Privacy Policy

This privacy statement describes how we collect and process personal data on behalf of Serves AG, Serves Audit AG and distag ag. For the purposes of this privacy policy, personal data means all information relating to an identified or identifiable individual.

1 Responsible body and contact

The company that collects and processes the data is responsible for the data processing that we describe here. Inquiries about data protection can be sent by letter or email to the following contact, enclosing a copy of your ID or passport for identification:

Serves AG / Serves Audit AG / distag ag
Haselstrasse 18
5400 Baden
This email address is being protected from spambots. You need JavaScript enabled to view it.

2 Editing categories

We collect and process personal data in particular in connection with

  • the provision of services
  • of indirect data processing from service provision
  • the use of our website
  • participation in events
  • direct communication and visits
  • applications
  • Suppliers, service providers and other contractual partners
  • legal or regulatory obligations
  • the performance of our duty of care or other legitimate interests (e.g. to avoid conflicts of interest, money laundering or other risks, to ensure data accuracy, to check creditworthiness, to ensure security or to enforce our rights)

More detailed information can be found in the description of the respective categories of processing under point 4.

3 Personal data categories

Which personal data we process depends on your relationship with us and the purpose for which we process it. In addition to your contact details, we also process other information about you or people who have a relationship with you. This information may also include personal data that is particularly worthy of protection.

We collect the following categories of personal data depending on the purpose for which we process it:

  • Contact information (e.g. last name, first name, address, telephone number, e-mail)
  • Customer information (e.g. date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number)
  • Risk assessment data (e.g. creditworthiness information, commercial register data)
  • Financial information (e.g. bank details)
  • Mandate data, depending on the order (e.g. tax information, statutes, minutes, projects, contracts, personnel data (e.g. wages, social security), accounting data, beneficial owners, ownership)
  • Website data (e.g. IP address, device information (UDI), browser information, website usage (analysis and use of plugins, etc.)
  • Application data (e.g. CV, job references)
  • Security and network data (e.g. visitor lists, access controls, network and mail scanners, telephone call lists)

Insofar as this is permitted, we also take certain data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, press, Internet) or receive such data from our clients and their employees, from authorities, (arbitration) courts and other third parties. In addition to the data you give us directly, the categories of personal data that we receive from third parties about you, in particular information from public registers, information that we learn in connection with official and judicial proceedings, information in connection with your professional functions and activities (so that we can, for example, conclude and process business with your employer with your help), information about you in correspondence and meetings with third parties, credit reports, information about you that people from your environment (family, consultants, legal representatives, etc.) so that we can conclude or process contracts with you or with your involvement (e.g. references, your address for deliveries, powers of attorney) information on compliance with legal requirements such as combating money laundering and export restrictions, information from banks, insurance companies, sales and other contractual partners of ours on the use or provision of services by you (e.g. payments made, purchases made), information about you from the media and the Internet (if this is indicated in a specific case, e.g. as part of an application, etc.), your addresses and possibly interests and other socio-demographic data (for marketing), data in connection with the use of the website (e.g. IP address, MAC address of the smartphone or computer, information about your device and settings, cookies, date and time of the visit, pages and content accessed, functions used, referring website, location information).

4 Processing purposes and legal bases

4.1 Provision of services

We primarily process the personal data that we receive from these and other people involved as part of our client relationships with our customers and other contractual relationships with business partners.

The personal data of our customers includes in particular the following information:

  • Contact information (e.g. last name, first name, address, telephone number, email, other contact information)
  • Personal information (e.g. date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number, family circumstances, etc.)
  • Risk assessment data (e.g. creditworthiness information, commercial register data, sanctions lists, specialized databases, data from the Internet)
  • Financial information (e.g. data on bank details, investments or participations)
  • Mandate data, depending on the order, e.g. tax information, statutes, protocols, personnel data (e.g. wages, social security), accounting data, etc.
  • Personal data that is particularly worthy of protection: This personal data may also include personal data that is particularly worthy of protection, such as data on health, religious beliefs or social assistance measures, especially if we provide services in the area of taxes (e.g. tax returns), payroll processing or bookkeeping.

We process this personal data for the purposes described based on the following legal bases:

  • Conclusion or processing of a contract with the data subject or in favor of the data subject, including contract initiation and any enforcement (e.g. advice, trusteeship)
  • Compliance with a legal obligation (e.g. when we are performing our duties as auditor or are required to disclose information)
  • Protection of legitimate interests (e.g. for administrative purposes, to improve our quality, ensure security, operate risk management, enforce our rights, defend ourselves against claims or to check possible conflicts of interest)
  • Consent (e.g. to send you marketing information).

