Data Protection Statement

In this data protection declaration we describe how Gruppo Multi SA (hereinafter referred to as “Gruppo Multi”, “we”) collects and processes personal data. This data protection declaration is not an exhaustive description and, if necessary, other declarations concerning data protection regulate specific cases. For the purposes of this data protection declaration, personal data means all information that relates to an identified or identifiable natural person within the meaning of Section 5 of the Federal Act of 25 September 2020 on Data Protection (‘nFADP’). We process personal data in accordance with the requirements of the nFADP and, if and to the extent applicable, in accordance with the General Data Protection Regulation in the European Union (“GDPR”) and local data protection laws.

1. Responsible body and contact

The Gruppo Multi consists of several companies, namely Multifiduciaria SA, Multirevisioni SA, Multiresidenza SA and MultiRE SA. In light of the above, the company responsible for the processing may change. The entity of the Gruppo Multi with which you have a contractual relationship or which has provided you with this data protection declaration in the context of a request for information, a contract or other correspondence is responsible for processing your personal data. Depending on the data processing, Gruppo Multi companies may individually or jointly be data controllers or also take on the role of data processors within the meaning of the nFADP.
Enquiries concerning data protection may be sent to us by letter or e-mail, enclosing a copy of your identity card or passport for identification purposes:

Gruppo Multi SA

Crocicchio Cortogna 6 – 6900 – Lugano – Switzerland

E-mail: privacy@gruppomulti.ch

Telephone: +41 91 923 32 65

2. Acquisition and processing of personal data

The term ‘processing’ means any operation concerning personal data, regardless of the means and procedures used, namely the collection, recording, storage, use, modification, communication, archiving, erasure or destruction of data.

Our processing of personal data concerns, in particular, the following categories:

• data of customers to whom we provide or have provided services;
• personal data, which we have received indirectly from our customers within the framework of the provision of services;
• data you obtain from viewing our website;
• data from our newsletter;
• data obtained by participating in one of our events;
• data obtained when we communicate or meet with a customer;
• within the framework of other contractual relationships, e.g. as a supplier of goods or services or as a consultant;
• data received in applications;
• data that we are obliged to process for legal or administrative reasons;
• when we protect our duty of care or other legitimate interests, e.g. to avoid conflicts of interest, money laundering or other risks, or to ensure the accuracy of data, verify creditworthiness, protect security or exercise our rights.

We aim to limit the collection of personal data to only those required for legitimate purposes.

Detailed information can be found in the description of the respective treatment categories under point 4.

3. Categories of personal data

The personal data we process depends on your relationship with us and the purpose for which we process it. In addition to your contact data, we also process other information about you or persons who have a relationship with you. At times, this information may also include personal data worthy of special protection.

Gruppo Multi acquires the following categories of personal data, depending on the purpose for which they are processed:

• contact information (e.g. name, surname, address, telephone number, e-mail);
• information concerning the customer (e.g. date of birth, nationality, marital status, profession, title, function designation, passport/ID card number, OASI number);
• data for risk assessment (e.g. solvency information, commercial register data);
• financial information (e.g. bank report data);
• data concerning the mandate, depending on the type of mandate (e.g. tax information, articles of association, minutes, projects, contracts, employee data (e.g. salary, social insurance), accounting data, beneficial owners, ownership relations);
• data concerning web pages (e.g. IP addresses, device information (UID), browser information, use of web pages (use and analysis of plug-ins, etc.);
• application data (e.g. CVs, work certificates);
• marketing information (e.g. subscription to a newsletter);
• security and network data (e.g. visitor lists, access controls, network and mail scanners, telephone call lists);

To the extent permitted, we also acquire certain data from public sources (e.g. debt enforcement registers, land registers, commercial register, press, internet) or receive them from our principals and their employees, authorities, (arbitration) courts and other third parties. In addition to your data, which you provide to us directly, the categories of personal data concerning you that we receive from third parties include, in particular, information from public registers, information that comes to our knowledge within the framework of judicial or administrative proceedings, information in connection with your professional functions and activities, information concerning you from correspondence and conversations with third parties, information on your creditworthiness, information concerning you provided by persons in your environment (family, advisors, legal representatives, etc.), so that we can conclude agreements with you.), in order to be able to conclude or execute contracts with you or with your involvement, information to comply with legal requirements, e.g. regarding money laundering or export restrictions, information from banks, insurance companies, distributors and our other contractual partners for the application or provision of services by you, information about you from the media and internet (as far as this is appropriate in the specific case, e.g. in the context of an application, application for a job, application for a job, etc.), information about you from the media and the internet (as far as this is appropriate in the specific case, e.g. in the context of an application for a job, etc.), information about you from your own personal data, information about your personal data, information about your personal circumstances, etc. (e.g. within the scope of an application, etc.), your addresses and, if applicable, interests, as well as other socio-demographic data (for marketing purposes), data relating to your use of the website (e.g. IP address, MAC address of your smartphone or computer, information about your device and its settings, cookies, date and time of visit, pages and content called up, functions used, referring websites, location information).

