Data Privacy at Swiss Transfusion SRC
We take the protection of your privacy and your personal data seriously, which is why we take great care to embed data protection in all our business processes.
WHAT DOES THIS PRIVACY POLICY COVER?
Blutspende SRK Schweiz AG (“Swiss Transfusion SRC”, hereinafter also referred to as “we” or “us”) collects and processes personal data relating to you or other individuals (so-called “third parties”).
This privacy policy explains what we do with your data when you visit our websites, use our services, have a contractual relationship with us, communicate with us or otherwise deal with us. In particular, we provide information on the purposes for which, the methods by which, and the locations where we process personal data. We also provide information about the rights of individuals whose data we process.
Additional privacy policies and other legal documents, such as terms and conditions, terms of use or conditions of participation, may apply to specific or additional activities and services.
This privacy policy is designed to meet the requirements of the Swiss Data Protection Act (‘DPA’) and the Swiss Data Protection Ordinance (‘DPO’). However, whether and to what extent these or other laws apply depends on the individual case.
WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?
Under data protection law, Swiss Transfusion SRC, Waldeggstrasse 51, 3097 Liebefeld, is responsible for the data processing described in this privacy policy. We will inform you if, in specific cases, other entities are responsible for processing personal data.
We have appointed the following data protection officer as the point of contact for data subjects and public authorities regarding enquiries relating to data protection:
Data Protection Officer
Waldeggstrasse 51
3097 Liebefeld
WHAT DATA DO WE PROCESS, AND WHY?
We process the personal data necessary to enable us to carry out our activities and operations in a sustainable, user-friendly, secure and reliable manner. This kind of personal data may fall into the following categories of personal data, in particular: user data and contact details, browser and device data, content data, metadata and usage data, location data, sales data, as well as contract and payment details.
We process personal data for as long as is necessary for the relevant purpose or as required by law. Personal data that no longer needs to be processed is anonymised or deleted.
We may have personal data processed by third parties. These third parties are, in particular, specialist providers whose services we use.
We process personal data that a data subject voluntarily provides to us when contacting us – for example, by post, email, instant messaging, contact form, social media or telephone – or when registering for a user account. We can store such information, for example, in an address book, in a customer relationship management (CRM) system or in similar tools. Where we receive data relating to other individuals, the parties providing such data are obliged to ensure that those individuals’ data is protected and that the personal data is accurate.
We also process personal data that we receive from third parties, obtain from publicly available sources, or collect in the course of our activities and operations, provided that such processing is permitted by law.
APPLICATION AND CONTRACT DETAILS
We process personal data relating to job applicants to the extent necessary to assess their suitability for employment or for the subsequent performance of an employment contract. The personal data required is primarily obtained from the information requested, for example, in the context of a job advertisement. We process personal data that applicants voluntarily provide us with or publish, in particular as part of cover letters, CVs and other application documents, as well as online profiles.
PERSONAL DATA RELATING TO REGISTRATION AS A BLOOD STEM CELL DONOR
We collect and process your data in connection with your registration as a blood stem cell donor. Your personal details and HLA-typing results will be entered into the blood stem cell donor database maintained by Swiss Transfusion SRC. The basis for processing your data is the consent you gave during online registration.
Everything you need to know about what you are agreeing to when you register as a blood stem cell donor is set out below. All data collected is recorded, stored and processed in accordance with the Swiss Federal Act on Data Protection (FADP).
By registering as a blood stem cell donor, you are giving Swiss Transfusion SRC permission to record your name, date of birth, contact details and information about your state of health. The sample material collected for HLA-typing and further analyses (blood group, CMV) can be stored and used for subsequent tests to determine compatibility with a specific patient. If we are unable to contact you when a need arises, we will make enquiries at the relevant Residents’ Register Office. This Register Office is exempt from data protection obligations and is permitted to provide us with your new address.
We disclose data to third parties solely for the purpose of maintaining a blood stem cell donor register and matching donors with patients. Swiss Transfusion SRC will ensure that the lawful transfer of data to these third parties is guaranteed in accordance with the FADP. We will never sell or pass on your personal data to third parties for their own marketing purposes.
Swiss Transfusion SRC stores the data in accordance with the relevant legal requirements. You will remain on the donor register until your 60th birthday. However, you can revoke your registration as a blood stem cell donor at any time, voluntarily and without any consequences. Please let us know as soon as possible if you are no longer able to donate bone marrow or peripheral blood stem cells for personal or medical reasons.
