General privacy notice of ecoGroup Swiss AG and its group companies

 

1. What is this privacy notice about?

ecoGroup Swiss AG, Lückenstrasse, 6430 Schwyz, Schweiz (ecoGroup) and its group companies may process personal data concerning you or other persons in different ways and for different purposes. A list of ecoGroup group companies can be found below:

  • Agro Energiezentrum Rigi AG, Haltikon 55, Küssnacht am Rigi, Switzerland
  • eco Rigi Pellets AG, Haltikon 55, Küssnacht am Rigi, Switzerland
  • ecoGroup Swiss AG, Lückenstrasse, 6430 Schwyz, Switzerland
  • ecoenergy systems AG, Gersauerstrasse 71, 6440 Brunnen, Switzerland
  • ECOGEN Rigi Genossenschaft, Haltikon 55, 6403 Küssnacht am Rigi, Switzerland
  • ECOGEN Euthal Genossenschaft, Lattbach 2, 8844 Euthal, Switzerland
  • ECOGEN Ybrig Genossenschaft, Waagtalstrasse 22, 8842 Unteriberg, Switzerland
  • ECOGEN Stoos Genossenschaft, Stoosplatz 1, 6433 Stoos, Switzerland
  • ECOGEN Arth-Goldau Genossenschaft, Rossbergstrasse 29, 6410 Goldau, Switzerland
  • ECOGEN Einsiedeln Genossenschaft, Langrütistrasse 43, 8840 Einsiedeln, Switzerland
  • ecocoach AG, Gersauerstrasse 71, 6440 Brunnen, Switzerland
  • ecocoach DE GmbH, Franz-Ehrlich-Strasse 12, 12489 Berlin, Germany
  • ecovolta AG, Gersauerstrasse 71, 6440 Brunnen, Switzerland
  • Tropenhaus Wolhusen AG, Hiltenberg, 6110 Wolhusen, Switzerland

Where we refer to «we» or «us» below, this refers in each case to the group company that is responsible for data processing (see Section 2).

«Personal data» means any information that can be related with a specific individual, and «processing» means any handling of personal data, such as collecting, using, and sharing it.

This privacy notice explains our processing of personal data when

  • you visit one of our websites,
  • you purchase our services or products,
  • you are otherwise associated with us by contract,
  • you contact us via e-mail, letter, on social media, by text message, via a contact form, etc.,
  • you register for certain offers (e.g. competitions) and our newsletter,
  • you deal with us in the context of all other data processing related to our offers.

Please take the time to read this privacy notice to find out how and why we process your personal data, how we protect your personal data and what rights you have in this regard. If you have any questions or would like further information about our data processing, please do not hesitate to contact us (Section 2).

We have aligned this privacy notice with both the Swiss Data Protection Act (DPA) and the European General Data Protection Regulation (GDPR). However, whether and to what extent the GDPR is applicable at all depends on the individual case.

2. Who is responsible for processing your personal data?

For the data processing according to this privacy notice, the following company is often the «controller», i.e. the party primarily responsible under data protection law, unless otherwise communicated in individual cases (e.g. in further privacy notices, on forms or in contracts):

ecoenergy systems AG
Gersauerstrasse 71
6440 Brunnen
Switzerland

If you are in contact with another Group company, e.g. because you or your company purchases a service from this company or because you correspond directly with this company, the company in question is the controller. Several companies may also be joint controllers for a particular data processing operation if they co-decide on the purposes or means of the data processing in question.

If you have any questions about data protection, please feel free to contact us at the following address so that we can process your request as quickly as possible:

+41 41 811 41 40, datenschutz@ecogroup.swiss

3. What personal data do we process?

We process different categories of personal data depending on the occasion and purpose. You will find the most important categories below, whereby this list cannot be exhaustive.  

For contracting parties that are companies, we process fewer personal data because the applicable data protection law generally only covers data of natural persons (i.e. human beings). However, we do process data of the contact persons with whom we are in contact, e.g. name, contact details, professional details and details obtained from communications, details of members of management, etc. as part of the general information about companies with which we work.

