PRIVACY NOTICE
of Thomas Müller Chocolatier

Version dated 23.05.2024

IMPORTANT NOTE: The German version of this document will govern our relationship – this translated version is provided for convenience only and will not be interpreted to modify the German version. For the German version, please see https://thomasmuller.ch/de/datenschutz/.

1. General information on our handling of personal data
In this Privacy Policy, we, Thomas Müller Chocolatier (Rheinstrasse 20, CH-8200 Schaffhausen), explain how we collect and otherwise process personal data. This is not an exhaustive description; other privacy policies or general terms and conditions, participation conditions, and similar documents may regulate specific matters. Personal data refers to all information relating to a specific or identifiable person.

If you provide us with personal data of other persons (e.g., family members, data of colleagues), please ensure that these persons are aware of this Privacy Policy and only share their personal data with us if you are permitted to do so and if the personal data is accurate.

This Privacy Policy is designed to meet the requirements of the EU General Data Protection Regulation (“GDPR”), the Swiss Data Protection Act (“DPA”), and the revised Swiss Data Protection Act (“revDPA”). Whether and to what extent these laws are applicable depends on the individual case.

2. Controller / Data Protection Officer / Representative
The controller responsible for the data processing described here is Thomas Müller Chocolatier. If you have any data protection concerns, you can contact us at the following address:

Thomas Müller Chocolatier
Rheinstrasse 20
CH-8200 Schaffhausen
Email: info@thomasmuller.ch

3. Collection and Processing of Personal Data
We primarily process the personal data that we receive from our customers and other business partners in the context of our business relationships or that we collect from users when operating our websites, apps, and other applications. To the extent permitted, we also obtain certain data from publicly accessible sources (e.g., debt registers, land registers, commercial registers, press, internet) or receive such data from other companies, authorities, and other third parties (such as credit reporting agencies). In addition to the data you provide directly to us, the categories of personal data we receive from third parties about you include, in particular, information from public registers, information that we obtain in connection with official and judicial proceedings, information related to your professional functions and activities (to conclude and process transactions with your employer with your help), information about you in correspondence and meetings with third parties, creditworthiness information (to the extent we conduct transactions with you personally), information about you provided to us by persons in your environment (family, advisors, legal representatives, etc.) to conclude or process contracts with you or involving you (e.g., references, your address for deliveries, powers of attorney, information for compliance with legal requirements such as anti-money laundering and export restrictions, information from banks, insurance companies, distributors, and other contractual partners to take advantage of or provide services by you (e.g., payments made, purchases made)), information from media and the internet about you (to the extent indicated in the specific case, e.g., in the context of an application, press review, marketing/sales), your addresses and possibly interests and other sociodemographic data (for marketing), data related to the use of the website (e.g., IP address, MAC address of the smartphone or computer, information about your device and settings, cookies, date and time of the visit, pages and content retrieved, used functions, referring website, location information).

4. Purposes of Data Processing and Legal Basis
We primarily process personal data that we receive from our customers and other business partners in the context of our business relationships or that we collect from users when operating our websites and other applications.

If you work for such a customer or business partner, your personal data may also be affected in this capacity. In addition, we process personal data about you and other persons, to the extent permitted and as deemed appropriate, for the following purposes, in which we (and sometimes also third parties) have a legitimate interest corresponding to the purpose:

  • Offering and developing our offers, services, and websites, apps, and other platforms on which we are present;
  • Communication with third parties and processing their requests (e.g., applications, media inquiries);
  • Review and optimization of procedures for needs analysis for direct customer contact and collection of personal data from publicly accessible sources for customer acquisition;
  • Advertising and marketing (including the execution of events), unless you have objected to the use of your data (if we send you advertising as an existing customer, you can object at any time, and we will put you on a blacklist against further advertising mailings);
  • Market and opinion research, media monitoring;
  • Assertion of legal claims and defense in connection with legal disputes and official proceedings;
  • Prevention and investigation of crimes and other misconduct (e.g., conducting internal investigations, data analysis for fraud prevention);
  • Ensuring our operations, particularly IT, websites, apps, and other platforms;
  • Video surveillance to protect house rights and other measures for IT, building, and facility security and the protection of our employees and other persons and the values entrusted to us (such as access controls, visitor lists, network and mail scanners, telephone recordings);
  • Purchase and sale of business units, companies, or parts of companies, and other corporate transactions and related transfer of personal data and measures for business management and compliance with legal and regulatory obligations and internal rules of Thomas Müller Chocolatier.

