Data Protection Policy

From Gehri Legal.
Revision as of 9 March 2026, 16:31, by Aron.stocker (Import of a new version from an external source)

Version 1.1

Date: 01/03/2026 
Document: Data Protection Notice (Data Protection Policy)

Purpose and scope

Gehri Rivestimenti SA, hereinafter referred to as the “Organization”, is committed to complying with the applicable laws and regulations relating to the protection of personal data in the countries where it operates, in this case the Swiss nFADP.

This policy defines the fundamental principles according to which the Organization processes the personal data of customers, suppliers, business partners, employees and other individuals, and sets out the responsibilities of its departments and employees in the processing of personal data.

The principles of the nFADP

The data protection principles outline the basic responsibilities (accountability) for organizations involved in the processing of personal data. “The controller is responsible for compliance with these principles and must be able to demonstrate that its processing complies with them.”

Lawfulness, fairness and transparency

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation

Personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes.

Data minimization

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Where possible, in order to reduce risks for data subjects, the Organization must apply anonymization or pseudonymization to personal data.

Accuracy

Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

Storage limitation

Personal data must be kept for no longer than is necessary for the purposes for which the personal data is processed.

Integrity and confidentiality

Taking into account the state of the art and other available security measures, the costs of implementation, and the likelihood and severity of risks to personal data, the Organization must use appropriate technical or organizational measures to process personal data in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Accountability

The controller is responsible for compliance with these principles and must be able to demonstrate that its processing complies with them.

Collection

The Organization must seek to collect the minimum amount of personal data possible. If personal data is collected from a third party, the controller must ensure that the personal data is collected in accordance with the law. 

Use, retention and disposal

The Organization must maintain the accuracy, integrity, confidentiality and relevance of personal data according to the purpose of processing. Appropriate security mechanisms must be used to protect personal data in order to prevent it from being stolen or misused and to prevent personal data breaches. The controller is responsible for compliance with the requirements set out in this section.

Disclosure to third parties

Whenever the Organization uses a third-party supplier or business partner to process personal data on its behalf, the controller must ensure that such party provides appropriate security measures to safeguard personal data in relation to the associated risks. For this purpose, an appropriate compliance questionnaire must be used.

The supplier or business partner must process personal data only in order to fulfill its contractual obligations towards the Organization or on the latter’s instructions, and not for any other purposes. Where the Organization processes personal data jointly with an independent third party, it must explicitly specify the respective responsibilities in the relevant contract or in any other legally binding document, such as the supplier’s data processing agreement.

Cross-border transfer of personal data

Before transferring personal data from the Swiss Confederation and the European Economic Area (EEA), appropriate safeguards must be used, including the signing of a data transfer agreement as required by the European Union and, where necessary, authorization must be obtained from the data protection authority. The entity receiving the personal data must comply with the principles for processing personal data set out in the Cross-Border Data Transfer Procedure.

Data subjects’ rights of access

When acting as the data controller, the Organization is required to provide data subjects with a reasonable access mechanism that allows them to access their personal data and must enable them to update, correct, delete or transmit their personal data, where applicable or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.

Data portability

Data subjects have the right, upon request, to receive a copy of the data they have provided in a structured format and to transmit such data free of charge to another controller. The controller is responsible for ensuring that such requests are handled within one month, are not excessive, and do not prejudice other persons’ rights in relation to personal data.

Right to be forgotten

Upon request, the data subject has the right to obtain from the Organization the erasure of their personal data. Where the Organization acts as the controller, the controller must take the necessary actions (including technical measures) to inform third parties that use or process that data that they must comply with the request.

Organization and responsibilities

Responsibility for ensuring appropriate processing of personal data lies with anyone working within the Organization or on its behalf who has access to the personal data it processes.

The Board of Directors makes decisions and approves the Organization’s general strategies regarding the protection of personal data.


Date of last update: 01/03/2026