Privacy Policy

With this privacy policy, I provide information about the processing of personal data in connection with my activities and operations, including my website under the domain name tobygiacometti.com. In particular, I explain for what purposes, how, and where I process personal data. I also provide information about the rights of persons whose data I process.

For individual or additional activities and operations, I may publish further privacy policies or other information regarding data protection.

I am subject to Swiss law as well as any applicable foreign law, particularly that of the European Union (EU) with the European General Data Protection Regulation (GDPR).

The European Commission recognized with a decision on July 26, 2000, that Swiss data protection law provides adequate data protection. In a report dated January 15, 2024, the European Commission confirmed this adequacy decision.

1. Contact Addresses

The party responsible within the meaning of data protection law is:

Toby Giacometti
c/o Spühler Rechtsanwälte AG
General-Wille-Strasse 19
8002 Zürich
Switzerland

An email address and contact form can be found on my contact page.

In individual cases, third parties may be responsible for the processing of personal data, or there may be joint responsibility with third parties. I am happy to provide affected persons with information about the respective responsibility upon request.

2. Terms and Legal Foundations

2.1 Terms

Affected Person: A natural person about whom I process personal data.

Personal Data: Any information relating to an identified or identifiable natural person.

Particularly Sensitive Personal Data: Data concerning trade union, political, religious, or philosophical beliefs and activities, data about health, intimate life, or belonging to an ethnic group or race, genetic data, biometric data that uniquely identifies a natural person, data about criminal and administrative sanctions or prosecutions, and data about social assistance measures.

Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, matching, adjusting, archiving, storing, reading, disclosing, obtaining, capturing, collecting, deleting, revealing, organizing, arranging, modifying, disseminating, linking, destroying, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Foundations

I process personal data in accordance with Swiss law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

I process—if and to the extent that the European General Data Protection Regulation (GDPR) is applicable—personal data according to at least one of the following legal bases:

  • Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfill a contract with the affected person and to carry out pre-contractual measures.
  • Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to safeguard legitimate interests—also the legitimate interests of third parties—unless the fundamental freedoms and rights as well as the interests of the affected person prevail. Such interests include, in particular, the sustainable, humane, secure, and reliable exercise of my activities, ensuring information security, protection against misuse, enforcement of my legal claims, and compliance with Swiss law.
  • Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which I am subject under any applicable law of member states in the European Economic Area (EEA).
  • Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
  • Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the affected person.
  • Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the affected person or another natural person.
  • Art. 9 para. 2 ff. GDPR for the processing of special categories of personal data, particularly with the consent of the affected persons.

The European General Data Protection Regulation (GDPR) refers to the processing of particularly sensitive personal data as the processing of special categories of personal data.

3. Nature, Scope, and Purpose of Processing Personal Data

I process those personal data that are necessary to carry out my activities and operations in a sustainable, humane, secure, and reliable manner. The processed personal data may particularly fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data may also represent particularly sensitive personal data.

I also process personal data that I receive from third parties, obtain from publicly accessible sources, or collect during the exercise of my activities and operations, as long as such processing is permissible.

I process personal data, as necessary, with the consent of the affected persons. I can process personal data in many cases without consent, for example, to fulfill legal obligations or to safeguard overriding interests. I may also request consent from affected persons when their consent is not required.

I process personal data for the duration necessary for the respective purpose. I anonymize or delete personal data, particularly depending on legal retention and limitation periods.

4. Disclosure of Personal Data

I may disclose personal data to third parties, have third parties process it, or jointly process it with third parties. Such third parties may include specialized providers whose services I utilize.

In the context of my activities and operations, I may disclose personal data, in particular, to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and economic information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.

5. Communication

I process personal data to communicate with persons as well as with authorities, organizations, and companies. In doing so, I particularly process data that an affected person provides to me when making contact, for example, via postal mail or email. I may store such data in an address book or with comparable tools.

Third parties that provide me with data about other persons are obligated to independently ensure the data protection of those affected persons. They must particularly ensure that such data is accurate and may be transmitted.

6. Data Security

I take appropriate technical and organizational measures to ensure a level of data security that is commensurate with the respective risk. With my measures, I particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, although I cannot guarantee absolute data security.

Access to my website and other digital presence is conducted using transport encryption (SSL/TLS, particularly with Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers warn against visiting a website without transport encryption.