If you have given us consent to process your personal data for specific purposes (e.g., when subscribing to newsletters or conducting a background check), we will process your personal data within the framework of and based on this consent, unless we have another legal basis and we need such a basis. Consent given can be withdrawn at any time, but this does not affect data processing already carried out.

5. Cookies / Tracking and Other Technologies Related to the Use of Our Website
We typically use “cookies” and similar techniques on our websites to identify your browser or device. A cookie is a small file sent to your computer or automatically stored on your computer or mobile device by the web browser you use when you visit our website. When you visit this website again, we can recognize you, even if we do not know who you are. In addition to cookies used only during a session and deleted after your website visit (“session cookies”), cookies can also be used to store user settings and other information over a certain period (e.g., two years) (“permanent cookies”). You can configure your browser to reject cookies, save them only for a single session, or delete them prematurely. Most browsers are preset to accept cookies.

We use permanent cookies to save user settings (e.g., language, autologin), to better understand how you use our offers and content, and to show you tailored offers and advertising (this can also happen on websites of other companies; however, they will not learn from us who you are, if we know that at all, because they only see that the user on their website is the same one who was on a specific page of ours). Some cookies are set by us, others by contractual partners we work with. If you block cookies, certain functionalities (e.g., language selection, shopping cart, order processes) may no longer work.

We incorporate visible and invisible image elements in our newsletters and other marketing emails to the extent permitted. When they are retrieved from our servers, we can determine whether and when you opened the email, so we can measure and better understand how you use our offers and tailor them to you. You can block this in your email program; most are preset to do so.

By using our websites and agreeing to receive newsletters and other marketing emails, you consent to the use of these techniques. If you do not want this, you must set your browser or email program accordingly.

We use the following services on our websites for success and reach measurement (analysis):

  • Google Analytics, Google Tag Manager, and Google DoubleClick by Google Ireland Ltd., located at Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC, located in the USA, as its processor. The use of our website is monitored and recorded. Google uses permanent cookies and other tracking technologies to collect anonymous information (e.g., the number of website visitors, origin of visitors, length of stay). We generally do not transmit any personal data or complete IP addresses to Google. Google provides us with aggregated information. We cannot identify individual visitors. However, Google can use the data it collects for its own purposes. Google processes your personal data on its own responsibility and according to its privacy policies. For more information on the data collected, refer to Google Ireland Limited’s privacy policy at: https://policies.google.com/privacy.
  • Bing Universal Event Tracking (UET) by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. We use Bing UET to record user behavior on our website. Microsoft can track usage behavior across multiple electronic devices through cross-device tracking and thus display personalized advertising on or in Microsoft websites and applications. You can disable this behavior at https://choice.microsoft.com/de-de/opt-out. For more information on Bing UET and the data collected, refer to Microsoft’s privacy policy at: https://privacy.microsoft.com/de-de/privacystatement.
  • Facebook Pixel, Facebook Signal, and Facebook Custom Audiences from Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook, the collected data is also transferred to the USA and other third countries. We use Facebook’s services to record user behavior on our website. For us as the website operator, the collected data is anonymous; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook, allowing it to be linked to the respective user profile and enabling Facebook to use the data for its own advertising purposes in accordance with Facebook’s data usage policies. This allows Facebook to display ads on Facebook pages as well as outside of Facebook. As the site operator, we have no influence over this data usage. Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found at: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. In cases where personal data is collected on our website via the tool described here and transmitted to Facebook, we and Meta Platforms Ireland Limited are jointly responsible for this data processing. The obligations that we jointly hold are outlined in a joint processing agreement: https://www.facebook.com/legal/controller_addendum. For more information on protecting your privacy, please see Facebook’s privacy policy: https://de-de.facebook.com/about/privacy/. You can deactivate the remarketing function “Custom Audiences” in the ad settings area at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. You must be logged into Facebook to do this. If you do not have a Facebook account, you can deactivate Facebook’s usage-based advertising on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

