This Privacy Notice (hereinafter "Notice") has been prepared in accordance with Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter "GDPR").
This notice applies to the processing operations carried out by BIOCOM INTERNATIONAL (EUROPE) AG as Data Controller (hereinafter referred to as the "Controller") for the purpose of processing the personal data of members who register in its system (hereinafter referred to as the "Data Subjects"), in particular their personal data concerning their contact details, and for facilitating communication within the network.
The purpose of this notice is to inform Data Subjects in a concise, clear and comprehensible manner of the rules governing the processing of their personal data by the Controller in the context of the operation of the Network.
Further detailed information on the matters described is contained in the Data Controller's current Privacy Policy (hereinafter "Policy"), which is available in printed form at the Data Controller's headquarters or in electronic form on the website biocomnetwork.ch.
1. THE CONTROLLER AND CONTACT DETAILS
BIOCOM INTERNATIONAL (EUROPE) AG. (registered office: Freier Platz 10. Schaffhausen CH-8200 Switzerland; tax number: CHE 225 084 646, represented by Beat Moser, Managing Director).
Contact details of the Data Controller: e-mail: office@biocomag.ch, postal address: Freier Platz 10. Schaffhausen CH-8200 Switzerland.
2. THE PURPOSES FOR WHICH THE PERSONAL DATA ARE INTENDED TO BE PROCESSED, THE LEGAL BASIS FOR THE PROCESSING, THE CATEGORIES OF PERSONAL DATA, THE DURATION OF THE PROCESSING
Purpose of processing: to ensure the maintenance of contacts within the network, in particular to facilitate sponsorship and consultancy activities and to maintain the network of contacts necessary for the operation of the Biocom system.
Legal basis for the present processing: voluntary consent of the Data Subject (Article 6(1)(a) GDPR).
Personal data processed: name, address (postal code, municipality), e-mail address, telephone number and other contact details provided during registration.
Duration of processing: until consent is withdrawn, but no later than the termination of the Data Subject's membership.
3.DATA PROCESSORS, CATEGORIES OF RECIPIENTS
The contact details provided by the Data Subjects during registration may be made available to other members (e.g. sponsors, consultants) registered in the Controller's system, acting as independent data controllers, for the sole purpose of cooperation and communication within the network.
These data will not be transferred to third parties and will only be used to ensure the necessary communication for the internal functioning of the system.
The recipients of personal data are the natural or legal persons to whom or with whom the personal data are disclosed. The Data Controller does not use any data processor in connection with this processing.
4. DATA SUBJECT RIGHTS
The Data Controller attaches the utmost importance to ensuring that Data Subjects are adequately informed of their rights regarding the protection of their personal data.
The following list is not exhaustive, and further detailed information on each right and the rules for exercising it is set out in the Policy.
Data Subjects have the "right of access" under Article 15 of the GDPR in relation to this processing. As such, Data Subjects have the right to receive feedback on whether their personal data is processed by the Controller and, if so, the right to access the personal data and the information listed in the Policy.
Data Subjects have a "rightof rectification" in relation to this processing in accordance with Article 16 of the GDPR. As such, Data Subjects have the right to request the Controller to correct inaccurate personal data relating to them or to complete incomplete data, which the Controller will do without undue delay as described in the Policy.
Data Subjects have a "right to erasure" ("right to be forgotten") in relation to this processing, as referred to in Article 17(1) of the GDPR. As such, Data Subjects have the right to request the erasure of personal data relating to them by the Controller, which will be carried out without undue delay in the manner described in the Policy, subject to the conditions specified therein.
Data Subjects have the right to "restriction of processing" in accordance with Article 18 of the GDPR in relation to this processing. As such, Data Subjects have the right to request the Controller to restrict the processing of personal data relating to them, which it will do in the manner described in the Policy without undue delay, subject to the conditions set out therein.
The Data Controller shall be subject to the obligation to notify the Data Subjects of their right to rectification pursuant to Article 16 of the GDPR above; their right to erasure (right to be forgotten) pursuant to Article 17(1) of the GDPR above; and their right to restriction of processing pursuant to Article 18 of the GDPR, pursuant to Article 19 of the GDPR. Accordingly, the Controller shall inform all recipients of any rectification, erasure or restriction of processing pursuant to Articles 16, 17(1) and 18 to whom or with which the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. Upon request of your Data Subjects, the Controller will inform them of these recipients.
Data Subjects have a "right to object" under Article 21 of the GDPR in relation to this processing. As such, Data Subjects have the right to object to the processing of their personal data where the Controller processes personal data concerning them for its own legitimate interests or for the legitimate interests of a third party or on the basis of profiling. In the event of a Data Subject's objection - and subject to the conditions set out in the Policy - the Controller may no longer process personal data concerning the Data Subject.
Data Subjects have the right to "data portability" in accordance with Article 20 of the GDPR in relation to this processing. Accordingly, in the case of processing based on this data subject's consent, Data Subjects have the right to receive personal data relating to them processed by the Controller in a structured, commonly used, machine-readable format from the Controller and the right to transmit personal data relating to them to another Controller without being prevented from doing so by the Controller. The Controller shall comply with such requests in the manner described in the Policy without undue delay.
Data Subjects shall have the right to "withdraw their consent" in accordance with Article 7(3) of the GDPR in relation to this processing. The processing of the Data Subjects' personal data is based on the Data Subjects' consent and they have the right to withdraw their consent at any time (which withdrawal does not affect the lawfulness of the processing carried out on the basis of their consent prior to the withdrawal).
Data Subjects have the rightto a"Right to a remedy" under Chapter VIII of the GDPR in relation to this processing. Thus, in the event of a breach of their rights, Data Subjects may lodge a complaint with the National Authority for Data Protection and Freedom of Information (headquarters: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9., website: https://www.naih.hu) or enforce their rights in court.
No automated decision-making (including profiling) within the meaning of Article 22 of the GDPR is carried out in the course of the processing of data by the Data Controller as described in this Notice.
Data Subjects are responsible for the accuracy and correctness of the personal data they provide and bear the consequences of providing incorrect or false data.
Data security measures
The Data Controller shall protect the personal data of Data Subjects by appropriate technical and organisational measures, in particular against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or accidental damage, and against inaccessibility resulting from changes in the technology used.
The Data Controller shall apply the following specific measures:
- Physical protection: lockable office premises, filing cabinets.
- IT protection: firewall, virus protection, encrypted data storage and communication.
- Organisational measures: internal rules, job descriptions, employee training.
The Data Controller shall register any data protection incidents and notify them to the National Authority for Data Protection and Freedom of Information as required by Article 33 of the GDPR and inform the Data Subjects.
International data transfers.
As a general rule, the Data Controller will not transfer Personal Data of Data Subjects to a third country or international organisation outside the European Economic Area. If such a transfer would exceptionally take place, the Data Controller will ensure that appropriate safeguards (e.g. general data protection clauses, binding corporate rules) are in place during the transfer and that enforceable rights and effective remedies are available to Data Subjects.
Version information:
Version number of this Notice: v.1
Effective date: 2 April 2025