Privacy policy

Privacy statement Confiserie – Tea-room Christian Boillat Sàrl

The present privacy policy defines and informs you of the manner in which Confiserie Tea-room Christian Boillat Sàrl uses and protects the information that you may transmit to us when you use the present site accessible from the following URL: www.confiserieboillat.ch (hereinafter the “Site”).

Please note that this privacy policy may be amended or supplemented at any time by Confiserie Tea-room Christian Boillat Sàrl, in particular in order to comply with any changes in legislation, regulations, case law or technology. In such a case, the date of the update will be clearly identified in this policy. These modifications are binding on the User as soon as they are posted online. It is therefore advisable for the User to consult this privacy and cookie use policy on a regular basis in order to take note of any changes.

  1. What does this data protection declaration cover?
  2. Who is responsible for processing your data?
  3. What data do we process?
  4. For what purposes do we process your data?
  5. On what basis do we process your data?
  6. What rules apply to profiling and automated individual decisions?
  7. With whom do we share your data?
  8. Will your personal data be transferred abroad?
  9. How long do we process your data?
  10. How do we protect your data?
  11. What are your rights?
  12. Do we use online tracking and online advertising?
  13. What data do we process on our social networking pages?
  14. Can we update this data protection declaration?

  1. What does this data protection declaration cover?

Confiserie – Tea-room Christian Boillat Sàrl (hereinafter also referred to as “we”, “us” or “our”) collects and processes personal data about you and other persons (“third parties”). We use the term “data” interchangeably with “personal data”.

More

The ” [société]Group” refers to [dénomination sociale complète du responsable principal du traitement] and its subsidiaries and affiliates. A list of these subsidiaries and group companies is available here [lien avec la liste des sociétés du groupe].

Personal data” includes all information relating to an identified or identifiable natural person, i.e. the identity of that person can be established from the data itself or through additional data. Sensitive personal data” is a sub-category of personal data that is specially protected by applicable data protection legislation. Sensitive personal data includes, for example, data revealing racial or ethnic origin, data concerning health, data concerning religious or philosophical beliefs, biometric data for the purpose of uniquely identifying a natural person, and data concerning trade union membership. In section 3, you will find information about the data we process within the scope of this data protection declaration. The term “processing” refers to any operation carried out on personal data, such as collection, storage, use, modification, communication and deletion.

In this data protection declaration, we describe what we do with your data when you use www.confiserieboillat.ch (“website”), when you purchase our products and services, when you are in contact with us as part of a contract, when you communicate with us or deal with us in any other way. If necessary, we will inform you by means of a separate declaration of any processing activities not covered by this data protection declaration.

If you communicate data to us or share data with us concerning other persons, such as family members, work colleagues, etc., we assume that you are authorized to do so and that the data concerned is accurate. When you share data about other people with us, you confirm the above. Please ensure that these persons have been informed of this data protection declaration.

This data protection declaration is aligned with the EU General Data Protection Regulation (“GDPR”), the Federal Data Protection Act (“DPA”) and the new Federal Data Protection Act (“nLPD”). However, the actual application of these laws depends on the case in question.

  1. Who is responsible for processing your data?

Christian Boillat, of La Confiserie – Tea-room Christian Boillat Sàrl, Saint-Prex (“Confiserie – Tea-room Christian Boillat Sàrl”) is the data controller of Confiserie – Tea-room Christian Boillat Sàrl under this data protection declaration, unless we indicate otherwise in a particular case, for example in additional data protection declarations, in a form or in a contract.

