1. Who are we and why this Data Protection Statement

With this Data Protection Statement, we, FORFA Consulting AG (hereinafter “FORFA”, “FORFA Academy”, “FORFA Group”, “we” or “us”), describe to our Data subjects (hereinafter “you”, the “client” or “Data Subject”) how we collect and further process your Personal data according to the General Data Protection Regulation (“GDPR”). In this Data protection statement we intent to specifically inform you about us as the Controller, who our concerned Data Subjects are, the Processing of your Personal data, the purposes we exert for Processing your Personal data, the Legal basis on which the Processing of the Personal data is based, the retention period(s) that we apply for your Personal data, the use of cookies and tracking technologies, if and under what conditions Data transfer takes place to other organisations (in other countries), our Data security policy and the specific rights a Data subject has under the GDPR. This Data Protection Statement is not necessarily a comprehensive description of our complete data processing as it may depend on the relationship that we have with you; in those cases, we will make sure to have you informed about this completely. We have attempted to incorporate the most relevant topics as carefully and comprehensible as possible. It is, however, possible that, depending on the specific circumstances and/or the business-relationship between the Data Subject and FORFA, other Data Protection Statements, Disclaimers, General Terms and Conditions, Conditions of Participation and/or similar documents are applicable to the relationship between us.

Our contact information:

FORFA Consulting AG
Correspondence address: Dammstraße 16, 6300 ZUG, ZG, (Switzerland)
Chamber of Commerce registration: CHE-162.836.410-HR

Please note that any (undefined) term in this Data Protection Statement shall, in case the term is defined in the GDPR, have the exact same meaning as defined in the GDPR. You can find the GDPR in any European language by clicking here.

2. FORFA as Controller and our appointed EU-Representative:

The GDPR imposes substantial obligations on FORFA as the Controller of your Personal data, but what is actually meant by ‘Controller’? In terms of the GDPR, FORFA can be defined as “the legal person which, alone or jointly with others, determines the purposes and means of the Processing of your Personal data” (article 4 sub 7 of the GDPR). In other words, we are primarily responsible for and in ‘control’ of the conduct for Processing Personal data from you.

If you in any case want contact us about any data protection related concerns, then please don’t hesitate to contact us with contact details as mentioned under Section 1 in this Data Protection Statement.

The GDPR additionally requires in Art. 27 that we appoint a European Representative in a European Member State as we have our principle place of business outside the European Economic Area (“EEA”). For this reason, we have appointed subsidiary FORFA Europe GmbH as representative for privacy related concerns within the EEA:

Contact details of our Representative:

FORFA Europe GmbH
Eschenweg 15
76185 Karlsruhe

Please feel free to contact either us (Section1) or our Representative, whichever is easiest and most convenient for you.

3. Categories of concerned Data subjects

For the performance of our activities, we (may) process the Personal data of the following main categories of Data Subjects, in addition to the Data Subjects whose data are processed within internal employment and/or corporate relations:

  • (Potential, past and current) clients from Switzerland, Austria, Germany and the Netherlands and/or other European-member state(s);
  • Business contacts/affiliated partners and/or other parties involved, (in particular training organizations/, accreditation organizations, examination organizations and external trainers);
    (Web)users on our website or from different online (social media) platforms (e.g. LinkedIn);
  • Job applicants;
  • Representatives, proxies, contact persons and/or employees involved in the business relationship between any of the above-mentioned categories of Data subjects and FORFA.

4. The Collection and Processing of Personal data

We primarily process Personal data that we obtain from our clients and other business partners, as well from other individuals in the context of our business relationships with them and/or that we collect from them as (web)users when operating our websites and/or (social media) platforms.

In this Data Protection Statement “Personal data” shall be defined as: “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular, but not limited to, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (article 4 (1) GDPR). We only collect and process Personal data that we essentially need for our specified purposes for Processing, as laid out in Section 5 of this Data Protection Statement. We also periodically review the (Personal) data that we hold of our Data subjects and delete anything we don’t need or use (anymore).

Please note: if you provide us with Personal data of other individuals (such as co-workers, acquaintances, friends, family members or other individuals), please make sure that the respective individuals are aware of this Data Protection Statement and only provide us with their Personal data if you are allowed to do so and such Personal data is correct.

