Last Update: 01.09.2023

This Privacy Notice outlines how we handle information that can directly or indirectly identify an individual (personal data) and it explains what personal data is collected and processed by Satisloh AG and the group of companies belonging to Satisloh AG (referred to as “Satisloh”, “we”, “us”, or “our”) when conducting its business, who uses your personal data, for what purpose, for how long, and what rights you have in this context.

1. Who we are and how to contact us
Satisloh AG is a company incorporated under the laws of Switzerland, with registered office at Neuhofstrasse 12, 6340 Baar, Switzerland, registered with the Commercial Registry of the Canton of Zug under registration number CHE-107.363.527.

The group of companies belonging to Satisloh AG is made up of numerous legal entities with offices located across the globe; an overview of the Satisloh group entities is available here.

We, Satisloh AG and the group of companies belonging to Satisloh AG, are - in the context of the applicable data protection law - the data controller of your personal data, which alone or jointly determine the purposes and means of the processing of your personal data.

In case of any data privacy related questions or if you wish to exercise your rights under section 9 Satisloh’s data privacy organization may be contacted at privacy@satisloh.com.

Besides contacting Satisloh’s data privacy organization, you always have the right to approach the competent data protection authority with your request or complaint.

2. Where are the personal data collected from?
The personal data we collect about you depends on the context of your interactions with us, the purposes of this interactions, the products, services and features that you use, your location and applicable law.

We use different methods and various sources to collect data from and about you. We collect and obtain information:

• Provided directly by you
  We collect personal data that you provide directly through our external and internal websites or using applications, or online services (hereinafter “sites”) or other communication channels (for example via e-mail, chat, phone, SMS/MMS, postal service), for example, during registration process, the creation of an account on our sites, or when completing online forms to contact us for request, feedback or complaint, subscribing to a newsletter, subscribing to receive marketing communications from us, participating in surveys or registering for webinars/events that we are organizing.
  
  We do not intentionally collect sensitive personal data (for example health data, data about political opinions, religious or philosophical beliefs, and biometric data for identification purposes), unless you provide us with such data. While there may be free text boxes on our site where you are able to enter any information, we do not intend to process sensitive personal data. You are not required to provide, and should not disclose, sensitive personal data. If you choose to provide any sensitive personal data in this manner, you acknowledge you consent to the collection and processing of this sensitive information.
  
  If you register on our site, your personal data will be stored in our CRM and ERP system. If you have opted out of receiving marketing communications, your basic contact details will remain on our opt-out list.
   
• Using automatic tracking systems
  When you visit our site, we may use some technologies (cookies, and automatic tracking systems) that automatically collect certain personal data from your device relating to the way you are using our site. You can consent to or reject cookies other than to strictly necessary cookies for our sites through our cookie settings in the footer of satisloh.com. You can also do so by adjusting your web browser controls.
   
• From social network profile
  If you decide to log into the sites through social network applications or to link your account to your public profiles available on social networks, and share your actions through the site on those channels via the corresponding plug-ins (e.g. Facebook Connect, I like, fb share, etc.). The use of the said plug-in entails sharing the corresponding actions and information on the related social networks (see section 6).
   
• Through visits in our offices, production facilities etc.
  When you visit our offices, production facilities etc., information may be collected during the registration, negotiation or purchase or procurement process, the creation of quotation, the acceptance or adjustment of purchased products and/or services that can be carried out in our facilities. We also use surveillance systems (for example security camera, CCTV) in our facilities for purpose of security, access control, fraud and loss prevention, and for operational purposes.
   
• From you when you correspond via email or chat
  If you correspond via email or chat with a Satisloh recipient, your emails resp. chats will be scanned by the tools Satisloh operates to maintain the security of its IT infrastructure.
   
• From you when you correspond via phone and voice mail services
  When you call Satisloh personnel, only your phone number will be stored on our servers and will be delivered to the recipient of your call on its phone and via an email. Under certain conditions, we also keep records of calls from customers and other requestors and maintain a transcript of chats for quality assurance and quality management. No other personal data is collected but technical logs and reports may be stored for trouble shooting purposes.
   
• From you when you apply for an employment
  Any application data received for the purpose of processing the application procedure, which may be transmitted in various ways. The information that we collect, the manner in which it is used, and the timing in which it is gathered varies depending on the country in which you apply. You may find further information about Satisloh North America collects and processes your application data in the USA career center in the privacy notice specified here.
  
