Version 1.0 from the 19.05.2023
INTRODUCTION / DEFINITIONS
The protection of personal data, in particular the data of our candidate organisations and their employees, is key to the EQUAL-SALARY Foundation (The Foundation). We ensure a responsible and legal treatment of this data in accordance with Swiss and European legislation on data protection, in particular the Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR).
The Foundation has appointed a Data Protection Officer (DPO) who is registered with the Federal Data Protection and Information Commissioner (FDPIC) and can be contacted by e-mail here. Our aim is to ensure that the personal data in our possession is protected in a transparent manner.
If you would like to find out more about our key commitments to protecting personal data, please see our Data Protection Charter for our candidate organizations’ employees and the Data Protection Charter for Human Resources.
WHO IS RESPONSIBLE FOR PROCESSING PERSONAL DATA?
The Data Controller is the person or body who determines the purposes and means of processing Personal Data. The Data Processor is a person or body who processes data in accordance with instructions defining the essential parameters of data protection. It acts under the authority of the Data Processor and on its instructions.
- In the context of its certification activities, the EQUAL-SALARY Foundation acts as a Data Processor under the applicable data protection legislation. The Foundation undertakes to process, at any time, the Personal Data of the candidate organisation only on behalf of the candidate organisation and in accordance with the instructions of the candidate organisation.
- Candidate organisation and its affiliated entities shall be considered as the Data Controllers.
- The Foundation’s audit partners and other external experts act as sub-processors or Independent Data Controllers with respect to Personal Data collected in the context of EQUAL-SALARY certification. The list of partners with whom the Foundation shares personal data is available here.
The Foundation undertakes to take all necessary measures to ensure the confidentiality of the Personal Data. For this purpose, the Foundation has drafted specific internal policies on IT security and data protection, and all Sub-processors are bound by a confidentiality agreement and a data protection agreement.
In certain situations, confidential information may be disclosed under legal or regulatory provisions, or by order of a competent authority or court. Personal data is not considered confidential if it is generally available to the public or already known, as long as it has not been obtained illegally or in breach of contractual provisions or this policy.
HOW IS PERSONAL DATA COLLECTED?
- Personal data relating to the EQUAL-SALARY certification
EQUAL-SALARY is a not-for-profit Foundation that carries out statistical analyses and audits to verify that organisations applying for the EQUAL-SALARY certification pay their employees equally. Personal Data of candidate organisations and their employees are not used for any other purpose than the one mentioned above. The Foundation does not use Personal Data to advertise or sell services and has no commercial activity.
Organisations applying for the ‘Ethnicity’ and ‘Intersectional’ (Gender & Ethnicity) certifications undertake to obtain valid consent (under GDPR, i.e. free, specific, informed and unambiguous consent) from their employees before transmitting their personal data to the EQUAL-SALARY Foundation. The purpose of the processing, the implications for employees and the possible risks are explained. Candidate organisations must keep proof of their employees’ consent.
- Personal data relating to other Services
We collect Personal Data directly through forms available on the Foundation’s website, or through other documents that are completed as part of the Services offered by the Foundation.
We collect this personal data for the purpose of responding to a specific request, such as a contact request via the contact form, registering for a webinar or requesting a subscription to our newsletter. We undertake to delete this data at your request.
- Personal data we collect automatically when using the Services
When you use our website or social networks, we automatically collect personal data, in particular by using cookies.
It is possible to set certain permissions regarding the automatic collection of your personal data by configuring your device or web browser with the available options.
- What Personal Data do we collect and why?
The categories of data we collect and the purposes for which we use them are detailed on the page Purposes and processing of Personal Data collected.
As a not-for-profit foundation with no commercial activities, we do not use your personal data to create a profile about you (profiling) and we do not make decisions with legal consequences for you based solely on automated processing (automated individual decision making).
Personal data received for the purpose of the EQUAL-SALARY certification is pseudonymised and stored in encrypted form.
WITH WHOM AND WHY DO WE SHARE YOUR PERSONAL DATA?
We might share your personal data with third parties in the course of providing our services:
- The Sub-processor or Independent Data Controller is selected by the candidate organisation. The Foundation delegates salary analysis and certification audits to its partners. Personal Data collected from the Platform or from the Website may also be passed on to our IT/software providers, payment service providers or communication service providers. All service providers are subject to confidentiality obligations and are bound by data processing agreements. The list of our subcontractors is presented on the following page: List of subcontractors.
- To other third parties where it is a legal requirement. We may also disclose the personal data of our candidate organisations and their employees where there is a legal necessity or other legitimate interest to do so, namely (i) to comply with a request from a judicial authority or in accordance with an obligation imposed by law; or (ii) to bring or defend a legal claim.
DO WE TRANSFER PERSONAL DATA ABROAD?