You disclose much of the data mentioned in this section yourself (e.g. via forms, when communicating with us, in connection with contracts, when using the website, etc.). You are not obliged to do so, subject to individual cases. If you wish to enter into contracts with us or claim services, you must provide us with data as part of your contractual obligation under the relevant contract, in particular, master data and contract data.

You may provide us with data that relates to other individuals, such as family members or work colleagues. If you do submit data concerning third parties, we understand that you confirm this data is correct and that you are authorized to provide us with this data. We ask you to inform these third parties about our processing of their data (for example, by a reference to this privacy notice).

Master data is the basic data that we need to process our business relationships or for marketing and advertising purposes and that relates directly to your person and characteristics. For example, we process the following master data:

  • Salutation, surname and first name, gender and date of birth
  • Address, contact details such as e-mail address and telephone and mobile phone number
  • Nationality
  • Further information from identification documents
  • Family data (e.g. marital status)
  • Information on language preferences
  • Information on the professional profile and employment (e.g. employment relationship, employer, start of employment) and, if applicable, on training
  • Information on housing situation
  • In the case of contact persons of companies also relationships with the company for which you work
  • Customer history
  • Signature authorizations and consent forms.

We usually obtain this master data from you directly but possibly also from other persons who work for your company, but may also obtain personal data from third parties, e.g. from organizations for which you work or from third parties such as our contractual partners, associations and address dealers and from publicly accessible sources such as public registers or the Internet (websites, social media, etc.).

Contract data is information that incurs in connection with the conclusion or execution of a contract, for example information about contracts and cooperative partnerships and the services to be rendered or the services rendered, as well as data from the period prior to the conclusion of a contract, information on the conclusion of the contract itself (e.g., the closing date and the subject matter of the contract), as well as the information required or used for the execution. For example, we process the following contract data:

  • Date, contract conclusion process, information on the type, duration and conditions of the contract in question, data concerning the termination of the contract;
  • contact details and delivery addresses;
  • information on the use of services;
  • information on payments and payment methods, invoices, mutual claims, contacts with customer service, complaints, defects, returns, information on customer satisfaction, complaints, feedback, etc.;
  • for services available online, access data and logins.

We receive this personal data from you, but also from partners with whom we work. Again, this personal data may relate to your company, in which case it is not «personal data», but also to you if you work for a company or if you obtain services from us yourself.

Communication data is personal data in connection with our communication with you, e.g., when you contact us via the contact form or via other means of communication. Communication data are, for example:

  • Name and contact details such as postal address, e-mail address and telephone number;
  • content of correspondence (e.g. emails, written correspondence, telephone conversations, chat messages, etc.);
  • responses to customer and satisfaction surveys;
  • information on the type, time and possibly location of the communication and other marginal data of the communication.

Technical data is collected in connection with the use of our website. This includes, for example, the following data:

  • IP address of the end device and device ID;
  • information about your device, the operating system of your end device or language settings;
  • information about your internet provider;
  • accessed content or protocols in which the use of our systems is recorded;
  • date and time of access to the website and your approximate location.

We may also assign an individual code to you or your end device (e.g. by means of a cookie; see Section 5.1). This code is stored for a certain duration, often only during your visit. We cannot usually deduce who you are from technical data unless, for example, you register for the newsletter on our website. In this case, we can link technical data with master data – and thus with your person.

To tailor our offers and services to you or your company in the best way possible, we try to get to know you better and try to better tailor our services to you. For this purpose, we collect and use data on your behavior. Behavioral data is, in particular, information about your use of our website. It may also be collected based on technical data. This includes, for example, information on your use of electronic communications (e.g. whether and when you opened an e-mail or clicked on a link, especially when sending newsletters). We may also use your other interactions with us as behavioral data, and we may link behavioral data with other data (e.g. with anonymous information from statistical offices) and evaluate this data on a personal and non-personal basis.

