Privacy Notice of Confiserie Sprüngli AG

Version from August 11, 2023

IMPORTANT NOTE: The German version of this document will govern our relationship – this translated version is provided for convenience only and will not be interpreted to modify the German version. For the German version, please see https://www.spruengli.ch/de/datenschutz.html.

1. General information on our handling of personal data

In this Privacy Notice, we, Confiserie Sprüngli AG (Bahnhofstrasse 21, 8001 Zurich) and its group and subsidiary companies, explain how we collect and process personal data. This is not an exhaustive description; if necessary, General Terms and Conditions, Conditions of Participation and similar documents are regulate specific matters. “Personal data” means all information relating to an identified or identifiable individual. “Sensitive personal data” is a category of personal data that is specially protected by applicable data protection law.

If you provide us with personal data of other persons (e.g. family members, work colleagues), please make sure that these persons are aware of this Privacy Notice and only provide us with their personal data if you are allowed to do so and such personal data is correct. By submitting personal data of third parties, you confirm this.

This Privacy Notice is in line with the EU General Data Protection Regulation (“GDPR”), the Swiss Data Protection Act (“DPA”, taking into account the revision). Whether and to what extent these laws are applicable, however, depends on the individual case.

2. Controller / Data Protection Officer / Representative

The “controller” of data processing as described in this Privacy Notice is Confiserie Sprüngli AG, Bahnhofstrasse 21, 8001 Zurich, unless otherwise stated or communicated in individual cases, e.g. in further Privacy Notices, on forms or in contracts. If you have any concerns regarding data protection, you can send them to us at the following contact address: Confiserie Sprüngli AG, Data Protection Officer, Bahnhofstrasse 21, 8001 Zurich, or by e-mail to datenschutz@spruengli.ch. Our representative in the European Economic Area according to Art. 27 GDPR (if required) is: Chocolat Sprüngli (Austria) GmbH, Object 115/Level 3/G Gates, 1300 Vienna Airport, 1300 Schwechat, Austria.

3. Collection and Processing of Personal Data

We primarily process personal data that we obtain from our clients and other business partners as well as other individuals in the context of our business relationships with them or that we collect from users when operating our websites, apps and other applications.

Insofar as it is permitted to us, we obtain certain personal data from publicly accessible sources (e.g., debt registers, land registries, commercial registers, press and internet) or we may receive such information from affiliated companies, from authorities or other third parties (such as e.g., credit rating agencies, list brokers). Apart from data you provided to us directly, the categories of data we receive about you from third parties include, but are not limited to, information from public registers, data received in connection with administrative or court proceedings, information in connection with your professional role and activities (e.g., in order to conclude and carry out contracts with your employer), information about you in correspondence and discussions with third parties, credit rating information (if we conduct business activities with you personally), information about you given to us by individuals associated with you (family, consultants, legal representatives, etc.) in order to conclude or process contracts with you or with your involvement (e.g. references, your delivery-address, powers of attorney), information regarding legal regulations such as anti-money laundering and export restrictions, bank details, information regarding insurances, our distributors and other business partners for the purpose of ordering or delivering services to you or by you (e.g., payments, purchases), information about you found in the media or internet (insofar as indicated in the specific case, e.g. in connection with job applications, media reviews, marketing/sales, etc.), your address and any interests and other socio-demographic data (e.g. for marketing purposes) and data in connection with your use of our websites (e.g., IP address, MAC address of your smartphone or computers, information regarding your device and settings, cookies, date and time of your visit, sites and content retrieved, applications used, referring website, localization data).

Where we perform a service before payment is made, e.g. in the case of a purchase on account, we may obtain a credit report based on mathematical-statistical methods from CRIF Bürgel GmbH, Radlkoferstrasse 2, D-81373 Munich, Germany, in order to protect our legitimate interests. For this purpose, we forward the personal data required for a credit check to the credit agency mentioned above and use the information received for a balanced decision on whether to establish, perform or terminate the contractual relationship.

