I. Contact Yokoy Group AG
Our data protection officer is available to answer any questions you may have about data protection.
1. Headquarters Yokoy Group AG Zurich
Yokoy Group AG
MLaw Claudio Berther, LL.M (University of California, Berkeley)
Legal Counsel and Data Protection Officer
Tel. +41 (0)43 508 15 77
2. Yokoy Deutschland GmbH - Munich
Yokoy Deutschland GmbH
Tel: +49 151 42 04 31 22
Company register number: HRB 267689
3. Yokoy Austria - Vienna
Tel: +43 1 417 01 15
Managing Director: Mag.(FH) Stephan Hebenstreit, LL.M.
Commercial register court: Vienna Commercial Court
Company register number: FN 534254
Place of jurisdiction: Vienna Commercial Court
Chamber affiliation: Vienna Chamber of Commerce
II. Categories of personal data
Such personal data may include the following categories
III. How we process data
1. Data that you give us
You voluntarily provide us with data in various situations. For example, when you contact us, order our newsletter, log in to the customer portal, apply for a job, register for a webinar or download gated content. If you would like to know more about how we process it, for what purpose and on what legal basis, click here.
2. Data which we process
In order to provide our services, maintain our infrastructure and provide all stakeholders with the best possible experience, we also process personal data. If you would like to know more about the purposes and legal basis for which we do this, please click here.
3. Data processed by our partners
In order to provide our services, maintain our infrastructure and provide the best possible experience for all stakeholders, we work with partners. They also process personal data. For example, when you visit our website, use the Yokoy app or as part of our marketing and social media activities. If you would like to know more about the purpose and legal basis for which we do this, click here.
IV. International data transfers
Even though we make every effort to work with Swiss providers, it is impossible to prevent data from flowing abroad. To find out how this is legally implemented by Yokoy and how your data is also transmitted in a legally secure manner in connection with foreign transfers, click here.
V. Data security
Data transmitted to us is treated confidentially and protected against unauthorised access, damage or loss with the help of technical and organisational measures. If you want to learn more about how we technically protect your data, click here.
VI. Data storage and data deletion
We store the data only as long as it is necessary for the fulfilment of the contract. The legal retention periods and your right to deletion according to Article 17 GDPR remain reserved, provided that the conditions for this are fulfilled. If you want to know more about this, click here.
VII. Your rights
The GDPR grants the person whose data is processed various rights with which the person can influence the data processing. An overview of the rights and how you can assert them can be found here.
I. Data you give us
1. By contacting us
You can contact us through various channels, e.g. telephone, email, contact form, chat, social media, webinar registration and registration for "gated content". We collect your contact details and information from the enquiry. This may be stored in our CRM (Customer Relationship Management) system. This data is only stored for internal use.
1.1 Purpose of the processing:
We store personal data in order to be able to respond to your enquiry or contact. Furthermore, this storage enables us to execute the contract or pre-contractual actions in case of questions in an existing contractual relationship. In addition, Yokoy can carry out analyses about potential future contractual relationships, e.g. about the size of the company, where the company is present and through which channels you have heard about Yokoy.
1.2 Legal basis
2. Newsletter registration
2.1 Purpose of the processing
Generation and sending of our newsletter.
2.2 Legal basis
If you subscribe to the newsletter, you give us permission to use your data for sending the newsletter. You also agree to the information described below. Based on Article 7 III GDPR, you can revoke your consent for the future at any time; for this purpose, you will find an unsubscribe link in every email sent. Alternatively, you can also contact us personally at any time. We use the software HubSpot and Sendgrid, a service of Twilio Inc., to send our newsletter. You can find an overview of all partners with whom we work for internal and external purposes and links to their data protection declarations here.
2.3 Double opt-in procedure for the purpose of provability
An important principle of the GDPR is accountability. That is, in Article 5 II GDPR, the law requires not only compliance with the data protection provisions, but also evidence thereof. For this reason, registration takes place in a double opt-in process. After your registration you will receive an email in which you have to confirm your email address. This prevents misuse with registrations from other email addresses. The registrations are stored in our CRM system so that we can legally prove the registration process. This includes the following data: registration and confirmation time, type of newsletter, IP address and your contact details. The legal basis for this is the fulfilment of a legal obligation according to Article 6 I c GDPR.
2.4 National specifics
Germany: The newsletter is sent and its success measured on the basis of the recipients' consent pursuant to Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 Para. 2 No. 3 UWG or on the basis of the legal permission pursuant to § 7 Para. 3 UWG.