Preference data tells us which needs you are likely to have, and which services might meet your interest or the interest of your company (e.g. when selecting topics for the newsletter). We therefore also process data regarding your interests and preferences. For this purpose, we can link behavioral data with other data and evaluate this data on a personal and non-personal basis. This allows us to draw conclusions about characteristics, preferences, and anticipated behavior.

In connection with the purchase of our services, we may process certain energy data (in particular energy consumption data and billing data on energy consumption).

If you purchase software and/or cloud services from us, we may also process other energy data (data on energy generation and energy consumption) and safety-critical control commands (e.g. resetting functionally relevant system components or switching on/off large consumers and generators) that are generated by the software and/or cloud service and for which a personal reference can be established.

We may also collect personal data from you in other situations. In connection with official or judicial proceedings, for example, data (such as files, evidence, etc.) may be collected that may also relate to you. We may also collect data for health protection purposes (e.g. as part of protection concepts). We may also obtain or produce photos, videos and sound recordings in which you may be identifiable (e.g. at events, by security cameras, etc.). We may also collect personal data about who enters certain buildings and when or has corresponding access rights (including during access controls, based on registration data or visitor lists, etc.), who takes part in events or campaigns (e.g. competitions) and when, or who uses our infrastructure and systems and when.

4. For what purposes do we process your personal data?

We use the personal data we collect primarily for collaboration with you. If you have subscribed to our newsletter, we use your e-mail address for sending it. In addition, we also process your personal data, to the extent permitted and deemed appropriate, for other purposes in which we (and sometimes third parties) have a legitimate interest corresponding to the purpose:

  • For communication purposes, i.e. to contact you and maintain contact with you. This includes answering enquiries and contacting you in case of queries, e.g. by e-mail. For this purpose, we especially process your communication and master data.
  • For customer care and marketing purposes to offer you targeted information about new offers according to your personal interests and preferences, for example, through the newsletter and personalized advertising. For this purpose, we especially process technical data, master data, communication data and behavioral data.
  • We also process data to provide and improve our services and for product development. For example, we may process energy data so that users can take advantage of the full functionality of our software (e.g. visualization of energy data to illustrate energy consumption and energy sources), as well as to improve and further develop the services. 
  • To ensure IT security and for prevention: We process personal data to monitor the performance of our operations, in particular IT, our website, applications and other platforms, for security purposes, to ensure IT security, to prevent theft, fraud and abuse and for evidence purposes. This includes, for example, the evaluation of system-side recordings of the use of our systems (log data), the prevention, defense against and investigation of cyber-attacks and malware attacks, analyses and tests of our networks and IT infrastructures, system and error checks.
  • To maintain the internal rules and other measures for IT, building and facility security and for the protection of our employees and other persons and assets belonging to or entrusted to us (such as access controls, visitor lists, network and mail scanners, telephone records).
  • To protect our rights: we may also process personal data to enforce claims in or out of court and before authorities in Switzerland and abroad, or to defend ourselves against claims. For this purpose, master data and communication data may be processed.
  • To comply with legal requirements: This includes, for example, the processing of complaints and other reports, compliance with orders from a court or authority, measures to detect and clarify abuses and generally measures that we are obliged to take under applicable law, self-regulation or industry standards. In particular, we may process your master data and communication data for this purpose.
  • For administration and support: to shape our internal processes efficiently, we process data as far as necessary for the administration of IT, for accounting or for archiving data. For this purpose, particularly communication and behavioural data as well as technical data may be used.
  • We may also process personal data for other purposes. These include corporate management, including business organization and company development, other internal processes and administrative purposes (e.g. management of master data, accounting and archiving), training and education purposes and the preparation and processing of the purchase and sale of business divisions, companies or parts of companies and other transactions under company law and the associated transfer of personal data, as well as measures for business management and the protection of other legitimate interests.

If we ask for your consent for certain processing activities, we will inform you separately about the corresponding purposes of the processing. You can revoke your consent at any time by written notice.

5. Which online tracking and online advertising techniques do we use?

On our website, we use various techniques to let us and third parties consulted by us recognize you when you use our website and, in some cases, track you across multiple visits. The following section provides information on this topic.