Further information: Data protection provisions applying to the blood stem cell register
COMMUNICATION DATA
We process personal data so as to be able to communicate with third parties. In this context, we process, in particular, data that a data subject provides when contacting us, for example by post or email. We can store such data in an address book or using similar tools.
Third parties who transfer data relating to other individuals are obliged to ensure data protection for those individuals. To this end, it is necessary, among other things, to ensure that the personal data provided is accurate.
We use selected services from suitable providers to improve our communication with third parties.
In particular, we use: Intercom: customer service, including via chatbot; provider: Intercom Inc. (USA) / Intercom R&D Unlimited Company (Ireland) / other Intercom companies; information on data protection: Privacy policy, “Security”.
WILL YOUR PERSONAL DATA BE SENT ABROAD?
Generally, we process personal data in Switzerland and within the European Economic Area (EEA). However, we may also transfer personal data to other countries.
We may also transfer personal data to countries whose laws do not guarantee an adequate level of data protection as recognised by the Federal Council. In such cases, data will only be transferred if the conditions set out in Article 16 and/or Article 17 of the Data Protection Act are met. This may be the case, in particular, if you have given your explicit consent, if the transfer is directly related to the conclusion or performance of a contract, if the data processing is based on a legal basis, or if it is necessary for the establishment, exercise or defence of legal claims.
ON WHAT GROUNDS DO WE PROCESS YOUR DATA?
We process personal data in accordance with the applicable legal provisions. We may do so when the processing is necessary to comply with a legal obligation or is in the public interest, is based on consent, is necessary for the conclusion or performance of a contract, or where there is an overriding legitimate interest.
Insofar as we obtain your consent, we will inform you in advance of the purpose and scope of the processing. Processing carried out without consent is based on another legal basis, such as contractual requirements, a legitimate interest or a legal obligation to fulfil our duties.
WHO DO WE SHARE YOUR DATA WITH?
We use services provided by specialist third parties to enable us to carry out our activities and operations in a sustainable, user-friendly, secure and reliable manner. These services allow us, amongst other things, to embed features and content on our website. In such cases, and for technical reasons, the services used will, at least temporarily, record users’ Internet Protocol (IP) addresses.
For necessary security, statistical and technical purposes, third parties whose services we use may process data associated with our activities and operations in an aggregated, anonymised or pseudonymised form. This includes, for example, performance or usage data, which is required in order to provide the relevant service.
We use, in particular:
- Services provided by Google: Provider: Google LLC (USA) / Google Ireland Limited (Ireland) – applicable in part to users in the European Economic Area (EEA) and Switzerland; information on data protection: “Principles on Data Protection and Security”, “Learn more about how Google processes personal information”, Privacy policy, “Committed to keeping data safe”, “Guide to data protection in Google products”, “How we use data from websites or apps on which our services are used”, Cookie guideline, “Advertising you can control” (Personalised advertising settings).
- Digital infrastructure: We use the services of specialist third parties to access the digital infrastructure required for our activities and operations. These include, for example, hosting and storage services from selected providers.
- Automation and integration of apps and services: We use specialised platforms to integrate and connect existing third-party apps and services. We can also use these “no-code” platforms to automate processes and tasks using third-party apps and services. We use, in particular: Zapier: Automation and integration of apps and services; provider: Zapier Inc. (USA); information on data protection: Privacy policy, “Data Privacy at Zapier”, “Data Privacy & Security FAQ”, “Security and Compliance”.
- Online collaboration: We use third-party services to facilitate online collaboration. In addition to this privacy policy, any terms and conditions that are directly apparent in the services used, such as terms of use or privacy policies, shall also apply.
- Maps: We use third-party services to embed maps on our website. We use, in particular: HERE: Map service; provider: HERE Global B.V. (Netherlands); information on data protection: “HERE Technologies Privacy Charter”, “Privacy policy for products and services”, Cookie guideline.
- Digital audio and video content: We use services provided by specialist third parties to enable the direct playback of digital audio and video content, such as music or podcasts. YouTube: Video platform; provider: Google; YouTube-specific information: “Data protection and security centre”, “My data on YouTube”.
