I. Name and address of the responsible entity
The entity responsible for compliance with the provisions of the Swiss Data Protection Act (DPA) and any other applicable data protection provisions on this internet presentation platform for employee offers is:
corporate benefits swiss AG
Schwanengasse 3
CH-3011 Bern Switzerland
Tel.: 031 301 36 36
E-mail: info@cb-ag.ch
Web: https://www.corporate-benefits.ch
II. General information on data processing
1. Scope of the personal data processing
We collect and utilize our users' personal data only insofar as this is necessary for provision of an operational site and of our content and services. Collection and utilization of our users' personal data is only undertaken periodically with the user's consent. An exception applies in those cases where prior consent cannot be obtained for circumstantial reasons and the processing of the data is permitted by law.
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing personal data, art. 6 para. 6 in conjunction with art. 31 para. 1 DPA applies as the legal basis.
For the processing of personal data necessary for performance of a contract to which the data subject is a party, art. 31 para. 1, 2 letter a DPA applies as the legal basis. This also applies to processing that is necessary for carrying out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, art. 31 para. 1 DPA applies as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, art. 31 para. 1 DPA applies as the legal basis for processing.
3. Data deletion and storage duration
The affected person's personal data will be deleted or blocked as soon as the purpose of storage ceases to exist. Furthermore, data may be stored if this has been provided for by laws and regulations to which the data controller is subject. Data is also blocked or deleted once a retention period prescribed by the specified standards expires, unless there is a need for further storage of the data in order to conclude or fulfill a contract.
III. Provision of the website and creation of log files
1. Description and scope of data processing
Every time you visit our website, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
When generating a coupon code, we save the following personal data for 1 year to protect against misuse (e.g. commercial resale):
2. Legal basis for data processing
The legal basis for temporary storage of data and log files is art. 31 para. 1 DPA.
3. Purpose of data processing
Temporary storage of IP address by the system is necessary to enable delivery of the website to the user's computer. To this end, the user's IP address shall remain stored for the duration of the session.
The data is stored in log files to ensure the website's functionality. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes is performed in this context.
These purposes also encompass our legitimate interest in data processing in accordance with art. 31 para. 1 DPA.
4. Duration of retention
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collection for provision of the website, this will be undertaken once the respective session has ended.
Further storage is possible. In this case, the user's IP addresses will be deleted or altered so that a tracing back to the accessing client would no longer be possible.
Log files regarding the generation of coupon codes are deleted after one year to prevent abuse.
5. Options for Objection and Removal
Collection of data for provision of the website and storage of data in log files is absolutely necessary for operation of the website. Consequently, there is no option to object on the part of the user.
IV. Use of cookies
1. Description and Scope of Data Processing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a distinctive character string that enables unique identification of the browser when the website is accessed again.
We use cookies to make our website more user-friendly. Some elements of our website require that the browser's accessing can be identified even after changing the page.
The following data is stored and transmitted in the cookies:
Beyond this, we use services and cookies from Webtrekk GmbH on our website in order to collect statistical data on the use of the website and to improve the offer accordingly. Figures provided by Webtrekk are used to show the "Top 5 Offers Of My Colleagues" on the company platforms. Webtrekk GmbH is certified for data protection in the area of web controlling software by TÜV Saarland, Germany.
Every time our portal website is accessed, web controlling collects and evaluates some information that is transmitted by the user's browser during the registration process. The collection is carried out through a pixel that is integrated on each page. The following data is collected:
Webtrekk only saves the IP address in abbreviated (anonymised) form and uses it only for session detection, for geolocation and for the defense against cyber attacks. The IP address is then deleted immediately, so that the data collected is then anonymous.
Webtrekk places the following cookies:
More information can be found on the website of Webtrekk GmbH, Robert-Koch-Platz 4, 10115 Berlin, Germany, http://www.webtrekk.com .
2. Legal basis for data processing
The legal basis for processing personal data using cookies is art. 31 para. 1 DPA.
3. Purpose of data processing
The purpose of using technically necessary cookies is to simplify use of websites for users. Some features of our website are not offered without the use of cookies. In such cases, it is necessary that the browser is recognised even after changing the page.
4. Duration of storage and options for objection and removal
Cookies are stored on the user's computer and transmitted to our site. Therefore, as a user you have full control of the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all of the website's features in full.
V. Newsletter
1. Description and scope of data processing
You have the possibility to subscribe to free newsletters on our website. You can sign up for the monthly newsletter immediately upon registration. You can also subscribe to the newsletter at any time under "My Account". In this case, the data from the input form are transmitted to us when you subscribe to the newsletter during registration:
In addition to monthly newsletters, you can also subscribe to a special newsletter that is sent at irregular intervals after successfully completing your registration and logging in.
During the registration process, your consent is obtained for processing data and reference is made to this data protection declaration.