We use third-party services for our website in order to measure and improve the user-friendliness of the website and online advertising campaigns. For this purpose, we may integrate third-party components on our website, which in turn may use cookies. When we track you or use similar technologies, the core purpose is to enable us to distinguish access by you (via your system) from access by other users so that we can ensure the functionality of the website and perform statistical analyses. We do not want to identify you in this process. The technology used is designed to recognize you as an individual visitor each time you access the site, for example, by having our server (or the servers of third parties) assign a specific identification number to you or your browser (so-called «cookie»).

Cookies are files that your browser automatically stores on your end device when you visit our website. Cookies contain a unique identification number (an ID) that allows us to distinguish individual visitors from others, but usually without identifying them. Depending on the purpose use, cookies contain further information, for example, on accessed sites and the duration of the visit to a site. On the one hand, we use session cookies, which are deleted again when the browser is closed, and on the other hand, we use permanent cookies, which remain stored for a certain duration after the browser is closed and are used to recognize visitors on a subsequent visit (see also Section 10 below).

We use the following types of cookies and similar technologies:

  • Necessary cookies: necessary cookies are required for the functionality of the websites, for example, to allow you to switch between sites without losing information entered in a form.
  • Cookies for carrying out analyses and statistics: These cookies collect information about the use of a website and enable analyses, e.g. about the number of visitors and which pages are the most popular. They can thereby simplify the visit to a website and improve the user experience. Certain analytics cookies also allow us to target you on our websites and on third-party websites with adverts for products and services that may be of interest to you.
  • Social media cookies: Social media cookies allow us and our partners to save your preferences and comparable information and thus improve the corresponding services.

We use cookies for the following purposes in particular:

  • Personalisation of content
  • Displaying personalized advertisements and offers;
  • Displaying adverts on third-party websites and measuring their success, i.e. whether you respond to these adverts (remarketing)
  • Saving settings between your visits
  • Determining whether and how we can improve our website
  • Collection of statistical personal data on the number of users and their usage habits and to improve the speed and performance of the website
  • We may process your contact details to target you with advertising on third-party platforms.

Detailed information on which cookies we use for which purposes can be found in the cookie information in Section 15 of this privacy notice.

We may also use similar technologies, e.g. pixel tags or fingerprints, to store personal data in the browser. Pixel tags are small, usually invisible images or a program code that are loaded by a server and thereby transmit certain information to the server operator, e.g. whether and when the website was visited. Fingerprints are information that is collected when you visit our website via the configuration of your end device or your browser and that make your end device distinguishable from other devices.

When you first visit our website, you will see a cookie banner with an integrated consent management tool. You will then have the option to activate or deactivate certain categories of cookies via our consent management tool.

You can also change your consent later by clicking on «Change Consent» in the cookie information referred to in Section 15 of this privacy notice and then adjusting your consent in the consent management tool.

You can also configure your browser settings to block certain cookies or similar technologies or to delete existing cookies and other personal data stored in the browser. You can also enhance your browser with software (so-called «plug-ins») that blocks tracking by certain third parties. You can find out more about this in the help pages of your browser (usually under the heading «Privacy»). Please note that our website may no longer function fully if you block cookies and similar technologies.

Detailed information on which cookies we use for which purposes can be found in the cookie information referred to in Section 15 of this privacy notice.

6. What applies to profiling and automated decisions?

We may process your personal data in accordance with Section 3 automatically process and analyze it. This also includes so-called profiling, i.e. automated evaluations of personal data for analysis and forecasting purposes, to determine preference data (Section 3.6), but also to identify misuse and security risks. The most important examples are profiling to combat money laundering and terrorist financing, to prevent fraud, for credit checks and risk management, for customer care and for marketing purposes.