4.2 Indirect data processing from service provision

When we provide services for our customers, it may happen that we also process personal data that we have not collected directly from the person’s concerned or personal data from third parties. These third parties are usually employees, contact persons, family members or persons who have a relationship with the customer or the data subject for other reasons. We need this personal data in order to fulfill contracts with our customers. We receive this personal data from our customers or from third parties commissioned by our customers. Third parties whose information we process for this purpose are informed by our customers that we process their data. Our customers can refer to this privacy policy for this purpose.

The personal data of the people who have a relationship with our customers include the following information in particular:

  • Contact information (e.g. last name, first name, address, telephone number, email, other contact information, marketing data)
  • Personal information (e.g. date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number, family circumstances, etc.)
  • Financial information (e.g. data on bank details, investments or participations)
  • Mandate data, depending on the order, e.g. tax information, statutes, protocols, personnel data (e.g. wages, social security), accounting data
  • Personal data that is particularly worthy of protection: This personal data may also include personal data that is particularly worthy of protection, such as data on health, religious beliefs or social assistance measures, especially if we provide payroll processing or accounting services.

We process this personal data for the purposes described based on the following legal bases:

  • Conclusion or processing of a contract with the data subject or in favor of the data subject (e.g. if we fulfill our contractual obligations)
  • Compliance with a legal obligation (e.g. when we are performing our duties as auditor or are required to disclose information)
  • Protecting legitimate interests, in particular our interest in providing our customers with the best possible service.

4.3 Use of our website

In order to use our website, no personal data has to be disclosed. However, with each call, the server records a series of user information, which is temporarily stored in the server's log files. When using this general information, there is no assignment to a specific person. The collection of this information or data is technically necessary to display our website and to ensure its stability and security. This information is also collected to improve the website and to analyze how it is used.

In addition, the necessary information is collected in connection with Arcano, which is required for the transmission of the data to us.

Sometimes the following information is collected when using the website:

  • Information that you transmit to us via Arcano (e.g. surname, first name, address, telephone number, e-mail, etc.)
  • Technical information automatically transmitted to us or our service providers, information about user behavior or website settings (e.g. IP address, UDI, device type, browser, number of clicks on the page, opening the newsletter, clicking on links, etc.)

We process this personal data for the purposes described based on the following legal bases:

  • Conclusion or execution of a contract with the data subject or for the benefit of the data subject (e.g. when we carry out our contractual obligations)
  • Safeguarding legitimate interests (e.g. for administrative purposes, to improve our quality, analyze data or publicize our services)
  • Note on processing (e.g. regarding cookies).

4.4 Participation in events

If you take part in an event organized by us, we collect personal data in order to organize and carry out the event and, if necessary, to send you additional information afterwards. We also use your information to notify you of other events. You may be photographed or filmed by us at these events and we may publish this footage internally or externally.

In particular, this concerns the following information:

  • Contact information (e.g. last name, first name, address, telephone number, e-mail)
  • Personal information (e.g. occupation, position, title, employer company, eating habits)
  • pictures or videos
  • Payment information (e.g. bank details).

We process this personal data for the purposes described based on the following legal bases:

  • Fulfillment of a contractual obligation with the data subject or for the benefit of the data subject, including contract initiation and possible enforcement (enabling participation in the event)
  • Safeguarding legitimate interests (e.g. holding events, disseminating information about our event, providing services, efficient organization)
  • Consent (e.g. to send you marketing information or create visuals).

4.5 Direct communication and visits

If you contact us (e.g. via telephone, email or chat) or we contact you, we will process the necessary personal data. We also process this personal data when you visit us. In this case you may have to leave your contact details before your visit or at reception. These are retained by us for a certain period of time in order to protect our infrastructure and our information.

To conduct telephone conferences, online meetings, video conferences and/or webinars (“online meetings”), we use the “Microsoft Teams” service or an alternative service suggested by you.

In particular, we process the following information:

  • Contact information (e.g. last name, first name, address, telephone number, e-mail)
  • Marginal data for communication (e.g. IP address, duration of communication, communication channel)
  • Recordings of conversations, e.g. during video conferences
  • Other information that you upload, provide or create while using the video conferencing service and metadata used to maintain the service provided. Additional information about the processing of personal data by “Microsoft Teams” or an alternative service can be found in the privacy policies of the respective providers.
  • Personal information (e.g. occupation, position, title, employer company)
  • Time and reason for the visit.

