Data Privacy Policy

This Data Privacy Policy (“Policy”) provides an overview of how HEGIAS AG (“HEGIAS”, “we”, “our”) handles privacy via our websites, products and services, and how we protect your Personal Data. Data and its protection belong to the core of our business. HEGIAS, as well as our employees, contractors and service providers, is committed to providing you with transparency and choice when it comes to Personal Data. We define Personal Data as any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. We aim to process Personal Data in accordance with applicable legislation, while taking into account and transparently balancing the relevant interests of our customers, ourselves and other stakeholders.

Certain products and services provided by HEGIAS may have additional specific privacy notices that describe how we handle Personal Data for those products and services. If any such privacy notice conflicts with this Data Privacy Policy, the specific notice takes precedence.

We may update this Data Privacy Policy from time to time. If we modify it, we will post the revised version on this website with an updated revision date. You agree to visit these pages periodically to be aware of and review any such revisions. If we make material changes, we may also notify you by other means before the changes take effect, such as by posting a notice on our websites or sending you a notification. By continuing to use our website or our products and services after such revisions are in effect, you accept and agree to the revisions and to abide by them.

A. What this Data Privacy Policy covers

This Data Privacy Policy describes the following general aspects of our collection and processing of your Personal Data:
- What Personal Data we collect;
- On what grounds and how we process your Personal Data;
- Marketing and Community Networking;
- How we protect your Personal Data;
- How we disclose your Personal Data;
- Your privacy rights;
- How to contact us.

Please refer to our complementary product and service privacy notices for additional detail specific to those products and services.

B. What Personal Data we collect

a. General

When you visit and use our websites and services, we may collect data, or ask you to provide certain data, including Personal Data, about you as you use our websites and services and interact with us, for the purpose of helping us manage our relationship with you. “Personal Data” is any data relating to an identified or identifiable individual. If we link other data with your Personal Data, we will treat that linked data as Personal Data. We also collect Personal Data from trusted third party sources and engage third parties to collect Personal Data to assist us.

Personal Data may include:
- Contact details, such as name, mailing address, email address and phone number;
- Billing data;
- Your transaction history;
- Data you provide to us to receive technical assistance or during customer service interactions;
- Data about your computer or device, including browser type and settings, IP address and traffic data relating to your Internet connection; and
- Product performance data and details about how you use our services.

We collect Personal Data for a variety of reasons, such as:
- Your convenience when using our products and services;
- Processing your order, including payment transactions;
- Providing you with a newsletter subscription;
- Sending product information and updates about new features;
- Creating an account;
- Enabling the use and ease of certain features of our Services;
- Personalizing your experience;
- Providing customer service;
- Managing a job application;
- Collecting information during the testing admissions process when a computer-based certification test is administered to you;
- Improving our Services.

We and the third parties we engage may combine the information we collect from you over time and across our websites and Services with information obtained from other sources. This helps us to improve its overall accuracy and completeness, and to better tailor our interactions with you. If you choose to provide HEGIAS with a third party’s personal information, you represent that you have the third party’s permission to do so.

b. Website

Most of the services provided on our websites do not require any form of registration, so you can visit our website without telling us who you are. However, some services may require you to provide us with Personal Data, which may include direct identifiers such as your name, email address or telephone number. We may collect and use Personal Data to provide you with services, to bill you for services you request, to market services and new features which we think may be of interest to you, or to communicate with you for other purposes which are evident from the circumstances or about which we inform you when we collect Personal Data from you.

We may collect and process information about your visit to our websites, such as the pages you visit, the website you came from and some of the searches you perform. We use such information to help improve the contents of the website and to compile aggregate statistics about the use of our site for internal market research purposes. In doing this, we may install “cookies” (see further below) that collect the domain name of the user, your internet service provider, your operating system, and the date and time of access.

