Version as of 01/12/2022
In this Data Protection Declaration we, KKL Luzern Management AG (hereinafter referred to as KKL Luzern Management AG, we or us), explain how we collect and otherwise process personal data. This is not an exhaustive description of data processing; other data protection declarations, general terms and conditions or similar documents may govern specific matters (e.g. online applications). Personal data is understood to be all information that relates to an identified or identifiable person.
If you provide us with personal data of other persons (e.g. family members, data of work colleagues), please make sure that these persons are aware of this Data Protection Declaration and only share their personal data with us if you are allowed to do so and if this personal data is correct.
This Data Protection Declaration is designed to meet the requirements of the EU General Data Protection Regulation («GDPR») and the Swiss Data Protection Act («revDPA») [Datenschutzgesetz, DSG]. However, whether and to what extent these laws are applicable depends on the individual case.
1. Controller / Data Protection Officer / Representative
Unless otherwise specified in an individual case, the controller of all the data processing which we describe here is KKL Luzern Management AG, Europaplatz 1, 6,002 Luzern, Switzerland. If you have any data protection concerns, you can send them to us at the contact address listed above or via E-Mail.
Our representative in the EEA within the meaning of Article of 27 GDPR is:
VGS Datenschutzpartner UG, Am Kaiserkai 69 20,457 Hamburg, Germany
2. Collection and Processing of Personal Data
We primarily process the personal data that we receive from our customers and other business partners in the course of our business relationship with them and other persons involved in it, or that we collect from their users when operating our websites, apps and other applications.
Insofar as permissible, we also obtain certain data from public sources (e.g. debt collection registers, land registers, commercial registers, the press and the internet) and from authorities and other third parties (such as credit bureaus and address brokers). Apart from the data you give us directly, the personal data which we receive about you from third parties include in particular details from public registers, details which we learn in connection with official or legal procedures, details of your professional duties and activities (so that for example we may with your help conclude and perform business with your employer), details about you in correspondence and talks with third parties, information about solvency (if we perform personal business with you), details about you provided by people in your surroundings (family, advisors, lawyers etc.), so that we can conclude or settle contracts with you or involving you (e.g. references, your delivery address, powers of attorney, details required to fulfil statutory obligations such as the combating of money laundering and export restrictions), details from our banks, insurance companies, sellers and other contracting parties (e.g. payments and purchases) so that we can use your services, details about you from the media and internet (if appropriate in a specific case, e.g. in publicity, press reviews, marketing/sales etc.), your addresses and, if appropriate, hobbies and other socio-demographic data (for marketing), data connected with the use of the website (e.g. IP address, smartphone or computer MAC address, details of your device and settings, cookies, data and time of visits, pages and contents called up, functions used, referring website, details of location).
3. Purposes of Data Processing and Legal Basis
We use the personal data we collect primarily to conclude and process our contracts with our customers and business partners, such as in particular in the area of events and catering, the purchase of products and services from our suppliers and subcontractors, as well as to comply with our legal obligations at home and abroad. If you work for such a customer or business partner, your personal data may of course also be affected in this capacity.
In addition, we also process personal data about you and other individuals, where permitted and where we consider it appropriate, for the following purposes in which we (and sometimes third parties) have a legitimate interest commensurate with the purpose:
- - offering and further development of our offers, services and websites, apps and other platforms on which we are present;
- - communication with third parties and handling their enquiries (e.g. applications, media enquiries);
- - review and optimisation of needs assessment procedures for direct customer approach and collection of personal data from publicly available sources for customer acquisition;
- - advertising and marketing (including the organisation of events), insofar as you have not objected to the use of your data (if we send you advertising as an existing customer of ours, you can object to this at any time, we will then put you on a blocking list against further advertising mailings);
- - market research and opinion pooling, media monitoring;
- - assertion of legal claims and defence in connection with legal disputes and official proceedings;
- - prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analysis to combat fraud);
- - safeguarding of our business operations, especially IT, our websites, apps and other platforms;
- - video surveillance to maintain house rights and other measures for IT, building and facility security and protection of our employees and other persons and assets belonging to or entrusted to us (such as access controls, visitor lists, network and mail scanners, telephone recordings);
- - If you have given us consent to process your personal data for specific purposes (for example, when you register to receive newsletters or carry out a background check), we process your personal data within the scope of and based on this consent, unless we have another legal basis and we require one. Consent given can be revoked at any time, but this has no effect on data processing that has already taken place.
4. Cookies / Tracking and Other Technologies Associated with the Use of Our Website
5. Transfer of Personal Data
We disclose your personal data to third parties within the scope of our business activities and in accordance with the processing purposes pursuant to section 3 - to the extent permitted and appropriate for the processing purpose. Such third parties may be service providers of ours, including third parties who process data on our behalf (“data processors”) and public authorities located in Switzerland or abroad. All locations of the third parties commissioned by us are eligible as recipient countries. If the level of data protection in a recipient country is deemed inadequate in accordance with the DPA or the GDPR, we will ensure that your personal data is protected at all times in accordance with the DPA or the GDPR by means of overriding contractual guarantees and, on a subsidiary basis, technical, organisational or contractual security measures. Otherwise, data is only transferred in connection with the processing of enquiries, the provision of services and within the scope of marketing activities as well as at the request of the authorities.
6. Duration of Storage of Personal Data
We process and store your personal data for as long as it is necessary for the fulfilment of our contractual and legal obligations or otherwise the purposes pursued with the processing, i.e. for example for the duration of the entire business relationship (from the initiation, processing to the termination of a contract) as well as beyond that in accordance with the statutory retention and documentation obligations. In doing so, it is possible that personal data will be retained for the time during which claims can be made against our company and insofar as we are otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or made anonymous as far as possible. For operational data (e.g. system logs, logs), shorter retention periods of twelve months or less generally apply.
7. Data Security
We take appropriate technical and organisational security measures to protect your personal data from unauthorised access and misuse, such as issuing instructions, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymisation, controls.
8. Profiling and Automated Decision-Making
We process your personal data partly automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in particular to be able to provide you with targeted information and advice about products. In doing so, we use evaluation tools that enable us to provide needs-based communication and advertising, including market and opinion research.
As a matter of principle, we do not use fully automated decision-making for the establishment and implementation of the business relationship or in any other way. Should we use such procedures in individual cases, we will inform you separately about this, insofar as this is required by law, and inform you about the associated rights.
9. Rights of Data Subjects
Within the framework of the data protection law applicable to you and insofar as stipulated therein, you have the right to information, correction, deletion, the right to restrict the processing of data and otherwise the right to object to our data processing, in particular that for the purposes of direct marketing, profiling for direct advertising and other legitimate interests in the processing, as well as to the release of certain personal data for the purpose of transfer to another body (so-called data portability). Please note, however, that we reserve the right to assert the statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest in doing so (insofar as we are entitled to rely on this) or require it for the assertion of claims. If there are any costs for you, we will inform you in advance. We have already informed you about the possibility of revoking your consent in section 3.
The exercise of such rights usually requires that you clearly prove your identity (e.g. by a copy of your identity card where your identity is otherwise not clear or cannot be verified). To exercise your rights, you can contact us at the address given in section 1.
In addition, every data subject has the right to enforce his or her claims in court or to lodge
a complaint with the competent data protection authority. The competent data protection
authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).