Austria: The dispatch of the newsletter and the associated performance measurement is based on the consent of the recipients pursuant to Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with § 107 para. 2 TKG or on the basis of the legal permission pursuant to § 107 para. 2 TKG. § 107 para. 2 and 3 TKG. The logging of the registration process is based on our legitimate interests according to Art. 6 para. 1 lit. f GDPR. Our interest is directed towards the use of user-friendly and secure newsletter software. In addition, there is a legal obligation to provide proof of registration from the accountability principle according to Article 5 III GDPR.
Switzerland: The data processing is carried out in compliance with the data protection principles according to Art. 6 DSG.
3. Webinar registrations
You can also register for webinars via the HubSpot tool to get to know our products better. We store the data you provide so that we can contact you if necessary, e.g. if it becomes necessary to cancel the event. We base our data processing on your consent in accordance with Article 6 I a GDPR. This consent can also be revoked for the future. To do so, contact us via a channel as per point I. The data processing is carried out in compliance with the data protection principles as per Art. 6 DSG.
4. Gated content downloads
Gated content is about sharing knowledge that is valuable to the user in exchange for contact details of the user that are valuable to us. In the case of Yokoy, this could be, for example, events on topics such as digitalisation, artificial intelligence or data protection.
4.1 Purpose of the processing
4.2 Legal basis
We base our data processing on your consent in accordance with Article 6 I a GDPR. This consent can also be revoked for the future based on Article 7 III GDPR. To do so, contact us via a channel as per point 1. Data processing is carried out in compliance with the data protection principles as per Art. 6 DSG.
We collect, process and transfer your personal data with automated data processing systems. For this purpose, we work with the JOIN software. This is an offer from JOIN Solutions AG, Landsgemeindeplatz 6, 9043 Trogen. For example, the following types of personal data may be covered by the collection:
It should be emphasised at this point that the decision about employment is, of course, still made by our HR team. For further information on data protection at JOIN Solutions AG, please refer to the JOIN Solutions AG data protection policy.
5.1 Purpose of the processing
We process personal data provided to us in order to take pre-contractual measures to possibly conclude an employment contract with you. If your application is not successful or you withdraw your application, the data will be deleted within 30 days. If your application is successful, the data will be kept until the purpose is fulfilled, usually for the duration of the contractual relationship, plus a period if required by applicable law.
5.2 Legal basis
The data is stored on the basis of Article 6 I b GDPR or the consent of the person in accordance with Article 6 I a GDPR. This consent can also be revoked for the future based on Article 7 III GDPR. To do so, contact us via a channel according to point I. The data processing is carried out in compliance with the data protection principles according to Art. 6 DSG.
II. Data we process
1. Server log files
When using our website, information is automatically collected and stored that your browser transmits to us. These are:
We do not draw any conclusions about you when using this data. Logging is done in accordance with our internal logging and monitoring policy.
1.1 Purpose of the processing
The data is required, for example, to deliver the content of our website correctly, to ensure the functionality of our site or to be able to provide the information to law enforcement authorities in the event of a cyber attack. The anonymous data of the server log files are stored separately from your personal data.
1.2 Legal basis
We base the collection of this anonymised data on legitimate interests of a functioning website according to Article 6 I f GDPR.
2. Customer login/customer portal
The data protection provisions are agreed and signed with each customer when the contract is concluded. Customer data in our CRM system is processed in accordance with point 3. In addition, our system automatically records the following log data with every call:
2.1 Purpose of the processing
This data is collected for the purpose of providing the portal. Furthermore, this data is processed and stored for the purpose of ensuring the functionality of the portal and security.
2.2 Legal basis:
Article 6 I b and f GDPR. The data is only stored as long as it is necessary for the fulfilment of the purpose. To provide the portal, data is also passed on to technically necessary partners, e.g. the website hoster and the cloud provider. An overview of all partners, their services, the legal basis of the processing and the contact options can be found here. An internal logging and monitoring policy regulates the details.
3. Customer data (CRM Customer Relationship Management)
3.1 Purpose of the processing
In order to fulfil our contractual services, we need to process the data of our customers. In doing so, we process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., charts of accounts), contract data (e.g., subject matter of the contract, term), payment data (e.g., bank details, payment history). This primarily concerns customers, employees and suppliers. The purpose of the processing is the provision of contractual services, billing and our customer service.
3.2 Legal basis
III. Data collected by our partners
When we involve partners, this is done in compliance with the requirements of Art. 9 DSG and Article 5 GDPR. There are data processing contracts that include the requirements of Article 28 (3) of the GDPR and Article 9 of the GDPR.
1. When visiting the website
In order to be able to operate a website technically, certain technical requirements are necessary for which we are dependent on partners. With the partners we have.
