Privacy Policy

Adjust cookie settings

Privacy Policy

In this privacy policy, we provide information about the processing of personal data in connection with our activities and operations, including our website at the domain name resilient-heritage.ch. In particular, we explain what personal data we process, for what purpose, in what manner and where. We also provide information about the rights of individuals whose data we process.

We have drafted this privacy policy in German. In the event of publication in another language, the German-language privacy policy shall prevail.

We may publish further privacy policies or other information on data protection for specific or additional activities and operations.

We are subject to Swiss law and, where applicable, foreign law, in particular that of the European Union (EU) with the European General Data Protection Regulation (GDPR).

In its decision of 26 July 2000, the European Commission recognised that Swiss data protection law ensures an adequate level of data protection. In its report of 15 January 2024, the European Commission confirmed this adequacy decision.

1. Contact details

The data controller within the meaning of data protection law is:

Bern
University of the Arts Institute for Materiality in Art and Culture
Fellerstrasse 11
CH-3027 Bern

resilientheritage(at)hkb.bfh.ch

In specific cases, third parties may be responsible for the processing of personal data, or there may be joint responsibility with third parties. We are happy to provide data subjects with information regarding the respective responsibility upon request.

Data Protection Officer or Data Protection Advisor

We have appointed the following data protection officer or data protection adviser as the point of contact for data subjects and authorities regarding enquiries relating to data protection:

Bern University
of Applied Sciences Data Protection
Office Falkenplatz 24
CH-3012 Bern

datenschutz(at)bfh.ch

2. Definitions and legal basis

2.1 Definitions

Data subject: A natural person in respect of whom we process personal data.

Personal data:Any information relating to an identified or identifiable natural person.

Sensitive personal data: Data relating to trade union, political, religious or philosophical views and activities; data relating to health, privacy or membership of an ethnic group or race; genetic data; biometric data that uniquely identifies a natural person; data concerning criminal or administrative sanctions or proceedings, and data concerning social welfare measures.

Processing:Any handling of personal data, regardless of the means and methods used, for example, the retrieval, comparison, adaptation, archiving, storage, reading, disclosure, collection, recording, erasure, disclosure, sorting, organisation, storage, alteration, dissemination, linking, destruction and use of personal data.

European Economic Area (EEA):Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland and Norway.

2.2 Legal basis

We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process personal data – insofar as the European General Data Protection Regulation (GDPR) applies – in accordance with at least one of the following legal bases:

  • Article 6(1)(b) of the GDPR for the processing of personal data necessary for the performance of a contract with the data subject and for the implementation of pre-contractual measures.
  • Article 6(1)(f) of theGDPR for the necessary processing of personal data to safeguard legitimate interests – including the legitimate interests of third parties – provided that the fundamental freedoms and rights as well as the interests of the data subject do not take precedence. Such interests include, in particular, the sustainable, people-friendly, secure and reliable conduct of our activities and operations, the safeguarding of information security, protection against misuse, the enforcement of our own legal claims and compliance with Swiss law.
  • Art. 6(1)(c) GDPR for the necessary processing of personal data to comply with a legal obligation to which we are subject under the applicable law of Member States within the European Economic Area (EEA).
  • Art. 6(1)(e) GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
  • Article 6(1)(a) of the GDPR for the processing of personal data with the consent of the data subject.
  • Art. 6(1)(d) GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
  • Art. 9(2) et seq. GDPR for the processing of special categories of personal data, in particular with the consent of the data subjects.

The European General Data Protection Regulation (GDPR) defines the handling of personal data as the processing of personal data and the handling of sensitive personal data as the processing of special categories of personal data (Art. 9 GDPR).

3. Nature, scope and purpose of the processing of personal data

We process the personal data necessary to carry out our activities and operations in a sustainable, people-friendly, secure and reliable manner. The personal data processed may fall, in particular, into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data and payment data. The personal data may also constitute special categories of personal data.