There are various methods by which you can provide us and/or by which we collect/process Personal data from you. For your information, we only refer in this Data Protection Statement to the most common ways in which Personal data is Processed by us. Our categories of Data subjects may provide us with their Personal data by:

  • Visiting our website;
  • Filling in (web)forms/registering for our services;
  • During the communication about and/or the performance of our business relationship (e.g. executing the agreement,
  • By e-mail, telephone or via postal mail;
  • By responding to our messages or sending (private) message on social media;
  • By voluntarily (physically) providing us with your Personal data;
  • Other methods not accounted for herein.

Insofar as it is permitted to us, we may also obtain certain Personal data next to the above-mentioned methods from publicly accessible sources (e.g., debt registers, commercial registers, press, internet, social media) or we may receive such information from affiliated partners (e.g. www.ISACA.org and www.PECB.com), from authorities or other Third parties that are involved in providing our services.

Apart from Personal data you provide to us directly, the categories/type of Personal data we collect and process (either being requested or sourced from public sources, our affiliated partners and/or other involved Third parties) include, but are not limited to:

  • Name, address, phone number, e-mail-address, company/employment-details, affiliated partner (membership) references, bank details, financial/tax information;
    Student exam results from our courses;
  • Information from public registers (e.g. details from a Chamber of Commerce or publicly accessible registers from private parties);
  • Information in connection with your professional role and activities;
  • Information about you in correspondence and discussions with Third parties, credit rating information;
  • Information about you given to us by individuals associated with you (family, consultants, legal representatives, etc.) in order to conclude or process contracts with you or with your involvement (e.g. references, delivery-address, powers of attorney, information regarding legal regulations such as anti-money laundering and export restrictions;
  • Information regarding insurances, our distributors and other business partners for the purpose of ordering or delivering services to you or by you (e.g., payments made, previous purchases);
  • Information about you found on social media or internet (insofar as indicated in the specific case, e.g. in connection with job applications, media reviews, marketing/sales, personalisation of our services etc.);
  • Any interests and other socio-demographic data in connection with your use of our websites (e.g. Anonymised IP address(es), information regarding your device and settings, cookies, date and time of your visit, sites and content retrieved, applications used, referring website, localisation data);
  • Data received in connection with administrative or court proceedings (e.g. in the unlikely event that there is a conflict between us).

Please note: our services or website do not intend to collect the Personal data of individuals and/or website visitors under the age of 16, unless we have the explicit legal consent from the parent(s) or guardian(s). Unfortunately, we can never confirm whether a visitor is under the age of 16 as the website(s) and / or social media platforms are also accessible to minors. For that reason, we recommend that you are involved in the online activities of your children so that it can be prevented that they distribute their Personal data without your consent. If you believe that we have incorrectly processed the Personal data of a minor, then please contact us or our Representative (Section 1, Section 2) so that we can examine and correct this accordingly.

5. The Purpose(s), Legal basis and Retention period(s) for Processing your Personal data

We primarily use your Personal data for the purpose to conclude and executing agreements with our clients and business partners, in particular in connection with professional training and certification service(s) to our clients and the procurement of products and services from our suppliers and subcontractors, as well as in order to comply with our domestic and foreign Legal obligations. You may also be affected by our data Processing in your capacity as an employee (on the Legal basis of our ‘Legal obligation’ or our Legitimate interest) and/or that of other categories of Data subjects as mentioned under section 3.

To provide you a clear overview, below you find the most common purposes that we invoke while Processing your (or others) Personal data, including the Legal basis on which the Processing is based and the retention period we apply. Please note however that this list is not comprehensive; we also may process your Personal data in case we have a purpose that is compatible with an ‘original’ purpose as mentioned under this section.

  • Entering into and executing agreements between us:

Your Personal data may be processed by us for entering into and executing agreements in context of providing our services, to maintain contact, for invoicing purposes, account management (and other administrative matters) and for maintaining our (business) relationships with you. For this we (may) process information like your name, telephone number, address, email address, company name, company contact number, student exam results, affiliated partner (membership) references, any financial or tax-relevant data and related correspondence.

We process these Personal data on the Legal basis of the ‘Contractual necessity’ and/or our ‘Legal obligation’. We might sometimes also ask for your ‘Consent’. The above-mentioned information is kept for as long as necessary to properly perform our services and agreements. We then afterwards destroy it, unless we are legally obliged to keep (part of) it longer or have another Purpose and/or Legal Basis for the continuance of processing this data. Your financial/tax information is kept for as long as is necessary to comply with our legal obligation to keep our (tax) administration.