- Fonts: We use third-party services to embed selected fonts, icons, logos and symbols on our website. We use, in particular: Adobe Fonts: Fonts; provider: Adobe Inc. (USA) for users in North America / Adobe Systems Software Ireland Limited (Ireland) for users in the rest of the world; information on data protection: “Adobe Privacy Center”, Privacy policy (Adobe Fonts), Privacy policy (Adobe), “Privacy questions?”, “Adobe Privacy Settings”, Cookie guideline. fonts.com: Fonts; provider: Monotype Imaging Holdings Inc. (USA); information on data protection: “Your Privacy”, Privacy policy, “Web Font Tracking Privacy Policy”. Google Fonts: Fonts; provider: Google; Google-fonts-specific information: “Your Privacy and Google Fonts”, “Data protection and data collection” (Google Fonts).
- Payments: We use specialist service providers to ensure that our customers’ payments are processed securely and reliably. In addition, the legal documents of the individual service providers, such as their terms and conditions or privacy policies, apply to the processing of payments. RaiseNow: Fundraising platform; provider: RaiseNow AG (Switzerland) / RaiseNow GmbH (Germany); information on data protection: Privacy policy, “Cooperation guidelines: Ethical and sustainable action”, Certification in accordance with Payment Card Industry Data Security Standard (PCI DSS).
- Advertising: We make use of the option to display targeted advertising for our activities and services on third-party platforms, such as social media platforms and search engines. Our aim with this type of advertising is, in particular, to reach people who are already interested in our activities and operations, or who might be interested in them (remarketing and targeting). To this end, we may pass on relevant information – including, where necessary, personal data – to third parties who facilitate such advertising. We can also determine whether our advertising is successful, specifically whether it leads to visits to our website (conversion tracking). Third parties with whom we advertise and with whom you are registered as a user may, in some cases, link your use of our online service to your profile with them.
You can opt out of all the targeting and remarketing activities described below on this website by clicking “Change cookie settings” in the footer of this website to open the cookie consent tool and then opting out of tracking under the ‘Advertising’ category.
We use, in particular:
- Google Ads: Search engine advertising; provider: Google; Google-ads-specific information: Advertising based, amongst other things, on search queries, with various domain names – in particular doubleclick.net, googleadservices.com and googlesyndication.com – being used for Google Ads, Privacy policy for advertising, “Manage pop-up adverts directly via the ad settings”.
- LinkedIn Ads: Social media advertising; provider: LinkedIn Corporation (USA) / LinkedIn Ireland Unlimited Company (Ireland); information on data protection: Remarketing and targeting, particularly using the LinkedIn Insight Tag, “Data protection”, Privacy policy, Cookie guideline, Opting out of personalized advertising.
- Meta Ads: Social media advertising on Facebook and Instagram; provider: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); information on data protection: Targeting, as well as retargeting, in particular with Meta-Pixel and with Custom Audiences including Lookalike Audiences, Privacy policy, “Advertising preferences” (user registration is required).
- Snapchat Ads: Social media advertising; provider: Snap Inc. (USA); information on data protection: Remarketing and targeting, in particular with “Snap Pixel”, “Data protection centre”, “Our privacy promise”, Privacy policy, Specific privacy policies for individual regions and countries, including for the European Economic Area (EEA) and the United Kingdom, “Product-related data protection”, “How do I change my privacy settings on Snapchat?”, Cookie guideline.
- TikTok Ads: Social media advertising; provider: TikTok Information Technologies UK Limited (United Kingdom) and TikTok Technology Limited (Ireland) for users in the European Economic Area (EEA), Switzerland and the United Kingdom / TikTok Inc. (USA) for users in the USA / TikTok Pte. Ltd. (Singapore) for most users in the rest of the world; information on data protection: Remarketing and targeting, in particular with TikTok-Pixel, Privacy policy, “Children’s Privacy Policy”, “Privacy policy for TikTok partners”, Cookie guideline.
FOR HOW LONG DO WE PROCESS YOUR DATA?
We will process your data for as long as required for our processing purposes, the statutory retention periods and our legitimate interests in processing for documentation and evidential purposes, or for as long as storage is technically necessary. Unless there are any legal or contractual obligations to the contrary, we will delete or anonymise your data once the retention or processing period has expired, as part of our standard procedures.
HOW DO WE PROTECT YOUR DATA?
We take appropriate technical and organisational measures to ensure that data security is commensurate with the respective risk. Access to our website is secured using transport layer encryption (SSL/TLS, specifically the Hypertext Transfer Protocol Secure, abbreviated to HTTPS). Most browsers indicate transport encryption with a padlock in the address bar. However, we can only secure areas that we control. We also require our data processors to implement appropriate security measures. However, security risks cannot generally be ruled out entirely; residual risks are inevitable.