We process this personal data for the purposes described based on the following legal bases:

  • Fulfillment of a contractual obligation with the data subject or in favor of the data subject, including initiation of a contract and any enforcement (provision of a service)
  • Protection of legitimate interests (e.g. security, traceability as well as processing and administration of customer relationships).

4.6 Applications

You can submit your application for a position with us by post or via the e-mail address given on our website. The application documents and all personal data communicated to us will be treated as strictly confidential, will not be disclosed to any third party and will only be processed for the purpose of processing your application for employment with us. Without your consent to the contrary, your application dossier will either be returned to you or deleted/destroyed after the end of the application process, unless it is subject to a statutory retention obligation. The legal basis for the processing of your data is your consent, the fulfillment of the contract with you and our legitimate interests.

We process the following information in particular:

  • Contact information (e.g. last name, first name, address, telephone number, email)
  • Personal information (e.g. occupation, position, title, employer company)
  • Application documents (e.g. letter of motivation, references, diplomas, CV)
  • Assessment information (e.g. assessment of HR consultants, reference information, assessments)

We process this personal data for the purposes described based on the following legal bases:

  • Safeguarding legitimate interests (e.g. hiring new employees)
  • consent

4.7 Suppliers, service providers and other contractual partners

If we conclude a contract with you so that you provide a service for us, we process personal data from you or your employees. We need this in order to communicate with you and to make use of your services. We may also process this personal data to check whether there could be a conflict of interest in connection with our work as an auditor and to ensure that we do not take any unwanted risks with the cooperation, e.g. with regard to money laundering or sanctions.

In particular, we process the following information:

  • Contact information (e.g. last name, first name, address, telephone number, e-mail).
  • Personal information (e.g. occupation, position, title, employer company).
  • Financial information (e.g. bank details).

We process this personal data for the purposes described based on the following legal bases:

  • Conclusion or processing of a contract with the data subject or in favor of the data subject, including initiation of a contract and any enforcement
  • Protecting legitimate interests (e.g. avoiding conflicts of interest, protecting the company, enforcing legal claims).

5 Web and tracking technologies

In order to obtain information about the use of our website, to improve our Internet offer and to be able to address you with advertising on third-party websites or on social media, we use the web analysis tools and re- targeting technologies described below.

These tools are provided by third parties. As a rule, the information collected for this purpose about the use of a website is transmitted to the third-party server through the use of cookies or similar technologies. Depending on the third-party provider, these servers are located abroad.

The data is usually transmitted by shortening the IP addresses, which prevents the identification of individual devices. A transfer of this information by third parties only takes place due to legal regulations or as part of order data processing.

5.1 Cookies

We use cookies on our website. These are small files that your browser creates automatically and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site.

Information is stored in the cookie that arises in connection with the specific end device used. However, this does not mean that we are immediately informed of your identity. On the one hand, the use of cookies serves to make the use of our offer more pleasant for you. We use so-called session cookies to recognize that you have already visited individual pages on our website. These are automatically deleted after leaving our site.

In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your end device for a specific period of time. If you visit our site again to make use of our services, it will automatically be recognized that you have already been with us and what inputs and settings you have made so that you do not have to enter them again. On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you. These cookies enable us to automatically recognize when you visit our site again that you have already been with us. These cookies are automatically deleted after a defined period of time.

The data processed by cookies are required for the purposes mentioned. Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or that a message always appears before a new cookie is created. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website.

5.2 Google Analytics

We use Google Analytics, the web analysis service provided by Google LLC, Mountain View, California, USA, on our websites; Google Limited Ireland (“Google”) is responsible for Europe. To deactivate Google Analytics, Google provides a browser plug-in at https://tools.google.com/dlpage/gaoptout?hl=de. Google Analytics uses cookies. These are small text files that make it possible to store specific, user-related information on the user's device. These enable Google to analyze the use of our website. The information collected by the cookie about the use of our pages (including your IP address) is usually transmitted to a Google server in the USA and stored there. We would like to point out that on this website Google Analytics is supplemented by the code «gat._anonymizeIp();» has been expanded to ensure anonymized collection of IP addresses (so-called IP masking ). If anonymization is active, Google shortens IP addresses within member states of the European Union or in other contracting states to the Agreement on the European Economic Area, which is why no conclusions can be drawn about your identity. Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there. Google may associate your IP address with other Google data. For data transfers to the USA, Google has committed to signing and complying with the EU Standard Contractual Clauses.