C. On what grounds and how we process your Personal Data

We may use your Personal Data for the purposes of operating our business; delivering, improving and customizing our websites and services; sending marketing material and other communications related to our business; and for other legitimate purposes permitted by applicable law.
In addition to the Swiss Data Protection Law (CC 235.1), we are subject to applicable EU and international legislation. Under EU Regulation 2016/679 (“GDPR”), processing of Personal Data is lawful only if and to the extent that at least one of the specific grounds listed in the GDPR applies. Your Personal Data is processed on the following grounds:

a. Your consent (Article 6 (1) a) GDPR)

You can give us your consent to process your Personal Data in order to:
- send you marketing communications and information on new services and trainings;
- subscribe you to a newsletter, and send you service updates or technical alerts;
- communicate with you about, and provide you with, offers upon your request;
- solicit your opinion or feedback;
- process your orders for services.

b. Fulfilling our contracts (Article 6 (1) b) GDPR)

We may process your data in order to fulfil our contractual obligations with you and third parties, such as to:
- deliver a service you have requested;
- update you on the status of your orders;
- process your purchase transactions;
- analyse, support and improve services and your online experience;
- create and manage your personalized accounts with HEGIAS;
- allow your registration for services;
- verify your identity and entitlement to services when you access our services;
- provide you with technical and customer support; and
- manage your renewals and subscriptions.

c. Legal obligations (Article 6 (1) c) GDPR)

HEGIAS is obligated by law to keep records for accounting and tax purposes, to provide information to public authorities and to retain documentation in case of legal proceedings.

d. Legitimate interest in accordance with Recital 47 of the GDPR

When delivering our services and communications to you, as well as to our other customers and partners, we may process your Personal Data to:
- communicate commercial promotions, updates and upgrades of services;
- provide quotes for our services;
- research and implement service improvements;
- evaluate and improve the performance and quality of our services and websites;
- provide you with a customized experience when you visit our websites;
- allow interoperability within our applications;
- secure our systems and applications;
- allow for the provisioning of services;
- prevent fraud;
- enforce our legal rights; and
- share your data with partners for sales conversions and lead generation.

e. Legitimate interest in accordance with Recitals 39 and 49 and Article 32 of the GDPR

Some of our services support organizations in complying with Recital 39 and Article 32 of the GDPR, which require that Personal Data be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorised access to or use of Personal Data and of the equipment used for processing. HEGIAS processes Personal Data for network and information security purposes. Pursuant to Recital 49 of the GDPR, organizations have a recognized legitimate interest in collecting and processing Personal Data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security. According to Recital 49, network and information security means the ability of a network or of an information system to resist events, attacks or unlawful or malicious actions that could compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, or the security of the related services offered by, or accessible via, those networks and systems.
HEGIAS supervises and secures its technologies and services, which may include hosted and managed computer emergency and security incident response services. As described in Article 6(1) f) GDPR, it is in our legitimate interests, as well as in our customers’, to collect and process Personal Data to the extent strictly necessary and proportionate for the purposes of ensuring the security of our own and of our customers’ networks and information systems. This includes the use of threat intelligence resources aimed at maintaining and improving, on an ongoing basis, the ability of networks and systems to resist unlawful or malicious actions and other harmful events (“cyber-threats”).

The Personal Data we process for these purposes includes, without limitation, network traffic data related to cyber-threats such as:
- sender email addresses (e.g., of sources of spam);
- recipient email addresses (e.g., of victims of targeted email cyberattacks);
- reply-to email addresses (e.g., as configured by cybercriminals sending malicious email);
- filenames and execution paths (e.g., of malicious or otherwise harmful executable files attached to emails);
- URLs and associated page titles (e.g., of web pages broadcasting or hosting malicious or otherwise harmful content); and/or
- IP addresses (e.g., of web servers and connected devices involved in the generation, distribution, conveyance, hosting, caching or other storage of cyber-threats such as malicious or otherwise harmful content).

Depending on the context in which such data is collected, it may contain Personal Data concerning you or other data subjects. In such cases, we will process the data concerned only to the extent strictly necessary and proportionate to the purposes of detecting, blocking, reporting (with any personally identifiable elements removed) and mitigating the cyber-threats of concern to you and to all organizations relying on our products and services. When processing Personal Data in this context, we will not seek to identify a data subject unless this is strictly indispensable to the remediation of the cyber-threats concerned or required by law.

D. Marketing and Community Networking

HEGIAS has a legitimate interest in promoting our commercial offerings and in optimizing the delivery of communications to that effect to the customers and audiences most likely to find them relevant. We will therefore collect and process data to that end as explained below. However, where we are legally required to obtain your consent before providing you with certain marketing materials, we will only provide such materials once we have obtained that consent. If you do not want to continue receiving marketing materials from us, you can use the unsubscribe function in the communication or email.