WHAT ARE YOUR RIGHTS?
We grant data subjects all rights under the applicable data protection legislation. To help you manage the processing of your personal data, you have the following rights with regard to our data processing:
- The right to request information from us as to whether we process your data and, if so, what data we process;
- The right to have data corrected if it is inaccurate;
- The right to request the deletion of data;
- The right to request that we provide you with certain personal data in a commonly used electronic format or transfer it to another data controller;
- The right to withdraw your consent, insofar as our processing is based on your consent;
- The right to receive, upon request, further information necessary for you to exercise these rights.
We may suspend, restrict or refuse to allow data subjects to exercise their rights within the limits permitted by law. We may refuse, in whole or in part, to provide access to or delete personal data on the grounds of trade secrets, the protection of other individuals, or statutory retention obligations.
We are required to take reasonable steps to identify data subjects who request information or wish to exercise other rights. Data subjects are obliged to cooperate.
Please let us know if you are not satisfied with the way we handle your rights or data protection. If you are in the EEA or Switzerland, you have the right to lodge a complaint with your country’s data protection supervisory authority. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. You can contact the Swiss supervisory authority, the FDPIC, here: www.edoeb.admin.ch/en/.
HOW AND WHY DO WE USE COOKIES, TRACKING AND REACH MEASUREMENT?
WHAT ARE COOKIES AND HOW CAN YOU CONTROL THEM?
We may use cookies. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are pieces of data that are stored in the browser. Such stored data need not be limited to traditional text-based cookies.
Cookies can be stored temporarily in the browser as ‘session cookies’ or for a specific period of time as so-called ‘persistent cookies’. ‘Session cookies’ are automatically deleted when the browser is closed. Persistent cookies have a specific retention period. Cookies enable us, in particular, to recognise a browser the next time it visits our website and, for example, to measure the reach of our website. However, persistent cookies can also be used for online marketing, for example.
Cookies can be disabled or deleted, either in full or in part, at any time via your browser settings. Without cookies, our website may no longer be fully accessible. We actively seek your explicit consent to the use of cookies – at least insofar as this is necessary.
Managing cookies in the most popular browsers:
In the case of cookies used to measure performance and reach or for advertising purposes, a general opt-out option is available for many services via AdChoices (Digital Advertising Alliance of Canada), Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
WHAT USAGE DATA IS COLLECTED ON OUR WEBSITE (SERVER LOGS, WEB BEACONS)?
Server logs
We may collect the following information each time our website is accessed, provided that this information is transmitted from your browser to our server infrastructure or can be determined by our web server: date and time, including time zone; Internet Protocol (IP) address; access status (HTTP status code); operating system, including user interface and version; browser, including language and version; specific subpages of our website visited, including the amount of data transferred; the last webpage visited in the same browser window (referrer).
We store such information, which may also include personal data, in server log files. This information is required to ensure that our website remains available, user-friendly and reliable, and to guarantee data security and, in particular, the protection of personal data – including where this is carried out by or with the assistance of third parties.
Web Beacons
We may use web beacons on our website. Web beacons are also called tracking pixels. Web beacons – including those from third parties whose services we use – are small, usually invisible images that are automatically loaded when you visit our website. Web beacons can be used to collect the same information as is found in server log files.
WHAT EMBEDDED CONTENT AND SOCIAL PLUGINS DO WE USE?
A plug-in provider stores the data they collect as user profiles. It is used for market research and advertising. You have the right to object to the creation of user profiles by the provider of the relevant plug-in. We use plug-ins to optimise our website and our services, and to make them more interesting for users.
Our website features YouTube buttons that are designed as a passive solution to protect your privacy. The button only establishes a direct link between YouTube and you once you have actively clicked on the Share/Like button. This prevents you from leaving a digital footprint on the social network simply by visiting our website and enhances your privacy.
When you click the Share button, your IP address and the post you have just viewed on our website will be sent to YouTube, just as with any other standard link. If you click the button whilst logged into your YouTube account, you can link the content from our pages to your profile. This allows YouTube to link your visit to our site to your user account. We would like to point out that, as the provider of this website, we have no knowledge of the content of the data transmitted or of how YouTube uses it. Further information on this can be found in YouTube’s privacy policy.
