Privacy Notice for Business Partners

1. What is this Data Privacy Notice about?
2. Who is responsible for processing personal data?
3. What personal data do we process and for what purpose?
4. On what basis do we process personal data?
5. Who do we share your personal data with?
6. In which countries does personal data end up?
7. How long do we process personal data?
8. How do we protect personal data?
9. What rights can be asserted?

Implenia Ltd. and its affiliated subsidiaries and Group companies (hereinafter referred to as Implenia) herewith notify you about how your data respectively data of your employees is processed in connection with the business relationship with the Implenia Group. This privacy statement is in addition to our general privacy notice, which informs you about how and for what purpose personal data is processed in connection with our websites, among other things. This privacy statement complies with the EU General Data Protection Regulation ("GDPR") and the Swiss Data Protection Act ("DPA"). However, the application of these laws depends on the individual case. 

Integrity is an exceptional value for Implenia and part of our mission statement (Mission Statement Implenia - Implenia Ltd.), so we have tried to present the following as clearly and transparently as possible. If, despite all our efforts, there are still any uncertainties, please do not hesitate to contact us. 

The relevant Implenia Group company with which you have or are seeking a business relationship is responsible for collecting and processing data. You can contact this individual Implenia Group company at any time with data protection concerns and to exercise rights in accordance with section 9. You can find a list of all locations and the respective person responsible here.

If you have any questions or concerns about data protection at Group level, please contact: 

Implenia Ltd.
Thurgauerstrasse 101 A
CH-8152 Glattpark (Opfikon)
Switzerland 
dataprivacy@implenia.com

In addition, a data protection officer has been appointed for the Group companies in Germany in accordance with Article 37 et seq. GDPR and Article 38 of the Federal Data Protection Act (BDSG), who can be contacted as follows:

Implenia Deutschland GmbH
Data Protection Officer
Am Prime Parc 1
D- 65479 Raunheim
dataprivacy-germany@implenia.com

As part of the business relationship with Implenia, we may also process personal data relating to your employees (i.e. details of the respective contact persons, in particular names, position, professional contact information and any communication). When using our electronic portals or other portals we provide, IP addresses may also be processed for IT security purposes.

The personal data collected is primarily used for communication between Implenia and the business partner respectively the contact person, to the extent it is required by the contractual relationship, where there is a business purpose or if it is necessary to process payment transactions and/or to fulfil legal obligations. Overall, we thus use this data to initiate and fulfil contracts, to be able to reach the appropriate contact person when an exchange is established, to be able to process items and orders appropriately and to maintain the business relationship. In addition, it is important to us to observe customer/business partner satisfaction in the long term. For this reason, we may also process the personal data collected on the legal basis of legitimate interest to provide you with information about our services and products, to receive your feedback regarding your satisfaction with our provided services, to document these services and for IT security purposes.

Unless we ask for consent, the processing of personal data is centred on the business relationship between us or its initiation or, where applicable, on our legitimate interest in the respective processing.

If we ask for consent to certain processing activities (e.g., for the processing of sensitive personnel data), we will inform separately about the respective processing purposes. Consent is always voluntary, therefore consent can be withdrawn at any time with future effect by notifying us in writing (post or email); once we have received the notice of withdrawal of consent, we will no longer process data for the purpose(s) for which consent was given, unless we have another legal basis to do so. However, withdrawal of consent will not affect the legitimacy of processing carried out based on the consent prior to the withdrawal. In certain circumstances, we may continue to process data on other legal grounds, e.g., in the event of a dispute, where this is necessary in connection with a potential legal dispute or for the enforcement or defence of legal claims. In some cases, a different legal basis may apply, which we will inform of separately if necessary.

Within Implenia, the data is made available to employees involved in contract initiation and processing, e.g., in purchasing, construction managers, project managers, as part of the business relationship. The finance department and auditors have access to personal data in the context of invoice processing and auditing. We work with service providers in the EEA, Switzerland and other countries who process data on our behalf or as jointly responsible parties with us. We share the data that these providers need for their services. We also enter contracts with these providers to ensure their compliance with data protection, in so far that this does not arise in direct accordance with legislation (e.g., public authorities). Finally, data is disclosed in cases where the legislator requires this or makes it mandatory.

As explained in section 5, we share data with other parties. These are not all located in the EEA and in Switzerland. Your data may therefore also be processed in further countries, exceptionally in any country in the world. If a recipient is located in a country without adequate legal data protection, we oblige them to comply with the applicable data protection law (for this purpose we use the European Commission's standard contractual clauses, which are available here) unless they are already subject to a legally recognised regulations to ensure data protection and we cannot rely on an exemption. An exception may apply in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have consented or if it concerns data made generally accessible and the processing of which you have not objected to.

The data shall be stored for the duration of the business relationship, but at least for the duration of the statutory retention obligations.

We take appropriate security measures to maintain the confidentiality, integrity and availability of personal data, to protect it against unauthorised or unlawful processing and to protect against the risks of loss, unintentional alteration, unauthorised disclosure or access.

Applicable data protection laws grant data subjects the right to object to the processing of their personal data under certain circumstances, in particular in the case of processing activities based on a legitimate interest. Depending on the applicable data protection law, the following rights can be asserted: 

• the right to request information from us as to whether and what data we process;
• the right to have data corrected by us if it is inaccurate;
• the right to request that we delete data;
• the right to request that we send you certain personal data in a commonly used electronic format, to provide or transfer it to another controller;
• the right to withdraw consent where our processing is based on consent;
• the right to obtain, on request, further information useful for the exercise of these rights;

If you wish to exercise any of the above rights against us or any of our Group companies, please contact us in writing addressed to our premises or, unless otherwise stated or agreed, by email; our contact details are given in section 2. For us to be able to prevent abuse, we will need to identify you (e.g., by means of a copy of your identity document, if identification is otherwise not possible).

If you are in the EEA or Switzerland, you also have the right to file a complaint with the responsible data protection supervisory authority in your country.

A list of authorities in the EEA can be found here: Members | European Data Protection Board (europa.eu). 

You can reach the Swiss supervisory authority here: Contact (admin.ch).