Currently, we use services particularly from the following providers and advertising partners (insofar as they use your data or cookies set by you for advertising purposes):

  • Microsoft Advertising by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. In the European Economic Area, the United Kingdom, and Switzerland: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. We use Microsoft Advertising services to advertise our company online (especially for search engine advertising). You can find Microsoft’s privacy policy at: https://privacy.microsoft.com/de-de/privacystatement.
  • Mailchimp by Intuit Mailchimp, 405 N Angier Ave. NE, Atlanta, GA 30308, USA. We use Mailchimp to send newsletters to registered subscribers. https://mailchimp.com/de/legal/
  • Google Adsense and Google DoubleClick by Google Ireland Ltd., headquartered at Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC based in the USA as its processor. We use Google AdSense services to display personalized ads on our website. You can find Google Ireland Limited’s privacy policy at: https://policies.google.com/privacy.
  • Google Maps including Google Maps Platform by Google Ireland Ltd., headquartered at Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC based in the USA as its processor. We use Google Maps services to embed maps on our website. You can find Google Ireland Limited’s privacy policy at: https://policies.google.com/privacy. Information on the use of location data can be found at: https://policies.google.com/technologies/location-data.
  • Adobe Fonts by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Park, Dublin 24, Ireland. We use Adobe Fonts to embed fonts (including logos, icons, and symbols) into our website. You can find Adobe’s privacy policy at: https://www.adobe.com/ch_de/privacy/policies/adobe-fonts.html.
  • Google Fonts by Google Ireland Ltd., headquartered at Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC based in the USA as its processor. We use Google Fonts to embed fonts (including logos, icons, and symbols) into our website. You can find Google Ireland Limited’s privacy policy at: https://policies.google.com/privacy. Answers to frequently asked questions about data privacy can be accessed here: https://developers.google.com/fonts/faq/privacy.
  • YouTube by Google Ireland Ltd., headquartered at Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC based in the USA as its processor. We use YouTube to embed videos into our website. You can find YouTube’s privacy policy at: https://support.google.com/youtube/topic/2803240?hl=de.

We also use plugins from social networks such as Facebook (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), and Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA) on our websites. This is typically indicated by corresponding symbols. We have configured these elements to be deactivated by default. If you activate them (by clicking), the operators of the respective social networks can register that you are on our website and where, and they can use this information for their purposes. The processing of your personal data is then the responsibility of the respective operator according to their privacy policies. We do not receive any information about you from them.

6. Social Media
We may operate pages and other online presences (such as “fan pages,” “channels,” “profiles,” etc.) on social networks and other platforms operated by third parties, and collect data about you as described in section 4 and below. We receive this data from you and the platforms when you interact with us through our online presence (e.g., when you communicate with us, comment on our content, or visit our presence). At the same time, the platforms analyze your use of our online presences and link this data with other data they know about you (e.g., your behavior and preferences). They also process this data for their own purposes under their own responsibility, especially for marketing and market research purposes (e.g., to personalize advertising) and to manage their platforms (e.g., which content they show you).

We process this data for the purposes described in section 4, particularly for communication, marketing purposes (including advertising on these platforms, see section 5), and market research. Information on the relevant legal bases can be found in section 4. Content published by you (e.g., comments on an announcement) may be further distributed by us (e.g., in our advertising on the platform or elsewhere). We or the platform operators can also delete or restrict content from or about you in accordance with the usage guidelines (e.g., inappropriate comments).

For further information on the processing by platform operators, please refer to the privacy policies of the platforms. There you will also find information on which countries process your data, what rights you have (e.g., rights to access and delete your data), and how you can exercise these rights or obtain further information. Currently, we use the following platforms:

7. Data Sharing and International Data Transfers
We disclose personal data as part of our business activities and for the purposes outlined in section 3, where permitted and deemed appropriate, to third parties, either because they process the data for us or because they intend to use it for their own purposes. This primarily concerns the following recipients:

  • Service providers
  • Domestic and foreign authorities, offices, or courts
  • Media
  • The public, including visitors to websites and social media
  • Other parties in potential or actual legal proceedings
  • Joint recipients.

