Privacy statement

For better readability of the privacy statement, the masculine form is used when referring to persons and for personal nouns. Corresponding terms apply in principle to all genders for the purposes of equal treatment. The abbreviated form of language is for editorial reasons only and does not imply any evaluation.

When you as a Intershop shareholder submit your instructions in writing or electronically, then this privacy policy applies to the processing of your personal data.

When you use netVote, you entrust us with important data. We process your data in accordance with the Swiss Data Protection Act (FADP) and – where applicable – the European General Data Protection Regulation (GDPR).

With this declaration, we provide you with information on how we handle and protect personal data.

In this statement we set out:
  • who processes personal data,
  • what personal data we process,
  • the purposes for which we process personal data,
  • with whom we share personal data,
  • how long we store personal data,
  • whether you are obliged to provide us with personal data, and
  • what applies should the European General Data Protection Regulation (GDPR) apply to our data processing.

We may amend this privacy statement at any time. The latest version published on netVote applies.

  1. Who processes personal data?

    The controller within the meaning of data protection law is:

    Intershop Holding AG
    Giessereistrasse 18
    8005 Zürich
    Schweiz
    www.intershop.ch

    If you have any questions or concerns about data protection in relation to netVote, please contact our Data Protection Officer.
    In addition, the provider of netVote has the following data protection representation pursuant to art. 27 GDPR in the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as an additional point of contact for supervisory authorities and data subjects for requests in connection with the GDPR:

    VGS Datenschutzpartner GmbH
    Am Kaiserkai 69
    20457 Hamburg
    Deutschland
    info@datenschutzpartner.eu

  2. What personal data do we process?
    1. Shareholder data

      We process the following personal data in connection with your capacity as a shareholder of our company:

      • Your first and last name or your corporate name
      • Your address, postcode, city and country
      • Your email address
      • Your telephone numbers
      • Your nationality
      • Your date of birth
      • The language in which you wish to correspond with us
      • The number of shares you hold as a shareholder of our company
      • The number of voting rights you may exercise as a shareholder of our company at the general meeting
      • Details of the share deposit account(s) in which you hold the shares of our company, in particular order book number, type of deposit account, trader, bank deposit account reference number, payout type, payout account, number of shares in the deposit account
      • Transaction data relating to the shares you hold in our company, in particular transaction type, number, date, partner and subject matter
    2. Data in the run-up to a general meeting

      Further, we process the following personal data in the run-up to a general meeting:

      • Indication of whether you will attend a particular general meeting in person by means of an admission card or whether you will be represented by the independent proxy
      • If you are represented by the independent proxy at a particular general meeting:
        • The instructions you give the representative for each agenda item (Yes/No/Abstention)
        • The instructions you give to the representative in the event of unannounced or new items for discussion (Approval/Disapproval of the proposal of the Board of Directors or Abstention)
  3. For what purposes do we process your personal data?

    We collect and process your personal data so that you can exercise your shareholder rights in accordance with the Swiss Code of Obligations (CO) and so that we can fulfil the relevant obligations under company law.

    This includes in particular the following rights:

    • Right to be listed in the share register with name and address
    • Right to attend and vote at the general meeting
    • Right to give written or electronic instructions to the independent proxy on any agenda item and on unannounced or new items for discussion.

    We do not use your personal data for direct marketing, profiling or automated individual decision-making.

  4. With whom do we share your personal data?

    We share your personal data exclusively with the following persons:

    • The independent proxy to whom you have given instructions.
    • Processors based in Switzerland (esp. Segetis AG, areg.ch ag) who process your personal data on our behalf, in particular IT service providers.
    • Custodian banks, to the extent necessary for the proper keeping of the share register.
    • Twilio Ireland Limited (owner of SendGrid, Inc.), platform for transactional emails as well as dispatch of the electronic admission cards connected with the general meeting.
  5. Do we transfer your personal data to third countries?

    We generally process personal data in Switzerland. We do not transfer your data to countries that do not have an adequate level of data protection according to Swiss data protection law (third countries). There are the following exceptions: If you log into netVote from a third country, your personal data may be transferred to such third country as part of this data transfer. Whenever we verify your email address and have electronic admission cards dispatched, we use the Twilio service, which may store the data in the United States. We have concluded the European standard protection clauses with Twilio, which constitute a suitable guarantee as per Art. 16(2) FADP and Art. 46 ff. GDPR.

  6. How long do we store your personal data?

    We store shareholder data in accordance with section 2.1 for as long as you are our shareholder and subsequently for ten years from the deletion of all your entries in our share register. This corresponds to the legal regulation of Art. 686(5) CO.