In connection with data processing for sending newsletters, the data is transmitted to Mapp Digital Germany GmbH, Dachauer Strasse 63, 80335 Munich, Germany. The data will be used exclusively for sending the newsletter.
For the purpose of sending the newsletter, we hand over a data package with the following personal content to Mapp:
2. Legal basis for data processing
The legal basis for processing data after the user registers for the newsletter, if the user's consent to this has been obtained, is art. 6 para. 6 in conjunction with art. 31 para 1 DPA.
3. Purpose of data processing
The user's email address is collected in order to deliver the newsletter.
Collection of other personal data as part of the subscription process is for preventing the misuse of the services or of the used email address.
4. Duration of retention
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The user's email address will therefore be stored for as long as the subscription to the newsletter is active.
5. Options for Objection and Removal
The subscription to the newsletter can be cancelled by the user at any time. For this purpose, a relevant link to the employee's "My Account" area can be found in every newsletter. Here, the employee can unsubscribe from the newsletters.
The "My Account" area transparently lists when a the has user subscribed or unsubscribed to a monthly newsletter or special newsletter.
VI. Use of a Content Delivery Network (CDN) and Security Services (MyraSecurity)
1. Description, Purpose and Scope of Data Processing
For optimizing loading times (performance), increasing reliability and protecting our IT infrastructure against malicious attacks (e.g. so-called DDoS attacks) we have implemented a content delivery network (CDN).
For this purpose, we use the services of Myra Security GmbH, Landsberger Straße 187, 80687 Munich, Germany ("MyraSecurity").
A CDN is a network of regionally distributed servers that helps making available content from our website to you faster and more securely – including but not limited to static files, such as images, JavaScript and CSS files. From a technical point of view, MyraSecurity serves as a so-called reverse proxy. This means that the traffic between your device and our servers is routed through MyraSecurity's infrastructure for speeding up delivery and analyzing and defending against potential threats.
Within such process, technical protocol data (so-called access logs) are processed. These include, but shall not be limited to:
- Your IP address
- Date and time of access
- The requested content (e.g. URL) and
- Information about your browser and operating system (e.g. user-agent)
The processing of this data is technically required to ensure the stability, performance and security of our website.
2. Legal basis for data processing.
The legal basis for the use of MyraSecurity is our legitimate interest in providing our platform securely, quickly and reliably in accordance with Art. 6 (1) (f) GDPR.
MyraSecurity acts for us solely as a technical service provider bound to our instructions. We have concluded a contract processing agreement with MyraSecurity in accordance with Art. 28 GDPR. This ensures that the data is processed only according to our instructions and not for MyraSecurity's own purposes. The data processing takes only place in data centres within the European Union (EU) or the European Economic Area (EEA). MyraSecurity does not use its own cookies for this service to analyze user behavior.
3. Duration of storage
The access logs containing your IP address are stored for a maximum period of 10 days to ensure stability and security and are automatically deleted or anonymized afterwards.
VII. Registration
1. Description and scope of data processing
On our website, user may subscribe for our portal by providing personal data. The data is entered into an online sheet and transmitted to us and stored. The data will not be passed on to third parties. The following data is collected during subscription:
- Salutation (mandatory)
- Title (optional)
- First name and last name (mandatory)
- Date of birth (optional)
- Postal code (optional)
- Email address (mandatory)
- Newsletter (optional)
- Date and time of subscription
Within the subscription path, the user's consent to the processing of the optional data will be obtained. We also store:
IOS and Android App
Insofar as far as this has been activated for your respective portal, users have the possibility to post classified ads. The following data can be entered for the creation of an advertisement:
2. Legal basis for data processing
The processing of data collected during subscription takes place due to different legal grounds:
- The legal basis for the processing of the data that is essential for providing access to the Portal and user administration (first name, last name, email address), shall be Art. 6 para. 1 lit. b GDPR (performance of contract).
- The legal basis for the processing of the optional data (e.g. title, date of birth, postal code) shall be Art. 6 (1) (a) GDPR if the user has provided his consent
- The legal basis for collecting the salutation is Art. 6 (1) (f) GDPR (legitimate interest). The details of our legitimate interest and the balancing of interests carried out can be found under Section 3.
- The legal basis with respect to the fingerprinting for access control and abuse prevention is Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest).
3. Purpose of Data Processing and Legitimate Interests
For making available certain content and services on our website the user needs to subscribe. With successful subscription, the user gains access to our platform for employee offers. [...] Collecting personal data within the subscription process serves to identify and address users, support requests, legal evidence, marketing and target group analyses and to display saved offers.