1.1 Hosting
1.1.1 Purpose of the processing
Our hosting provider provides us with infrastructure and platform services, database services, computing capacity, security services and storage space as well as technical maintenance services, which we use for the purpose of operating our online offers.
1.1.2 Legal basis
1.2 Content Delivery Network (CDN)
1.3 Google Web Fonts
1.3.1 Purpose of the processing
This site uses so-called web fonts provided by Google to display fonts. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This is a service of the American Google LLC. For users in the European Economic Area (EEA) and in Switzerland, the Irish company Google Ireland Limited is responsible. When you call up a page, your browser loads the required web fonts into the browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using must connect to Google's servers. In this way, Google learns that our website has been accessed via your IP address.
1.4.1 Purpose of the processing
1.4.2 Legal basis
2. When using the Yokoy app
The following data is stored by the user: Name, first name, e-mail, personnel number or cost centre (in order to enable the correct booking with the customer). The data is stored in an encrypted private cloud and the transfer to the Google Cloud is also encrypted by 256-bit AES encryption. However, no employee data of the users is stored in our CRM through the use of the app.
2.1 Purpose of the data processing
This data is only processed to provide the Yokoy app.
2.2 Legal basis
This is done on the basis of Article 6 I a, b and f GDPR.
3. In our marketing activities
On our website, we use the software HubSpot for various purposes. HubSpot is a software company from the USA with a branch office in Berlin (Am Postbahnhof 17, 10243 Berlin).
3.1.1 Purpose of the processing
We also use HubSpot to provide contact forms (see point I.1.).
3.1.2 Legal basis
The legal basis for the processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR and for the necessary processing of personal data for the performance of a contract with the data subject as well as for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR. If you do not want the aforementioned data to be collected and processed via HubSpot, you can refuse your consent or revoke it at any time with effect for the future. The personal data will be kept for as long as it is necessary to fulfil the purpose of the processing. The data will be deleted as soon as they are no longer required to achieve the purpose. Here you can find further information on the data protection provisions of HubSpot.
3.2 Google Tag Manager
3.2.1 Purpose of the processing
This website uses the Google Tag Manager. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is a solution with which website tags can be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool provides for the forwarding of data and triggering of other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.
3.2.2 Legal basis
The legal basis for the use of the Google Tag Manager is your consent according to Article 6 I a GDPR. This can be withdrawn at any time with effect for the future. To do so, contact us on a channel according to point I.
3.3 Google reCaptcha
3.3.1 Purpose of the processing
The purpose of reCAPTCHA is to check whether data entry on our website (e.g. in a contact form) is made by a human or an automated programme. The reCAPTCHA analyses run entirely in the background. Website visitors are not made aware that an analysis is taking place.
IV. International data transfers
Whenever possible and economically reasonable, Yokoy endeavours to work with providers from Switzerland, the EEA or the EU, or countries for which the EU Commission has recognised an adequate level of data protection in accordance with Article 45 of the GDPR. Alternatively, the data transfer is based on standard contractual clauses according to Art. 46 of the GDPR. We are aware that the decision of the European Court of Justice C-118-311 of 16.7.2021 has repealed the Privacy Shield and that the "old" Standard Contractual Clauses still require additional safeguards. Where necessary, we will ensure that our partners switch to the new standard contractual clauses by the end of the transition period on 27 December 2022 at the latest, should they rely on standard contractual clauses for the transfer of data, particularly in the USA. If available at the partner, we base the data transfer on Binding Corporate Rules according to Art. 47 GDPR. We work exclusively with large international partners who share our conviction regarding the importance of data protection. The guarantee of data protection is further secured by data processing agreements. Below you will find an overview of our foreign partners, in which country they are located and for which purpose they process Yokoy data. Furthermore, an internal guideline stipulates that we support all international sanctions against states, territories or persons and that we do not maintain any business relationships with such states, territories or persons.
V. Data processing directory
Further information can be found in our directory of data processing pursuant to Article 30 of the GDPR and Article 12 of the GDPR.
VI. Data security
1. Physical security
The building in which the offices are located is serviced by a reception desk 24/7. Access to the office premises is only granted by a key personally handed in by the supervisor. The entrances and exits to the engineering offices are also logged for better traceability. An internal policy on physical security exists and is included in regular staff training.
Access to our online offer takes place via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock in the address bar. Even when the data is with us, it is in good hands. We chose Google as our cloud provider because Google has always evolved in terms of data security and offers us a reliable service. Google's cooperation with SAP ensures high availability of your data. The security and data protection of Google products is regularly audited independently (ISO/IEC 27001, 27017, 27018, SOC 1/2/3, GDPR). The data in the cloud is encrypted with 256-bit AES (Advanced Encryption Standard) and all data in transit is also encrypted.