4. Purposes of data processing and legal bases

4.1. Provision of services

We mainly process personal data that, within the framework of our mandate relationships with our customers and other contractual relationships with business partners, we receive from them and other persons involved.

In the case of personal data of our customers, this concerns in particular the following information:

• contact information (e.g. first name, last name, address, telephone number, e-mail, other contact information);
• personal information (e.g. date of birth, nationality, marital status, profession, title, function designation, passport/ID card number, OASI number, family situation, etc.);
• data for risk assessment (e.g. creditworthiness information, commercial register data, sanctions lists, specialised databases, data from the Internet);
• financial information (e.g. data concerning banking relations, investments or shareholdings);
• mandate-related data, depending on the type of mandate, e.g. tax information, articles of association, minutes, employee data (e.g. salary, social insurance), accounting data, etc;
• personal data particularly worthy of protection: this data may include data on health status, religious beliefs or social welfare measures, in particular when we provide services in the field of payroll processing or accounting.

We process your personal data for the above-mentioned purposes, depending on the situation, in particular on the following legal bases:

• conclusion or execution of a contract with or for the person concerned, including pre-contract negotiations and possible implementation (e.g. consultancy, trustee);
• fulfilment of a legal obligation (e.g. when we fulfil our obligations as auditors or are obliged to disclose information);
• protection of legitimate interests (e.g. for administrative purposes or to improve our quality, ensure security, manage risks, exercise our rights, defend ourselves against unjustified claims or check for possible conflicts of interest);
• consent (e.g. to send you marketing information).

4.2. Indirect processing of data from the provision of services

When we provide services to our customers, it may happen that we also process personal data that we have not acquired directly from the persons concerned or personal data of third parties. As a rule, such third parties are employees, contact persons, family members or persons who for other reasons have a relationship with customers or data subjects. We need such personal data to fulfil contracts with our customers. We receive this personal data from our customers or third parties commissioned by them. The third parties whose information we process for this purpose are informed of such processing by our customers. For this purpose, our customers can refer to this data protection declaration. Data concerning persons who have a relationship with our customers consists in particular of the following information:

• contact information (e.g. name, surname, address, telephone number, e-mail, other contact information, marketing data);
• personal information (e.g. date of birth, nationality, marital status, profession, title, function designation, passport/ID card number, OASI number, family situation, etc.);
• financial information (e.g. data concerning banking relations, investments or shareholdings);
• mandate-related data, depending on the type of mandate, e.g. tax information, statutes, minutes, employee data (e.g. salary, social insurance), accounting data;
• personal data particularly worthy of protection: this may also include data particularly worthy of protection, e.g. data on health status, religious beliefs or social welfare measures, in particular when we provide services in the field of payroll processing or accounting.

We process your personal data for the above-mentioned purposes, depending on the situation, in particular on the following legal bases:

• conclusion or performance of a contract with or for the data subject, including pre-contractual negotiations and possible implementation (e.g. when we fulfil our contractual obligations);
• fulfilment of a legal obligation (e.g. when we fulfil our obligations as auditors or are obliged to disclose information);
• protection of legitimate interests, in particular our interest in providing our customers with an optimal service.

4.3. Use of our website

In order to use our website, you do not have to disclose any personal data. However, when you access the site, the server collects information about you, which is saved temporarily in the server’s logfiles.

The use of this generic information does not imply any attribution to a specific person. The acquisition of this information or data is necessary for technical reasons, in order to be able to view our site and to ensure its stability and security. This information is also collected to improve the site and to analyse its use.

More precisely, it is the following information:

• contact information (e.g. name, surname, address, telephone number, e-mail);
• other information you send us through the site;
• technical information, information about user behaviour or site settings (e.g. IP address, UDI, type of device, number of page clicks, opening of newsletter, clicks on links, etc.) that is transmitted directly to us or our service providers.

We process your personal data for the above-mentioned purposes, depending on the situation, in particular on the following legal bases:

• protection of legitimate interests (e.g. for administrative purposes, to improve our quality, to analyse data or to make our services known);
• consent (e.g. for the use of cookies or the newsletter).