Justification of the legitimate interest in collecting the salutation (Art. 6 para. 1 lit. f GDPR):
The salutation is collected for safeguarding our legitimate interest in high-quality, addressee-oriented and professional communication. We consider appropriate communication in the context of support, system notifications, and general provision of information to be essential for ensuring the quality of service and maintain the relationship of trust with our users. In our opinion, your interests and fundamental rights do not outweigh our stated interest in the necessary balancing, as the use of a customary form of address ("Mr" or "Mrs") is a common and reasonably expected practice in business transactions. Our analysis has shown that our interest in a structured basis for professional communication outweighs the interest of the data subjects in these circumstances.
Justification of the legitimate interest for fingerprinting (Art. 6 para. 1 lit. f GDPR):
We process a fingerprint generated by your device or browser to safeguard our legitimate interests in ensuring platform integrity and preventing abuse. Our business model is based on granting exclusive benefits to authorized users only (employees of partner companies). This model is existentially endangered by the unauthorized disclosing of access data, automatically creating accounts and commercially using discounts.
Protecting your account only with username and password is not sufficient for this purpose, as access data can be easily shared. Fingerprinting is therefore necessary to detect and stop patterns of abuse and to ensure that the terms of use are respected. The affection of your rights is kept as low as possible: The fingerprint created is pseudonymous, is used exclusively for this security purpose, is not passed on to uninvolved third parties and is not used for advertising or tracking purposes beyond our platform. When balancing the interests, our compelling interest in protecting our service and the entire user community from fraud and abuse outweighs your interest in protecting this specific technical data, particularly with you as authorized user also having an interest in the exclusivity and security of the platform.
4. Duration of retention
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. This is the case for the data collected during the registration process, if registration on our website is withdrawn or amended.
5. Options for Objection and Removal
As a user you have the option of cancelling the registration at any time. You may change the data stored about you, at any time. You can remove your account and platform access at any time in the "My Account" area using the "Delete account" link or change your data in this area.
VIII. Contact form and email contact
1. Description and scope of data processing
There is a contact form on our website which can be used for electronic contact. If a user accepts this option, the data entered in the input form will be transmitted to us and saved. This data is:
The following data are also stored at the time the message is sent:
Alternatively, you can contact us via the e-mail address provided. In this case, the user's personal data that is transmitted along with the email will be stored.
2. Legal basis for data processing
The legal basis for processing the data, if the user's consent to this has been obtained, is art. 6 para. 6 in conjunction with art. 31 para 1 DPA.
The legal basis for processing the data transferred in the course of sending an email is art. 31 para. 1 DPA. If the ultimate purpose of sending the e-mail is entering into contract with us, the additional legal basis for the data processing is art. 31 para. 1, 2 letter a DPA.
3. Purpose of data processing
The processing of personal data in the input screen is used by us only for processing the contact. If contact is made via email, this is also because of our required legitimate interest in processing the data.
The other personal data processed during the sending process is for preventing the misuse of the contact form and to ensure the security of our information technology systems.
4. Duration of retention
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the contact form input screen and the data that was sent by e-mail, this is the case when the respective conversation with the user has been completed. The conversation will have ended when it is evident from the circumstances that the matter at hand has been conclusively resolved.
5. Options for Objection and Removal
The user has the option of revoking his or her consent to the processing of personal data at any time. If the user contacts us by email, he may object to the storage of his personal data at any time. It will not be possible to continue the conversation in this case.
In such cases, all personal data that was stored when establishing contact with us shall be deleted.
IX. Disclosure of personal data to third parties
We use an external system from http://salesforce.com Germany GmbH (Registered office: München, Bavaria District court München HRB, 158525, Business address: Erika-Mann-Straße 31-37, 80636 Munich, Germany, Directors: Joachim Wettermark, José Luiz Moura Neto) to process service requests submitted by e-mail or via the Service Portal Forms. Data is stored only within the EU. We have entered into a contract processing agreement with Salesforce and also an additional EU standard contract. Please also note Salesfroce's data protection/privacy policy: https://www.salesforce.com/de/company/privacy/
We store our portal data with our technical service provider mpex GmbH (Hosting), Werner-Voß-Damm 62, 12101 Berlin, Germany.
Furthermore, data is passed on within our group to corporate benefits IT solutions, Schiffbauerdamm 40, 10117 Berlin, Germany for the purpose of providing our services.
X. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights with respect to the data controller (responsible party):
1. Right to information
You can request that the responsible party confirm whether we will process personal data that concerns you.
If such is indeed the case, you can request the following information from the responsible entity:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom your personal data has been or will be disclosed;
(4) the planned duration of retention of your personal data, or, if specific information in this respect is not possible, the criteria for determining the retention period;
(5) the existence of a right to correct or have your personal data deleted or to restrict its processing by the responsible entity or to object to such processing;
(6) the existence of the right to lodge a complaint with a supervisory authority;
(7) any available information on the origin of the data if the personal data has not been collected from the person concerned;
(8) the existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
You have the right to request information regarding whether your personal information will be transmitted to a third-party country or an international organisation. In this respect, you can request information about the appropriate guarantees in accordance with art. 16 of the DPA in relation to the transmission.