    We store data that we collect and process in the run-up to a general meeting in accordance with section 2.2 during the period before the general meeting until 180 days after it has ended. Exempt from this and stored for a longer period of time is data that originates from a general meeting whose resolutions are contested or otherwise become the subject of (arbitration) court or official proceedings. We store this data until the relevant proceedings have been legally concluded.

  7. Do I have to provide my personal data?

    You only need to provide personal data to the extent required under Swiss company law to enable you to exercise your shareholder rights.

    If you purchase our shares on the stock exchange, we will receive the necessary data from the buyer’s custodian bank via SIX SIS AG and you have nothing further to do.

    If you purchase our shares over the counter, you will only be entered in the share register if you provide us with your name and address as well as proof of purchase (Art. 686 CO).

  8. What applies when GDPR is applicable?

    If GDPR applies to the processing of your personal data, we must tell you at this point the legal basis for the data processing:

    • We process your personal data to comply with our legal obligations (Art. 6(1)(c) GDPR) as well as on the basis of legitimate interest pursuant to Art. 6(1)(f) GDPR. The legal obligations or legitimate interests are to fulfil our obligations under company law and to enable our shareholders to exercise their statutory shareholder rights.
    • Further, we process your personal data on the basis of necessity for the performance of a contract pursuant to Art. 6(1)(b) GDPR. The processing of personal data is necessary for the fulfilment of our obligations towards our shareholders under company law (a legal relationship similar to a contract).

    If your personal data is processed by us and GDPR is applicable, you have the following rights against us:

    • Right of access. You can ask us to confirm whether we are processing personal data relating to you. If so, you can ask us for information about this personal data and about the following information:

      1. the purposes for which we carry out the processing;
      2. the categories of personal data we process;
      3. the recipients or categories of recipients to whom the personal data has been or will be disclosed;
      4. the planned period for storing the personal data or, if concrete information on this is not possible, criteria for determining the storage period;
      5. the existence of a right to rectify or erase the personal data, a right to restrict processing or a right to object to such processing;
      6. the existence of a right of appeal to a supervisory authority;
      7. any available information on the origin of the data if the personal data is not collected from the data subject;
      8. the existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR, and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

      You have the right to request information on whether personal data concerning you is transferred to a third country or an international organisation. In this context, you may ask to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in relation to the transfer.

    • Right to rectification. You have the right to rectification and/or completion if the personal data processed is inaccurate or incomplete. We will carry out the rectification without delay.

    • Right to restriction of processing. You may request the restriction of processing of your personal data under the following conditions:

      1. if you dispute the accuracy of the personal data for a period of time that enables us to verify its accuracy;
      2. if the processing is unlawful and you refuse the erasure of the personal data and instead request the restriction of the use of the personal data;
      3. if we no longer need the personal data for the purposes of processing but you need it for the assertion, exercise or defence of legal claims; or
      4. if you have objected to the processing and it has not yet been determined whether our legitimate grounds override your grounds.

      Where the processing of personal data has been restricted, such data may be processed, with the exception of storage, only with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of any other natural or legal person or for reasons of substantial public interest of the European Union or any of its member states.

    • Obligation to delete. You may request that we delete your personal data without undue delay and we are obliged to delete such data without undue delay if any of the following reasons applies:

      1. Your personal data is no longer necessary for the purposes for which we collected or otherwise processed it.
      2. You object to the processing and there are no overriding legitimate grounds for the processing.
      3. The personal data has been processed unlawfully.

      The right to erasure does not exist insofar as the processing is necessary for the assertion, exercise or defence of legal claims.

      If the restriction of processing has been lifted under the above conditions, we will inform you when we lift the restriction.

    • Right to information. If you have exercised the right to rectification, erasure or restriction of processing, we are obliged to notify all recipients to whom the personal data has been disclosed of such data rectification or erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed by us about such recipients.
    • Right to object. You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data that we process solely on the legal basis of a legitimate interest.
      We will in such case no longer process the personal data relating to you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
    • Right to data portability. You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format. Furthermore, you have the right to transfer such data to any other controller without hindrance on our part.
    • Right to complain to a supervisory authority. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data infringes GDPR. You can find a list of the supervisory authorities here.

    If you log into netVote from a third country (see point 5 above), then according to GDPR, we are permitted to make this transfer pursuant to Art. 49(1)(b) GDPR, as it is necessary for the fulfilment of our obligations to you under company law (a legal relationship similar to a contract). You always have the option of preventing such transmission by not logging into netVote from a third country. Whenever we verify your email address or have electronic admission cards dispatched, we use the Twilio service (see point 4 above), which may store the data in the United States. We have concluded the European standard protection clauses with Twilio, which constitute an appropriate guarantee as per Art. 46(2)(c) GDPR.