  If an employment contract is concluded with you, the data provided will be processed for the purpose of managing the employment relationship. If no employment contract is concluded with you, the application documents will be deleted in accordance with section 5 of this Privacy Notice, except where it has been individually agreed with you to retain the data for a longer period in order to be able to contact you in the event of future job offers.
   
• From you when you are an employee
  Further Satisloh-internal privacy notices are available in the Satisloh Intranet (Satisloh Intranet access required).
   
• From you when you act as reporter on the EssilorLuxottica’s reporting channels
  Satisloh provides employees and other stakeholders outside Satisloh/EssilorLuxottica the opportunity with a means to confidentially, and either anonymously or on a disclosed basis, to report on activities which involve unethical or illegal behavior that is in violation of our highest ethical and legal standards or otherwise inconsistent with the EssilorLuxottica Code of Ethics. Reporting may be sent via e-mail, signed or anonymous, to the following address: compliance@essilorluxottica.com or via the existing EssilorLuxottica Ethics Points. The respective ethics point contains its own privacy notice which describes the practices EssilorLuxottica follows.
   
• From other sources
  As far as it is not unlawful we may obtain information about you from other sources, such as your employer who is acting as our business partner, data analytics providers, marketing or advertising service providers, service providers for fraud prevention, credit agencies (for example credit reports), associations, contractual partners, vendors that provide services on behalf us, banks, insurance companies or from public sources and authorities (for example debt collection registers, land registers, commercial registers), or the media and internet including social media, information from legal proceedings in which you appear (e.g. witness statements), documents concerning you (.e.g. power of attorney, recommendations, references), or we may receive data from other companies within our group. We also create information based on our analysis of the information we have collected from you.
   

3. What personal data may we process about you?
In the context of your interaction with us we may process the following categories of personal data:

4. For what purpose do we use your personal data?

When conducting business and operating our various web presences and other communication channels, we process personal data of the people we interact with, including customer, partners, suppliers, vendors, candidates, and any other people with whom we interact. You can find further information on the legal basis of our processing in section 10. 

Satisloh may process your personal data for one or more of the following business purposes depending on the nature of our relationship and the context in which your data is collected:

5. For how long do we retain your personal data?
We retain all or part of your personal data for the time strictly necessary for the following reasons:

(a) To meet applicable statutory requirements for data retention;
(b) To meet and comply with our legal and/or contractual obligations;
(c) For as long as necessary to carry out each of the purposes mentioned in this Privacy Notice, including for the purposes of satisfying any legal, accounting, reporting requirements.

To determine the appropriate retention period for personal data, we consider jointly the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

6. Who are the recipients of your personal data?
In relation to our contracts, the sites, our services and products, our legal obligations or otherwise with protecting our legitimate interests and the other purposes set out in Section 4, we may share your personal data with third parties, in particular with the following categories of recipients:

The below mentioned recipients will process your personal data on our behalf (as data processors) or as joint controllers with us or as separate controllers, depending on the circumstances.

• Group companies
  For the purpose of and to the extent necessary to conduct our business relationship with you, we may grant access to or transfer your personal to other Satisloh group companies and EssilorLuxottica group companies since Satisloh AG is an entity within the EssilorLuxottica group. An overview of the Satisloh AG group entities is available here. We sell certain products and services to our customers only via local business relationships and in this case, we may transfer your personal data to our respective local Satisloh affiliates conducting the business relationship with you.
  
  An overview of the EssilorLuxottica group entities is available here. EssilorLuxottica is a global organization with offices and operations throughout the world and some of your personal data relating to is stored and processed within a range of global applications that is used globally by the affiliates of EssilorLuxottica. Some of the processing of your personal data is carried out through the concentrated services of two entities: Essilor International and Luxottica Group S.p.A.
   
• Service Providers
  To be able to deliver our products and services efficiently and focus on our core competencies, we work with service providers in Switzerland and abroad who process your data on our behalf or as joint controllers with us or who receive data about you from us as separate controllers in various areas. These include, for example, IT services, information transmission, marketing, sales, logistics, communication or printing services, facility management, security and cleaning, organizing and holding events and receptions, debt collection, credit agencies, address verification provider (for example to update address lists in case of relocations), fraud prevention measures and services from consulting companies, lawyers, banks, insurers and telecommunication companies.
  
  If Service providers process your personal data as joint or separate controllers they inform you about their independent data processing activities in their own privacy statements. More information on how Microsoft processes data can be found here; for the use of Microsoft Teams in particular here.
  