a. Cookies

Cookies help to make your visit to our website easier, more enjoyable and more efficient. A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie is stored by the web browser and remains valid until its set expiry date, unless deleted by the user before that date; a session cookie expires at the end of the user session, when the web browser is closed. Cookies do not typically contain Personal Data, but Personal Data that we store about you may be linked to the information stored in and obtained from cookies. Most browsers allow you to refuse cookies and to delete them. The methods for doing so vary from browser to browser, and from version to version.
Most browsers can also be set to notify you when you receive a cookie, so that you can decide whether to accept it, and you may deactivate cookies altogether. However, if you do not accept our cookies, you may not be able to use all functionalities of our website.

b. Google Analytics

The use of our digital offerings is measured and evaluated by means of various technical systems, mainly from third party providers such as Google Analytics. These measurements can be carried out in an anonymous or personalized form. The collected data may be passed on by us or by the third party providers of such systems, based in Switzerland and abroad, for processing. The most widely used analysis tool is Google Analytics, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies (see above) stored on your computer to help analyse how users use our website. The information generated by Google Analytics about your use of the website (including your IP address) will be transmitted to and stored on a Google server in the United States. Google will use this information to evaluate your use of the website, to compile reports on website activity for us, and to provide other services relating to website activity and Internet usage. Google may also transfer this information to third parties if required by law or if third parties process this data on behalf of Google. Google will not associate your IP address with any other data held by Google.

If you do not want your website activity to be available to Google Analytics, you can install the browser add-on for disabling Google Analytics available at https://tools.google.com/dlpage/gaoptout?hl=en. This prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) running on the websites from sharing activity data with Google Analytics. The add-on does not disable analysis of data by other tools used by the website owner; data may still be sent to the website or to other web analytics services.

c. Newsletter, email and other forms of correspondence

If you sign up for our newsletter(s), or if you contact us via a contact form or directly by email, we will store some of your information, including your email address, your IP address and certain information about the links you click within the emails we send you. We will not sell your email address or share it with any other party unless we are legally compelled to do so. We use Campaign Monitor to generate and distribute our newsletters. Please see Campaign Monitor’s privacy policy at https://www.campaignmonitor.com/policies/#privacy-policy to learn more about their processing of Personal Data.

In addition to the purposes described above, we may, in compliance with applicable legal requirements, use your Personal Data to provide you with advertisements, promotions and information about products and services. This may include demographic data or trend data provided by third parties, where permitted. Contact details, including phone numbers, mail and email addresses, may be used to contact you. If you do not want us to use your Personal Data in this way, you can choose not to consent to such use on the webpages and/or forms through which the Personal Data is collected. You can also exercise this right at any time by contacting us as explained below.

E. How we protect your Personal Data

a. Safeguards

Securing Personal Data is an important aspect of protecting privacy.
We take reasonable and appropriate administrative, technical, organizational and physical security and risk management measures, in accordance with market standards and applicable laws, to ensure that your Personal Data in our possession is adequately protected against accidental or unlawful destruction, manipulation, damage, loss or alteration, unauthorized or unlawful access, disclosure or misuse, and all other unlawful forms of processing. These measures include:

Physical Safeguards: We lock doors and file cabinets, control access to our facilities and apply secure destruction to media containing your Personal Data.

Technology Safeguards: We and the data centres commissioned by us use network and information security technologies, and we monitor our systems and data centres to ensure that they comply with our security policies. For example, connections to our servers are established over secure, encrypted channels, and the data centres commissioned by us back up data on a regular basis, encrypt those backups and store them at different physical locations in compliance with Swiss data protection laws. Our technology safeguards are continuously adapted and improved in line with technological developments.

Organizational Safeguards: We conduct regular training and awareness programs on security and privacy to make sure that our employees and contractors understand the importance of protecting your Personal Data, and that they acquire and maintain the knowledge and skills needed to protect it effectively in practice. Our security organization applies policies, standards and supporting security controls at a level appropriate to the risk and the services provided. In addition, appropriate security controls are communicated to application owners and technology teams to support secure development of services and a secure operating environment.

b. Storage / Duration

The data we collect from you may be stored, with risk-appropriate technical and organizational security measures applied to it, on third party servers in locations compliant with Swiss data protection obligations. We will retain your personal information as needed to fulfil the purposes for which it was collected. We will retain and use your personal information as necessary to comply with our business requirements and legal obligations, resolve disputes, protect our assets and enforce our agreements.

c. Measures upon Personal Data breaches

We take every reasonable measure to prevent Personal Data breaches. When a breach does occur, we have a process in place to take swift action within our responsibilities. These actions will be consistent with the role we have in relation to the services or processes affected by the breach. In all cases, we will work together with affected parties to minimize the effects, to make all notifications and disclosures that are required by applicable law or otherwise warranted, and to take action to prevent future breaches.

d. No guarantee

The Internet cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any personal information you provide to us.