4. Purposes of Data Processing and Legal Grounds

We primarily use collected data in order to conclude and process contracts with our clients and business partners, in particular in connection with selling our products to our clients and the procurement of products and services from our suppliers and subcontractors, as well as in order to comply with our domestic and foreign legal obligations. You may be affected by our data processing in your capacity as an employee of such a client or business partner.

In addition, in line with applicable law and where appropriate, we may process your personal data and personal data of third parties for the following purposes, which are in our (or, as the case may be, any third parties') legitimate interest, such as:

• providing and developing our products, services and websites, apps and other platforms, on which we are active

• review and optimization of procedures regarding needs assessment for the purpose of direct customer approach as well as obtaining personal data from publicly accessible sources for customer acquisition

• advertisement and marketing (including organizing events), provided you have given consent to the use of your data for this purpose. If we send you our advertising as part of our customer base, you may object to this at any time via the contact form at www.spruengli.ch. You may unsubscribe from the newsletter using an opt-out link provided for this purpose in the newsletter.

• market and opinion research, media surveillance

• asserting legal claims and defense in legal disputes and official proceedings

• ensuring our operation, including our IT, our websites, apps and other appliances

• video surveillance to protect our domiciliary rights and other measures to ensure the safety of our premises and facilities as well as protection of our employees and other individuals and assets owner by or entrusted to us (such as e.g. access controls, visitor logs, network and mail scanners, telephone recordings);

If you have given us your consent to process your personal data for certain purposes (for example when registering to receive newsletters or carrying out a background check), we will process your personal data within the scope of and based on this consent, unless we have another legal basis, provided that we require one. The legal ground for the processing of data is the DPA or, if and to the extent applicable, the GDPR, if you have given your consent. Consent once given can be withdrawn at any time via the contact form at www.spruengli.ch or the corresponding opt-out link in the newsletter; however this has no effect on data processed before the consent is withdrawn.

5. Cookies, analysis and tracking techniques

We typically use "cookies" and similar techniques on our websites [and apps], which allow for an identification of your browser or device. A cookie is a small text file that is sent to your computer and automatically saved by the web browser on your computer or mobile device, when you visit our website. If you revisit our website, we may recognize you, even if we do not know your identity. Besides cookies that are only used during a session and deleted after your visit of the website ("session cookies"), we may use cookies in order to save user configurations and other information for a certain time period ("permanent cookies"). Notwithstanding the foregoing, you may configure your browser settings in a way that it rejects cookies, only saves them for one session or deletesthem prematurely. Most browsers are preset to accept cookies. We use permanent cookies for the purpose of saving user configuration (e.g., language, automated log in), in order to understand how you use our services and content, and to enable to show you customized offers and advertisement (which may also happen on websites of other companies; should your identity be known to us, such companies will not learn your identity from us; they will only know that the same user is visiting their website has previously visited a certain website). Certain cookies are sent to you from us, others from business partners with which we collaborate. If you block cookies, it is possible that certain functions (such as, e.g., language settings, shopping basket, ordering processes) are no longer available to you.

In accordance with applicable law, we may include visible and invisible image files in our newsletters and other marketing e-mails. If such image files are retrieved from our servers, we can determine whether and when you have opened the e-mail, so that we can measure and better understand how you use our offers and customize them. You may disable this in your e-mail program, which will usually be a default setting.

By using our websites and consenting to the receipt of newsletters and other marketing e-mails you agree to our use of such techniques. If you object, you must configure your browser or e-mail program accordingly.

Change your personal cookie settings https://www.spruengli.ch/de/AGB/Cookie-Einstellungen

We use the following services in particular on our websites for performance and reach measurement (analysis):

Google Analytics, Google Tag Manager and Google DoubleClick by Google Ireland Ltd., with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC, based in the USA, as its processor. This involves monitoring and recording the way in which our website is used. Google uses permanent cookies and other tracking technologies for the collection of anonymous information (e.g. number of visitors to the website, origin of visitors, length of stay). As a matter of principle, we do not transmit any personal data or complete IP addresses to Google. Google provides us with the collected information in aggregated form. We do not have the possibility to identify the individual visitor. However, Google may use the additional data it collects, and the knowledge gained from it for its own purposes. Google knows you if you have registered with Google. Google then processes your personal data on its own responsibility and in accordance with its privacy policy. For more information regarding the data collected, please refer to the Privacy Notice of Google Ireland Limited at: https://policies.google.com/privacy.