  If you decide to log into the sites through social network applications or to link your account to your public profiles available on social networks, and share your actions through the site on those channels via the corresponding plug-ins (e.g. Facebook Connect, I like, fb share, etc.), these third-party services may be able to collect information about you, including information about your activity on the sites. Their use of your personal data is not governed by this Privacy Notice but in accordance with their own data protection policies.
   
  • Google+
  • Twitter
  • YouTube
  • LinkedIn
  • Facebook
  • Pinterest
  • Instagram
  • TikTok
     
• Contractual partners including customers
  This refers to customers (for example service recipients), vendors and our other contractual partners as this data disclosure results from these contracts. If you work for one of these contractual partners, we may also disclose data about you to that partner in this regard. These recipients also include contractual partners with whom we cooperate or who carry out advertising for us and to whom we may therefore disclose data about you for analysis and marketing purposes (these may again be service recipients, but also sponsors and online advertising providers). We require these partners to send you or display advertising based on your data only with your consent.
   
• Authorities
  We may disclose your personal data to any authority, court, administrative body, or other authorised third party in Switzerland and abroad (including, without limitation, counsel), if we are obliged or entitled to by law, regulation or court order or where such disclosure is necessary for the protection and defense of our rights.
   
• Other instances
  We may ask if you would like to disclose your information with other third parties who are not described elsewhere in this Privacy Notice. For example, we may transfer your registration data based on your consent or as otherwise indicated by your request to companies listed on the registration page of a Satisloh webinar or event. These recipients may receive your personal data as co-organizer or sponsor of the event and will use your registration data for the purposes of your participation in the event. They will provide you directly with any legally required information about their processing purposes and how you may exercise your rights.
  
  Other recipients include other third parties in relation to agency relationships (for example if we share your data with your lawyer or your bank) or persons involved in administrative or legal proceedings. If we cooperate with the media and share materials with them (for example photos), this may also affect you depending on the circumstances. The same applies if we publish content (for example photos, interviews, quotes, etc.), for example on our website or in our other publications.
  
  As part of our business development, we may sell businesses, parts of businesses or companies to others or acquire them from others or enter into partnerships, which may also result in the disclosure of data (including from you, for example as a customer or supplier or as a supplier representative) to those persons involved in these transactions. In relation to communicating with industry organizations, associations and other bodies, data may be exchanged that also affects you. Furthermore, we do not sell, rent, or lease your personal data to third parties.

7. International data transfers
As explained in section 6, we disclose data to other parties. These are not all located in Switzerland. Your data may therefore be processed both in Europe and (given the presence of Satisloh in many countries around the world) in any country in the world as part of Satisloh’s international business operations.

As a result of the above, some of your personal data may be transferred to or accessible from countries which do not have adequate statutory data protection. In such cases, and if required by applicable law, we take the following measures:

If a recipient is located in a country without adequate statutory data protection, we require the external recipient to undertake to comply with data protection (for this purpose, we use the revised and - if data transfer is subject to Swiss law and GDPR - adapted or supplemented European Commission’s standard contractual clauses, which can be accessed here), unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an exception. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing.

Please note that data exchanged via the internet is often routed through third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country.

For further information with regard to the appropriate or suitable safeguards and the means by which to obtain a copy of them, you can contact us with the modalities as per this Privacy Notice.

8. How do we protect your personal data?
We take appropriate physical, technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, use, or alteration and against unauthorized disclosure or access. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

Furthermore, a secure system for authorizing credit card payments and identifying fraudulent activities is used.

9. Your rights
To help you control the processing of your personal data, you have the following rights in relation to our data processing, depending on the applicable data protection law and subject to verification of your identity where necessary, in order for us to be able to prevent misuse (for example by means of a copy of your ID card, unless identification is possible otherwise):

• request for information whether or not your personal data is being processed by us and if that is the case request to be informed of its content, the purposes of processing, categories of recipients, storage period and source.
• request to rectify or delete your personal data our databases currently contain. We may not accommodate a request to change or delete your personal data if we believe that this would violate any law or legal requirement or cause the information to be incorrect. Upon receipt of such a request we will confirm receipt, consider your request, take a decision and communicate it to you.
• restrict the processing of your personal data. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Notice.
• object to the processing of your personal data on grounds relating to your particular situation, if the processing is based on our legitimate interest. In addition, you have the right to object at any time to processing where your personal data are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. When such objections are not possible, we will advise you accordingly. You can then choose to exercise any other right under this Privacy Notice.
• where applicable by local laws, request your personal data portability, i.e. that personal data you have provided to us be returned to you or transferred to the person of your choice in a structured, commonly used and machine-readable format. When such a request cannot be honoured, we will advise you accordingly. You can then choose to exercise any other rights under this Notice. Where applicable, we will ensure such changes are shared with any trusted third party.
• where processing is based on your consent, you may withdraw your consent at any time to the processing of your personal data. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your personal data.
• lodge a complaint with the relevant data protection supervisory authority.