We host the Personal Data of our candidate organisations and their employees exclusively in Switzerland. The platform is hosted in a TIER III and ISO 27001 certified data center.
In general, we do not export your Personal Information or make it available to persons in other countries. However, in some cases, certain Personal Data may be transferred to recipients located abroad. You can access the list of sub-processors here.
Personal data is only transferred abroad if the applicable legal requirements are met. Our service providers abroad are obliged to comply with the same data protection requirements as the Foundation. If the level of data protection in a country does not correspond to that of Switzerland, we ensure that the protection of Personal Data is equivalent to that of Switzerland by contractual means, such as signing the Standardised Contractual Clauses (SCCs) of the European Union.
By submitting personal data to us, you tacitly consent to these data transfers. If you wish to obtain further information on this subject or obtain a copy of the relevant guarantees, you can send a request here.
HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We are committed to deleting personal data as soon as it is no longer necessary to fulfil the purposes for which it was collected, in accordance with the document Purposes and Processing of Collected Personal Data. The duration of the retention of personal data depends on the type of data and the applicable legal obligations. The following rules apply:
- Personal data collected when a contract is established between the EQUAL-SALARY Foundation and a candidate organisation (e.g. in the context of certification) are kept for the duration of the contractual relationship. We are committed to deleting the Personal Data of our candidate organisations and their employees no later than two months after the end of the validity of the certification,
- Data collected on the basis of your consent (e.g. via forms on the Website) is retained until you revoke your consent,
- Personal Data is retained for a longer period where we are legally obliged to do so (e.g. accounting rules or tax law), by order of an authority or as part of a procedure. Certain information relating in particular to the contractual relationship must be kept for at least 10 years.
- You also have the right to file a complaint with the Federal Data Protection and Information Commissioner (FDPIC) – Feldeggweg 1 – CH-3003 Bern, concerning any issues related to how ESF collects and processes your data.
WHAT RIGHTS DO YOU HAVE?
As a Data Subject, you have a certain number of rights in relation to the personal data we process, including:
- Obtain information about your Personal Data we process (all of which is accessible through our Privacy Centre),
- Obtain a verification and/or correction of your data at any time,
- Request the deletion or removal of your Personal Data,
- Withdraw your consent at any time,
- Object to the processing of your personal data,
- Collect your personal data in a suitable format (data portability).
Data Controller’s personal data will only be deleted at the request of the Data Controller, and if there are no legal or other legitimate concerns for doing so. Data Subjects should contact the Data Controller to request the deletion of personal data. It is important to note that any deleted data remains in backup storage for thirty days after deletion.
The above does not exclude other rights you may have under applicable data protection legislation.
In addition, a candidate organisation or an employee has the right to file a complaint with the competent supervisory authority. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC). Although it is not necessary, we suggest that you contact us first as we may be able to respond directly to your request.
HOW TO USE YOUR RIGHTS
- You can contact our DPO directly here.
- Please include in your message the Personal Data relevant to your request and provide us with all the information necessary to verify your identity.
HOW WE PROTECT YOUR PERSONAL DATA
The EQUAL-SALARY Foundation implements adequate technical and organisational security measures to guarantee the security of processing and the confidentiality of Personal Data, in order to prevent unauthorized access, transmission, modification or destruction of such data. These measures are regularly improved in line with technological developments.
In practice, we take all necessary measures to protect the security of Personal Data according to their nature and the risks associated with their processing. In particular, we take appropriate precautions to prevent damage, destruction or unauthorized access by third parties. In this respect, we follow the guidelines of ISO 27001 and ISO 27701.
The personal data entrusted to us is treated confidentially: access to this data is limited to what is strictly necessary according to the “Least Privilege” principle. Apart from the Foundation’s employees, further sub-processors with access to personal data are detailed in the EQUAL-SALARY Privacy Centre and are subject to verification.
The EQUAL-SALARY Foundation is in the process of acquiring ISO 27001 and ISO 27701 certification, which define good practice in terms of information security and data protection. In addition, we carry out recurrent security tests on our platform with specialised third-party organisations to ensure the effectiveness of the measures taken.
Although we take every precaution to protect your personal data, no digital service is 100% secure. In fact, we cannot guarantee that the data we receive is protected against unauthorised access and theft by third parties, and we cannot be held responsible for this.
If we suspect (on reasonable grounds) that an unauthorised person has accessed your personal data and notification is required by applicable law, we will contact the Data Controller as soon as possible to inform them of the incident, by email or other communication channel.
You will be informed of any changes affecting your personal data by any appropriate means, including by e-mail and/or via the Platform or via the Privacy Centre (e.g. by means of banners, pop-ups or other notification mechanisms). If you do not agree to the changes made, you must stop accessing and/or using the affected Service.
HOW TO CONTACT US?