  • To contact – or reply – to you (after contacting us):

In case you ask us questions, make requests or for example register for our training courses, we then may process your Personal data (e.g. name and address, telephone number and e-mail address) via e-mail, phone, while filling out (online)contact-, registration forms (in which case we also ask you for company details, company contact number, financial or tax-relevant data and the name of the referring organisation and membership details for verification purposes) and/or while using the messaging options on the online (social media) platforms on which we are active. With the use of this data we (try to) get back to you and, depending on the extent of your question, request or registration, address you promptly and accordingly.

We process this information primarily under the legal basis of the ’Contractual necessity’. We also may assert the legal basis of our ‘Legitimate interest’ in order to respond to you and/or to eventually conclude the contact with you in case we can’t evoke the legal basis of ‘Contractual necessity’. In some cases, we might ask for your ‘Consent’. In any case will we keep your Personal data until we think you are satisfied with our response, unless another Purpose or Legal basis justifies a longer retention period for the use of this data. If you have registered for one of our courses or services, we then will keep the registration information until the agreement with you has been executed and afterwards insofar necessary to comply with our ‘Legal obligation’ to keep our (tax) administration.

  • For marketing, advertising and market/opinion research of our services & products:

For the marketing and advertising (including organising events) of our services, courses and products or those of our (affiliated) partners, and provided that you have not objected to the use of your Personal data for this purpose, we may process Personal data like: name, address, phone number, e-mail-address, company/employment-details, information in connection with your professional role and activities, any interests and other socio-demographic data in connection with your use of our websites (e.g., IP address or information from tracking cookies) and information from social media/internet.

We primarily process this information on the Legal Basis of your ‘Consent’ or because it is in our ‘Legitimate interest’ (in regard to business continuity) to process this information. We keep this information as long as we have your Consent and/or may exert any of our Legitimate interests. In any case will your Personal data for this purpose be deleted after five years.

  • Providing, optimising and developing our website:

When you use our website we (may) obtain general visitor data. This concerns the (anonymised) IP address of your computer, the time of retrieval and data that your browser sends. We use this data for statistical analyses of visit and click behaviour on the website. With the use of this data we try to ensure a smooth connection setup and comfortable use of the website, evaluate our systems, security, stability as well ti optimise the functioning of the website. We try to Pseudonymise or Anonymise this data as much as possible and it is not provided to Third parties who could use it for our own purposes. In some cases, we may also process Personal data while using our website. When that is the case, we will explicitly inform you about it (see Section 6 for information obtained by the use of our cookies or similar technologies).

We use this Personal data on the legal basis of your ‘Consent’ or our ‘Legitimate interest’ while monitoring and improving our website. Anonymous data (which no longer contains any Personal data) is kept as long as they are relevant to us. When we have collected Personal Data via our website, then we keep it until you withdraw your consent or we no longer have a use for the data.

  • Sending and providing our newsletter:

We send out a newsletter on a quarterly base for which you can subscribe yourself. Once subscribed, you receive a periodical newsletter via e-mail with information, news and developments in the field of digital security as well information on our products, services, courses and offers from us. If you wish to cancel this subscription, you may do so at any time via the unsubscribe link in the e-mail(s) send to you.

Your e-mail address will only be added to the list of subscribers after obtaining your ‘Consent’ while registering for our newsletter. We keep this information until you cancel the subscription or in a different way withdraw your Consent. In case you withdraw you Consent/unsubscribe, we then register your e-mail address on the blocking list to be certain you do not receive the newsletter again by accident.

  • To respond to and/or go through an (open) job application procedure:

We may process your Personal data in case you send us an (open) job application. For this purpose, we may process Personal data such as your name, age, contact details, CV, grade lists, (optional) reference letters, (optional) diplomas, a motivation letter and/or other (job) specific information while assessing for potential employment. For screening purposes, we may also (on the legal basis of our Legitimate interests) process online/publicly available information about you such as your social media profiles and use the outcomes for further assessment; this will (afterwards) always be discussed/communicated to you. The (results of the screening) itself will never be the (sole) reason on which we reject applicants. In some cases, we may refer to the help of external HR consultants with regard to your application; in these instances, we (may) share your Personal data with them.