HOW AND WHY DO WE MEASURE THE PERFORMANCE AND REACH OF OUR WEBSITE?
We are trying to find out how our website is used. In this context, we can, for example, measure the performance and reach of our activities and initiatives, as well as the impact of third-party links on our website. However, we can also, for example, test and compare how different parts or versions of our online offering are used (using the ‘A/B testing’ method). Based on the results of our performance and reach measurements, we can, in particular, rectify errors, enhance popular content or make improvements to our online offering. In most cases, the Internet Protocol (IP) addresses of individual users are stored for the purpose of measuring performance and reach. In this case, IP addresses are always truncated (‘IP masking’) in order to comply with the principle of data minimisation through the use of pseudonymisation. Cookies may be used to measure performance and reach, and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our website, details of the screen or browser window size, and the user’s location (at least approximately). In principle, any user profiles created are always pseudonymised and are not used to identify individual users. Certain third-party services with which users have an account may, in some cases, link the use of our online service to the user’s account or profile on that service.
You can opt out of all the activities described below for measuring performance and reach on this website by clicking “Change cookie settings” in the footer of this website to open the cookie consent tool and then opting out of tracking under the ‘Performance’ category.
We use, in particular:
- Google Analytics: Performance and reach measurement; provider: Google; Google Analytics-specific information: Tracking across different browsers and devices (cross-device tracking) as well as using pseudonymised Internet Protocol (IP) addresses, which are only transferred in full to Google in the USA in exceptional cases, “Data protection”, “Browser add-on to disable Google Analytics”.
- Google Tag Manager: Integration and management of other services for measuring performance and reach, as well as other services provided by Google and third parties; provider: Google; Google Tag Manager-specific information: “Data collected using Google Tag Manager”; further information on data protection can be found in the privacy policies of the individual services integrated and managed.
- Matomo Cloud: Measurement of performance and reach using pseudonymised Internet Protocol (IP) addresses; provider: InnoCraft Ltd. (New Zealand); information on data protection: Privacy policy, No cross-website data collection and no sharing of data with third parties (“100 % Data Ownership”).
HOW DO WE SEND NOTIFICATIONS AND MESSAGES – AND HOW CAN YOU MANAGE THEM?
We send notifications and messages by email and via other communication channels, such as instant messaging or SMS.
HOW DO WE MEASURE THE PERFORMANCE OF OUR NOTIFICATIONS AND MESSAGES?
Notifications and messages may contain web links or web beacons that record whether a particular message has been opened and which web links were clicked. These web links and web beacons may also track the use of notifications and messages on a personal basis. We require this statistical data on usage to measure performance and reach, so that we can send notifications and messages in a way that is effective and user-friendly, as well as sustainable, secure and reliable, based on the needs and reading habits of the recipients. We send out notifications and messages with the help of specialist service providers.
We use, in particular:
- ActiveCampaign: Marketing automation platform, specialising in email marketing; provider: ActiveCampaign LLC (USA); information on data protection: Privacy policy.
HOW DO WE OBTAIN CONSENT, AND HOW CAN YOU WITHDRAW IT?
You must, as a general rule, give your express consent to the use of your email address and other contact details, unless such use is allowed for other legal reasons. Wherever possible, we use the ‘double opt-in’ procedure for obtaining consent; this means you will receive an email containing a web link which you must click to confirm your consent, thereby preventing any misuse by unauthorised third parties. We may log such consents, including the Internet Protocol (IP) address and the date and time, for evidential and security purposes.
You may, in principle, opt out of receiving notifications and messages such as newsletters at any time. By submitting such an objection, you can simultaneously opt out of the statistical tracking of your usage for the purposes of measuring performance and reach. This does not apply to any necessary notifications and messages relating to our activities and operations.
HOW DO WE USE SOCIAL MEDIA PLATFORMS, AND HOW IS DATA PROCESSED IN THIS CONTEXT?
We maintain a presence on social media and other online platforms so that we can communicate with interested parties and keep them informed about our activities and work. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).
The terms and conditions (T&Cs), terms of use, privacy policies and other provisions of the individual operators of such platforms also apply in each case. These provisions set out, in particular, the rights of data subjects in relation to the respective platform, including, for example, the right of access.
CAN OUR PRIVACY POLICY BE AMENDED?
We may amend or update this privacy policy at any time. We will provide information about such amendments and supplements in an appropriate manner. The version published on this website is always the current one.