We also process personal data that we receive from third parties, obtain from publicly available sources or collect in the course of our activities and operations, insofar as such processing is permitted.

We process personal data, where necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example to comply with legal obligations or to safeguard overriding interests. We may also ask data subjects for their consent even where their consent is not required.

We process personal data for the period necessary for the respective purpose. We anonymise or delete personal data, in particular in accordance with statutory retention and limitation periods.

4. Disclosure of personal data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties may, for example, be specialist providers whose services we use. Such third parties may in turn disclose personal data to other third parties.

We may disclose personal data in the course of our activities and operations, in particular to banks and other financial service providers, public authorities, educational and research institutions, consultants and solicitors, accounting and fiduciary service providers, debt collection agencies, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and delivery companies, marketing and advertising agencies, media, parent, sister and subsidiary companies, organisations and associations, social institutions, telecommunications companies, insurance companies and payment service providers.

5. Communication

We process personal data in order to communicate with individuals as well as with public authorities, organisations and companies. In doing so, we process, in particular, data that a data subject provides to us when making contact, for example by post or email. We may store such data in an address book or using similar tools.

Third parties who provide us with data relating to other individuals are legally obliged to ensure the data protection of those data subjects themselves. In particular, they must ensure that they are authorised to provide such data and must also guarantee the accuracy of the data provided.

6. Data security

We take appropriate technical and organisational measures to ensure data security commensurate with the respective risk. Through our measures, we ensure in particular the confidentiality, availability, traceability and integrity of the personal data processed, without, however, being able to guarantee absolute data security.

Access to our website and our other digital presence is provided via transport encryption (SSL/TLS, in particular using the Hypertext Transfer Protocol Secure, abbreviated to HTTPS). Most browsers warn users before visiting a website without transport encryption.

Our digital communications – like all digital communications in general – are subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA) and other countries. We have no direct influence over the processing of personal data by intelligence services, police forces and other security authorities. Nor can we rule out the possibility that a data subject may be subject to targeted surveillance.

7. Personal data abroad

We generally process personal data in Switzerland and within the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular to process it there or have it processed there.

We may export personal data to any country in the world and elsewhere in the universe, provided that the law of that country guarantees adequate data protection in accordance with a decision of the Swiss Federal Council and – where and to the extent that the General Data Protection Regulation (GDPR) applies – also in accordance with a decision of the European Commission.

We may transfer personal data to countries whose laws do not guarantee adequate data protection, provided that data protection is ensured for other reasons, in particular on the basis of standard data protection clauses or other suitable safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if the specific data protection requirements are met, for example the explicit consent of the data subjects or a direct connection to the conclusion or performance of a contract. We are happy to provide data subjects, upon request, with information regarding any such safeguards or to supply a copy of any such safeguards.

8. Rights of data subjects

8.1 Data protection rights

We grant data subjects all rights in accordance with applicable law. Data subjects have the following rights in particular:

  • Right of access: Data subjects may request information as to whether we process personal data concerning them and, if so, what personal data is involved. Data subjects shall also receive the information necessary to exercise their data protection rights and to ensure transparency. This includes the personal data being processed as such, but also, amongst other things, details regarding the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data.
  • Rectification and restriction: Data subjects may have inaccurate personal data rectified, incomplete data completed, and the processing of their data restricted.
  • Right to express a view and human review: Data subjects may, in the case of decisions based solely on the automated processing of personal data which produce legal effects concerning them or significantly affect them (automated individual decisions), present their own point of view and request a review by a human being.
  • Erasure and objection: Data subjects may have personal data erased (‘right to be forgotten’) and object to the processing of their data with effect for the future.
  • Data disclosure and data portability: Data subjects may request the disclosure of personal data or the transfer of their data to another controller.