Hotjar by Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road,Paceville St Julian's STJ 3141 Malta (EU). We use Hotjar to record user behavior (for example, based on movements and clicks on the website). If you would like to deactivate the data collection by Hotjar, click on the following link and follow the instructions there: https://www.hotjar.com/policies/do-nottrack/. Please note that the deactivation of Hotjar must be done separately for each browser or terminal device. For more information about Hotjar and the data it collects, please see Hotjar's Privacy Notice at the following link: https://www.hotjar.com/privacy.

Bing Universal Event Tracking (UET) by Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA. We use Bing UET to record user behavior on our website. Microsoft may be able to track user behavior across multiple electronic devices through so-called cross-device tracking and is thus able to display personalized advertising on or in Microsoft websites and applications. You can disable this behavior at https://choice.microsoft.com/de-de/opt-out. For more information about Bing UET and the data it collects, please see Microsoft's Privacy Notice at the following link: https://privacy.microsoft.com/de-de/privacystatement.

Facebook Pixel, Facebook Signal and Facebook Custom Audiences by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook, the data collected is also transmitted to the USA and other third countries. We use the services of Facebook to record user behavior on our website. For us as the operator of this website, the collected data is anonymous, we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook so that an assignment to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with Facebook's data usage guidelines. Thus, Facebook can enable the placement of advertisements on Facebook pages as well as outside of Facebook. As the site operator, we have no influence on this use of data. The data transfer to the USA takes place on the basis of the standard contractual clauses of the EU Commission. Details can be found at https://www.facebook.com/legal/EU_data_transfer_addendum and https://dede.facebook.com/help/566994660333381. In the event that personal data is collected on our website via the tool described here and transferred to Facebook, we and Meta Platforms Ireland Limited are jointly responsible for this data processing. The obligations we share are set forth in a joint processing agreement: https://www.facebook.com/legal/controller_addendum. For more information about protecting your privacy, please see Facebook's privacy notice: https://de-de.facebook.com/about/privacy/. You can also deactivate the "Custom Audiences" remarketing function in the ad settings area at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook. If you do not have a Facebook account, you can deactivate Facebook's usage-based advertising on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

We currently use offers from the following service providers and advertising partners in particular (insofar as they use data from you, or cookies set on your computer for advertising purposes):

Microsoft Advertising by Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA. In the European Economic Area, the United Kingdom and Switzerland: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. We use the services of Microsoft Advertising to advertise our business online (esp. for search engine advertising). Microsoft's Privacy Notice can be found at: https://privacy.microsoft.com/de-de/privacystatement.

Google Adsense and Google DoubleClick by Google Ireland Ltd., with its registered office in Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC, based in the USA, as its order processor. We use the services of Google AdSense to display personalized advertising on our website. The Privacy Notice of Google Ireland Limited can be found at: https://policies.google.com/privacy.

Adform by Adform A/S, Silkegade 3B, ST &1, 1113 Copenhagen, Denmark. We use Adform's services to advertise our business online. Adform's Privacy Notice (incl. opt-out) can be found at: https://site.adform.com/de/privacy-center/platform/datenschutzrichtlinie-fuer-produkteund-services/.

Google Maps including Google Maps Platform by Google Ireland Ltd., with its registered office in Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC, based in the USA, as its order processor. We use the services of Google Maps to embed maps on our website. The Privacy Notice of Google Ireland Limited can be found at: https://policies.google.com/privacy. Information about the use of location information can be found at: https://policies.google.com/technologies/location-data.

