Data Protection

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes and to what extent in the context of providing our application.

The terms used are not gender-specific.

Status: 24 July 2024

Preamble
Person responsible
Overview of processing
Relevant legal bases
Safety measures
Transmission of personal data
General information on data storage and deletion
Rights of the data subjects
Provision of the online offer and web hosting

Person responsible

Prof. Dr. Isabel Karremann
University of Zurich
robinson.crusoe@es.uzh.ch

Overview of processing

The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

Content data
Usage data
Meta, communication and process data
Protocol data

Categories of affected persons

Users

Purposes of the processing

Ensuring the security of our website and IT systems
Provision of our online services and user-friendliness
Information technology infrastructure
Business processes and business management procedures
Creation and management of a searchable online catalogue of the Robinson Library

Relevant legal bases

Relevant legal bases according to the Swiss Data Protection Act: If you are located in Switzerland, we process your data on the basis of the Federal Act on Data Protection (“Swiss FADP” for short). Unlike the GDPR, for example, the Swiss FADP does not generally require that a legal basis for the processing of personal data be specified and that the processing of personal data be carried out in good faith, lawfully and proportionately (Art. 6 para. 1 and 2 of the Swiss FADP). In addition, personal data is only obtained by us for a specific purpose recognisable to the data subject and only processed in a way that is compatible with this purpose (Art. 6 para. 3 of the Swiss FADP).

Safety measures

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, disclosure, safeguarding of availability and its separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and processes in accordance with the principle of data protection, through technology design and data protection-friendly default settings.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is signalled by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

Transmission of personal data

As part of our processing of personal data, it may be transmitted to other bodies, companies, legally independent organisational units or persons or disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

General information on data storage and deletion

We delete personal data that we process in accordance with the statutory provisions as soon as the underlying consents are revoked or there is no further legal basis for the processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be stored for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our data protection information contains additional information on the retention and deletion of data that applies specifically to certain processing operations.

If there is more than one indication of the retention period or deletion period for a date, the longest period is always decisive.

If a period does not expressly begin on a specific date and is at least one year, it shall automatically start at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the date on which the cancellation or other termination of the legal relationship takes effect.

We only process data that is no longer stored for the originally intended purpose, but due to legal requirements or other reasons, for the reasons that justify its storage.

Further information on processing operations, procedures and services:

Retention and deletion of data: The following general time limits apply to storage and archiving in accordance with Swiss law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting vouchers and invoices as well as all necessary work instructions and other organisational documents (Art. 958f of the Swiss Code of Obligations (CO)).
- 10 years – Data necessary for the consideration of potential claims for damages or similar contractual claims and rights, as well as for the processing of related enquiries based on past business experience and standard industry practices, are stored for the statutory limitation period of ten years, unless a shorter period of five years is applicable, which is relevant in certain cases (Art. 127, 130 CO). Claims for rent, lease and capital interest as well as other periodic services, from the supply of food, for catering and for debts to landlords, as well as from handicraft work, retail sale of goods, medical care, professional work of lawyers, legal agents, procurators and notaries and from the employment relationship of employees expire after five years (Art. 128 CO).

Rights of the data subjects

Rights of data subjects under the Swiss DPA:

As a data subject, you have the following rights in accordance with the provisions of the Swiss Data Protection Act:

Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to enable you to assert your rights under this law and to ensure transparent data processing.
Right to data handover or transfer: You have the right to request the handover of your personal data that you have provided to us in a commonly used electronic format.
Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you.
Right to object, erasure and destruction: You have the right to object to the processing of your data and to request that the personal data concerning you be erased or destroyed.

Provision of the online offer and web hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

Processed data types: Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); metadata, communication data and process data (e.g. IP addresses, time data, identification numbers, persons involved); log data (e.g. log files relating to logins or the retrieval of data or access times). Content data (e.g. textual or pictorial messages and contributions as well as the information relating to them, such as information on authorship or time of creation).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
Storage and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).