You can contact us for data protection issues and to exercise your rights under section 11 as follows:

Confiserie – Tea-room Christian Boillat Sàrl

Rue de la Gare 1

1162 St-Prex

contact@confiserieboillat.ch

  1. What data do we process?

We process different categories of data about you. The main categories are as follows:

  • Technical data: When you use our website or other online offers (e.g. free Wi-Fi), we collect the IP address of the device you are using (terminal) and other technical data in order to ensure the functionality and security of these offers. This data includes the usage logs of our systems. We generally keep technical data for 12 months. In order to guarantee the functionality of these offers, we may also assign an individual code to you or to your terminal (e.g. in the form of a cookie, see section 12). Technical data as such cannot be used to draw any conclusions about your identity. However, technical data may be linked with other categories of data (and potentially with your person) in the context of user accounts, registration, access control or the performance of a contract.

  • Registration data: Some offers and services can only be used with a user account or after registration, which can be done directly with us or via our third-party connection service providers. In this context, you must provide us with certain data and we collect data on the use of the offer or service. Access control to certain facilities may require registration data and, depending on the control system, biometric data. We generally retain registration data for 24 months from the end of use of the service or closure of the user account.

  • Communication data: When you contact us via the contact form, e-mail, telephone, post or any other means of communication, we collect the data you exchange with us, including your contact details and the metadata of the communication. If we need to determine your identity, we collect data that enables us to identify you (e.g. a copy of an identity document). We generally keep this data for 24 months from the last time we communicate with you. This period may be longer if necessary for evidential purposes, to comply with legal or contractual requirements, or for technical reasons. E-mails in personal inboxes and written correspondence are generally kept for at least 3 years.

  • Basic data: By basic data, we mean the basic data that we need, in addition to contractual data (see below), for the performance of our contractual and other business relationships or for marketing and promotional purposes, such as your name and contact details, as well as information concerning, for example, your role and function, bank details, date of birth, customer history, powers of attorney, signature authorizations and declarations of consent. We process your basic data if you are a customer or other business contact or if you work for one of them (e.g. as a contact person for the business partner), or because we wish to contact you for our own purposes or those of a contractual partner (e.g. as part of marketing and advertising, invitations to events, with vouchers, with newsletters, etc.). We receive basic data from you (e.g. when you make a purchase or as part of a registration), from people you work for or from third parties such as contractual partners, associations and address brokers, as well as from public sources such as public registers or the Internet (websites, social networks, etc.). We may also collect basic data from our shareholders and investors. We generally retain basic data for 3 years after our last exchange with you or the end of the contract. This period may be longer if necessary for evidential purposes, to comply with legal or contractual requirements, or for technical reasons. For contacts used solely for marketing and advertising purposes, the retention period is in principle much shorter, generally no more than 3 years from the last contact.

  • Contractual data: This refers to data collected in connection with the conclusion or performance of a contract, such as information on contracts and services provided or to be provided, as well as data relating to the period prior to the conclusion of a contract, information required or used for the performance of a contract, and customer feedback (e.g. complaints, customer satisfaction data, etc.). We generally collect this data from you, contractual partners and third parties involved in the execution of the contract, but also from third-party sources (e.g. credit information providers) and public sources. We generally keep this data for 3 years from the last contractual activity or the end of the contract. This period may be longer where necessary for evidential purposes, to comply with legal or contractual requirements, or for technical reasons.

  • Behavioral and preference data: Depending on the relationship we have with you, we try to get to know you better and tailor our products, services and offers to your needs. To this end, we collect and process data about your behaviour and preferences. We do this by evaluating information about your behavior in our domain, and we may also supplement this information with information from third parties, including public sources. On the basis of this data, we can, for example, determine the likelihood that you will use certain services or behave in a certain way. The data processed for this purpose is either already known to us (e.g. where and when you use our services), or we collect it by recording your behavior (e.g. the way you browse our website). We anonymize or delete this data when it is no longer relevant to the purposes for which it was collected, i.e. – depending on the type of data – between 4 weeks (for movement profiles) and 24 months (for product and service preferences). This period may be longer where necessary for evidential purposes, to comply with legal or contractual requirements, or for technical reasons. We describe how tracking works on our website in section 12.