Adobe Fonts from Adobe Systems Software Ireland Limited 4-6 Riverwalk, Citywest Business Park, Dublin 24, Ireland. We use Adobe Fonts to embed fonts (including logos, icons, and symbols) on our website. Adobe's Privacy Notice can be found at: https://www.adobe.com/ch_de/privacy/policies/adobe-fonts.html.

Google Fonts by Google Ireland Ltd., with its registered office in Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC, based in the USA, as its order processor. We use Google Fonts to embed fonts (including logos, icons and symbols) into our website. The Privacy Notice of Google Ireland Limited can be found at: https://policies.google.com/privacy. Answers to frequently asked questions about data protection can be found here: https://developers.google.com/fonts/faq/privacy

Font Awesome von Fonticons Inc., 307 S Main St, Ste 202 Bentonville, AR, 72712-9214, USA. Wir verwenden Font Awesome, um in unsere Website insbesondere Logos, Icons und Symbole einzubetten. Die Datenschutzerklärung von Fonticons Inc. finden Sie unter: https://fontawesome.com/privacy.

jsDeliver by Prospect One, Królewska 65A/1, 30-081, Kraków, Poland. We use jsdelivr.com to deliver our website content quickly and flawlessly on all devices. Privacy Notice of jsDelivr can be found at: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

YouTube by Google Ireland Ltd., with its registered office in Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. relies on Google LLC, based in the USA, as its order processor. We use YouTube to embed videos on our website. YouTube's Privacy Notice can be found at: https://support.google.com/youtube/topic/2803240?hl=de.

We also use so-called plug-ins from social networks such as Facebook (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) and Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA) on our websites. This is visible for you (typically based on the respective symbols). We have configured these elements to be disabled by default. If you activate them (by clicking on them), the operators of the respective social networks may record that you are on our website and where on our website you are exactly and may use this information for their own purposes. This processing of your personal data lays in the responsibility of the respective operator and occurs according to its data protection regulations. We do not receive any information about you from the respective operator.

6. Social media

We may operate pages and other online presences («fan pages», «channels», «profiles», etc.) on social networks and other platforms operated by third parties and collect the data about you described in Section 4 and below. We receive this data from you and from the platforms when you interact with us through our online presence (for example when you communicate with us, comment on our content or visit our online presence). At the same time, the platforms analyze your use of our online presences and combine this data with other data they have about you (for example about your behavior and preferences). They also process this data for their own purposes, in particular for marketing and market re-search purposes (for example to personalize advertising) and to manage their platforms (for example what content they show you) and, to that end, they act as separate controllers.

We process this data for the purposes set out in Section 4, in particular for communication, for marketing purposes (including advertising on these platforms, see Section 5) and for market research. You will find information about the applicable legal basis in Section 4. We may disseminate content published by you (for example comments on an announcement), for example as part of our advertising on the platform or elsewhere. We or the operators of the platforms may also delete or restrict content from or about you in accordance with their terms of use (for example inappropriate comments).

For further information on the processing of the platform operators, please refer to the privacy information of the relevant platforms. There you can also find out about the countries where they process your data, your rights of access and erasure of data and other data subjects rights and how you can exercise them or obtain further information. We currently use the platforms listed below.

• Facebook: https://www.facebook.com/policy.php

• YouTube: https://support.google.com/youtube/topic/2803240?hl=de

• Instagram: https://help.instagram.com/519522125107875

• LinkedIn: https://www.linkedin.com/legal/privacy-policy

7. Data transfer and data transmission abroad

of our business activities and in line with the purposes of the data processing set out in Section 3, we may transfer data to third parties, insofar as such a transfer is permitted and we deem it appropriate, in order for them to process data for us or, as the case may be, their own purposes. In particular, the following categories of recipients may be concerned

• domestic and foreign authorities or courts

• the media

• the public, including users of our websites and social media

• other parties in possible or pending legal proceedings

together Recipients.

but they may be located in any country worldwide. In particular, you must anticipate your data to be transmitted to any country in which the Confiserie Sprungli AG is represented by affiliates, branches or other offices (https://www.spruengli.ch/en/locations.html) as well as to other countries in Europe and the USA where our service providers are located (such as Microsoft, SAP, Amazon, BSI CRM). If we transfer data to a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj? ), unless it is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exemption provision. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have consented or if it is a matter of data made generally available by you, the processing of which you have not objected to. You may at any time contact the data protection officer named in sec. 2 to obtain a copy of the contractual guarantees mentioned above. However, we reserve the right to redact copies for data protection reasons or reasons of secrecy or to produces excerpts only.

