Cloud Risk Governance Consulting Rolf A. Becker
Controlling Information Security

Privacy Notice

1. What is this Privacy Notice about?

Cloud Risk Governance Consulting Rolf A. Becker (hereinafter also "CRGCRAB", "we", "us") is a sole proprietorship firm with its registered office in Walchwil, Switzerland. In the course of our business activities, we collect and process personal data (hereinafter also "data"), in particular personal data about our clients, associated persons, counterparties, authorities, professional and other associations, visitors to our websites, participants in events, job applicants, recipients of newsletters, and other entities or, in each case, their contact persons and employees (hereinafter also "you"). In this Privacy Notice we inform you about the processing of these personal data. In addition to this Privacy Notice, we may provide you with additional information about the processing of your data (e.g., in consent forms or contract terms), additional Privacy Notices (e.g., on other websites or in apps from us), forms and notices.

 

If you disclose data to us about other persons (e.g., family members, representatives, counterparties, or other associated persons), we assume that you are authorized to do so, that such data is accurate, and that you have ensured that such persons are aware of such disclosure to the extent that an information obligation applies (e.g., by bringing this Privacy Notice to their attention in advance).

2. Who is the controller for processing your data?

For the processing activities described in this Privacy Notice, the following sole proprietorship firm is responsible:

Cloud Risk Governance Consulting Rolf A. Becker
Chellenstrasse 16d
6318 Walchwil

To the extent we are representing clients, CRGCRAB is generally a data controller with respect to CRGCRAB's related data processing activities, but may be so jointly with its respective clients. For the website on which you consulted this Privacy Notice, as well as for our pages on social networks (see Section 9), CRGCRAB is responsible for the collection and processing of personal data. If, on such a website, another entity obtains personal data as an independent controller, we will disclose this.

If you wish to contact us - CRGCRAB - about the processing of your data, you can do so via "dataprotection@cloudriskgovernance.ch".

3. For what purposes do we process which of your data?

When you use our services or our website www.cloudriskgovernance.ch (hereinafter "Website") or otherwise deal with us or are involved in a mandate that we are handling for a client of ours, we obtain and process different categories of your personal data. In particular, we process the following personal data from you for the following purposes:

  • Communication: We process personal data so that we can communicate with you as well as with third parties, such as regulators, courts, or authorities, by e-mail, telephone, letter, or other means (e.g., to answer inquiries, to provide consultancy and support services upon your request, to provide you with guidance in the implementation and operation of cloud risk governance frameworks). For this purpose, we process in particular the content and metadata of the communication as well as your contact data, but also image and audio recordings of video or phone calls. In the event of an audio or video recording of the communication (e.g., in the course of a video conference), we will inform you separately, and you are free to inform us if you do not wish to be recorded or to terminate the communication. If we need or wish to confirm your identity, we may collect additional data (e.g., a copy of an ID, passport, or other official form of identification, including electronic or digital identification). We may also send information about events, regulatory changes, news about our firm, information about cyber attacks, vulnerabilities or data breaches, or similar information to our clients, contractual partners, and other interested parties. This may, e.g., take the form of newsletters and other regular communication (especially electronically, via mail, and via telephone). You have the option to refuse or withdraw your consent to communications for marketing purposes at any time (see our contact details in Section 2).
  • Pre-contractual measures and conclusion of contracts: With regard to the conclusion of a contract, such as, in particular, a contract for providing consultancy and advisory services with you or your principal or employer, we may in particular process your name, contact details, mandates, declarations of consent, information about your company or third parties (e.g., contact persons, counterparties, organizational structures, directors and other organs of the respective companies), contract contents, date of conclusion, creditworthiness data, sensitive data about your information technology and security architecture, about your information security and data protection processes and implementation as well as potential deficiencies thereof, about data protection breaches or losses of data which have affected your company directly or indirectly, as well as all other data that you provide to us or that we collect from public sources or third parties (e.g., internet services providing information about cyber attacks, vulnerabilities, exploits, weaknesses, data losses, compromises; regulatory sources; scanning services; media).
  • Administration and performance of contracts: We process personal data in order to comply with our contractual obligations to our clients and other contractual partners (e.g., suppliers, service providers, project partners) and, in particular, to provide and claim contractual services. This also includes data processing for the management of mandates (e.g., information security and cloud risk governance consultancy and advice to our clients, expert advice in cases that our clients may have to defend in court and before authorities, and correspondence) as well as data processing for the enforcement of contracts and for public communication (if permissible). For this purpose, we process in particular the data that we receive or have collected in the course of initiating and concluding the contract, as well as data that we create or you provide in the course of our contractual services (e.g., sensitive data about your information technology and security architecture, about your information security and data protection processes and implementation as well as potential deficiencies thereof, about data protection breaches or losses of data which have affected your company directly or indirectly), as well as all other data that you provide to us or that we collect from public sources or third parties (e.g., internet services providing information about cyber attacks, vulnerabilities, exploits, weaknesses, data losses, compromises; regulatory sources; scanning services; media; information services). Such data may include, in particular, minutes of conversations and consultations, notes, internal and external correspondence, contractual documents, documents that we create and receive in the course of regulatory proceedings, background information about you, your company, counterparties or other persons, image and audio recordings, as well as other mandate-related information, documents, transcripts of records, invoices, and financial and payment information. In this context, we may also process sensitive personal data.
  • Operation of our websites: In order to operate our websites in a secure and stable manner, we collect technical data, such as IP address, information about the operating system and settings of your end device, region, time and type of use. Additionally, we use cookies and similar technologies. More information about this can be found in Section 8.
  • Improving our offerings: In order to continuously improve our websites, our services and other (electronic) offerings (e.g., other websites, apps, online tools), we collect data about your behavior and preferences by analyzing, for example, how you navigate through our websites and how you interact with our social media profiles and our online tools, or how you use or like our services. For this purpose, we also process direct or indirect feedback from you regarding our website, social media presence and our tools (e.g., comments, emails or other statements that are directly addressed to us or of which we become aware otherwise) as well as other feedback regarding our services, including in the context of a consultant-client relationship with you or in the context of public statements from you (e.g., on social media, in the media or in mailings).
  • Registration: Certain offers and services (e.g. newsletter) require registration (directly with us or via our external login service providers). For this purpose, we process the data provided during the respective registration. Furthermore, we may also collect personal data about you during the use of the offer or service, e.g. data about your behavior and preferences or communication data. If required, we will provide you with further information about the processing of this data.
  • Security purposes and access controls: We process personal data to ensure and continuously improve the appropriate security of our IT and other infrastructure (e.g., buildings). This includes, for example, monitoring and controlling electronic access to our IT systems (including IT systems and services provided and operated for us or on our behalf by external service providers), analyzing and testing the respective IT infrastructures, performing system and error checks, and creating backup copies.
  • Compliance with laws, directives and recommendations of authorities as well as internal regulations (“Compliance”): We process personal data to comply with applicable law (e.g., anti-money laundering, tax law obligations or professional obligations), self-regulations, certifications, industry standards, our corporate governance and for internal and external investigations in which we are a party (e.g. by a law enforcement or supervisory authority or an appointed private body). For this purpose, we collect in particular master and behavioral data as well as financial data, but also all other data whose collection appears necessary or useful to us in order to fulfill our obligations with regard to our compliance.
  • Risk management and corporate governance: We process personal data as part of our risk management (e.g., to protect against criminal activities) and corporate governance. This includes, among other things, our own information security, data protection, cyber threat and vulnerability management, our process and operational organization (e.g., resource planning) and our corporate development (e.g., acquisition and sale of parts of businesses or companies). For this purpose, we process in particular master data, contract data, registration data and technical data, but also behavioral and communication data.
  • Job application: If you apply for a job with us, we process the relevant data for the purposes of reviewing and assessing the application, carrying out the application process, and, in the case of successful applications, preparing and concluding a contract. For this purpose, in addition to your contact data and the information from the corresponding communication, we also process in particular the data contained in your application documents, possibly also criminal record extracts, and the data that we can additionally obtain about you, for example from job-related social networks, the Internet, the media and references (if you consent to obtaining references). Data processing in connection with the employment relationship is governed by a separate privacy notice.