4.4. Use of the newsletter

If you subscribe to our newsletter, we use your e-mail address and other contact data to send it to you. With your consent, you can subscribe to our newsletter. Mandatory information for sending the newsletter is your full name and your e-mail address, which we save after your subscription. The legal basis for the processing of your data in connection with our newsletter is your consent to the sending of the newsletter. This consent can be revoked at any time by unsubscribing from the newsletter.

4.5. Participation in events

If you participate in an event organised by us, we collect personal data necessary to organise and carry out the event and, if necessary, provide you with additional information later. We also use your information to notify you of further events. It may happen that during such events, you are photographed or filmed and that the images are then published by us internally or externally.

More precisely, it is the following information:

• contact information (e.g. name, surname, address, telephone number, e-mail);
• personal information (e.g. profession, function, title, employer’s company, dietary habits);
• images or videos;
• payment information (e.g. bank report).

We process your personal data for the above-mentioned purposes, depending on the situation, in particular on the following legal bases:

• fulfilment of a contractual obligation with or on behalf of the data subject, including pre-contractual negotiations and the possible realisation (possibility of attending the event);
• protection of legitimate interests (e.g. organisation of events, dissemination of information about our event, provision of services, efficient organisation);
• consent (e.g. to send you marketing information or create illustrative material).

4.6. Direct communication and visits

If you contact us (by phone, e-mail or in person) or we contact you, we process your necessary personal data, depending on the purpose. In this case, you may have to leave us your contact data before your visit or when you present yourself at the reception. These personal data are stored by us for a certain time in order to protect our infrastructure and information.

To organise telephone conferences, online meetings, video conferences and/or teleseminars, we use the ‘Zoom’ or ‘Microsoft Teams’ service.

In particular, we process the following information:

• contact information (e.g. name, surname, address, telephone number, e-mail);
• marginal information on the communication (e.g. IP address, duration and channel of the communication);
• recording of interviews, e.g. within the framework of video conferences;
• Other information, which the user uploads, makes available or creates during the use of the video conferencing service, as well as metadata used for the maintenance of the service provided, as well as additional information on the processing of personal data by ‘Zoom’ or Microsoft Teams can be found in their data protection notices;
• personal information (e.g. profession, function, title, employer’s company);
• time of the visit.

We process your personal data for the above-mentioned purposes, depending on the situation, in particular on the following legal bases:

• fulfilment of a contractual obligation with or for the data subject, including pre-contractual negotiations and the possible implementation (provision of a service);
• protection of legitimate interests (e.g. security, traceability, as well as the care and administration of customer relations).

4.7. Applications

You can send us, by letter or the e-mail address indicated on our website, your application for a job in our company. The documents and all personal data communicated to us with your application are treated confidentially and only for the purpose of processing your application for employment with us. In the absence of your objection, at the end of the application procedure, your file will be returned to you or deleted/destroyed if there is no legal obligation to keep it. However, we reserve the right to keep your file if we consider your profile suitable for future vacancies in our company. The legal bases for the processing of your data are your consent, the execution of the contract with you and our legitimate interests.

In particular, we process the following information:

• contact information (e.g. name, surname, address, telephone number, e-mail);
• personal information (e.g. profession, function, title, Company);
• application documents (e.g. motivation letter, certificates, diplomas, curriculum vitae);
• evaluation information (e.g. evaluation by the personnel consultant, references, assessment).

We process your personal data for the above-mentioned purposes, depending on the situation, in particular on the following legal bases:

• protection of legitimate interests (e.g. recruitment of new employees);
• consent

4.8. Suppliers of goods and services, other contractual partners

When we enter into a contract with you, so that you provide us with a service, we process personal data about you or your employees. We need this data in order to communicate with you to request your services. Sometimes we also process this personal data in order to check whether there may be a conflict of interest in connection with our activities as an auditing body and to ensure that we do not unintentionally incur any risks through our collaboration, e.g. with regard to money laundering or possible sanctions.

In particular, we process the following information:

• contact information (e.g. name, surname, address, telephone number, e-mail);
• personal information (e.g. profession, function, title, employer’s company);
• financial information (e.g. bank report data).

We process your personal data for the above-mentioned purposes, depending on the situation, in particular on the following legal bases:

• conclusion or performance of a contract with or for the person concerned, including pre-contractual negotiations and possible implementation;
• protection of legitimate interests (e.g. avoidance of conflicts of interest, protection of the company, exercise of legal rights).

