Privacy Notice

ELCA is one of Switzerland’s largest independent full-service providers of business and technology solutions, with over 2,000 experts specializing in IT consulting, software development, and systems integration. 

ELCA acts in two distinct legal capacities depending on context:

Data Controller – for website visitors, business contacts, job candidates, and users of platforms (B2C) we operate directly, data processing is governed under this Privacy Notice

Relevant entities:

• ELCA Informatique SA (CH)
• ELCA Security SA (CH)
• ELCA Information Technology S.L. (ES)
• ELCA Information Technology S.R.L (IT)
• ELCA Information Technology Ltd (VN)
• Information Technology ELCA Ltd (MU)
• SECUTIX SA (CH)
• SUMEX AG (CH)

Data Processor – when providing services under a customer contract (B2B), the customer is the Data Controller, data processing is regulated by the relevant Data Processing Agreement (DPA) and not governed under this Privacy Notice

Relevant entities:

• ELCA Informatique SA (CH)
• ELCA Cloud Services SA (CH)
• ELCA Security SA (CH)
• Senthorus SA (CH)
• NEOSIS Solutions SA (CH)
• SECUTIX SA (CH)
• SECUTIX SA (FR)
• SECUTIX GmbH (DE)
• SECUTIX S.R.L (IT)
• SECUTIX B.V. (NL)
• SECUTIX Ltd (UK)
• SECUTIX FL LLC (US)
• SUMEX AG (CH)

Our locations: 

• Switzerland: Pully (HQ), Geneva, Zurich, Bern, Basel, Rapperswil-Jona
• SECUTIX sales offices: Paris - France, Amsterdam – Netherlands, Munich – Germany, Milan – Italy, London – UK,  Fort Lauderdale - US
• Nearshore centers in EU: Palermo - Italy and Granada - Spain
• Offshore centers in Africa and Asia: St Pierre - Mauritius and Ho Chi Minh City - Vietnam

ELCA has appointed Stephane Rosa as Group Data Privacy Officer (Group DPO) who is responsible for the compliance with Data Protection Regulation and can be the point of contact for anything related:

ELCA Informatique SA
Data Protection Officer (DPO)
Av. Général-Guisan 70A,
CH-1009 Pully
privacy@elca.ch

ELCA has also designated Representatives within the EU, pursuant to Art. 27 GDPR, and within the UK, pursuant to Art. 27 UK GDPR, on behalf of any subsidiary of ELCA Group who would require such a Representative:

SecuTix Deutschland GmbH
Attn: Norbert Stockmann
Landsbergerstrasse 302
D-80687 Munich
norbert.stockmann@secutix.com

SecuTix Ltd
Attn: Andy Duckworth
40 Villiers Street,
UK-London WC2N 6NJ
andy.duckworth@secutix.com

Our approach to data is built on four core principles that guide every decision we make about how information is collected, used, and protected:

• Privacy by design. We embed privacy into our strategy and operations to manage compliance and risk continuously
• Purpose limitation. We only collect, use, and share information needed to deliver our solutions and support customer compliance
• Responsible use. We promote responsible data practices across our business and supply chain
• Continuous improvement. We analyze service usage to improve features, functionality, and user experience

“Personal Data” means any information relating to an identified or identifiable individual. The data we process depends on who you are and how you interact with us.

Section 4 details our key processing activities, grouped by activity type. For each activity the legal basis, retention period, categories of recipients, and key details of what is processed are set out.

3.1  Data You Provide

The following types of personal data may be collected directly from you when you interact with us, register for our services, or otherwise engage with ELCA.

• Identification data – name, email address, phone number
• Professional data – company name, job title, job function, company address
• Account data – username, password, account preferences
• Communications – messages, feedback, comments, survey responses
• Application data – CV, assessments, interview notes (recruitment context)

3.2  Data Collected Automatically

In addition to information you actively provide, we automatically collect certain technical and behavioural data when you use our websites or platforms.

• Technical data – IP address, browser type, device type, operating system
• Usage data – pages visited, features used, session duration, interactions
• Tracking data – cookies and similar technologies (see Section 6)

3.3  Data from Third Parties

We may also receive personal data about you from external sources where this is relevant to our business relationship with you.

• Business contact data – from partners, lead providers, and business intelligence tools
• Public sources – professional profiles (e.g. LinkedIn), company websites, public registries

We rely on the following legal bases, depending on the activity:

• Contract performance – processing necessary to enter into or perform a contract with you
• Legitimate interests – processing necessary for our legitimate business interests, provided these are not overridden by your rights  Examples include IT security, service improvement, and B2B marketing outreach
• Consent – where we have asked for and received your consent (e.g. non-essential cookies, recording of calls). You may withdraw consent at any time without affecting the lawfulness of prior processing
• Legal obligation – processing required by applicable law or regulation

Legitimate interest assessments. Where we rely on legitimate interests, we assess: (1) whether the processing is necessary for a legitimate business objective (purpose test), (2) whether it is proportionate and limited to what is required (necessity test), and (3) whether the impact on individuals is limited and does not override their rights (balancing test). You may request further information about these assessments at privacy@elca.ch.

We use cookies and similar technologies for website functionality, analytics, personalization, and marketing. Cookies are grouped into four categories, manageable via our Cookie Manager:

• Necessary – required for core site functions, always active
• Preferences – remember your settings such as language or region
• Statistics – anonymous usage data to help us improve the site
• Marketing – track activity across sites to deliver relevant advertising

Non-essential cookies are only placed with your consent. You can change your preferences at any time via the Cookie Manager. Note that browser-level cookie settings may override your Cookie Manager selections, meaning your preference might not persist across visits.