  • Other data: We also collect data about you in other situations. For example, we process data that may concern you (such as files, evidence, etc.) as part of administrative or legal proceedings. We may also collect data for health protection purposes (e.g. as part of health protection concepts). We may obtain or create photos, videos and sound recordings in which you may be identifiable (e.g. at events, with security cameras, etc.). We may also collect data on who enters certain buildings, and when, or on who has access rights (including as part of access controls, on the basis of registration data or visitor lists, etc.), on who participates in events or campaigns (e.g. competitions), and on who uses our infrastructure and systems and when. The length of time we keep this data depends on the purpose of the processing and is limited to what is necessary. It ranges from a few days for many security cameras, to a few weeks for contact tracing and screening, and for visitor data, which is generally kept for 12 months, to several years or more for event reports containing images.

  • Most of the data mentioned in this section 3 is provided to us directly by you (via forms, when you communicate with us, when concluding a contract, when using the website, etc.). You are not obliged or required to provide us with data, except in certain cases, for example in the context of mandatory health protection concepts (legal obligations). If you wish to enter into contracts with us or use our services, you must also provide us with certain data, including master data, contract data and registration data, as part of your contractual obligations under the relevant contract. Furthermore, it is not possible to avoid the processing of technical data when using our website. If you wish to have access to certain systems or buildings, you must also provide us with registration data.
  1. For what purposes do we process your data?

We process your data for the purposes set out below. Further information on online services can be found in sections 12 and 13. These purposes and their objectives serve our interests and, possibly, those of third parties. You will find further information on the legal basis for our processing in section 5.

We process your data for the purpose of communicating with you, in particular to respond to your requests and exercise your rights (section 11) and to enable us to contact you if we have any questions. In particular, we use communication and master data for this purpose. We store this data to document our communication with you, for training, quality assurance and follow-up purposes.

We process data for the conclusion, administration and execution of contractual relations.

We process data for marketing and relationship management purposes, for example to send our customers and other contractual partners personalized advertisements for products and services offered by us or by third parties (e.g. advertising partners). This may take the form of newsletters and other regular contact (by electronic means, e-mail or telephone), through other channels for which we have your contact details, but also as part of marketing campaigns (e.g. events, competitions, etc.) and may also include free services (e.g. invitations, vouchers, etc.), for example. You may object to such contact at any time (see the end of this section 4) or refuse or withdraw your consent for us to contact you for marketing purposes. With your consent, we can target our online advertising on the Internet more specifically to you (see section 12).

We also process your data for market research purposes, to improve our services and business activities, and for product development.

We may also process your data for security and access control purposes.

We process personal data to comply with laws, directives and recommendations of authorities and internal regulations (“compliance with legal requirements”).

We also process data as part of our risk management and corporate governance, including organization and business development.

We may process your data for other purposes, for example as part of our internal processes and administration.

  1. On what basis do we process your data?

When we request your consent for certain processing activities (e.g. for the processing of sensitive personal data, for marketing activities, for personalized movement profiles and for the management of advertising and analysis of website behavior), we inform you separately of the processing purposes concerned. You may withdraw your consent at any time with effect for the future by sending us written notification (by post) or, unless otherwise indicated or agreed, by sending us an e-mail; you will find our contact details in section 2. To withdraw your consent to online tracking, see section 12. If you have a user account, you can also withdraw your consent or contact us via the website or service in question. Once we have received notice of withdrawal of consent, we will no longer process your information for the purpose(s) to which you consented, unless we have another legal basis to do so. However, withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal.

Where we do not seek consent for processing, the processing of your personal data is based on the necessity of the processing to initiate or perform a contract with you (or the entity you represent) or on our legitimate interest or that of a third party in the processing in question, in particular in the pursuit of the purposes and aims set out in section 4 and in the implementation of measures relating thereto. Our legitimate interests also include compliance with legal regulations, insofar as this is not already recognized as a legal basis by applicable data protection legislation (for example, in the case of the RGPD, laws in the EEA and, in the case of the LPD, Swiss law).

