The following privacy policy provides information on how your personal data is processed in connection with the website www.lezzilegal.ch (website) and in the context of the client relationship by Dr.iur. Lukas Lezzi (me, my).

The following information is regularly checked and updated to ensure it is up to date.

Your personal data will generally be processed in accordance with the standard of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA).

1. Scope and purpose of the collection, processing, and use of personal data

1.1 Website visit

When you visit the website, the servers of Hostpoint.ch, Hostpoint AG, Neue Jonastrasse 60 8640 Rapperswil-Jona, Switzerland, temporarily store each access in a log file. The following data is collected without your intervention and stored until automated deletion by me:

• Date and time of the access
• IP address
• By IP address,s the approximate location of the Internet connection is tracked
• The operating system used e.,g. Apple or Windows
• The browser type, e.g., Safari, Firefox, Explorer, etc.
• Where the access comes from; via Google, Yahoo, etc., or directly by entering the https:// domain.
• Error messages
• Information about the transferred data (e.g., the size of a question, answer, or comment in the case of a blog post, for example).

The collection and processing of this data are for the purpose of enabling the use of the website (connection establishment), to ensure system security and stability on a permanent basis, and to enable the optimization of my website as well as for internal statistical purposes. In the purposes described above, there is a legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR.

In the event of an attack on the network infrastructure or suspicion of other unauthorized or abusive website use, the IP address will be evaluated for reconnaissance and defense and, if necessary, used in criminal proceedings for identification and civil or criminal action against the users concerned. In the purposes described above, my legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR.

Finally, cookies and other applications based on cookies are used when you visit the website. For further information, please refer to section 3 “Cookies”.

1.2 Contact by email

You are responsible for the message and/or the transmitted content that you send me. Personal data is only collected if you provide it to me voluntarily. Therefore, you yourself are responsible for what data you transmit. In order to be able to answer your questions, I may ask you to provide me with additional information, e.g., your address, telephone number, etc. I only collect personal data from you if this is necessary to answer your questions or to provide the services you have requested.

When processing your inquiry by email, there is a legitimate interest in data processing within the meaning of Art. 6 (1) lit. f GDPR  You can object to this data processing at any time.

1.3 Contact via contact form

On my website, you can contact me via the contact form. Although the connection is secure, I ask you not to send me confidential data through this channel.

1.4 Mandate relationship

In the context of a client relationship, I process the following personal data, among others:

• Your name and contact information (including name, address, telephone number, or email address).
• Information about the company you represent, your position or title
• Identification and background information that you provide to me or that I collect from you in the course of establishing the client relationship
• Billing and payment information
• Information that you have provided to me or that I collect from you in the course of providing services to you, including communications related to the engagement
• Any other information relating to you which you provide to me in connection with the mandate.

I process the information in order to communicate with you, to conduct money laundering, conflict, and reputational checks prior to opening the mandate, to provide you with the services or legal advice you request, to bill you for the services, and to manage the business relationship with you, including the assertion, enforcement, and defense of legal claims.

The legal basis for the processing of your personal data for the preceding purposes lies in pre-contractual measures and the execution of a contract within the meaning of Art. 6 (1) lit. b GDPR  in the fulfillment of legal obligations according to Art. 6 (1) lit. c GDPR and, if applicable, in my legitimate interest in the targeted and efficient support of the client relationship within the meaning of Art. 6 (1) lit. f GDPR.

1.5 Microsoft 365

I use Microsoft 365 and various applications contained therein. Microsoft 365 is software produced by Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA. However, my contractual partner is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter “Microsoft”).

Otherwise, I process via Microsoft 365 all data that you provide to me by telephone, email, or via other channels when you contact me.