F. How we disclose your Personal Data

a. General

We do not sell, lease, rent or give away your Personal Data. We may share your Personal Data with third parties for the purposes of operating our business; delivering, improving and customizing our solutions; sending marketing and other communications related to our business; and for other legitimate purposes permitted by applicable law or otherwise with your consent.

b. Business Partners

We may provide your Personal Data to our business partners for the purpose of allowing them to conduct business.
We may do so:
- so that these business partners may share information with you about their products or services;
- to provide a requested product, solution, service or transaction;
- in connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or to another company.

c. Service Providers Processing Data on Our Behalf

We may use contractors and service providers to process your Personal Data on our behalf for the purposes described in this Policy. We contractually require service providers to keep data secure and confidential, and we do not allow our data processors to disclose your Personal Data to others without our authorization or to use it for their own purposes. However, if you have an independent relationship with these service providers, their privacy statements will apply to such relationships. Such service providers may include, in particular, contact centres, payment card processors and marketing/survey/analytics suppliers.

d. Public Authorities

In certain instances, it may be necessary for HEGIAS to disclose your Personal Data to public authorities or as otherwise required by applicable law. No Personal Data will be disclosed to any public authority except:
- in response to a request for information by a competent authority, if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation or legal process;
- upon request of law enforcement officials, government authorities or other third parties, as necessary to comply with legal process; to protect the rights, property or safety of HEGIAS, its business partners, you or others; or as otherwise required by applicable law;
- upon discovery of fraudulent activity or other deceptive practices, if we believe a governmental agency should be notified;
- where such disclosure is necessary for HEGIAS to enforce its legal rights pursuant to applicable law.

G. Your Privacy Rights

Whenever we process Personal Data, we take reasonable steps to ensure that your Personal Data is kept accurate and up to date for the purposes for which it was collected. We will provide you with the ability to exercise the following rights, under the conditions and within the limits set forth in the law:
- to ask us to provide you with information regarding the Personal Data we process concerning you (Article 15 of the GDPR);
- to rectify, update or complete inaccurate or incomplete Personal Data concerning you (Article 16 of the GDPR);
- to delete, or request the erasure of, Personal Data concerning you (Article 17 of the GDPR);
- in certain circumstances, to obtain from us a restriction of the way in which we process Personal Data concerning you (Article 18 of the GDPR);
- to obtain from us the portability of Personal Data concerning you which we process using automated means on the basis of your consent or of a contract you have entered into with us (Article 20 of the GDPR);
- to object to our processing of Personal Data concerning you on the basis of our, or third parties’, legitimate interests (Article 21 of the GDPR); and
- in the European Economic Area, to lodge a complaint with a supervisory authority if you are unhappy with the way we have handled your Personal Data or any privacy query or request you have raised with us (Article 77 of the GDPR).

In addition, you may at any time withdraw any consent you have given us to process Personal Data concerning you.

If you believe that your Personal Data was unduly collected or is unduly processed by HEGIAS for purposes relating to network and information security, please be aware that, if it is determined that Personal Data concerning you is processed by HEGIAS because this is necessary for the detection, blocking or mitigation of confirmed cyber-threats, objection, rectification or erasure requests may be rejected in line with Article 21 (1) GDPR.
It is in our compelling legitimate interest to protect HEGIAS and our customers from cyber-threats, and that interest may therefore override your objection, rectification or erasure requests until you demonstrate that the measures necessary to dissociate your Personal Data from any identified cyber-threat have been taken.

Where your exercise of any of the rights above depends on action by HEGIAS, we will abide by our legal obligation to take reasonable measures to ascertain your identity and the legitimacy of your request, and may ask you to provide any information necessary for that purpose. We will respond to legitimate requests within one (1) calendar month. In certain limited circumstances, we may need to extend our response period as permitted by applicable law. Following any such request, we may retain certain data necessary to prevent fraud or future abuse, or as otherwise required or permitted by law, including to comply with legal obligations we are subject to and to establish, exercise and defend our legal claims.

H. How to contact us

HEGIAS AG
Compliance
Limmatstrasse 264
CH-8005 Zurich
@support

When contacting us, please state the name of the website or service related to your request, your relationship and/or interactions with us (as applicable), and the specifics of the information you would like us to provide.