PRIVACY NOTICE

We respect the user’s privacy and are committed to protecting it through compliance with this privacy policy (“Privacy Notice”).
Pursuant to Art. 19 of the Federal Act on Data Protection (hereinafter also referred to as the “FADP”), Art. 13 of the Data Protection Ordinance (hereinafter also referred to as the “ODP”) as well as Articles 13 and 14 of the General Data Protection Regulation (EU) 679/2016, where applicable (hereinafter also referred to as the “GDPR”), Dreieck Fiduciaria SA, as further identified below, in its capacity as the “Controller” of data processing, provides the following information about the processing of the personal data of users who consult and/or interact with the web services accessible online from the address: www.dreieckfid.ch (hereinafter also referred to as the “Website”), which corresponds to the home page of the official Website of Dreieck Fiduciaria SA.
This Privacy Notice applies exclusively to the specified Website and does not cover other websites that users may access via links. It is intended for the users of this Website. This Website may contain links to websites, services and other Internet resources managed by third parties.
In such cases, the Controller assumes no responsibility for the content, security, or usability of these third-party websites and resources; in particular, the Controller does not verify the policies, nor does it provide any guarantees regarding their privacy and personal data protection practices.
In compliance with data protection obligations, this Website respects and protects the confidentiality of users.

Preliminary Statement:

The Website collects personal data provided by the user through the receipt of telephone or e-mail communications for the purpose of providing the information requested by the user.
Users are advised not to transmit information and/or documents containing particularly sensitive personal data to the Controller’s e-mail address, as this is an insecure means of communication that does not guarantee the protection of confidentiality.
Users should be aware that the use of e-mail does not ensure the confidentiality and integrity of data in transit, as many e-mail service providers are located or store their data in countries that do not guarantee adequate personal data protection. Using such email services entails transferring and storing data in a country that does not guarantee an adequate level of data protection.
By providing their email address, users authorise the Controller to send documents and/or information, including those containing personal and/or confidential data, via regular (non-secure) email in response to requests made via telephone or email. Users, fully aware of the aforementioned risks, release the Controller from any liability in the event of unauthorised third-party access to documents and/or personal and/or confidential information transmitted or received by email by the Controller.
The Website does not accept unsolicited applications. Should users forward their CVs via the e-mail address or contact forms on the Website, these will be deleted immediately.

1. Personal Data Controller and Contact Information

The Data Controller is: Dreieck Fiduciaria SA, Via Cantonale 19, 6900 Lugano, represented by its authorised signatories as registered with the Commercial Registry Office of the Canton of Ticino (CHE-108.161.860), hereinafter also referred to as the “Company” or the “Data Controller”.

2. Methods of processing personal data

For the purposes outlined below, personal data are processed manually, electronically, and through telecommunication methods, in such a way as to ensure the security and confidentiality of the data. Processing activities may include collection, recording, storage, organisation, elaboration, profiling for organisational purposes, selection, extraction, comparison, interconnection, communication, blocking, deletion, and destruction.
The obsolescence of the retained data in relation to the purposes for which they were collected is periodically reviewed and, once the retention periods below have expired, the data are deleted or anonymised. Consequently, the right of access, deletion, rectification or the right to data portability cannot be exercised once the retention period has expired.

3. Details: Purposes of Processing, Types of Data, Legal Basis, and Legitimate Grounds

Purpose of processing: Website browsing: www.dreieckfid.ch
Type of data: Common Data: By way of example, information concerning the use of the Website or data concerning the web pages (such as, for example, IP addresses of the user’s device, browser information and characteristics, type, language, plug-ins installed, etc., cookies, etc.), the use of the web pages, the unique identifiers of the user’s mobile device, the duration of sessions on the Website, the services used, the links and messages activated, the characteristics of the browser.
Legal basis and justification: Overriding interest of the data Controller, specifically: legitimate interest of the data Controller (Art. 31 n of the FADP c.2 and Art. 6 (f) of the GDPR).

Purpose of processing: Determining liability in the event of potential cybercrimes against the Website.
Type of data: Common Data: By way of example, security and network data (e.g. visitor lists, access controls, e-mail network scanners, telephone call lists).
Legal basis and justification: Overriding interest of the data Controller, specifically: legitimate interest of the data Controller (Art. 31 n of the FADP c.2 and Art. 6 (f) of the GDPR).

Purpose of processing: To assert or defend a right in judicial, extrajudicial or administrative proceedings.
Type of data: Common Data: By way of example, any information transmitted via the Website.
Legal basis and justification: Overriding interest of the data Controller, specifically: legitimate interest of the data Controller (Art. 31 n of the FADP c.2 and Art. 6 (f) of the GDPR).

Purpose of processing: Contact the user in response to a request by e-mail, by filling in the contact form, by telephone or by fax, and in particular to

  • forward the requested information material or other communications;
  • inform users of changes to this Website or updates regarding the services.

Type of data: Common Data: The user’s contact information (e.g. first name, surname, e-mail).
Legal basis and justification: Overriding interest of the data Controller, specifically: the execution of pre-contractual and/or contractual measures (Art. 6 c7 and 31 c1 DPA as well as Art. 6 (b) of the GDPR).

Purpose of processing: For legal, administrative and auditing purposes and, in particular:

  • to fulfil responsibilities;
  • to carry out legal and regulatory compliance checks.

Type of data: Common Data: By way of example, any information transmitted via the Website.
Legal basis and justification: Legal obligation (Art. 31 no. 1 DPA and Art. 6 (c) of the GDPR).