Currently, the following Microsoft 365 applications store data in Switzerland: Exchange Online, SharePoint, OneDrive, Teams. However, data in Switzerland can be transferred to other countries while using these applications. Microsoft 365 applications other than those mentioned above can also store data outside of Switzerland. According to Microsoft, the data, in this case, is primarily stored on servers in the EU. For these data processing operations, I have concluded an order processing agreement with Microsoft pursuant to Art. 28 GDPR and Art. 10a FDPA, respectively. Accordingly, I have agreed on extensive technical and organizational measures with Microsoft for Microsoft 365, which correspond to the currently applicable state of the art IT security, e.g., with regard to access authorization and end-to-end encryption concepts for the data line, databases, and servers. Microsoft also undertakes to me to be bound by professional secrecy and to implement appropriate protective measures. Microsoft has also added further protective provisions to the EU standard contractual clauses included in its contracts. Accordingly, Microsoft undertakes to take action against any request from a government agency and to compensate users in the event of government access. Where data is transferred to third countries, Microsoft always uses state-of-the-art encryption and promises that the data will be returned to its internal EU storage location immediately after processing. Microsoft assures that – even if it is legally obligated to disclose the data to security authorities – it will not disclose the encryption key or allow the encryption to be circumvented.

In connection with the foregoing data processing by Microsoft, access may also be obtained by Microsoft affiliates from outside the European Union. Exclusively for this case of access from outside the European Union in individual cases approved by me, I have concluded EU standard contracts (standard data protection clauses) with Microsoft. In order to guarantee an adequate level of data protection when transferring personal data to a third country such as the USA in this specific case, I have agreed and implemented supplementary measures in the form of state-of-the-art technical and organizational measures such as access authorization and encryption concepts for data lines, databases and servers with Microsoft, as described above.

The legal basis for the processing of personal data within Microsoft Teams is described below. The legal basis for all other data processing in Microsoft 365 is primarily the processing for pre-contractual actions as well as the execution of a contract, i.e. the client relationship, according to Art. 6 (1) lit. b GDPR  If you contact me outside of a client relationship (by phone or email), my legal basis is my legitimate interest within the meaning of Art. 6 (1) lit. f GDPR in the correct response and administration of your request. You can object to this data processing at any time (see section 14 “Contact”). In this case, however, I may no longer be able to process your request.

1.6 bexio AG

I use the services of bexio AG, Alte Jonastrasse 24, 8640 Rapperswil-Jona, Switzerland for accounting, invoicing and time tracking. All data is held on bexio servers in Switzerland. Bexio has implemented IT security measures according to the current state of the art. 

The legal basis for all other data processing at bexio is primarily the processing for pre-contractual actions as well as the execution of a contract, i.e. the client relationship, according to Art. 6 para. 1 lit. b GDPR.

2.   Location of data storage

The personal data affected by and referred to in the data protection provisions are stored on local data carriers in my office premises in addition to the servers of Hostpoint.ch as well as in the cloud on servers of Microsoft (see section 1.5) and bexio (see section 1.6.).

3.   Cookies

A cookie is a small record stored in text files that are placed on your browser or other device when websites are loaded in the browser. Cookies are used to “remember” you and your preferences when you visit my website, either for a single visit (through a “session cookie”) or for multiple repeat visits (referred to as a “persistent cookie”). A session cookie is deleted when you close your browser or after a short period of time. A persistent cookie is kept for a specified period of time, after which it expires and is deleted.

I use session cookies and persistent cookies on my website to provide a consistent and efficient experience for users of my website. Cookies also perform functions that allow users to remain logged in to the website, if that is the case.

There are the following types of cookies:

• Strictly necessary: These cookies are essential to allow you to use my website and its features. The information collected by these cookies relates to the operation of my website, such as language recognition, website scripting language, and security tokens to maintain secure areas of my website.
• Performance and analytics: these cookies collect anonymous information about how you use my website, such as which pages you visit most often, whether you receive error messages, and how you arrived at my website. They are also used to track details such as the number of unique visitors and page views to improve the user experience. The information collected by these cookies is only used to improve the use of my website, and never to identify you. These cookies are sometimes set by trusted third parties, such as Google Analytics.
• Functionality: these cookies store the choices you make, such as the country from which you visit my website and any changes you have made to the text size or other parts of web pages that you can customize to improve your experience with my website and make your visits more tailored and enjoyable. The information collected by these cookies can be anonymized and cannot be used to track your browsing activity on other websites.
• Third-party / embedded content: These cookies improve the experience of users of the website. These cookies allow you to share your activity on my website with social media such as Facebook and Twitter. I have no control over the information collected by these cookies.

My website automatically uses only strictly necessary cookies to allow you to use my website and its features and to ensure the functionality of my website.

4.   Links to my social media appearances

There are links on the website to my social media appearances on the following social networks:

• LinkedIn Corp, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.

