1. Legal bases

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Federal Data Protection Act (LPD).
  • Ordinance to the Federal Data Protection Act (OLPD).
  • Code of Obligations (art. 328 para. 2 CO).
  • Federal Act on the Surveillance of Post and Telecommunications (LSCPT).
  • Any equivalent data protection standard in the national law applicable to our operations abroad.

2. Purpose

The purpose of this regulation is to protect the personality and fundamental rights of the persons defined in art. 3 below whose data is being processed.

It governs the security requirements for the collection, retention, use, modification, communication and archiving of the personal data of REGDATA SA employees and customers (hereinafter “REGDATA”).

3. Scope

This regulation applies to all personal data:

  • relating to employees who carry out or have carried out an activity for REGDATA, regardless of the nature of their contract;
  • inherent in customer management.

This regulation does not apply to:

  • personal data of candidates whose application has not resulted in employment.

4. Definitions

In this regulation, the following terms mean:

Access to data: ability to access personal data, in accordance with a specific access profile or permission granted by the file master.

Archive: the stage at which files containing employees’ personal data are no longer in use, but are simply kept in order to meet legal requirements.

Entitled person: anyone holding an access profile for personal data or authorized by the file master.

Data category: grouping of personal data of employees or clients, depending on their nature (identity, individual, family-related, contractual, position-related, competency-related, administrative, financial, evaluation-related, complementary, historical).

Collaborator: any person employed by any of the entities of the REGDATA group (employment contract), including trainees (internship contract), apprentices (apprenticeship contract) and Matupro students (MPC contract).

Data Protection Advisor: person acting on behalf of REGDATA who monitors the processing of personal data, makes any necessary corrections and maintains an inventory of files managed by the file master.

Data disclosure: making personal data accessible, for example by authorizing its consultation, transmitting it or disseminating it.

Personal data: information about an identified or identifiable person.

Physical record: personal data of the client, in the form of documents, including the resume, the contract of engagement or any internal questionnaire.

File: any set of personal data whose structure allows data to be searched for by person concerned, in particular the physical record of a person or all the information contained in the information system specific to Human Resources.

HRD: REGDATA Human Resources Directorate.

GRH: human resources manager in charge of the employees of a line of activity, to whom HRD functions can be delegated.

File master: person acting on behalf of REGDATA who validates the purpose and content of the file, as well as the rights of access to the said file, in accordance with the LPD or equivalent laws.

Levels of data protection: categorization of personal data, based on its degree of confidentiality, i.e.:

  • “Public” level information: non-sensitive, accessible to all REGDATA employees and externally.
  • “Internal” level information: either non-sensitive and accessible to all REGDATA employees, or insensitive and accessible to a predefined circle of REGDATA employees as needed, who may transmit it exclusively to the holder of an access profile identical to their own or with more extensive access than their own.
  • “Confidential” level information: sensitive, accessible to a small circle of REGDATA employees, who may transmit it to a third party exclusively with the express consent of its owner or the file master.

Access profile: a profile determined in relation to the function and professional responsibilities, granting the beneficiary access to certain categories of personal data.

Data processing: any operation relating to personal data, regardless of the means and processes used, including data collection, retention, use, modification, communication and archiving.

5. General provisions

5.1 Processing personal data

5.1.1. Collection

REGDATA collects personal information about its customers in order to provide business line managers with the personal and statistical data of their customers that they need to carry out their business.

The content of the information collected is limited to the customer data necessary to execute a commercial contract. Customers are required to provide all the data required for this purpose.

The data collected may take physical or electronic form. 

5.1.2. Retention

5.1.2.1. Physical records

The physical records of clients are kept by Management and the sales managers, in a cabinet or archive to which access is reserved for employees.

5.1.2.2. Computerized data

Personal customer data collected on computer media is retained under the responsibility of the backup administrator.

5.1.2.3. Retention period

Customers’ personal data is kept from the time of registration and without any time limit, except in cases of force majeure.

5.1.3. Archive

5.1.3.1. Physical Records

The physical records of clients are held until 31 December of the current year plus the previous year within REGDATA, and then deposited in the archives with Secur’Archiv. Access to these archives is regulated according to these regulations and according to the processes of Secur’Archiv.

5.1.3.2. Computerized data

Computerized data is not entered into an electronic archiving system (CAS) but is retained in document management systems for customer data.

5.1.4. Use

Only persons authorized by this regulation or expressly authorized by the file master may use the personal data of customers, and exclusively for professional purposes.

5.1.5. Modification

Employees are required at all times to:

  • Keep up to date their own personal data to which they have free access.
  • Have the authorized Human Resources staff update their own personal data that they cannot access directly.
  • Ask customers to update their own personal data to which they have free access, or change it themselves at the customer’s request.

Both employees and customers are properly informed that any misrepresentation or concealment of useful data is their responsibility.

The team leaders ensure that the employees in their charge fulfil their duty to inform. They also ensure that the personal data of employees and customers whose processing falls to them is kept up to date.

5.1.6. Communication

5.1.6.1. The employee’s communication of his own personal data

Every employee is entitled to disclose his or her own personal data to third parties at his or her discretion.

However, he or she is bound to strict confidentiality with regard to private data that may reveal professional information, in accordance with the content of his or her employment contract.