Please also note that data exchanged via the Internet is often routed via third countries. Your data may therefore end up abroad even if the sender and recipient are in the same country.

8. Duration of the retention of personal data

We process and retain your personal data as long as required for the performance of our contractual obligation and compliance with legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. Personal data may be retained for the period during which claims can be asserted against our company or insofar as we are otherwise legally obliged to do so or if legitimate business interests require further retention (e.g., for evidence and documentation purposes). As soon as your personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymized, to the extent possible. In general, shorter retention periods of no more than twelve months apply for operational data (e.g., system logs).

9. Data security

We take appropriate technical and organizational security measures to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing, and to protect against the risks of loss, accidental alteration, unauthorized disclosure or access.

10. Obligation to Provide Personal Data to us

In the context of our business relationship you must provide us with any personal data that is necessary for the conclusion and performance of a business relationship and the performance of our contractual obligations (as a rule, there is no statutory requirement to provide us with data). Without this information, we will usually not be able to enter into or carry out a contract with you (or the entity or person you represent). In addition, the website cannot be used unless certain information is disclosed to enable data traffic (e.g., IP address).

11. Profiling and automated decision making

We may partially process your personal data automatically with the aim of evaluating certain personal aspects (profiling). In particular, profiling allows us to inform and advise you about products possibly relevant for you more accurately. For this purpose, we may use evaluation tools that enable us to communicate with you and advertise you as required, including market and opinion research.

12. Rights of the data subject

In accordance with and as far as provided by applicable law (as is the case where the GDPR is applicable), you have the right to access, rectification and erasure of your personal data, the right to restriction of processing or to object to our data processing in addition to right to receive certain personal data for transfer to another controller (data portability). Please note, however, that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest (insofar as we may invoke such interests) or need the data for asserting claims. If exercising certain rights will incur costs on you, we will notify you thereof in advance. We have already informed you of the possibility to withdraw consent in Section 4 above. Please further note that the exercise of these rights may be in conflict with your contractual obligations and this may result in consequences such as premature contract termination or involve costs. If this is the case, we will inform you in advance unless it has already been contractually agreed upon.

In general, exercising these rights requires that you are able to prove your identity (e.g., by a copy of identification documents, unless otherwise possible). In order to assert these rights, please contact us at the addresses provided in Section 2 above.

If you do not agree with the way we handle your rights or with our data protection practices, please let us or our Data Protection Officers (Section Fehler! Verweisquelle konnte nicht gefunden werden.) know. If you are located in the EEA, the United Kingdom or in Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country.

A list of authorities in the EEA can be found here:

https://edpb.europa.eu/about-edpb/board/members_de

You can reach the Swiss supervisory authority here:

https://www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt/adresse.html

In Liechtenstein, the following data protection authority is responsible:

https://www.datenschutzstelle.li

13. Amendments of this Privacy Notice

We may amend this Data Protection Statement at any time without prior notice. The current version published on our website shall apply. If the Data Protection Statement is part of an agreement with you, we will notify you by e-mail or other appropriate means in case of an amendment.

  • You have any questions?

    You can contact us from Monday - Friday 8.00 to 17.00 at +41 44 224 47 40.

  • Your advantages in the online shop

    • Free postal service within Switzerland from CHF 60.—
    • Easy and secure shopping
    • Shipping costs Switzerland CHF 8.90
    • International shipping
    • Pickup in a store
    • From CHF 75.00 is possible to pay with invoice