Other purposes: Other purposes include, for example, training and educational purposes and administrative purposes (e.g., accounting). We may listen to or record telephone or video conferences for purposes of training, evidence, and quality assurance. In such cases, we will notify you separately (e.g., by displaying a notice during the relevant video conference) and you are free to let us know if you do not wish to be recorded or to terminate the communication (if you do not wish your image recorded, please switch off your camera). In addition, we may process personal data for the organization, implementation, and follow-up of events, such as, in particular, lists of participants and the content of presentations and discussions, but also image and audio recordings made during these events. Protection of other legitimate interests is also one of the further purposes, which cannot be listed exhaustively.

4. Where does the data come from?

  • From you: You provide us with much of the data we process (e.g., in the context of our consultancy-client relationship or other services, your use of our websites, and your communication with us). You are not obliged or required to disclose your data, with certain exceptions as required for performing our services in the context of your mandate (e.g. information about your information technology and security architecture, about your information security and data protection governance, processes and implementation as well as potential deficiencies thereof, about data protection breaches or losses of data which have affected your company directly or indirectly). You must for example provide us with certain data to use our services or to enter into contracts with us. The use of our websites is also impossible without data processing.
  • From third parties: We may collect data from public sources (e.g., debt collection registers, land registry, commercial registers, the media, or the Internet including social media) or receive such data from public authorities, from your employer or principal who has a business relationship with us or otherwise deals with us, as well as from other third parties (e.g., internet services providing information about cyber attacks, vulnerabilities, exploits, weaknesses, data losses, compromises; regulatory sources; scanning services; media; information services; clients; counterparties; address brokers; associations; event organisations; contractual partners; Internet analysis services). This also includes the data that we process in the course of initiating, concluding and performing contracts, as well as data from correspondence and other communication with third parties, but also all other categories of data pursuant to Section 3.

5. With whom do we share your data?

In connection with the provisions set forth in Section 3 we disclose your personal data in particular to the categories of recipients listed below. If necessary, we obtain your consent for this or will have the competent supervisory authorities release us from our professional obligation of confidentiality. 

  • Service Providers: We work with service providers in Switzerland and abroad who (i) process data on our behalf (e.g. IT providers, such as green.ch, Microsoft, others), (ii) process data under joint responsibility with us or (iii) process data under their own responsibility that they have received from us or collected on our behalf. Service providers include e.g., IT providers, security service providers, forensic service providers, banks, insurance companies, list brokers, law firms or other consulting companies. As a general rule, we conclude contracts with our processors regarding the processing and protection of personal data.
  • Clients and other contractual partners: This mainly includes our clients and our other contractual partners for whom a transfer of your data arises from the contract (e.g., because you work for a contractual partner or they provide services in the context of the mandate you have given CRGCRAB or these partners). This category of recipients also includes entities with which we cooperate, such as other consultancy services, information security services, law firms, or organisations specializing in cyber and information security, in Switzerland and abroad. The recipients process the data under their own responsibility, partly as sole controllers, partly as joint controllers with us.
  • Authorities and courts: We may disclose personal data to offices, courts, and other authorities in Switzerland and abroad if this is necessary for the fulfillment of our contractual obligations and, in particular, to conduct our mandate, or if we are legally obliged or entitled to do so, or if this appears necessary to protect your or our interests. The recipients are themselves responsible for the processing of the data.
  • Counterparties and persons involved: To the extent necessary or useful for the performance of our contractual obligations, in particular for the management of mandates, we also disclose your personal data to counterparties and other involved persons (e.g. other consultants, experts, lawyers, respondents).
  • Other persons: This refers to other cases where the inclusion of third parties results from the purposes according to Section 3. This includes, for example, delivery addressees or payment recipients specified by you, third parties in the context of agency relationships (e.g., your IT providers, your lawyers or your banks) or persons involved in official or legal proceedings. We may also disclose your personal data to our supervisory authority, in particular if this is necessary to release us from our professional obligation of confidentiality. You may also be affected if we cooperate with the media (including publishers of business directories) and transmit content to them (e.g., photos, contact details). We may also disclose personal data about you in the context of publications (e.g., in the form of citations, references and case studies and reports). Communications with our competitors, industry organizations, associations, market observers and other bodies may also involve the exchange of your data.