We use session cookies (deleted when you close your browser) and persistent cookies (stored until they expire or you delete them). Some cookies are set by third-party providers acting on our behalf.

We do not sell or rent personal data. We share data only as described below, and all recipients are contractually required to protect it:

• Service providers / vendors – hosting, analytics, CRM, email platforms, support tools, recruitment and HR platforms, and event/video-conferencing platforms. Authorized to process data only as directed by us. Those used in customer service delivery may qualify as sub-processors under applicable data privacy legislation and are listed in the relevant DPA. A current list of sub-processor categories is available upon request at privacy@elca.ch
• ELCA group companies – our subsidiaries and affiliates as necessary to deliver services
• Business partners – where relevant to a partnership arrangement. Partners may only process your data as directed by us
• Third-party cookie partners – analytics and advertising purposes; manageable via our Cookie Manager
• Regulatory and legal authorities – when required by law or a lawful request from government or law enforcement. We will notify you where permitted
• Safety and rights protection – where necessary in good faith to protect safety, prevent fraud, or enforce our agreements
• Corporate transactions – in mergers, acquisitions, or divestitures, subject to equivalent privacy protections

ELCA is headquartered in Switzerland, and data may be transferred to or accessed from Switzerland, our EU subsidiaries, Vietnam, Mauritius, the US or the UK.

When transferring personal data outside the EEA, Switzerland, or the UK, we apply one or more of the following safeguards:

• Standard Contractual Clauses (SCCs) – used as our primary transfer mechanism, with Swiss (FDPIC) and UK addenda where required
• Adequacy decisions – relied upon for transfers to countries recognized as providing equivalent data protection
• Transfer impact assessments – conducted where required by applicable regulatory guidance
• Supplementary technical and organizational measures – applied where the protection level in the destination country requires reinforcement
• Consent – sought for specific transfers where other mechanisms do not apply

We retain personal data only as long as necessary. Retention periods are determined by legal and regulatory requirements, contractual obligations, the nature and sensitivity of the data, and the risk of harm from unauthorized use. We periodically review our retention schedules and securely delete or anonymize data when no longer required. Anonymized data that can no longer identify an individual falls outside the scope of this Notice.

We implement appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration, disclosure, or destruction. Our measures include:

• Access controls – role-based access controls and least-privilege principles
• Encryption – in transit and at rest where appropriate
• Logging & monitoring – of systems and user activity
• Security testing – regular assessments and penetration testing
• Incident response – documented procedures for breach detection, notification, and remediation
• Availability – measures to restore access to data promptly in the event of a physical or technical incident

Depending on your location, you have rights under applicable privacy and data protection laws. To exercise any right, email privacy@elca.ch. Requests are free of charge in most cases. We will verify your identity before processing a request, respond within 30 days (extendable by a further 60 days for complex cases, with notice to you), and document and track all requests. In some cases, legal obligations may limit our ability to fulfil a specific request.

• Access – obtain a copy of personal data we hold about you
• Rectification – have inaccurate or incomplete data corrected
• Erasure – request deletion of your personal data
• Restriction – ask us to pause processing of some or all of your data
• Portability – receive your data in a machine-readable format where processing is based on consent or contract and is automated
• Objection / Opt-out – object to processing based on legitimate interests or consent, including sharing with third parties for advertising via cookies
• Withdraw consent – at any time, without affecting the lawfulness of processing before withdrawal

You also have the right to lodge a complaint with your supervisory authority: the Swiss FDPIC (www.edoeb.admin.ch) or the relevant Supervisory Authority for your country of residence.

We process your contact details and any relevant documentation to fulfil our legal obligation to respond to your Data Subject Rights Request.

Our services are not directed at minors as defined in applicable law. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us at privacy@elca.ch.

Our websites and platforms may contain links to third-party sites not under ELCA’s control. This Notice does not apply to those sites. We encourage you to review the privacy policies of any external site you visit. We are not responsible for third-party privacy practices.

In the course of using our services, we may ask for business information about your company (practices, policies, processes, documentation). This is stored on ELCA systems and used solely to deliver the contracted solutions in accordance with the relevant agreement.

ELCA may use artificial intelligence (AI) tools and platforms in connection with the Personal Data covered by this Privacy Notice . This section explains the restrictions that apply to how AI tools may process that data. 

It does not apply to customer data processed by ELCA as a data processor under a customer contract, which is governed by the relevant Data Processing Agreement.

15.1  What our Policies enforce on Personal Data covered by this Privacy Notice

• No Model Training on personal data – we do not improve AI models with your data
• No data transfer outside approved jurisdictions – we do not route or store personal data in countries or with sub-processors not covered by ELCA’s data transfer safeguards as described in Section 8
• No unsupervised decisions about individuals – we do not engage in solely automated decision-making producing legal or similarly significant effects on individuals
• No operation without access controls – no access to HR systems, CRM platforms, recruitment tools, or website analytics beyond the individual user's permissions assigned, as applicable
• No unjustified processing of Personal Data for purposes beyond those defined by the Legal Basis and internal policies on the use of AI

15.2  Safeguards we apply

Before deploying any AI tool that processes Personal Data, ELCA conducts vendor due diligence, ensures appropriate Data Processing Agreements are in place, and applies data minimization principles. Questions about specific AI tools in use may be directed to privacy@elca.ch.

We may update this Notice to reflect changes in applicable law, technology, or our business. Material changes affecting how we process your personal data will be posted on our website. We encourage you to review this Notice periodically.