The Legal basis on which we process your Personal data in case of an (open) job application is either ‘Consent’, ‘Contractual necessity’ (insofar we enter into an agreement) or ‘Legitimate interest’ (to assess whether we are employing you). We do not keep your Personal data for the above purposes longer than necessary. If the application process does not conclude to being employment by FORFA, we will not keep the data for longer than eight weeks after the procedure in case we might still approach you if another candidate doesn’t complete the procedure. In some cases, we may ask you to give us Consent to keep your data for a longer period of time. In that case we will keep your data for a maximum of one year after the application process has ended.

In addition, in line with applicable law and where appropriate, we may exert the Legal basis of ‘Legitimate interest’ to process your (or other individuals’) Personal data for the following purposes:

  • Ensuring, providing and developing our products, services, website(s), apps and other (social media) platforms;
  • For communication with Third parties and administering of their requests (e.g. media inquiries);
  • To maintain, explore and grow business/customer-relationships;
  • To send information to you regarding changes to our Customer Terms of Service, Privacy Policy (including the Cookie policy), or other legal agreements;
  • For reviewing and optimisation of procedures regarding needs assessment for the purpose of direct customer approach as well as obtaining Personal data from publicly accessible sources for customer acquisition;
  • Asserting legal claims and defence in legal disputes and official proceedings;
  • Prevention and investigation of criminal- or contractual offences and other misconduct (e.g. conducting internal investigations, data analysis to eliminate fraud);
  • Ensuring our operation, including our IT, our websites, apps and other appliances;
  • Acquisition and sale of business divisions, companies or parts of companies and other corporate transactions and the transfer of Personal data related thereto as well as measures for business management and compliance with legal and regulatory obligations as well as the internal regulations of FORFA.;
  • Any other purposes compatible with an ‘original’ purpose as mentioned in the above list.

In the event that we require further Persona Data from you for a specific purpose, while not having communicated the Processing of the specific Personal data or the purpose to you in advance, we in that case will contact you at the moment that we require the additional Personal data and provide you with the necessary information, next to explicitly requesting your Consent before initiating the Processing of that Personal data.

Insofar we have not provided an exact retention period for Processing your Personal data, in that case the following standard applies: we process and retain your Personal data as long as required for the performance of our Contractual necessity, our Legitimate interest and/or compliance with Legal obligations, as well as for other purpose we pursue while Processing. For example, we keep your Personal data for the duration of the entire business relationship (from the initiation, during the performance of the contract, for invoicing purposes, until it is terminated) as well as beyond this duration in accordance with our Legitimate interest, your Consent, legal retention and documentation obligations. Personal data may be retained for the period during which claims can be asserted against our company or insofar as we are otherwise legally obliged to do so or if our or affiliated partners Legitimate interests require further retention (e.g., for evidence and documentation purposes). As soon as your Personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymised, to the extent possible. In general, shorter retention periods of no more than twelve months apply for operational data (e.g. system logs).

Please note: If you have given us your Consent to process your Personal data for certain purposes (for example when registering to receive our newsletters), we will then only process your Personal data within the scope and based on this Consent, unless we have another Legal basis, provided that we require one. Given Consent can be withdrawn at any time. This, however, does not affect the Personal data processed prior to withdrawal of your Consent. Please be advised that the withdrawal of Consent may in some cases result in us not being able to provide/deliver certain services to you and/or us not being able to guarantee any longer the correct execution of an agreement between us.

6. The use of Cookies and similar technologies

We typically use ‘cookies’ and similar techniques on our websites, which allow for an identification of your browser or device. A cookie is a small text file that is sent to your computer and automatically saved by the web browser on your computer or mobile device, when you visit our website. If you revisit our website, we may recognise you, even if we do not know your identity. Besides cookies that are only used during a session and deleted after your visit of the website (“session cookies”), we may use cookies in order to save user configurations and other information for a certain time period (“permanent cookies”). We use permanent cookies for the purpose of saving user configuration (e.g., language, automated log in, remembering your cookie preferences etc), in order to understand how you use our services and content and to enable us to show you customized offers and advertisement which may also happen on websites of other companies. Certain cookies are sent to you from us, others from business partners with which we collaborate (see below). Notwithstanding the foregoing, you may configure your browser settings in a way that it rejects cookies, only saves them for one session or deletes them prematurely. Most browsers are pre-set to accept cookies. If you block (our) cookies or not Consent to them, it is, however, possible that certain functions (such as, language settings, ordering processes) are no longer available to you.