All these categories of recipients may involve third parties, so that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by others (e.g. authorities, banks, etc.).

We also allow certain third parties to collect personal data from you on our websites and at events organized by us or our partners, also under their own responsibility (e.g., media photographers, providers of tools that we have embedded on our websites, etc.). These third parties are solely responsible for the data processing insofar as we are not decisively involved in these data collections. If you have any concerns or wish to assert your data protection rights, please contact these third parties directly (see Section 8).

6. Is your personal data also disclosed abroad?

We process and store personal data mainly in Switzerland and the European Economic Area (EEA). However, depending on the circumstances, personal data may potentially be processed in any country in the world, for instance through subcontractors of our service providers or in response to regulatory or legal proceedings initiated against you or CRGCRAB by foreign courts or authorities. In the course of our activities for clients, your personal data may also end up in any country in the world.

If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed via https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?, if necessary with the required adaptations for Switzerland), unless the recipient is subject to a legally accepted set of rules to ensure data protection. We may also disclose personal data to a country without adequate statutory data protection without entering into a separate contract for this purpose if we can rely on an exception clause. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract that is in your interest requires such disclosure (e.g., if we have to disclose data to foreign regulators who have opened an investigation related to you or us in the context of our work for you), if you have consented, if it is not possible to obtain your consent within a reasonable period of time and the disclosure is necessary to protect your business' integrity or that of a third party, or if it concerns data made publicly available by you, the processing of which you have not objected to.

7. What are your rights?

You have certain rights in connection with our data processing. In accordance with applicable law, you may, in particular, request information about the processing of your personal data, have inaccurate personal data rectified, request the deletion of personal data, object to data processing, request the release of certain personal data in a standard electronic format or its transfer to other data controllers or revoke consent with effect for the future, insofar as our processing is based on your consent.

If you wish to exercise any of the above rights against us, please contact us. Our contact details can be found in Section 2. To prevent misuse, we must verify your identity as specified in Section 3.

Please note that conditions, exceptions, or limitations apply to these rights (e.g., to protect third parties or trade secrets or due to our professional obligation of confidentiality). We reserve the right to redact copies or to supply only excerpts for reasons of data protection or confidentiality.

8. How are cookies, similar technologies and social media plug-ins used on our websites?

When using our websites (incl. newsletters), data is generated that is stored in logs (especially technical data). In addition, we may use cookies and similar technologies (e.g., pixel tags or fingerprints) to recognize website visitors, evaluate their behavior and recognize preferences. A cookie is a small file that is transmitted between your system and the server and enables the recognition of a specific device or browser. 

You can set your browser to automatically reject, accept or delete cookies. You can also disable or delete cookies on a case-by-case basis. You can find out how to manage cookies in your browser in the help menu of your browser.

Both the technical data we collect and cookies generally do not contain any personal data. However, personal data that we or third-party providers commissioned by us store about you (e.g., if you have a user account with us or these providers) may be linked to the technical data or to the information stored in and derived from cookies, and thus possibly to your identity.

We also use social media plug-ins, which are small pieces of software that establish a connection between your visit to our websites and a third-party provider. The social media plug-in tells the third-party provider that you have visited our websites and may send the third-party provider cookies that the third-party provider has previously placed on your web browser. For more information about how these third-party providers use your personal data collected via their social media plug-ins, please refer to their respective privacy notices.