5. Tracking technologies

We use cookies on our site. These are small files that your browser automatically creates and saves on your terminal device (laptop, tablet, smartphone, etc.) when you visit our site.

Information from the specific terminal used is entered into the cookie. However, this does not mean that we immediately learn your identity. The use of cookies serves on the one hand to make the use of our offer more pleasant for you. For example, we use so-called session cookies to find out whether you have already visited certain pages of our website. When you leave our page, such cookies are deleted automatically.

In order to optimise user-friendliness, we also use temporary cookies, which are saved on your terminal device for a set period of time. If you then visit our page again to use our services, the system automatically recognises that you have already visited us, what data you have entered and which settings you have activated, so that you do not have to enter/activate them again. We use cookies to statistically record the use of our website and to analyse our offer in order to optimise it for you. When you revisit our page, these cookies automatically let us know that you have already been to us. These cookies are automatically deleted after a preset time.

The data processed by cookies is necessary for the purposes mentioned. Most cookies are automatically accepted by browsers. However, you can configure your browser so that no cookies are saved on your computer or so that a warning appears before a new cookie is placed. However, completely deactivating cookies may prevent you from using all the functions of our website. Please refer to our Cookie Policy published at the following link: https://gruppomulti.ch/en/cookie-policy

6. Web and newsletter analysis

In order to be informed about the use of our website, to improve our internet offer or to be able to draw your attention with our advertising also on third-party websites or social media, we use the following web analysis tools and retargeting technologies: Google Analytics.

These tools are made available by third-party providers. As a rule, information collected for this purpose on the use of a site is transmitted to the server of the third-party provider by means of cookies or similar technologies. Depending on the third-party provider, it may be that these servers are located abroad. Normally, data transmission takes place by abbreviating IP addresses, which prevents individual terminals from being identified. The transmission of this information by third-party providers takes place exclusively on the basis of legal requirements or within the framework of mandated data processing.

6.1. Google Analytics

On our website we use Google Analytics, the web analysis service of Google LLC, Mountain View, California, USA; Google Limited Ireland (“Google”) is responsible for Europe. To deactivate Google Analytics, Google provides a browser plug-in at https://tools.google.com/dlpage/gaoptout?hl=en. Google Analytics uses cookies. These are small text files that enable specific information about the user to be stored on the user’s terminal device. These cookies enable Google to analyse the use of our website. The information generated by the cookie about your use of our website (including your IP address) is generally transferred to a Google server in the USA and stored there. We would like to point out that on this website Google Analytics has been integrated with “gat._anonymizeIp();” in order to ensure anonymised acquisition of IP addresses (so-called IP-masking). If anonymisation is activated, within the member states of the European Union and the other member states of the European Economic Area, Google shortens IP addresses, so that your identity cannot be traced. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and abbreviated there. Under special circumstances, Google may link your IP address with other Google data. For the transmission of data to the USA, Google has committed itself to adhere to and respect the standard contractual clauses of the EU.

6.2. Google Maps

On our website, we use Google Maps (API) from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; the authority for Europe is Google Limited Ireland, ‘Google’). Google Maps is a web service for displaying interactive (geographic) maps. Through this service, we can show you where we are and make it easier for you to find your way around. Already by calling up the pages below, on which the Google Maps map is integrated, information about your use of our website (e.g. your IP address) is transmitted to Google’s servers in the USA and stored there. This occurs irrespective of whether Google provides a user account, to which you are logged in, or whether there is no such account. If you are logged into Google, your data are assigned directly to your account. If you want to avoid this allocation to your Google profile, you must log out before activating the button. Google stores your data (even if you are not logged in as a user) as user profiles and analyses them. For the transmission of data to the USA, Google has undertaken to sign and comply with the EU standard contractual clauses.

6.3. Social media plug-ins

So-called social media plug-ins (‘plug-ins’) from third-party providers are used on our website. The plug-ins are recognisable by the logo of the respective social network. By means of plug-ins, we offer you the opportunity to interact with social networks and other users. We use the following plug-ins on our website: Facebook, Twitter, LinkedIn, YouTube. When you access our site, your browser establishes a direct connection to the servers of the third-party provider. The content of the plug-in (e.g. YouTube video) is transmitted directly from the third-party provider in question to your browser and integrated into the page.

