Privacy Notice for Business Partners

1. What is this Data Privacy Policy about?

Implenia Ltd and its affiliated subsidiaries and Group companies (hereinafter referred to as Implenia) herewith notify you about how your data is processed in connection with the business relationship with the Implenia Group. This privacy statement is in addition to our general privacy notice, which informs you about how and for what purpose your personal data is processed in connection with our websites, among other things. This privacy statement complies with the EU General Data Protection Regulation ("GDPR") and the Swiss Data Protection Act ("DPA"). However, the application of these laws depends on the individual case.

Integrity is an exceptional value for Implenia and part of our mission statement (Mission Statement Implenia), so we have tried to present the following to you as clearly and transparently as possible. If, despite all our efforts, there are still any uncertainties, please do not hesitate to contact us.

2. Who is responsible for processing your Data?

The relevant Implenia Group company with which you have or are seeking a business relationship is responsible for collecting and processing your data. You can contact this individual Implenia Group company at any time with data protection concerns and to exercise your rights in accordance with section 9. You can find a list of all locations and the respective person responsible here.

If you have any questions or concerns about data protection at Group level, please contact: 

Implenia Ltd.
Thurgauerstrasse 101 A
CH-8152 Glattpark (Opfikon)
Switzerland 
dataprivacy@implenia.com

In addition, a data protection officer has been appointed for the Group companies in Germany in accordance with Article 37 et seq. GDPR and Article 38 of the Federal Data Protection Act (BDSG), who can be contacted as follows:

Implenia Holding GmbH
Data Protection Officer
Am Prime Parc 1
D- 65479 Raunheim
dataprivacy-germany@implenia.com

3. What Data do we process and for what purpose? 

As part of the business relationship with Implenia, we may also process personal data relating to you or your employees. To manage our business contacts and to initiate and process contracts, we process information about your company (in particular address, authorised representatives, bank and tax data, any occurring communication) as well as information about the respective contact persons (in particular name, position, professional contact information and any communication with them). When using our electronic portals or other portals we provide, your IP addresses may also be processed for IT security purposes.

Implenia also operates a supplier management system. The system uses a standardised procedure to evaluate supplier and subcontractor performance, make purchasing decisions based on objective information and giving preference to the efficient suppliers. By assigning an individual account to each supplier/subcontractor, they can independently adjust their contact data and certifications to the actual status. A currently planned notification of standardised questionnaires also gives Implenia the opportunity to collect important information. In this context, Implenia will then process assessment data. This including all the information obtained from answers provided in the various questionnaires, as well as documents and information you have uploaded to our database. The personal data collected is primarily used for communication between Implenia and the business partner, to the extent it is required by the contractual relationship, where there is a business purpose or if it is necessary to process payment transactions and/or to fulfil legal obligations. Overall, we thus use this data to initiate and fulfil contracts, to be able to reach the appropriate contact person when an exchange is established, to be able to process items and orders appropriately and to maintain the business relationship. In addition, it is important to us to observe customer/business partner satisfaction in the long term. For this reason, we may also process the personal data collected on the legal basis of legitimate interest to provide you with information about our services and products, to receive your feedback regarding your satisfaction with our provided services, to document these services and for IT security purposes.

The gathered evaluation data is used to evaluate suppliers/subcontractors about sustainability, occupational safety, quality and purchasing conditions, as well as to compile statistics and support management processes as part of Implenia's purchasing activities. These purposes are also our genuine interest in this data processing.

4. On what basis do we process your Data?

Unless we ask for your consent, the processing of your personal data is centred on the business relationship between us or its initiation or, where applicable, on our legitimate interest in the respective processing.

If we ask you for your consent to certain processing activities (e.g., for the processing of sensitive personnel data), we will inform you separately about the respective processing purposes. Consent is always voluntary, so you can withdraw your consent at any time with future effect by notifying us in writing (post or email); once we have received the notice of withdrawal of consent, we will no longer process your data for the purpose(s) to which you consented, unless we have another legal basis to do so. However, withdrawal of consent will not affect the legitimacy of processing carried out based on the consent prior to the withdrawal. In certain circumstances, we may continue to process your data on other legal grounds, e.g., in the event of a dispute, where this is necessary in connection with a potential legal dispute or for the enforcement or defence of legal claims. In some cases, a different legal basis may apply, which we will inform you of separately if necessary. 