These recipients may be located within the country or anywhere around the world. You should particularly expect your data to be transferred to all countries where Thomas Müller Chocolatier has group companies, branches, or other offices (locations), as well as to other countries in Europe and the USA where our service providers are located (e.g., Microsoft, SAP, Amazon, BSI CRM).

If a recipient is located in a country without adequate legal data protection, we contractually require the recipient to comply with applicable data protection (we use the revised Standard Contractual Clauses of the European Commission, which are available here), unless the recipient is already subject to a legally recognized framework ensuring data protection and we cannot rely on an exception. An exception may apply, particularly in legal proceedings abroad, but also in cases of overriding public interest or if contract execution requires such disclosure, if you have given consent, or if it concerns data you have made generally accessible and you have not objected to its processing.

8. Duration of Retention of Personal Data
We process and store your personal data for as long as necessary to fulfill our contractual and legal obligations or other purposes pursued with the processing, i.e., for the duration of the entire business relationship (from initiation and processing to termination of a contract) and beyond, in accordance with legal retention and documentation obligations. This means that personal data may be retained for the period during which claims can be made against our company and as far as we are otherwise legally obligated or have legitimate business interests (e.g., for evidence and documentation purposes). Once your personal data is no longer necessary for the above-mentioned purposes, it will be deleted or anonymized as a general rule and where possible. For operational data (e.g., system logs), shorter retention periods of twelve months or less generally apply.

9. Data Security
We implement appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse, such as issuing directives, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymization, and controls.

10. Obligation to Provide Personal Data
In the context of our business relationship, you must provide the personal data necessary for initiating and conducting a business relationship and fulfilling the associated contractual obligations (you generally do not have a legal obligation to provide us with data). Without this data, we will typically be unable to enter into or execute a contract with you (or the entity or person you represent). Similarly, the website cannot be used if certain information required to ensure data traffic (such as IP address) is not disclosed.

11. Profiling
We partially process your personal data automatically with the aim of evaluating certain personal aspects (profiling). We use profiling primarily to inform and advise you about products in a targeted manner. For this purpose, we use evaluation tools that enable us to conduct needs-based communication and advertising, including market and opinion research. In establishing and conducting the business relationship, and generally, we do not use fully automated decision-making (as regulated in Art. 22 GDPR). Should we use such procedures in individual cases, we will inform you separately, as legally required, and clarify the associated rights.

12. Rights of the Data Subject
Under the applicable data protection law and as provided therein (such as in the case of the GDPR), you have the right to information, rectification, deletion, restriction of data processing, objection to our data processing, particularly for direct marketing purposes, profiling for direct advertising, and other legitimate interests in processing, as well as the right to data portability (i.e., the right to receive certain personal data for transfer to another entity). Please note that we reserve the right to enforce the legally prescribed restrictions, such as when we are obliged to retain or process certain data, have an overriding interest (as far as we can rely on this), or need it for asserting claims. If costs arise for you, we will inform you in advance. We have already informed you about the possibility of withdrawing your consent in section 3. Note that exercising these rights may conflict with contractual agreements and result in consequences such as early termination of the contract or additional costs. We will inform you in advance if this is not already contractually regulated. Exercising these rights generally requires you to clearly prove your identity (e.g., by providing a copy of an ID where your identity is otherwise unclear or cannot be verified). You can contact us at the address provided in section 1 to exercise your rights. Every affected person also has the right to enforce their claims through the courts or file a complaint with the competent data protection authority.

A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de.

The Swiss supervisory authority can be reached here: https://www.edoeb.admin.ch.

In Liechtenstein, the following data protection office is responsible: https://www.datenschutzstelle.li.

13. Changes
We may amend this privacy policy at any time without prior notice. The current version published on our website applies. If the privacy policy is part of an agreement with you, we will inform you of any updates via email or other suitable means.
