1. Introduction and Scope

This Personal Data Processing, Protection and Destruction Policy outlines the principles and internal procedures applied by Offitec GmbH in full compliance with the Swiss Federal Data Protection Act (FADP), the EU General Data Protection Regulation (GDPR), the ePrivacy Directive and recognised international data protection standards.
It applies to all systems, processes, employees, contractors, service providers and any third parties acting on behalf of Offitec GmbH.

Personal data includes any information that identifies an individual, such as names, IDs, technical identifiers, device data, emails, contracts, service logs, behavioural data and any other linked information.

---

2. Core Principles of Data Processing

2.1 Lawfulness, Fairness and Transparency

All processing activities are based on a clear legal foundation, ensuring transparency for all data subjects.

2.2 Purpose Limitation

Data is collected only for legitimate, predefined purposes such as contract execution, customer service, technical support, legal compliance or consent-based marketing.

2.3 Data Minimization

Only the minimum required data is collected and processed.

2.4 Accuracy

We ensure data remains accurate and updated through continuous validation.

2.5 Storage Limitation

Data is retained only as long as legally required or operationally necessary.

2.6 Integrity and Confidentiality

Technical and organizational measures protect data from unauthorized access, misuse, loss and alteration.

2.7 Accountability

All processing activities are documented, monitored and traceable at every stage.

---

3. Categories of Personal Data Processed

• Identity data (name, address, contact information)

• Contract, communication and billing information

• Technical data (IP address, device logs, identifiers)

• Maintenance and service history

• Marketing preferences, consent logs, communication records

---

4. Legal Basis for Processing

• Performance of contractual obligations

• Compliance with legal requirements

• Legitimate interests of Offitec GmbH

• Explicit consent of the data subject

• Protection of essential individual interests

---

5. Personal Data Processing for Marketing

Marketing-related processing (newsletters, product updates, invitations, promotional materials) is performed only with explicit documented consent.
Consent may be withdrawn at any time.

---

6. Technical and Organizational Measures (TOMs)

• Encryption of data and communication channels

• Strict access controls

• Multi-factor authentication

• Firewalls, intrusion detection, antivirus systems

• Secure backup procedures

• Regular audits and monitoring

• Confidentiality agreements and staff training

• Documented incident-response processes

---

7. Data Transfers and Third-Party Processors

Data may be shared only with vetted third parties based on:

• Written data processing agreements

• Legal requirements

• Documented consent

• Adequate protection measures

International transfers occur only with legally sufficient safeguards.

---

8. Data Subject Rights

• Right of access

• Right to rectification

• Right to erasure

• Right to restrict processing

• Right to data portability

• Right to object

• Right to withdraw consent

Requests are processed transparently within legal deadlines.

---

9. Data Retention Policy

Retention periods depend on:

• Legal obligations

• Contractual requirements

• Business needs

• Data subject requests

When retention periods expire, data is securely deleted.

---

10. Data Destruction Procedures

• Secure digital erasure or overwriting

• Physical destruction of data carriers

• Logging of all destruction actions

• Monitoring by authorized personnel

---

11. Handling Data Breaches

• Immediate system safeguarding

• Risk analysis

• Assessment of impact on individuals

• Required notifications to authorities or affected persons

• Implementation of corrective actions

---

12. Training and Awareness

All employees receive ongoing training on data protection, cybersecurity and internal procedures.

---

13. Continuous Improvement

This policy is reviewed annually and updated whenever legal, technological or organizational changes occur.