  • Cookie pop- up box and Consent for the use of cookies

When you visit our website for the first time, we display a pop-up message explaining the use cookies with a referring link to our Data Protection Statement where you can find information about the cookies we use. In this pop-up display you can indicate whether you wish to Consent to our cookies or not. Insofar applicable, we have made agreements with other businesses that place cookies on our website about the use of these cookies. However, we do not have full control over what they do with the cookies themselves. It is for this reason advised that you also pay attention to their privacy statements.

If you Consent to all our cookies, we also use marketing/tracking cookies that enables us to show you customised offers and advertisement, which may also happen on websites of other organisations. Should your identity be known to us, such companies will not learn your identity from us. They will only know that the same user (id) that previously visited a certain website is visiting the website again.

Change my consent

Please check our Cookie table below for more detailed information about our cookies, the purposes they serve and which retention period we have set for these cookies while using them:

Statistical cookies

Name of cookie Provider Purpose / categories of Personal Data Retention period Type of cookie
_ga FORFA / Google Analytics This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. 2 years HTTP Cookie
_gat_gtag FORFA / Google Analytics Used by Google Analytics to slow down request speed. 1 day HTTP Cookie
_gid FORFA / Google Analytics Registers a unique ID that is used to generate statistical data about how the visitor uses the website. 1 day HTTP Cookie


Necessary/functional cookies

Name of cookie Provider Purpose / categories of Personal Data Retention period Type
of cookie
Cookie_notice_ accepted   FORFA Stores the users’ cookie status for the current domain. 1 year HTTP Cookie


FORFA / WPML Stores the users’ preferred language on the website. 13 months HTTP Cookie

Marketing Cookies

Name of cookie Provider Purpose / categories of Personal Data Retention period Type of cookie
_hssc FORFA/  HubSpot  Cookie for keeping track of sessions. This is used to determine if we should increment the session number and timestamps in the _hstc cookie. It contains: the domain, viewcount (increments each pageview in a session), session start timestamp. 1 day HTTP Cookie
_hssrc FORFA/ HubSpot Whenever HubSpot changes the session cookie, this cookie is also set. We set it simply to the value “1”, and use it to determine if the user has restarted their browser. If this cookie does not exist when we manage cookies, we assume it is a new session. Session HTTP Cookie
_hstc FORFA/ HubSpot The main cookie for tracking visitors. It contains: the domain, utk (see below), initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session) 1 year HTTP Cookie
hubspotutk FORFA/ HubSpot Keeps track of a visitors’ identity. This cookie is passed to the HubSpot marketing platform on form submission and used when de-duplicating contacts. 13 months HTTP Cookie

As can been seen from the Cookie table, most cookies have a pre-set expiration date. They expire automatically after the set period and will from that point no longer record any data. Please see our Cookie table for the specific retention period per cookie. You can also choose to delete the cookies manually before the expiration date. If you wish to do so, please read the instructions of your browser on how to do this.

Third-party providers of our cookies

Googly Analytics | We use Google Analytics or similar services on our website. These are services provided by Third parties, which may be located in any country worldwide (in the case of Google Analytics Google LLC is in the U.S., www.google.com) and which allow us to measure and evaluate the use of our website (on an Anonymised basis). For this purpose, permanent cookies are used, which are set by the service provider. The service provider does not receive (and does not retain) any Personal data from us, but the service provider may on their own capacity track your use of the website, combine this information with data from other websites you have visited and which are also tracked by the respective service provider and may use this information for its own purposes (e.g. to controlling of advertisements). If you have registered with the service provider, the service provider will also know your identity. In this case, the Processing of your Personal data by the service provider will be conducted in accordance with its data protection regulations. The service provider only provides us with data on the use of the respective website (but not any personal information of you). We have furthermore in no way influence on what these Third-parties do with the (Personal) Data that they acquire from you during their services. For this reason, we suggest for the completeness of your information, that you also take notice of the Data Protection statement(s) (also known as Privacy Policy, Privacy Statement, Data Protection Statement or an abbreviation of that) of these Third parties. The processing of your personal data via Google Analytics is based on your ‘Consent’ in obtaining general statistics (e.g. anonymised IP addresses from our website visitors). Please read more information about the privacy policy of Google here or for the specific privacy policy applicable to the cookies of Google Analytics please click here.