4. Period of retention of personal data

In compliance with the provisions of Article 6 (4) of the FADP and the GDPR (where applicable), the Data Controller retains the user’s personal data based on the principle of necessity of processing for as long as necessary to achieve the above-mentioned purposes.
In particular:
– Browsing data: retained for the period pertaining to the browsing session;

– Personal and contact details provided at the time of the contact request: retained for the period of time required to respond to the user’s request and in any case no longer than 7 days after the contact request or until withdrawal of the data subject’s consent, whichever is earlier.

In any case, the processed data will be retained for the entire duration of any extrajudicial and/or judicial proceedings, until the expiry of the time limits for exercising judicial remedies and/or filing appeals. The obsolescence of the retained data in relation to the purposes for which they were collected is periodically reviewed, and once the above-mentioned retention periods have expired, the data will be deleted or anonymised. Consequently, the right of access, the right to deletion, the right to rectification, and the right to data portability cannot be exercised after the retention period has expired.

5. Data Security

All Company personnel who have access to personal data are required to comply with internal rules and procedures concerning the processing of personal data in order to protect them and guarantee their confidentiality. The Data Controller has also implemented appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, misuse, unauthorised, accidental or unlawful disclosure or access, as well as against all other unlawful forms of processing. These measures include, for example, the dissemination of guidelines, training, IT and network security solutions, access controls and restrictions, data encryption for storage and transmission, pseudonymisation, and monitoring.

6. Recipients of personal data

The Controller may disclose the user’s personal data to third parties only if it is necessary to provide the requested service, if there is a legal or administrative obligation, or if there is an overriding interest in the transmission of the personal data.
As part of the management of the Website, the Data Controller may share the user’s personal data with the following categories of recipients: data processors; individuals acting under the authority of the Controller and the Processor for the purposes described above; firms or companies in the context of assistance and consultancy services (e.g. legal advisors); entities authorised to access the data by law, secondary legislation or EU regulations; competent authorities, to comply with legal obligations and/or the requirements of public bodies, upon request; service providers (e.g. IT service providers, hosting providers, suppliers, consultants, lawyers, insurers); and third parties within the framework of legal or contractual obligations, such as authorities, state institutions, or courts.
Third-party service providers are therefore required to comply with a set of technical and organisational security measures, regardless of their location, including measures relating to: (i) information security management; (ii) information security risk assessment; and (iii) information security measures (e.g. physical access controls, logical access controls, protection against malware and hacking, data encryption measures, and backup and recovery management measures). The third parties described above must process the personal data shared under this provision in accordance with the purpose for which such data were originally collected and at least to the same level of protection as is guaranteed in Switzerland.

7. Transfer of personal data

Users’ personal data will be stored in Switzerland and will not be transferred to third countries that do not have the same data protection laws as the country where the information was initially provided.
To this end, the Controller has taken steps by expressly requesting that Microsoft M365 servers be located in Zurich.
For the sake of completeness, it should be noted that, pursuant to Articles 16 and 17 of the FADP, the transfer of personal data abroad is permitted only if the Federal Council has determined that the legislation of the recipient country or the international organisation guarantees adequate data protection. Otherwise, such transfer is permitted if: the data subject has given his or her consent; the transfer is directly related to the conclusion or performance of the contract; the transfer is necessary for the protection of an overriding public interest or to establish, exercise or assert a right before a court or a competent foreign authority; the transfer is necessary to protect the life or physical integrity of the data subject or of a third party; the data subject has made the personal data accessible to the public; the data originate from a legally established public register that is accessible to the public or to persons with an interest worthy of protection.
Specifically, the user’s personal data may be transferred to the United States because the Controller uses Google Maps on the Website.
These tools are made available by third-party providers. As a rule, information collected for this purpose on the use of a Website is transmitted to the server of the third-party provider via cookies or similar technologies. Typically, data transmission involves anonymising IP addresses, thereby preventing the identification of individual devices.

8. Rights of the Data Subject

In accordance with the provisions of the FADP and the GDPR, the Controller grants the user the following rights (non-exhaustive list):

  • To withdraw consent;
  • To be subject to transparent processing;
  • To obtain confirmation as to whether or not personal data concerning the user are being processed;
  • To obtain the rectification of inaccurate or outdated personal data;
  • To obtain the deletion of personal data;
  • To receive personal data in a structured format or request its transfer to third parties;
  • To object to the processing;
  • To obtain restriction of processing;
  • To assert his/her point of view with respect to automated decisions;
  • To lodge a complaint with the competent supervisory authority (in Switzerland the Federal Data Protection and Information Commissioner – FDPIC);
  • To have unlawful processing of personal data recognised as such;
  • To request the addition of a note to the data indicating its disputed nature.

9. How to Exercise User’s Rights

In order to exercise his/her rights, the user may submit a request by contacting the Controller via e-mail or by post (enclosing a copy of his/her identity card or passport for user identification) to the following addresses:

Dreieck Fiduciaria SA
Via Cantonale 19,
6900 Lugano, Switzerland
Tel: +41 (0)91 260 03 03
privacy@dreieckfid.ch

The Controller will process such requests, withdrawals, or objections as required by the applicable data protection regulations, unless the Controller is obliged to retain/process certain data because of an overriding interest or for the purpose of asserting certain rights.

10. Data Protection Officer

The Data Controller has appointed a Data Protection Officer who can be contacted at the Data Controller’s address above or by sending an e-mail to privacy@dreieckfid.ch.

11. Amendments to the Data Protection Policy

The Controller reserves the right to amend, update, add to or remove parts of this Privacy Notice at its sole discretion and at any time. This Privacy Notice has been drafted in Italian, German and English. In the event of discrepancies, the Italian language version shall prevail.

Effective date: November 2024 (2nd version)