and trainings, work assignments and performance, your administrative status, your profile picture, your home and workplace contact information, family and emergency contacts, your financial information including benefits and payment details. Depending on your position in the company, we may share your professional resume with potential customers as part of an offer during a tendering process.
If your employment with ELCA ends, we process personal data necessary to offboard you from ELCA, including deactivation of your access to our systems, fulfilling our financial, benefits, and related obligations with respect to the end of your employment with ELCA.
In certain countries, supplemental privacy notices will be provided to ELCA employees and contractors, and where applicable, consent will be obtained, to ensure compliance with local requirements.
We process personal data about you based on our legitimate interests to establish and manage our relationship with and responsibilities to you and for effective operation of our business, including activities necessary to comply with laws or contracts, such as to:
- Recruit new talent to join ELCA;
- Onboard employees and contractors to ELCA;
- Grant and ensure appropriate access to ELCA systems and facilities;
- Ensure the security and safety of the workplace and the tangible and intangible assets for which we are responsible;
- Assign roles and responsibilities;
- Manage team and cross-functional communications and collaboration;
- Promote a positive workplace culture;
- Administer payroll;
- Benefits administration;
- Award and pay incentive compensation;
- Invoice payments;
- Managing ELCA projects and processes;
- Maintaining corporate, financial and other essential business records and reporting;
- Evaluating financial and operational performance; and
- Managing compliance, including, but not limited to our privacy, security, accounting, labor and employment, and other legal and regulatory obligations.
Statistical and research purposes: We may further analyze information to evaluate and understand employee engagement and to develop plans to continuously improve our workplace culture.
Using Devices for Work Activities
You may participate in communication processes, which may be recorded, such as video conferences, phone calls, or written correspondence, or video/audio presentations for public release (webinars, podcasts, etc.) and such may be performed from your personal device. ELCA may inadvertently collect information from your surroundings or device. You should take this into account if using a personal device for work purposes. We may also request or require security software to be installed. More information can be found on ELCA intranet and throughout various policies and communications from executives or other personnel in key roles.
ELCA’s Personnel Scope of Work
As part of your employment activities, you may engage with customers, other employees, technology, vendors, and/or other individuals. Your actions or communications will typically be recorded via online tools or communication technologies. These recordings may be temporary or permanent depending on their intent. For example, if you write code, that may become a permanent entry in ELCA’s platform. If you engage with regulators on an investigation, that will likely become a long-term record both for ELCA and the regulator.
Keeping and Securing Your Personal data
We will keep personal data about you for as long as we provide solutions to you or your company; as long as you work for or with us; as long as we are addressing a concern, question, complaint, or request you have made to us; as applicable to our interactions with you; as long as the law requires us to do so; or for the time period we need to maintain the information, e.g., to respond to investigations or lawsuits. If we have a contract or other agreement with you or your company, we will follow the retention obligations of that agreement.
We may keep data longer if we have a legal obligation to keep it or to maintain necessary records for legal, financial, compliance, or other reporting obligations, and to enforce our rights and agreements. We also may keep data about you for statistical analysis or research purposes.
We take appropriate security measures to protect personal data against loss, misuse, and unauthorized access, alteration, disclosure or destruction. We also have implemented measures to maintain the ongoing confidentiality, integrity and availability of the systems and services that process personal data and will restore the availability and access to data in a timely manner in the event of a physical or technical incident.
Sharing Your Personal Information
At ELCA, we only share personal data in ways that we tell you about. We do not sell or rent personal data to third parties, and we do not share personal data with third parties that are not owned by us, under our control or direction, or in a direct business relationship with us except as described in this Notice.
Service providers / Vendors. We share personal data with service providers / vendors that help us with our business activities. Service providers support us in processing the types of personal data described above in the section “What personal data” and for the purposes described in the section “Why do we process personal data.” They only are authorized to process that information as necessary and as directed by us. Some of these providers qualify as “sub processors” under the General Data Protection Regulation (GDPR) because they are used in the provision of services that our customer purchase, in which case the list will be included in any relevant agreement like a DPA (Data Processing Agreement).
Business partners. ELCA forms a variety of partnership relationships, to whom we may share your information legitimately under one of the reasons described in the Notice or receive information from them. We only permit partners to process your information as necessary and directed by us. In some cases, the partners may be contracted through ELCA, such as customers who purchase our services through one of our partners. In other cases, partners may share your information with us, and their privacy notices will also apply.
Third-party cookies and similar technologies. While ELCA does not sell personal data to third parties, ELCA does share data related to cookies and similar technologies with third parties to evaluate and optimize the performance of and analyze your use of our online services and for advertising purposes. You may choose to consent to our use of these technologies, reject non-essential technologies, or further manage your preference with our Cookie Preferences.
Required by law. If we are required to disclose personal data as part of a legal process, we will take commercially reasonable steps to inform you as part of that process. We may also be required to disclose personal data in response to lawful requests by government authorities, including law enforcement. Some of these requests may be by regulatory oversight agencies investigating a complaint where others may be by law enforcement looking for information.
Safety, fraud prevention, government requests and protection of our rights are all reasons where we may share personal data where we believe in good faith it is necessary.
Mergers, acquisitions, divestitures, but only if the acquiring organization agrees to this Notice’s protections, where this is within our control. If we are under the control of a court, such as bankruptcy proceedings, we may not have full authority to ensure this protection.
International Data Transfers
ELCA is headquartered in Switzerland and personal data we process will be transferred to or accessed from Switzerland or through our subsidiaries in the EU, Vietnam, Mauritius or other locations.
Customers have the option for their data to be hosted in the United States, Australia, Switzerland or EU. Customers should make sure that their notices reflect our transfer arrangements for their Data Subjects. Customers can refer to ELCA TOMs (Technical and Organizational Measures) for more information on how we protect customer data in international transfers.
This means that we may transfer, access, or store personal data about you outside of the European Economic Area (“EEA”), Switzerland, the United Kingdom or another country that requires legal protections for international data transfer. When we do, we will ensure that an adequate level of protection is provided for the information by using one or more of the following approaches:
- We may transfer personal data to countries that have privacy laws that have been recognized by the country from which the data are transferred as providing similar protections for the data (“Adequacy”).
- We may enter into written agreements, such as Standard Contractual Clauses (SCC) and other data transfer agreements, with recipients that require them to provide the same level of protection for the data.
- We may seek your consent for transfers of your personal data for specific purposes.
- We may rely on other transfer mechanisms approved by authorities in the country from which the data are transferred.
Business Information and Links to Other Sites
In the course of using our services, we may ask you to provide business information related to the company where you work. Business information may include information about your company’s practices, policies, processes, and supporting documentation. This business information is stored on ELCA systems, and we use it to provide the solutions you have contracted us to provide and in accordance with the terms and conditions set forth in agreements between ELCA and your company.
Links to other websites – This Notice applies only to ELCA practices, technologies, solutions and services. Our online properties may include links to websites and online services that are operated by other companies not under the control or direction of ELCA. If you provide or submit personal data to those websites or online services, the privacy policies on those websites or online services apply to your personal data. We encourage you to carefully read the privacy policies of any website you visit.
Changes to this Notice
We may make changes to this Notice from time to time based on changes to applicable laws and regulations or other requirements applicable to us, changes in technology, or changes to our business. New laws and decisions occur relatively frequently but may not impact this Notice. Any changes we make to the Notice in the future will be posted on this page, and where we change this Notice in substantive ways that also affect how we process personal data about you, please visit our website regularly to make yourself aware of such changes. Change from January, 1st 2022.