HubSpot | On our website, we use HubSpot as our CMS system. In addition, we use HubSpot moderately as a marketing automation/analytics system. HubSpot uses different cookies which remember your preferences, but also make it possible to make a link with the system. You can read more information in the about the specific cookies in the cookie chart and or by navigating to this webpage from HubSpot. HubSpot adheres to the Privacy Shield principles. This implies that there is an appropriate level of protection for the processing of your Personal Data. For more information, please read the HubSpot privacy statement here.

WPML | on our website, we use the WPML plugin for translation options to our web visitors. WPML uses different cookies for providing the translation services. The cookies that are placed on your electronic device store information such as the current language, the current WordPress administration area language, the redirected language, tests if cookies are enabled and to stores the last requested URL on the back-end. You can read more information in the about the specific cookies in the cookie chart and/or by navigating to this webpage from WPML. WPML adheres to the GDPR priciples. For more information, please read the WPML privacy statement here.

  • Social media buttons

In addition, we plan to use plug-ins (‘buttons’) from social networks such as Facebook, Twitter, Youtube, Instagram, and LinkedIn on our websites. The buttons/ Youtube-frame work by using pieces of code that come from the social media providers themselves and is visible for the website visitor (typically based on the respective symbols). We have configured these elements to be disabled by default. When activated (by clicking on them), the operators of the respective social networks may record (Personal data) for their own purposes. This processing of your personal data lays in the responsibility of the respective operator and occurs according to its data protection regulations. We do not receive any information about you from the respective social networks. Read the privacy statement of Facebook, Twitter, Youtube, Instagram, and LinkedIn (which can change regularly) to see what they do with your personal data that they process with this code. The information is transferred to and stored by social media networks on servers in the United States. Facebook, Twitter, Instagram and LinkedIn adhere to the Privacy Shield principles and are affiliated with the Privacy Shield program of the US Department of Commerce. This means that there is an appropriate level of protection for the processing of any personal data.

7. Datatransfer and Transfer of data abroad

In the context of our business activities and in line with the purposes of the data Processing set out in Section 5, we may transfer Personal data to Third parties, insofar as such a transfer is permitted and we deem it appropriate, in order for them to process Personal data for us or, as the case may be, their own purposes. In this context, the most common categories of Recipients are:

  • Our service providers (within FORFA group or externally, e.g. banks, insurances), including Processors (e.g. IT providers);
  • Our affiliated partners (e.g. ISACA, PECB);
  • Dealers, suppliers, subcontractors, business partners (in particular training organizations, accreditation organizations, examination organizations and external trainers) and other Third parties;
  • Clients;
  • Domestic and foreign authorities or courts;
  • Acquirers or parties interested in the acquisition of business divisions, companies or other parts of the FORFA group;
  • Other parties in possible or pending legal proceedings.


  • (together: “Recipients”)

Certain Recipients of your Personal data may be within Switzerland or the EEA (and insofar applicable, have appointed a suitable Data Protection Officer), but they may also be located in any country worldwide. In particular, you must anticipate your data to be transmitted to any country in which we represented by affiliates, branches or other offices as well as to other countries in Europe and the USA where our service providers are located (such as for example Microsoft, Goole, Apple etc). If we transfer data to a country without adequate legal data protection, we ensure an appropriate level of protection as legally required by way of using appropriate (Processor) agreements (and with non EEA-Processors on the basis standard contract clauses of the European Commission), binding corporate rules or while relying on the statutory exceptions of Consent, performance of contracts, the establishment, exercise or enforcement of legal claims, published Personal data or because it is necessary to protect the integrity of the persons concerned.

8. Data Security

We have taken appropriate technical and organisational security measures to protect your Personal data from unauthorised access and misuse such as internal policies, training, IT and network security solutions, access controls and restrictions, physical access measures including access-chips and camera security in our office building, organisational measures for access security, security of network connections via Transport Layer Security (TLS) technology, encryption of data carriers and transmissions, Pseudonymisation and/or Anonymisation, regular inspections, quality assurance and so on.

9. Third-party website(s)

Please be advised that this Privacy Statement (and cookie Section) does not apply to any Third-party websites linked to- or from our website through hyperlinks. We have no overview and/or influence and therefore cannot guarantee that these Third parties handle your personal data in a reliable, safe manner and in accordance with the GDPR. Please read the privacy statements of these Third parties before sharing Personal data with them

10. Obligation to Provide Personal data To Us

In the context of our business relationship you must provide us with any Personal data that is necessary for the conclusion and performance of a business relationship and the performance of our contractual obligations. As a rule, however, no statutory requirement exists to provide us with your Personal data. Do be advised that, without this information, we will usually not be able to enter into- or carry out a contract with you (or the entity or person you represent).