Where we receive sensitive personal data (for example, data relating to health, data revealing political opinions, religious or philosophical beliefs, as well as biometric data for the purpose of uniquely identifying a natural person), we may process your data on other legal bases; for example, in the event of litigation, for the purposes of potential litigation or for the enforcement or defense of legal claims. In some cases, other legal bases may apply and, if so, we will inform you of these separately.

  1. What rules apply to profiling and automated individual decisions?

We may automatically assess personal aspects about you (“profiling”) on the basis of your data (section 3) for the purposes set out in section 4, where we wish to establish preference data, as well as to detect abuse and security risks, to carry out statistical analyses and for business planning. We may also create profiles for these purposes, which means that we may combine behavioral and preference data, as well as basic, contractual and technical data about you in order to better understand you as a person – with your different interests and other characteristics.

In both cases, we ensure the proportionality and reliability of the results, and take measures against the misuse of these profiles or profiling. If these automated individual decisions may have legal consequences for you or otherwise affect you in a significant way, we ensure in principle that the decision is controlled by a human being.

  1. With whom do we share your data?

In connection with our contracts, the website, our products and services, our legal obligations, the protection of our legitimate interests, and the other purposes set out in section 4, we may disclose your personal data to third parties, including the following categories of recipients:

  • Service providers: We work with service providers in Switzerland and abroad who process your data on our behalf or as joint processors with us, or who receive your data from us as independent processors.

  • Contractual partners, including customers: These are customers and our other contractual partners, insofar as the communication of data derives from these contracts. If you work for one of these contractual partners, we may also pass on your data to them. These recipients also include the contractual partners with whom we cooperate.

  • Authorities: We may disclose personal data to agencies, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests.

  • Other people: These are other cases where interactions with third parties fall within the scope of the objectives set out in section 4.

All these categories of recipients may involve third parties, so your data may also be communicated to them. We may restrict processing by certain third parties (e.g. IT suppliers), but not by others (e.g. authorities, banks, etc.).

  1. Will your personal data be transferred abroad?

As explained in section 7, we share data with other parties. Not all of them are located in Switzerland. Your data may therefore be processed in both Europe and Switzerland; in exceptional cases, in any country in the world.

If a recipient is located in a country without adequate legal data protection, we require that the recipient undertakes to comply with the applicable data protection legislation (for this purpose, we use the revised standard contractual clauses of the European Commission, available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is already subject to a legally accepted set of rules designed to guarantee data protection or we can invoke an exception. An exception applies, for example, in the case of legal proceedings abroad, in the case of an overriding public interest or when the performance of a contract requires the communication of data, as well as if you have consented to the transfer of the data or if the data has been made generally available by you directly and you have not objected to the processing.

  1. How long do we process your data?

We process your data for as long as required by our processing purposes, legal retention periods and our legitimate interests in documenting and preserving evidence, or if retention is a technical requirement. You will find further information on the respective retention and processing periods for the various categories of data in section 3, and for cookies in section 12. In the absence of legal or contractual obligations to the contrary, we will delete or anonymize your data once the retention period has expired or processing has ceased as part of our normal processes.

  1. How do we protect your data?

We take appropriate security measures to ensure the necessary security of your personal data and to guarantee the confidentiality, integrity and availability of your data, to protect it against unauthorized or unlawful processing, and to minimize the risk of loss, accidental alteration, unauthorized disclosure or access.

  1. What are your rights?

Applicable data protection laws give you the right to object to the processing of your data in certain circumstances, including processing for direct marketing purposes, profiling for direct marketing purposes and other legitimate interests in processing.