If you click on the corresponding icons of the social networks, you will automatically be redirected to my profile of the respective social network. In order to use the functions of the respective network there, you must partially log into your user account for the respective network.

When you open a link to one of my social media profiles, a direct connection is established between your browser and the server of the social network in question. This provides the network with the information that you have visited my website with your IP address and accessed the link. If you access a link to a network while logged into your account on the network in question, the content of my site may be linked to your profile on the network, i.e. the network may link your visit to my website directly to your user account. If you want to prevent this, you should log out before clicking on the relevant links. In any case, an allocation takes place when you log into the relevant network after clicking on the link.

If you click on one of these links, you thereby give your consent within the meaning of Art. 6 para. 1 lit. a GDPR to the following data processing.

5.   Disclosure of the data to third parties

Personal data will be passed on to Hostpoint.ch, Hostpoint AG, Neue Jonastrasse 60 8640 Rapperswil-Jona Switzerland for the purpose of providing and maintaining the functionality of the websites.

I reserve the right to disclose personal data to government and regulatory authorities. In doing so, I fully comply with applicable regulation, legislation and any judicial or official requirements, in particular Swiss attorney-client privilege.

For these processing operations, I rely on my legitimate interests within the meaning of Art. 6 (1) lit. f GDPR.

6.   Transfer of personal data abroad

I may transfer your data to third parties (contracted service providers) based abroad for the purposes of the Transfer data processing to third parties (contracted service providers) located abroad.

Such third parties are obliged to protect the privacy of individuals to the same extent as I do. If the level of data protection in a country does not correspond to the Swiss or European level, I contractually ensure that the protection of your personal data corresponds at all times to that in Switzerland or the EU. For this purpose, I agree with the partners on the EU standard clauses and implement, if necessary, additional technical and organizational measures.

7.   Right to information, deletion and correction

You can object to data processing, in particular data processing in connection with direct marketing (e.g. against advertising emails) at any time. You have the following rights:

Right of access: You have the right to request at any time, free of charge, access to your personal data stored by me, if I process them. This gives you the opportunity to check what personal data I process about you and that I use it in accordance with the applicable data protection regulations.

Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed about the rectification. In this case, I will inform the recipients of the data concerned of the adjustments made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to have your personal data erased under certain circumstances. In individual cases, the right to erasure may be excluded.

Right to restriction of processing: You have the right, under certain circumstances, to request that the processing of your personal data be restricted.

Right to data transfer: Provided that you are resident in an EU or EEA member state, you have the right, under certain circumstances, to receive the personal data that you have provided to me free of charge in a readable format.

Right to lodge a complaint with a supervisory authority: Provided you are resident in an EU or EEA member state, you have the right to lodge a complaint with a competent supervisory authority about the way in which your personal data is processed.

Right of revocation: You generally have the right to revoke any consent you have given at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your revocation.

8. Storage periods

I store your personal data only as long as necessary to provide you with services you have requested or for purposes for which you have given your consent.

Please note that special legal retention periods may apply to certain data. This data must be stored by me until the end of the retention period. After that, business communication or concluded contracts, for example, must be stored for up to 10 years. I use them exclusively to fulfill my legal obligations.

9. Data security

I protect your personal data with appropriate physical, electronic and procedural safeguards, including firewalls, personal passwords, encryption and authentication technologies. If in individual cases personal data is collected via the website, the transmission is encrypted using the currently most common and most secure data transmission method SSL “Secure-Socket-Layer”.

Your data relating to the mandate relationship will additionally be encrypted again locally before being uploaded to Microsoft’s encrypted cloud.

In this context, please also note that data transmitted via an open network such as the Internet or an email service is openly accessible. If you share personal data over an open network, you should be aware that third parties may access this data and collect and use it for their own purposes.

10. Contact

If you have any questions about data protection, if you would like information, or if you would like to request deletion of your personal data, please contact us by email at lezzi@lezzilegal.ch. Alternatively, you can write to:

LezziLegal
Dr.iur. Lukas Lezzi
P.O. Box
Etzelstrasse 3
8038 Zurich

I have the following data protection representation according to Art. 27 GDPR in the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as an additional point of contact for supervisory authorities and data subjects for inquiries related to the General Data Protection Regulation (GDPR):

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany
info@datenschutzpartner.eu

 

Date: October 1, 2021