If you take the view that Satisloh is not processing your personal data in accordance with the applicable data protection laws, you can at any time lodge a complaint with your locally relevant data protection authority. If you are located in the European Economic Area, the United Kingdom or Switzerland, you can lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the European Economic Area here. You can reach the UK supervisory authority here. You can reach the Swiss supervisory authority here.

In order to exercise your rights, or if you do not agree with the way we process your personal data and/or our response to a request to exercise your rights, please contact privacy@satisloh.com.

Furthermore, we offer tools to you to update and amend your personal data e.g. through user account, if you are a registered user. You may modify and update your preferences on how you wish to receive e-mails or other communications from us. You may also request that your information on your account is deleted. For information on how to withdraw your consent for cookies, please refer to the cookie settings in the footer of satisloh.com.

10. Additional country and regional specific provisions

• PROCESSING UNDER THE EU’s GENERAL DATA PROTECTION REGULATION (GDPR)

This section applies and provides you with further information if your personal data is processed by one of our companies located in the European Economic Area.

Controller. The specific company identified in our external and internal websites and online services as being the operator of the site is the data controller in the meaning of the GDPR for the processing activities described in this Privacy Notice.

Legal basis of the processing. The GDPR requires us to provide you with information on the legal basis of the processing of your personal data. The legal basis for our processing data about you is that such processing is necessary for the purposes of:

• exercising our rights and performing our obligations under any contract we make with you (Article 6 (1) (b) General Data Protection Regulation) (“Contract Performance”);
• Compliance with our legal obligations (Article 6 (1) (c) General Data Protection Regulation) (“Compliance with Legal Obligations”); and/or
• Legitimate interests pursued by us (Article 6 (1) (f) General Data Protection Regulation) (“Legitimate Interest”). Generally, the legitimate interest pursued by us in relation to our use of your personal data is the efficient performance or management of (i) your use of the online services, and/or (ii) our business relationship with you. Where the below table states that we rely on our legitimate interests for a given purpose, we are of the opinion that our legitimate interest is not overridden by your interests and rights or freedoms, given (i) the regular reviews and related documentation of the processing activities described herein, (ii) the protection of your personal data by our data privacy processes and policies, (iii) the transparency we provide on the processing activity, and (iv) the rights you have in relation to the processing activity. If you wish to obtain further information on this balancing test approach, please contact our Data Privacy Organization at privacy@satisloh.com.

In some cases, we may ask if you consent to the relevant use of your personal data. In such cases, the legal basis for us processing that data about you may (in addition or instead) be that you have consented (Article 6 (1) (a) General Data Protection Regulation) (“Consent”).

International data transfers. In the event that - as part of our global business operations – some of your personal data is transferred to or accessible outside the European Economic Area, we ensure that your data is protected in a manner which is consistent with the General Data Protection Regulation. Therefore, and if required by applicable law, we take the following measures:

If we share your personal data with affiliated companies or external recipients located in countries outside the European Economic Area for which the EU Commission has not issued an adequacy decision, we ensure that specific contractual protection (such as the EU standard contractual clauses) is implemented. You may request further information about the safeguards implemented in relation to specific transfers by contacting us with the modalities as per this Privacy Notice.

Your competent data protection authority. In case of data privacy related concerns and requests, we encourage you to contact our Data Privacy Organization at privacy@satisloh.com. Besides contacting the Data Privacy Organization, you always have the right to approach the competent data protection authority with your request or complaint. A list and contact details of local data protection authorities is available here. More information from the European Commission on international data transfer you may also obtain here.

• PROCESSING UNDER THE BRAZILIAN GENERAL DATA PROTECTION LAW

This section applies and provides you with further information if the processing by one of our companies (i) occurs in Brazilian territory, (ii) concerns the data of individuals located in Brazilian territory, (iii) comprises personal data collected in Brazilian territory or (iv) has as its objective the offer or supply of products and/or services to individuals located in Brazilian territory. In these cases the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados - LGPD) applies to the processing of your personal data and the following additions and/or deviations apply to related sections of this Privacy Notice:

Retention Periods. As allowed under article 16 of LGPD we may retain your personal data to comply with legal or regulatory obligations (such as retention obligations under tax or commercial laws), during the legal statute of limitation period, or for the regular exercise of rights in judicial, administrative or arbitration proceedings.