5.1.6.2. Communication within REGDATA

Any employee who becomes aware of personal data relating to other employees or clients in the course of his professional activity is strictly obliged to treat it confidentially and undertakes not to disclose it, except in the following cases:

  • He may provide “Internal” level personal data to which his access profile entitles him only to the holder of a profile identical to his own or of a profile with wider access than his own. If in doubt, the employee is required to speak to the file master.
  • Disclosure to a third party of personal data of the “Confidential” level requires the express agreement of their owner or the master of the file.

5.1.6.4. Communication outside REGDATA

Any disclosure of personal data relating to employees outside REGDATA, with the exception of “Public” level data, must be subject to express prior authorization from the file master, including in cases where this communication is intended for a third party bound by a mandate with REGDATA.

5.1.6.5. Authorisation of the file master and written statement

In the case of communication authorized by the master of the file, the recipient is obliged to sign a confidentiality agreement, which in particular draws his attention to the criminal consequences of a violation of the duty of discretion defined by the applicable legislation.

If the recipient is bound by a mandate with REGDATA and to the extent that the terms and conditions of that mandate are sufficiently binding in terms of the duty of confidentiality, the file master may exempt him from signing such a commitment.

5.2. Access to personal data

5.2.1. Physical records

The contents of physical files can only be accessed by the Directorate and the authorized Human Resources staff.

Each employee has access to his physical file, on request addressed to the GRH in charge of his line of activity.

The provisions of data protection laws applicable in Switzerland and abroad that allow third parties to access the data remain reserved.

5.2.2. Computerized data

5.2.2.1. Customers’ access to their own data

Each client has access to their personal data processed by Finance, in accordance with their access profile on the commercial platforms (RegData Protection Suite and REGDATA SaaS) of REGDATA.

5.2.2.2. Access to “Public” and “Internal” personal data

Each REGDATA employee and client has access to the personal data of the “Public” and “Internal” levels of all REGDATA employees.

5.2.2.3. Access to “Confidential” Personal Data

Access to other personal data of employees and clients, i.e. those at “Confidential” levels, is governed by predetermined access profiles according to the needs and responsibilities specific to the professional function of their beneficiary (including the functions Direction, Finance, HR, Security, and hierarchical or functional responsibilities).

The different access profiles are subject to change, at any time, by the file master.

Each access profile gives its recipient, for each specific personal data category, one of three options:

  • “Y” type of access: access is automatic and unrestricted for the profile recipient.
  • “D” type of access: access is subject to permission from the file master.
  • “N” type of access: access is not granted to the profile recipient.

5.2.2.4. Access subject to permission from the file master

Any “D” access request must be justified and addressed to the file master, using the form made available by REGDATA.

The file master is entitled to grant or refuse access to the data requested by the recipient of the access profile. If access is granted, he or she has the applicant sign a confidentiality agreement and takes all necessary and useful measures to ensure the confidentiality of the data concerned.

6. Special arrangements

6.1 External employee data

When REGDATA uses the services of external collaborators, it complies with the provisions of this Regulation. In particular, it ensures that access to the data of these employees is limited to authorized persons only.

7. Organization and responsibilities

7.1. Entitled persons

Any employee who holds an access profile or a permission granted by the file master is required to ensure the protection of the data he accesses.

He is required to use the data strictly for the purpose assigned to it.

He may disclose such data to third parties only in accordance with the rules set out in Chapter 5.1.6 above.

Any violation of data protection rules will result in the blocking of the access profile. In addition, any violator will be subject to appropriate internal sanctions, ranging from warning to dismissal. Possible criminal sanctions remain reserved.

7.2. Client

The Customer is responsible for providing all the personal data required by REGDATA and ensuring its veracity. He is required to announce without delay any changes to his personal data.

The Customer is duly informed in the General Terms that he is personally responsible for any misrepresentation or concealment of useful data.

7.3. File Master

The master of the file is designated by Human Resources. In case of absence, the file master can only be validly replaced by one of the data protection advisors.

The file master’s mission is to determine the purpose, content and access to the personal data of employees processed by Human Resources.

To this end, the master of the file is entitled to:

  • Grant or refuse access to “D” data;
  • Save declarations signed by recipients of an access profile when granting permission;
  • Take all necessary and useful measures to ensure the confidentiality and accuracy of the data involved;
  • Amend these regulations.

7.4. Data Protection Advisor

The data protection advisor is appointed by the file master. This may be a member of its staff or a third party, with the necessary professional knowledge and not engaged in any activity incompatible with his or her advisory duties. The data protection advisor performs his function independently, without receiving instructions from the file master.

The data protection advisor’s mission is to monitor the processing of personal data carried out and, if necessary, to propose the necessary corrections.

To this end, he or she is entitled to:

  • Make an inventory of files managed by the file master, for the Federal Commissioner or the persons concerned who request it;
  • Make recommendations to the file master;
  • Stand in for the file master when the latter is absent.

8. Entry into force and amendment

This regulation comes into force with immediate effect. It has no retroactive effect.

It can only be changed by the file master or data protection advisor.

Location

REGDATA SA
Campus Biotech Innovation Park Genève
Avenue de Sécheron 15
1202 Genève - Suisse