5.3 Google Maps

On our website we use Google Maps (API) from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Google Limited Ireland, “Google”) is responsible for Europe. Google Maps is a web service for displaying interactive (land) maps to visually display geographic information. By using this service, you will be shown our location and any journey will be made easier. When you access the subpages in which the Google Maps map is integrated, information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there. This occurs regardless of whether Google provides a user account through which you are logged in or whether there is no user account. If you are logged in to Google, your data will be assigned directly to your account. If you do not want your profile to be associated with Google, you must log out before activating the button. Google saves your data (even for users who are not logged in) as usage profiles and evaluates them.

For data transfers to the USA, Google has committed to signing and complying with the EU standard contractual clauses.

5.4 Google Web Fonts

The website uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into your browser cache in order to display text and fonts correctly. If your browser does not support web fonts, a standard font will be used by your computer.

Further information about Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy: https://www.google.com/policies/privacy

6 Data sharing and data transmission

We only pass on your data to third parties if this is necessary to provide our services, if these third parties provide a service for us, if we are legally or officially obliged to do so or if we have an overriding interest in passing on the personal data. We will also pass on personal data to third parties if you have given your consent or asked us to do so.

Not all personal data is transmitted in encrypted form by default. Unless explicitly agreed, accounting data, payroll administration data, pay slips and statements are transmitted unencrypted.

The following categories of recipients may receive personal data from us:

  • Branch offices, subsidiaries or sister companies
  • Service providers (e.g. IT service providers, hosting providers, suppliers, consultants, lawyers, insurance companies).
  • Third parties within the scope of our legal or contractual obligations, authorities, state institutions, courts.

We conclude contracts with service providers who process personal data on our behalf, which oblige them to guarantee data protection. Most of our service providers are located in Switzerland or in the EU / EEA. Certain personal data can also be sent to the USA (e.g. Google Analytics data) or, in exceptional cases, to other countries around the world. If it is necessary to transfer data to other countries that do not have an adequate level of data protection, this is done on the basis of the EU standard contractual clauses (e.g. in the case of Google) or other suitable instruments.

7 Duration of the retention of personal data

We process and store your personal data for as long as it is necessary to fulfill our contractual and legal obligations or for other purposes pursued by the processing, i.e. for example for the duration of the entire business relationship (from initiation, processing to termination of a contract) as well as in accordance with the legal retention and documentation obligations. It is possible that personal data will be stored for the time in which claims can be asserted against our company (i.e. in particular during the statutory limitation period) and insofar as we are otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the purposes mentioned above, it will generally be deleted or anonymized as far as possible. In principle, shorter retention periods of twelve months or less apply to operational data (e.g. system protocols, logs).

8 Data security

We take appropriate technical and organizational security precautions to protect your personal data from unauthorized access and misuse, such as issuing instructions, training courses, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymization and controls.

9 Obligation to provide personal data

As part of our business relationship, you must provide the personal data that is required to establish and conduct a business relationship and to fulfill the associated contractual obligations (as a rule, you do not have a legal obligation to provide us with data). Without this data, we will not be able to enter into or process a contract with you (or the entity or person you represent). The website cannot be used if certain information to ensure data traffic (such as IP address) is not disclosed.

10 Your rights

You have the following rights in connection with our processing of personal data:

  • Right to information about your personal data stored by us, the purpose of processing, the origin and recipients or categories of recipients to whom personal data is passed on.
  • Right to rectification if your data is incorrect or incomplete.
  • Right to restrict the processing of your personal data
  • Right to request the deletion of the processed personal data
  • Right to data portability
  • Right to object to data processing or to revoke consent to the processing of personal data at any time without giving reasons.
  • Right to lodge a complaint with a competent supervisory authority, where provided for by law.

In order to assert these rights, please get in touch with the contact given under point 1.

Please note, however, that we reserve the right to enforce the restrictions provided for by law, for example if we are obliged to store or process certain data, have an overriding interest in doing so (to the extent that we are entitled to rely on this) or use them for the assertion of require claims. If you incur any costs, we will inform you in advance.

11 Change of the privacy policy

We expressly reserve the right to change this privacy policy at any time.


Last modified: August 2023