To ensure the efficiency and uniformity of our decision-making processes, we make certain decisions with the help of computers according to certain rules and, where appropriate, without being reviewed by one of our employees. These include, in particular, the credit checks, limit adjustments during the course of the contractual relationship and the automatic blocking of certain transactions in the event of anomalies. As far as decisions are exclusively automated and lead to a negative legal consequence for you or otherwise significantly impairs you («automated individual decisions»), we will inform you accordingly. In this case, you may state your position and request that a natural person review the relevant decision.

7. How do we process personal data in connection with social media?

We offer you the option on our website to use a «social media plugin» for Meta / Facebook and LinkedIn to incorporate functions from these providers into our websites. These plugins are deactivated by default. As soon as you activate them (e.g. by clicking the button), the relevant providers can determine that you are on our website. If you have a corresponding account with the social media provider, they can assign this information to you and thus track your use of online services.

We are generally jointly responsible with the relevant providers for the exchange of data that this provider collects via plugins or comparable functions (but not for further processing of a provider). Where possible, we have concluded a corresponding additional agreement with the provider. You can address requests for information and other requests from data subjects in connection with joint responsibility directly to the provider in question.

8. How do we process personal data in connection with our app?

As part of our offering, we also provide an application for installation on mobile devices («App»). During the installation process, the operator of the relevant App Store (e.g. Apple or Google) processes certain data under its own responsibility and in accordance with its own privacy policy.  
When you use the App, we process information that you provide to us or that is generated by your use of the App. This may include the following data as set out in Section 3: 

  • Master data such as your name or email address; 
  • Technical data such as the mobile device ID, your IP address, and other device information such as operating system;
  • Behavioral data such as features used, duration of use;
  • Preference data such as language or notification settings;
  • Energy data (data on energy generation and consumption) and control commands.

We process the aforementioned personal data for the purposes set out in Section 4, in particular to provide and improve our services (e.g. authentication, login procedures) and for product development, to ensure IT security and prevention, to comply with legal requirements and to administer and support our business processes.

The processing of technical data is essentially the same as described in point 5.1 above, although the technologies used may differ. You can view and change your privacy preferences in the application under «More», then «GTC & Privacy». Under «More», then «Account», you can also modify your personal data or delete your account.

9. To whom do we disclose your personal data?

In connection with our processing activities, we also disclose your personal data to other recipients.

Personal data that we receive from you or from third-party sources may be forwarded, in particular, to other companies of the ecoGroup (see Section 2). This may serve the internal group administration or the support of the respective group companies and their own processing purposes, e.g. for the processing of contracts, the personalization of marketing activities or the development and improvement of services.

We further disclose personal data to service providers as required for their services. This particularly concerns IT service providers, but also consulting companies, analysis service providers, debt collection service providers, credit agencies, marketing service providers, etc. As far as service providers process personal data as processors, they are obliged to process personal data exclusively according to our instructions and to implement data security measures.

Data may also be disclosed to other recipients, e.g. to courts and authorities as part of legal proceedings and legal information and cooperation duties, to buyers of companies and assets, to financing companies in the case of securitizations, and to collection agencies.

In individual cases, it is possible that we also disclose personal data to other third parties for their own purposes, e.g. if you have given us your consent to do so or if we are legally obliged or entitled to disclose such data.

10. Do we disclose personal data abroad?

Recipients of personal data are not only located in Switzerland. This applies in particular to group companies and certain service providers. These may be located inside and outside the European Economic Area (EEA) and Switzerland (in particular in Germany and the USA), but also in other countries worldwide. For example, we may transfer personal data to authorities and other persons abroad if we are legally obliged to do so or, for example, in the context of a company sale or legal proceedings. Not all of these countries currently guarantee a level of data protection equivalent to Swiss law. We therefore take contractual precautions to contractually compensate for the lower level of legal protection, especially with the standard contractual clauses issued by the European Commission and recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC). For more information and a copy of these clauses, please visit https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/arbeit_wirtschaft/datenuebermittlung_ausland.html.   

In certain cases, we may transmit data in accordance with data protection law requirements even without such contracts, e.g. if you have consented to the corresponding disclosure or if the disclosure is necessary for the execution of the contract, for the establishment, exercise or enforcement of legal claims or for overriding public interests.