3. Access management
Access is based on the need-to-know principle and is role-based. All activity is logged in order to be able to verify and prove access to the data. In addition, all access management issues are documented in an internal policy.
4. Data availability
The data is made available on demand and there are automatic daily backups on an encrypted cloud (storage period 30 days) to ensure the availability of the data at all times.
5. External review
In addition to the measures taken internally, we also have our data security checked annually by an external partner through so-called penetration tests. The results of these tests also contain improvement measures, which we subsequently implement as prescribed by the internal penetration test governance guidelines.
6. Emergency plan
If, despite all the measures taken, a data incident should occur, we are prepared for it and will put our internal emergency plan into action to minimise the damage caused.
VII. Data storage and data deletion
We respect your data and only store it for as long as is absolutely necessary for the intended purpose (principle of data minimisation according to Article 5 c GDPR and Article 6 IV DSG). We delete the data at the latest after expiry of the contractual relationship. This is subject to statutory warranty and comparable obligations. In the case of legal archiving obligations, deletion takes place after their expiry (6 years, in accordance with § 257 para. 1 HGB, 10 years, in accordance with § 147 para. 1 AO). In the case of data disclosed to us by the client within the scope of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used if it is necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of Article 6 I b GDPR, which allows us to process data for the fulfilment of a contract or pre-contractual measures. The right to deletion in accordance with Article 17 GDPR is always reserved, provided that the legal requirements for this are met. Furthermore, we store backups of our data on a daily basis in order to comply with the principle of data availability. Backup data is automatically deleted after 30 days. The procedure for data deletion is documented in an internal policy.
VIII. Data subject rights
1. Right to confirmation Art. 15 GDPR
Based on Article 15 of the GDPR and Article 19 of the FADP, you have the right to request confirmation from us as to whether personal data relating to you is being processed. To do so, contact us via a channel according to point I.
2. Right to information Art. 15 GDPR
Article 15 of the GDPR and Article 19 of the FADP also grant you the right to obtain from us at any time, free of charge, information about the personal data stored about you, as well as a copy of this data in accordance with the legal provisions. If you wish to do so, contact us via a channel in accordance with Section I. The relevant information in accordance with Article 19 of the FADP can also be found in our data processing directory in accordance with Article 12 of the FADP.
3. Right of rectification Article 16 GDPR
You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request the completion of incomplete personal data, taking into account the purposes of the processing. This obligation to correct data also arises under Swiss law from Article 6 of the Data Protection Act if the legal requirements are met.
4. Right to erasure Article 17 GDPR
You have the right to demand that we delete the personal data concerning you without delay, provided that one of the reasons provided for by law applies and insofar as the processing or storage is not necessary. A similar situation arises from Article 6 IV DSG.
5. Restriction of processing Article 18 GDPR
You have the right to demand that we restrict processing if one of the legal requirements is met.
6. Data portability Article 20 GDPR
You have the right to receive the personal data concerning you, which has been provided to us by you, in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us to whom the personal data has been provided, provided that the processing is based on consent pursuant to Article 6 I a of the GDPR or Article 9 II a of the GDPR or on a contract pursuant to Article 6 I b of the GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability in accordance with Article 20 I of the GDPR, you have the right to have the personal data transferred directly from one controller to another controller, insofar as this is technically feasible and insofar as this does not affect the rights and freedoms of other persons. The right to data portability has also been included in Article 28 of the FADP.
7. Objection Article 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 I e or f GDPR. This also applies to profiling based on these provisions within the meaning of Article 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
In individual cases, we process personal data in order to carry out direct advertising. You can object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, insofar as it is connected with such direct advertising. If you object to us processing for the purposes of direct advertising, we will no longer process the personal data for these purposes. You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89 I GDPR, unless such processing is necessary for the performance of a task carried out in the public interest. You are free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.
8. Revocation of consent under data protection law
You have the right to revoke your consent to the processing of personal data at any time with effect for the future in accordance with Article 7 III GDPR.
9. Complaint to a supervisory authority
You have the right to lodge a complaint about our processing of personal data with a supervisory authority responsible for data protection in accordance with Article 77 of the GDPR. In Switzerland, our supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC):
Federal Data Protection and Information Commissioner
CH - 3003 Bern
Phone: +41 (0)58 462 43 95 (Mon. to Fri., 10.00 to 12.00)
Fax: +41 (0)58 465 99 96
For affected parties from the EU area, our Lead Supervisory Authority is
Bavarian State Office for Data Protection Supervision (BayLDA)
Phone: +49 (0) 981 180093-0
We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, in particular by publishing the respective current data protection declaration on our website and via an email.