In addition, we use our own tools as well as third-party services (which may in turn use cookies) on our websites, in particular to improve the functionality or content of our websites (e.g., integration of videos or maps), to compile statistics, and to serve advertisements.

In particular, we currently use offers from the following service providers and advertising partners on our website and other digital services, whereby their contact details and further information on the individual data processing can be found in the respective privacy notice:

In terms of data protection law, these third-party providers may be either data processors of us (e.g. Google Analytics) or (independent) data controllers. Further information on this can be found in the privacy notices of the corresponding service providers. 

Some of the third-party providers we use may be located outside of Switzerland. Information on cross-border data transfers can be found under Section 6.

9. How do we process personal data on our social media pages?

We maintain pages and other online presences on social networks and other platforms operated by third parties. In this context, we may process data about you. We may receive data from you (e.g., when you communicate with us or comment on our content) and from the platforms (e.g., statistics). The platform providers may analyze your usage and process this data together with other data they have about you. They also process this data for their own purposes (e.g., marketing and market research purposes and to manage their platforms), and act as individual data controllers for this purpose. For more information on processing by platform operators, please refer to the privacy notice of the respective platforms. 

We currently maintain a presence on the following platforms, with the identity and contact details of the platform operator available in the respective privacy notices:

We are entitled, but not obliged, to check content before or after it is published on our online presences, to delete content without notice and, if necessary, to report it to the provider of the relevant platform.

Some of the platform operators may be located outside of Switzerland. Information on cross-border data transfers can be found under Section 6. If you access their offers directly (e.g. visit our online presence on social media, see below), you yourself will transmit your personal data abroad and not us.

10. What else needs to be considered?

We do not presume that the EU General Data Protection Regulation (“GDPR”) is applicable to data processing by us. Nonetheless, if the GDPR should apply to certain data processing on an exceptional basis, this Section 10 shall apply exclusively for the purposes of the GDPR and the data processing subject to it. 

In this case, we base the processing of your personal data in particular on the fact that 

  • as set out in Section 3, it is necessary for the initiation, conclusion and performance of contracts and their administration and enforcement (article 6 para. 1 lit. b GDPR);
  • it is necessary for the protection of legitimate interests of us or of third parties as set out in Section 3, e.g., for communication with you or third parties, to operate our websites, to improve our electronic offers and registration for certain offers and services, for security purposes, for compliance with the law and internal regulations, for our risk management and corporate governance, and for other purposes such as training and education, administration, evidence and quality assurance, organization, implementation and follow-up of events and for the protection of other legitimate interests (article 6 para. 1 lit. f GDPR);
  • it is required or permitted by law due to our mandate or position under the law of the EEA or a member state (article 6 para. 1 lit. c GDPR) or is necessary to protect your vital interests or those of other natural persons (article 6 para. 1 lit. d GDPR); 
  • you have separately consented to the processing, e.g., via a corresponding declaration on our websites (article 6 para. 1 lit. a and article 9 para. 2 lit. a GDPR). 

We would like to point out that we process your data for as long as it is necessary for our processing purposes (cf. Section 3), the legal retention periods and our legitimate interests, in particular for documentation and evidence purposes, or storage is technically required (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we generally delete or anonymize your data after the storage or processing period has expired as part of our usual processes and in accordance with our retention policy.

If you do not disclose certain personal data to us, this may mean that it is not possible to provide the related services or conclude a contract. In principle, we indicate which personal data requested by us are mandatory.

The right to object to the processing of your data, described in Section 7, applies in particular to data processing for the purpose of direct marketing.

If you do not agree with our handling of your rights or data protection, please let us know (see contact details in Section 2). If you are in the EEA, you also have the right to complain to the data protection supervisory authority in your country. You can find a list of authorities in the EEA here: edpb.europa.eu/about-edpb/about-edpb/members_en.

11. Can this Privacy Notice be changed?

This Privacy Notice is not part of any contract with you. We may amend this Privacy Notice at any time. The version published on this website is the current version.