11. How long do we process personal data?

We store and process your personal data as long as it is necessary for the purpose of the processing (in the case of contracts, usually for the duration of the contractual relationship), as long as we have a legitimate interest in storing it (e.g. to enforce legal claims, for archiving and or to ensure IT security) and as long as the data is subject to a legal retention obligation (for example, for certain data, a ten-year retention period applies). If there are no legal or contractual obligations to the contrary, we will destroy or anonymize your data after the storage or processing period has expired within our normal processes.

Energy data that we may process as part of our software and/or via cloud services is processed on a personalized basis during the term of the services, insofar as this is necessary for the above-mentioned processing purposes. After the end of the term of the software and/or cloud services, the energy data may be processed further in anonymized form.

With regard to cookies, you will find information on the duration of storage in the cookie information referred to in Section 15 of this privacy notice.

12. What is the legal basis for data processing?

Under certain circumstances, data processing is only permitted if the applicable law specifically allows it. This does not apply under the Swiss Federal Data Protection Act, but does apply, for example, under the GDPR as far as it is applicable. In this case, we base the processing of your personal data on the following legal bases:

  • on your consent (Art. 6 Section 1 lit. a and Art. 9 Section 2 lit. a GDPR);
  • that the processing is necessary for the performance of the contract or pre-contractual measures (e.g. the review of a contract proposal; Art. 6 Section 1 lit. b GDPR);
  • that the processing is necessary for the assertion or defense of legal claims or civil proceedings (Art. 6 Section 1 lit. f and Art. 9 Section 2 lit. f GDPR);
  • that the processing is necessary for the establishment or defence of legal claims or civil proceedings (Art. 6 Section 1 lit. c and lit. f; Art. 9 Section 2 lit. g GDPR);
  • that the processing is necessary for compliance with domestic or foreign legal provisions (Article 6(1)(c) and (f); Article 9(2)(g) GDPR);
  • that the processing is necessary for a legitimate interest in data processing, in particular the interests mentioned in Section 4 (Art. 6 Section 1 lit. f GDPR).

13. How do we protect your personal data?

We take appropriate security measures to protect the confidentiality, integrity and availability of your personal data to protect it against unauthorised or unlawful processing and to protect it against the risks of loss, accidental loss or alteration, unauthorised access. However, security risks cannot be completely ruled out; residual risks are unavoidable.

14. What rights do you have?

Under the applicable data protection law, you have certain rights to obtain further information about and influence our data processing. Particularly, these are the following rights:

  • Access right: you can request further information about our data processing. We are at your disposal for this purpose. You can also submit a so-called information request if you wish to receive further information and a copy of your data.
  • Objection and deletion: you may object to our data processing and request that we delete your personal data at any time if we are not obliged to continue processing or storing this data and if it is not necessary for the contract.
  • Correction: you can have incorrect or incomplete personal data corrected or completed or complemented by a note that indicates your objection.
  • Data portability: you also have the right to receive the personal data you have provided to us in a structured, common and machine-readable format or to have it transferred to a third party, as far as the respective data processing is based on your consent or is necessary for the execution of the contract.
  • Revocation: if we process data based on your consent, you can revoke your consent at any time. The revocation is only valid for the future, and we reserve the right to continue to process data based on another basis in the event of a revocation.

Please note that these rights are subject to legal requirements and restrictions and are therefore not fully applicable in every case. In particular, we may need to further process and store your personal data in order to fulfil a contract with you, to protect our own legitimate interests such as the assertion, exercise or defence of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard interests worthy of protection, we may therefore also reject a data subject request in whole or in part (e.g. by redacting certain content relating to third parties or our trade secrets).

If you wish to exercise your rights against us, please contact us in writing. You will find our contact details in Section 2. As a rule, we will need to verify your identity (e.g. by means of a copy of your ID card). You are also free to file a complaint against our processing of your personal data with the competent supervisory authority. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

15. Cookie-information

How can we help you?