5. Who do we share your Data with?

Die Daten werden innerhalb von Implenia den mit der Vertragsanbahnung und- abwicklung befassten Mitarbeitern z.B.  im Einkauf, Bauführern, Projektleitern im Rahmen der Geschäftsbeziehung zugänglich gemacht. Im Rahmen der Abwicklung von Rechnungen und der Revision haben die Finanzabteilung sowie die Revisoren Zugriff auf die personenbezogenen Daten. Wir arbeiten mit Dienstleistern im EWR, in der Schweiz und in weiteren Staaten zusammen, die Ihre Daten in unserem Auftrag oder als gemeinsam Verantwortliche mit uns verarbeiten. Wir geben die Daten weiter, die diese Anbieter für ihre Dienstleistungen benötigen. Diese Anbieter können diese Daten auch für eigene Zwecke verwenden, beispielsweise anonymisierte Informationen, um ihre Dienstleistungen zu verbessern. Zudem schliessen wir mit diesen Anbietern Verträge ab, um die Einhaltung des Datenschutzes zu gewährleisten, soweit sich dies nicht direkt aus dem Gesetz ergibt (z.B. Behörden). Schliesslich werden Daten in den Fällen weitergegeben, in denen der Gesetzgeber dies verlangt oder verbindlich vorsieht (z.B. im Rahmen einer Steuerprüfung durch die Finanzbehörden oder im Rahmen der Geldwäscheprävention). 

6. In welche Länder gelangen Ihre Personendaten?

Within Implenia, the data is made available to employees involved in contract initiation and processing, e.g., in purchasing, construction managers, project managers, as part of the business relationship. The finance department and auditors have access to personal data in the context of invoice processing and auditing. We work with service providers in the EEA, Switzerland and other countries who process your data on our behalf or as jointly responsible parties with us. We share the data that these providers need for their services. These providers may also use this data for their own purposes, e.g., anonymised information to improve their services. We also enter contracts with these providers to ensure their compliance with data protection, in so far that this does not arise in direct accordance with legislation (e.g., public authorities). Finally, data is disclosed in cases where the legislator requires this or makes it mandatory (e.g., in the context of an audit by the tax authorities or as part of the prevention of money laundering). 

7. How long do we process your Data? 

The data shall be stored for the duration of the business relationship, but at least for the duration of the statutory retention obligations under commercial and tax regulation.

8. How do we protect your Data?

We take appropriate security measures to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorised or unlawful processing and to protect against the risks of loss, unintentional alteration, unauthorised disclosure or access. 

9. What rights do you have?

Applicable data protection laws give you the right to object to the processing of your data in certain circumstances, especially for processing activities based on legitimate interest.
To help you control your personal data management, you have the following rights in relation to our data processing, depending on the applicable data protection law: 

• the right to request information from us as to whether and what data of yours we process;
• the right to have data corrected by us if it is inaccurate;
• the right to request that we delete data;
• the right to request that we send you certain personal data in a commonly used electronic format, to provide or transfer it to another controller;
• the right to withdraw your consent where our processing is based on your consent;
• the right to obtain, on request, further information useful for the exercise of these rights.

If you wish to exercise any of the above rights against us or any of our Group companies, please contact us in writing addressed to our premises or, unless otherwise stated or agreed, by email; our contact details are given in section 2. For us to be able to prevent abuse, we will need to identify you (e.g., by means of a copy of your identity document, if identification is otherwise not possible). 

If you are in the EEA or Switzerland, you also have the right to file a complaint with the responsible data protection supervisory authority in your country.

A list of authorities in the EEA can be found here:  Members | European Data Protection Board (europa.eu).

You can reach the Swiss supervisory authority here: Contact (admin.ch).

6/2023