My digital communication is subject—like basically any digital communication—to mass surveillance without cause or suspicion by security authorities in Switzerland, other parts of Europe, the United States of America (USA), and other countries. I cannot exert direct influence on the corresponding processing of personal data by intelligence agencies, police departments, and other security authorities. I also cannot rule out that an affected person may be specifically monitored.

7. Personal Data Abroad

I generally process personal data in Switzerland and in the European Economic Area (EEA). However, I may also export or transmit personal data to other countries, particularly to process it there or have it processed.

I can export personal data to all countries on Earth and elsewhere in the universe, provided that the local law ensures adequate data protection according to the decision of the Swiss Federal Council and—if and to the extent that the General Data Protection Regulation (GDPR) is applicable—also according to the decision of the European Commission.

I may transmit personal data to countries whose laws do not provide adequate data protection, as long as data protection is ensured for other reasons, particularly based on standard data protection clauses or with other suitable guarantees. Exceptionally, I may export personal data to countries without adequate or suitable data protection if the specific data protection legal requirements are met, such as the explicit consent of the affected persons or a direct connection to the conclusion or execution of a contract. I am happy to provide affected persons with information about any guarantees or supply a copy of any guarantees upon request.

8. Rights of Affected Persons

8.1 Data Protection Claims

I grant affected persons all claims according to applicable law. Affected persons have, in particular, the following rights:

  • Information: Affected persons can request information on whether I process personal data about them, and if so, which personal data is involved. Affected persons will also receive the information necessary to assert their data protection claims and ensure transparency. This includes the processed personal data as such, but also information about the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the source of the personal data.
  • Correction and Restriction: Affected persons can correct inaccurate personal data, complete incomplete data, and request the restriction of the processing of their data.
  • Opportunity for Own Position and Human Review: Affected persons can present their own position and request a human review in decisions that are based solely on automated processing of personal data and that have legal effects or significantly affect them (automated individual decisions).
  • Deletion and Objection: Affected persons can request the deletion of personal data ("right to be forgotten") and object to the processing of their data with effect for the future.
  • Data Access and Data Transfer: Affected persons can request the release of personal data or the transfer of their data to another controller.

I may postpone, restrict, or refuse the exercise of the rights of affected persons within the legally permissible framework. I may inform affected persons about any conditions that must be met to exercise their data protection claims. For example, I may refuse to provide information based on confidentiality obligations, overriding interests, or the protection of other persons, either wholly or partially. I may also refuse the deletion of personal data, particularly with reference to legal retention obligations, either wholly or partially.

I may exceptionally impose costs for the exercise of rights. I will inform affected persons in advance about any potential costs.

I am obligated to identify affected persons who request information or assert other rights through appropriate measures. Affected persons are required to cooperate.

8.2 Legal Protection

Affected persons have the right to enforce their data protection claims through legal means or to file a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), the data protection supervisory authorities are federally structured, particularly in Germany.

9. Use of the Website

9.1 Cookies

I do not use cookies on my website.

9.2 Logging

In case of errors during access to my website and other digital presence, I may log at least the following information, provided that this information is transmitted during such access to my digital infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual subpage of my website including transmitted data volume, and the last webpage accessed in the same browser window (referrer).

I log such information, which may also represent personal data, in log files. The information is necessary to provide my digital presence sustainably, humanely, and reliably. The information is also necessary to ensure data security—also through third parties or with the help of third parties.

9.3 Tracking Pixels

I do not incorporate tracking pixels into my digital presence.

10. Online Platforms

I am present on online platforms to communicate with interested persons and to inform them about my activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC), usage terms, as well as privacy policies and other provisions of the individual operators of such platforms also apply. These provisions provide information in particular about the rights of affected persons directly with respect to the respective platform, including, for example, the right to information.

11. Services from Third Parties

I utilize services from specialized third parties to carry out my activities and operations sustainably, humanely, securely, and reliably. With such services, I can embed functions and content into my website. During such embedding, the services used may temporarily capture the IP addresses of users for technical reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services I use may process data related to my activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes, for example, performance or usage data to provide the respective service.

Digital Infrastructure

I utilize services from specialized third parties to access the necessary digital infrastructure related to my activities and operations. This includes, for example, hosting and storage services from selected providers.

I specifically use:

12. Final Notes on the Privacy Policy

I may update this privacy policy at any time. I will provide information about updates in an appropriate manner, particularly by publishing the current privacy policy on my website.