To help you control the processing of your personal data, you have the following rights with respect to our processing of your data, in accordance with applicable data protection legislation:

– The right to ask us for information about whether we process data about you and, if so, which data;

– The right to request that we correct inaccurate data;

– The right to request the deletion of data;

– The right to request that we provide certain personal data in a commonly used electronic format or transfer them to another controller;

– The right to withdraw your consent, where our processing is based on your consent;

– The right to receive, on request, other information relevant to the exercise of these rights;

If you wish to exercise the aforementioned rights towards us, you can contact us in writing at our address or, unless otherwise indicated or agreed, by e-mail; you will find our contact details in section 2. In order to prevent misuse, we need to identify you (e.g. by means of a copy of your identity card, if identification is not otherwise possible).

Please note that conditions, exceptions and restrictions may apply to the exercise of these rights in accordance with applicable data protection legislation (e.g. to protect third parties or trade secrets). If necessary, we will inform you.

If you do not agree with the way we respond to the exercise of your rights or with our data protection practices, you can let us know. If you are located in the EEA, the UK or Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country.

  1. Do we use online tracking and online advertising?

We use various techniques on our website that enable us – and the third parties we engage – to recognize you when you use our website, and possibly to track you over several visits. This section provides information on this subject.

In essence, we want to distinguish between your access (through your system) and access by other users, so that we can ensure the functionality of the website and carry out analyses and customization. We do not intend to determine your identity, although it may be possible for us or third parties we engage to identify you by linking to registration data. However, even in the absence of registration data, the technologies we use are designed to recognize you as an individual visitor each time you access the website, for example our server (or third-party servers) assigning a specific identification number to you or your browser (called a “cookie”).

We use these technologies on our website and may authorize certain third parties to do so as well. Depending on the purpose of these technologies, we may seek your consent before using them. You can also configure your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser to block certain third-party tracking. Further information can be found on your browser’s help pages (usually with the keyword “data protection”) or on the websites of the third parties listed below.

We distinguish the following categories of “cookies” (including technologies that work in the same way, such as fingerprints):

– Necessary cookies: Some cookies are necessary for the operation of the website or for certain functionalities. For example, they ensure that you can move from one page to another without losing the information you have entered in a form. They also make sure you stay connected. These cookies exist only temporarily (“session cookies”). If you block them, the website may not function properly. Other cookies are needed by the server to store options or information (which you have entered) beyond a session (i.e. a visit to the website) if you use this function (e.g. language settings, consents, automatic login functionality, etc.). These cookies have an expiry date of up to 24 months.

– Performance cookies: In order to optimize our website and related offers and better tailor them to users’ needs, we use cookies to record and analyze the use of our website, potentially beyond a single session. We use third-party analysis services for this purpose. We’ve listed them below. Before using these cookies, we ask for your consent. Performance cookies also have an expiration date of up to 24 months. Details can be found on the websites of third-party suppliers.

– Marketing cookies: We and our advertising partners have an interest in targeting advertising as precisely as possible, i.e. showing it only to the people we wish to address. We have listed our advertising partners below. For this purpose, and with your consent, we and our advertising partners use cookies which may record the content consulted or contracts concluded. This allows us and our advertising partners to display advertisements that we think may be of interest to you on our website and on other websites that display advertisements from us or our advertising partners. These cookies have an expiration period ranging from a few days to 12 months, depending on the circumstances. If you consent to the use of these cookies, you will be shown corresponding advertisements. If you do not consent, you will not see fewer advertisements, but simply any other advertisements.

In addition to marketing cookies, we use other technologies to control online advertising on other websites and thus reduce advertising waste. For example, we may pass on the e-mail addresses of our users, customers and others to whom we wish to display advertisements to operators of advertising platforms (e.g. social networks). If these people are registered with them with the same e-mail address (which the advertising platforms determine through a matching process), the providers display our advertisements specifically to these people. Providers do not receive personal e-mail addresses from people they do not already know. In the case of known e-mail addresses, however, they learn that these people are in contact with us and the content they have consulted.

We may also integrate additional offers from third parties on our website, in particular from social network providers. These offers are deactivated by default. As soon as you activate them (for example by clicking on a button), these suppliers can determine that you are using our website. If you have an account with the social network provider, it can allocate this information to you and thus track your use of online offers. These social network providers process this data as independent data controllers.