2. Right to have data corrected
You have a right to correct and/or add to your personal data held by the data controller if it is incorrect or incomplete. The responsible party shall make the correction immediately.
3. The right to limitation of processing
You may ask for the processing of your personal data to be restricted under the following conditions:
(1) if you contest the accuracy of your relevant personal data, for as long as it takes the responsible entity to verify its accuracy;
(2) the processing is unlawful and you refuse to have the data deleted and instead wish to restrict its use;
(3) the party responsible no longer needs the personal data for processing purposes, but you need it to establish, exercise, or defend legal claims; or
(4) if you have made an objection against processing based on art. 30 para. 2 letter b in conjunction with art. 32 para. 2 letters a, b DPA and it is not yet clear whether the legitimate reasons of the data controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, then – apart from their storage – this data may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person, or for reasons of an important public interest on the part of the Union or a Member State.
If the limitation of the processing has been restricted for any of the grounds listed above, the responsible entity will notify you before lifting the restriction.
4. Right to deletion
4.1 Deletion obligation
You may request that the data controller delete the personal data that concerns you immediately, and the data controller will be obliged to delete this data immediately if one of the following reasons applies:
(1) Your personal data is no longer required for the purposes for which it was originally collected or otherwise processed.
(2) You revoke your consent on which the data processing was based and there is no other legal basis for data processing.
(3)You object to processing in accordance with 30 para. 2 letter b in conjunction with art. 32 para. 2 letters a, b DPA.
(4) Your personal data has been processed unlawfully.
(5) The deletion of personal data that concerns you is required to fulfill a legal obligation to which the data controller is subject.
4.2 Transfer of Personal Data to Third Parties
If the data controller has made the personal data that concerns you public and if the data controller is obliged to delete it pursuant to art. 6 para. 4 in conjuction with art. 32 para. 2 letter c DPA, that data controller shall take appropriate measures, including technical means, while taking into account available technology and implementation costs, to inform the parties responsible for data processing who process this personal data, that you as the data subject have requested the deletion of all links to such personal data or of copies or replications of such personal data.
4.3 Exceptions
The right to deletion does not exist if processing is necessary:
(1) to exercise the rights to freedom of expression and information;
(2) to fulfil a legal obligation that requires processing under laws and regulations to which the responsible party is subject or for the performance of a task in the public interest or in the exercise of official authority conferred to the responsible party;
(3) for reasons of public interest with regard to public health;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes, insofar as the right referred to under section 4.1 is likely to make impossible or seriously impair the attainment of the objectives of such processing, or
(5) to assert, exercise, or defend legal claims.
5. Right to information
If you have exercised your right to have the responsible party correct, delete, or limit the processing, this party is obliged to inform all recipients to whom the personal data that concerns you has been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
It is your right to have the controller inform you about these recipients.
6. Right to data portability
You have the right to obtain your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to pass this data on to another responsible party without obstruction by the data controller to whom the personal data was provided, insofar as
(1) the processing is based on consent given in accordance with art. 6 para. 6 in conjunction with art. 31 para. 1 DPA or on a contract in accordance with art. 31 para. 1, 2 letter a DPA and
(2) processing is carried out using automated methods.
In exercising this right, you also have the right to bring about that the personal data relating to you are transmitted directly from one data controller to another data controller, as far as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the responsible party.
7. Right of Objection
You have the right, for reasons arising from your specific situation, to object to the processing of personal data concerning you at any time, which is carried out in accordance with art. 31 para. 1 DPA; the same applies to profiling based on these provisions.
The data controller will no longer process the personal data that concerns you, unless the party can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling insofar as it is associated with such direct marketing.
If you object to your data being processed for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services, you may exercise your right to object by automated means using technical specifications.
8. Right to revoke consent
You have the right at any time to revoke your data protection declaration of consent. The withdrawal of consent shall not affect the lawfulness of processing taking place on the basis of this consent before its revocation.
9. Automated decision in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing - including profiling - that has legal effect against you or significantly impairs you in a similar manner. This shall not apply if the decision:
(1) is necessary for the conclusion or fulfilment of a contract between you and the responsible party,
(2) is authorised by laws and regulations to which the party responsible is subject and which also lay down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to art. 5 letter c DPA, unless appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
In the cases referred to in (1) and (3), the data controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person on the part of the data controller, to state his or her own position and to challenge the decision.
10. The right to file a legal complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you also have the right to report to, consult with and, at all events, to receive recommendations from the responsible supervisory authority in Switzerland (Federal Data Protection and Information Commissioner, EDOEB) or in your country of residence if you believe that the processing of your personal data violates the DPA or data protection regulations applicable in your country of residence.
last updated: 11.2025
corporate benefits swiss AG