Your rights. Additionally to the rights mentioned in this Privacy Notice, you are entitled under LGPD to:

• In case you understand your data is not being processed in accordance with the applicable data protection law or in an excessive way, request us to anonymize, block or delete unnecessary or excessive personal data or;
• Request information regarding the public and/or private entities we shared your personal data with;
• Be informed about the possibility of not giving your consent to process your data and the consequences of not giving the consent in case we request your consent to process your data;
• Revoke at any time your consent to our processing of your personal data in case we request your consent to process your data.

Legal basis of the processing. The Brazilian General Data Protection Law requires us to provide you with information on the legal basis of the processing of your personal data.

The legal basis for our processing is:

• Article 7 V LGPD (“Contract Performance”);
• Article 7 II LGPD (“Compliance with Legal Obligations”);
• Article 10 I and II LGPD (“Legitimate Interest”).
• Article 7 I LGPD (“Consent”).

International transfers. Following the LGPD requirements defined in the Article 33 of Brazilian General Data Protection Law, in the event that we transfer your personal data outside the Brazilian territory, we ensure that your data is protected in a manner which is consistent with the Brazilian General Data Protection Law, we will follow the applicable law and decisions imposed by the proper authority.

Your competent data protection contact. If this section applies, you may also contact our Brazilian Data Privacy Organization at info.br@satisloh.com.

• Processing under People’s Republic of China Personal Information Protection Law

This section applies and provides you with further information if the processing by one of our companies is located within the borders of People’s Republic of China (“PRC”) or concerns the data of individuals within the borders of PRC.

Processing of sensitive personal information.
According to the Personal Information Protection Law of PRC (PIPL), sensitive personal information means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc. as well as the personal information of minors under the age of 14.

In addition to the payment information mentioned in section 3 of this Privacy Notice, we will, in principle, not process your sensitive personal information. In case your sensitive personal information will be processed, we will notify you about the necessity of processing and effects on the individual’s rights and interests, and obtain your specific consent if applicable.

Transfer and disclosure of personal data. Following the requirements defined in the Article 23 of PIPL, additionally to the contents mentioned in section 3, we, in principle, will not transfer or share your personal information to third party controllers, unless (1) we obtain your specific consent if applicable, or (2) to fulfill the statutory duties under local laws and regulations.

International Transfer. You acknowledge that your data will be transferred and proceed outside of PRC. We will follow the applicable laws and decisions imposed by the competent authority, and ensure that your data is protected in a manner which is consistent with the PRC Personal Information Protection Law. If you or the company you work for is a business partner, please be aware that Satisloh is a multi-national company, and for the purpose of concluding or fulfilling the contract/agreement with you or the company you work for, you understand and agree that we may transfer your personal information to foreign affiliated companies.

Legal Basis of the processing. The PIPL requires us to provide you with information on the legal basis of the processing of your personal data.

The legal basis for our processing is:

• PIPL Article 13(2) (“Contract Performance”);
• PIPL Article 13(3) (“Statutory duties and responsibilities”)
• PIPL Article 13(6) (“Process publicly available data”);
• PIPL Article 13(1) (“Consent”)

Usage by Children. This Online Offering is not directed to children under the age of fourteen (14). We will not knowingly collect personal data from children under the age of fourteen (14) without prior parental consent if required by applicable law. We will only use or disclose personal data about a child to the extent permitted by law, to seek parental consent, pursuant to local law and regulations or to protect a child.

• Further information for US residents

If you are a U.S. resident, then please take note of the following:

Usage by Children. We do not knowingly collect the personal data of children under the age of 13. Furthermore, websites and online services are not intentionally designed for or directed at children under the age of 13. If you are a parent or guardian and believe Satisloh collected information about a child, please contact Satisloh as described in this Privacy Notice. We will only use or disclose personal data about a child to the extent permitted by law, to seek parental consent, pursuant to local law and regulations or to protect a child.

State Rights. Depending on the US state in which you reside, you may have special rights with respect to your personal data. For information regarding any of those rights, please click here.

11. Changes to this Privacy Notice
We will update this Privacy Notice from time to time, in particular in response to legal and/or organizational developments.

You can see when this Privacy Notice was last updated by checking the “Last Update” date displayed at the top of this Privacy Notice.