11. Profiling and automated individual decision-making

We may partially process your Personal data automatically with the aim of evaluating certain personal aspects (Profiling). In particular, Profiling allows us to inform and advise you about products possibly relevant for you more accurately. For this purpose, we may use evaluation tools that enable us to communicate with you and advertise you as required, including market and opinion research. (also see section 6).

In establishing and while carrying out a business relationship, we generally do not use any automated individual decision-making (such as pursuant to article 22 of the GDPR). Should we use such procedures in certain cases, we will inform you separately on this and advise you of your relevant rights insofar required by law.

12. Your rights under the GDPR

In accordance with and as far as provided by the GDPR, you have the Right of access (Art. 15 GDPR) – This right grants the Data subject insight into the Personal data concerning him or her and into other important information, such as the purposes of the Processing or the period for which the data is retained; Right to rectification (Art. 16 GDPR) – This right grants the possibility for the Data subject to have inaccurate Personal data concerning them rectified; Right to erasure (Art. 17 GDPR ) – This right entails the possibility for the Data Subjects to have Personal data in possession of the Controller erased under the conditions as set out in art. 17 of the GDPR; Right to restriction of Processing (Art. 18 GDPR) – This right gives the Data Subject the possibility to (temporarily) forfend further Processing of Personal data concerning the Data Subject. A restriction mainly occurs at the stage of examining other exercises of rights by the Data subjects; Right to data portability (Art. 20 GDPR) – This right entails the possibility for Data subjects to receive their Personal data (after submitting a request) from the Controller in a commonly used, machine-readable, format and have this data transferred to another Controller or Processor. Right to object (Art. 21 GDPR) – This right includes the possibility for Data subjects to object to the further Processing of their Personal data. Please note that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest (insofar as we may invoke such interests) or need the Personal data for asserting claims. If exercising certain rights will incur costs on you, we will notify you thereof in advance. We have already informed you of the possibility to withdraw Consent in Section 5 (see section 6 for withdrawing consent for cookies).

In general, exercising these rights requires that you are able to prove your identity. In some cases, we might ask you to identify yourself in order to prevent sending the wrong Personal data. In order to assert these rights, please contact us at the addresses provided in Section 1 and 2 above.

  • Complaints and the Supervisory authorities

While we are at all times at your disposal for any privacy any related matter, every Data subjects has the right to enforce his/her rights in court or to lodge a complaint with the competent Supervisory Authority. As most of our clients are based in Switzerland, Austria, Germany or the Netherlands, we refer to the competent Data Protection Authorities of these countries:

  • The competent Supervisory Authority of Switzerland is the Eidgenössicher Datenschutz- und Öffentlichkeitsbeauftragter (https://www.edoeb.admin.ch).
  • The competent Supervisory Authority of The Netherlands is the Autoriteit Persoongsgegevens (https://www.autoriteitpersoonsgegevens.nl).
  • The competent Supervisory Authority of Austria is the Österreichische Datenschutzbehörde (https://www.dsb.gv.at).
  • In case you’re a German resident, the following applies to you: Germany does not have a central competent Supervisory Authority, but instead sixteen ‘independent’ authorities for each of the German States (Länder). Germany, furthermore, also knows the ‘Bundesbeauftragte für Datenschutz und informationsfreiheit’ (the German Federal Commissioner for Data Protection and Freedom https://www.bfdi.bund.de). Please feel free the contact us if you are uncertain of which competent Supervisory Authority is appointed in your particular case.

13. Amendments of this Data Protection Statement

We may amend this Data Protection Statement at any time without prior notice. The current version published on our website is the most current version and applies to all the relationships between FORFA and (EU) Data subject. If the Data Protection Statement is part of an agreement with you, we will notify you by e-mail or other appropriate means in case of an (important) amendment of this Data Protection Statement. In case important modifications have been made to the current version of the Data Protection Statement, we will notify you by publishing a notice on our homepage. To keep yourself updated with the latest version of our Data Protection Statement, it is therefore suggested that you check this Data Protection Statement on a regular basis.