The retransmission of data to display content (e.g. publications on Twitter) takes place regardless of whether or not you have an account with the third-party provider and are logged in. Furthermore, if you are connected to the third-party provider, the data we collect is assigned directly to the account you have with that provider. Finally, if you activate plug-ins, the information is published in the social network and shown to your contacts. In order to find out the purpose and extent of data acquisition, as well as the further processing and use of data by third-party providers, as well as your rights in this respect and possible settings to protect your privacy, please refer to the third-party provider’s data protection information. The third-party provider stores the data acquired about you in the form of a user profile and uses it for the purposes of advertising, market research and/or configuring its website in a way that is appropriate to the need. Such analysis is also carried out for non-connected users in order to present advertisements in accordance with the need and to inform other users of the social network about your activities on our site. If you want to prevent third-party providers from assigning data acquired on our site to your personal profile in the respective social network, you must log out of the social network in question before visiting our site. You can also completely prevent the loading of plug-ins with specialised add-ons for your browser, such as ‘Ghostery’ (https://www.ghostery.com/) or ‘NoScript’ (https://noscript.net/).

7. Data Retransmission and Trasmission

We will only pass on your data to third parties if this is necessary for us to provide our services, if such third parties provide us with a service, if there is a legal or administrative obligation to do so, or if we have an overriding interest in passing on your personal data. We also pass on personal data to third parties when you have given us your consent or asked us to do so.

We also point out that if you transmit data to us about third parties, we will assume that you are authorised to do so and that this data is correct. The very transmission of such data about third parties counts as confirmation. We therefore ask you to inform these third parties about our processing of their data and to provide them with a copy of this data protection declaration.

Personal data are not always transmitted in encrypted form. Unless explicitly agreed otherwise with the customer, accounting data, payroll administration data, payroll statements and payroll certificates are not transmitted in encrypted form.

The following categories of recipients may receive personal data from us:

• branches, subsidiaries and sister companies;
• service providers (e.g. IT service providers, hosting providers, suppliers, consultants, lawyers, insurance companies);
• third parties within the framework of our legal or contractual obligations, such as authorities, state institutes, courts.

We conclude contracts with service providers, who process personal data on our behalf, whereby they undertake to guarantee data protection. Our service providers are primarily located in Switzerland or the EU/EEA. Certain personal data may also be sent to the USA (e.g. Google Analytics data) or, in exceptional cases, to other countries worldwide. If it is necessary to send data to other countries, which do not have a sufficient level of data protection, this is done on the basis of EU standard contractual clauses (e.g. in the case of Google) or other suitable means.

8. Duration of personal data retention

We process and store your personal data for as long as it is necessary for the fulfilment of our contractual or legal obligations or the achievement of the objectives pursued by the processing, i.e. for the duration of the entire business relationship (from pre-contractual negotiations to the execution and termination of a contract), as well as in accordance with legal archiving and documentation obligations. In addition, personal data may be retained for as long as claims against our company could be asserted (in particular until the expiry of the statutory limitation period), and insofar as we are obliged to do so for other legal reasons or legitimate business interests so require (e.g. for purposes of proof and documentation). As soon as your personal data is no longer required, in principle and as far as possible, it is deleted or anonymised. Basically, retention periods of twelve months or shorter apply for operational data (e.g. system logs, logs).

9. Data Security

We take appropriate technical and organisational security measures to protect your personal data from misuse and unlawful access, such as the dissemination of guidelines, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and data transmissions, pseudonymisation and controls.

10. Duty to disclose personal data

Within the framework of our business relationship, you must provide us with the personal data necessary for the establishment and execution of this relationship, as well as for the fulfilment of contractual obligations in connection with this relationship (you are generally under no legal obligation to provide us with data). Without such data we will neither be able to enter into a contract with you (or the service or person you represent) nor execute it. Our website can also not be used, if certain information (e.g. IP address) is not disclosed in order to ensure data transmission.

11. Your rights

In connection with our processing of personal data, you have the following rights:

• the right to be informed about the personal data concerning you and stored by us, the purpose of the processing, the origin and the recipients or categories of recipients to whom the personal data are passed on;
• right of rectification, if your data is incorrect or incomplete;
• right to restrict the processing of your personal data;
• right to demand the deletion of processed personal data;
• right to data portability;
• right to object to the processing of data, or to withdraw consent to the processing of personal data, at any time without stating reasons;
• right to lodge a complaint with a competent supervisory authority, if legally provided for.

In order to assert these rights, please contact us at the address given in Section 1. Please note, however, that we reserve the right to assert statutory restrictions if, for example, we are obliged to store or process certain data, if we have an overriding interest in this (insofar as we can invoke it) or if we need to assert rights. If this entails costs for you, we will inform you in advance.

12. Modification of the data protection declaration

We expressly reserve the right to amend this data protection declaration at any time.