We currently use offers from the following service providers and advertising partners (where they use data about you or cookies placed on your computer for advertising purposes):

– Google Analytics: Google Ireland Ltd. is the provider of the “Google Analytics” service and acts as our subcontractor. Google Ireland uses Google LLC (located in the United States) as a subcontractor (both referred to as “Google”). Google collects information on the behavior of visitors to our website (duration, pages viewed, geographical region of access, etc.) by means of performance cookies (see above) and, on this basis, creates reports for us on the use of our website. We have configured the service in such a way that visitors’ IP addresses are truncated by Google in Europe before being transmitted to the USA, making it impossible to trace them afterwards. We have disabled the “Data sharing” and “Signals” options. Although we can assume that the information we share with Google does not constitute personal data for Google, it is possible that Google may be able to draw conclusions about the identity of visitors from the data collected, create personal profiles and associate this data with the Google accounts of these individuals for its own purposes. In any case, if you consent to the use of Google Analytics, you expressly consent to such processing, including the transfer of your personal data (in particular concerning website and application usage, device information and unique identifiers) to the United States and other countries. You can find data protection information about Google Analytics here [https://support. google. com/analytics/answer/6004245] and if you have a Google account, you can find more details about Google’s processing here [https://policies. google. com/technologies/partner-sites? hl=en].

– [additional service providers, advertising partners such as Facebook when using Custom Audiences, some of whom have specific requirements on how to inform website users, etc. ].

  1. What data do we process on our social networking pages?

We may operate pages and other online presences (“fan pages”, “channels”, “profiles”, etc.) on social networks and other platforms operated by third parties and collect data described in section 3 and below. We receive this data from you and the platforms when you interact with us through our online presence (for example, when you communicate with us, comment on our content or visit our online presence). These platforms also analyze your use of our online presences and combine this data with other data they have about you (e.g. behavioral and preference data). They also process this data for their own purposes, in particular for marketing and market research purposes (e.g. to personalize advertising) and to manage their platforms (e.g. what content they show you) and, for this purpose, they act as independent data controllers.

We process this data for the purposes set out in section 4, in particular for communication, for marketing purposes (including advertising on these platforms, see section 12) and for market research. You will find information on the applicable legal basis in section 5. We may distribute content published by you (e.g. comments on an advert), for example as part of our advertising on the platform or elsewhere. We or the platform operators may also remove or restrict content from or about you in accordance with their terms of use (e.g. inappropriate comments).

For more information on the processing of platform operators, please consult the relevant data protection declarations. You will also find information on the countries in which they process your data, your rights of access and erasure of data and other rights of data subjects, as well as how you can exercise these rights or obtain further information. We currently use the following platforms:

– Facebook: On Facebook, we operate the www.facebook.com/confiserieboillat page. The data controller for the operation of the platform for users in Europe is Facebook Ireland Ltd. Dublin, Ireland. Its data protection declaration is available at www. facebook.com/policy. Some of your data will be transferred to the United States. You can object to advertising here: www.facebook.com/settings? tab=ads. With regard to data collected and processed when visiting our website for “page insights”, we are jointly responsible for processing with Facebook Ireland Ltd. Dublin, Ireland. As part of “page insights”, statistics are created on the actions visitors take on our site (commenting on articles, sharing content, etc.). This is explained at www.facebook.com/legal/terms/information_about_page_insights_data. This data helps us to understand how our page is used and how to improve it. We only receive anonymous, aggregated data. We have agreed our data protection responsibilities in accordance with the information on www.facebook.com/legal/terms/page_controller_addendum.

– [Other social network providers such as LinkedIn, Instagram, Youtube, etc.].

  1. Can we update this data protection declaration?

This data protection declaration does not form part of a contract with you. We may amend this privacy statement at any time. The version published on this website is the current version.

Last update: 01.03.2024