We may defer, restrict or refuse the exercise of data subjects’ rights within the legally permissible scope. We may inform data subjects of any conditions that must be met for the exercise of their data protection rights. For example, we may refuse to provide information in whole or in part, citing confidentiality obligations, overriding interests or the protection of other individuals. We may also, for example, refuse to erase personal data in whole or in part, in particular citing statutory retention obligations.

We may, in exceptional cases, charge a fee for the exercise of these rights. We will inform data subjects in advance of any costs involved.

We are obliged to identify data subjects who request information or assert other rights by taking appropriate measures. Data subjects are obliged to cooperate.

8.2 Legal Remedies

Data subjects have the right to enforce their data protection claims through legal proceedings or to lodge a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organised as members of the European Data Protection Board (EDPB). In some Member States of the European Economic Area (EEA), the data protection supervisory authorities have a federal structure, particularly in Germany.

9. Use of the website

9.1 Cookies

We may use cookies. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data need not be limited to traditional text-based cookies.

Cookies can be stored in the browser temporarily as ‘session cookies’ or for a specific period as so-called permanent cookies. ‘Session cookies’ are automatically deleted when the browser is closed. Persistent cookies have a specific storage period. In particular, cookies enable a browser to be recognised on the next visit to our website and thereby, for example, to measure the reach of our website. However, persistent cookies can also be used for online marketing, for example.

Cookies can be disabled, restricted or deleted in full or in part at any time via the browser settings. Browser settings often also allow for the automatic deletion and other management of cookies. Without cookies, our website may no longer be available in its entirety. We actively seek your express consent to the use of cookies – at least to the extent required by applicable law.

For cookies used for performance and reach measurement or for advertising, a general opt-out is available for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

9.2 Logging

For every visit to our website and our other digital presence, we may log at least the following information, provided that this is determined or transmitted as standard during such visits to our digital infrastructure: Date and time, including time zone, IP address, access status (HTTP status code), operating system, including user interface and version, browser, including language and version, individual sub-pages of our website accessed, including the amount of data transferred, and the last webpage accessed in the same browser window (referrer).

We record such information, which may also constitute personal data, in log files. This information is necessary to ensure that our digital presence can be provided on a permanent, user-friendly and reliable basis. The information is also required to ensure data security – including through third parties or with the assistance of third parties.

9.3 Web beacons

We may incorporate tracking pixels into our digital presence. Tracking pixels are also known as web beacons. Tracking pixels – including those from third parties whose services we use – are usually small, invisible images or scripts written in JavaScript that are automatically retrieved when you access our digital presence. Tracking pixels can be used to collect at least the same information as is recorded in log files.

10. Notifications and communications

10.1 Performance and reach measurement

Notifications and communications may contain web links or tracking pixels that record whether an individual message has been opened and which web links were clicked. Such web links and tracking pixels may also record the use of notifications and communications on a personal basis. We require this statistical tracking of usage for performance and reach measurement in order to be able to send notifications and communications effectively and in a user-friendly manner, as well as permanently, securely and reliably, based on the needs and reading habits of the recipients.

10.2 Consent and Objection

You must generally consent to the use of your email address and other contact details, unless such use is permitted for other legal reasons. We may use the ‘double opt-in’ procedure to obtain double-confirmed consent where necessary. In this case, you will receive a message containing instructions for double confirmation. We may log consent obtained, including IP address and timestamps, for evidential and security reasons.

You may, in principle, object at any time to receiving notifications and communications such as newsletters. By doing so, you may also object to the statistical recording of usage for the purposes of measuring success and reach. This is subject to any necessary notifications and communications relating to our activities and operations.

11. Social Media

We are present on social media platforms and other online platforms in order to communicate with interested parties and to provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The General Terms and Conditions (GTC) and Terms of Use, as well as privacy policies and other provisions of the individual operators of such platforms, also apply in each case. These provisions provide information in particular on the rights of data subjects directly vis-à-vis the respective platform, including, for example, the right of access.

12. Third-party services

We use services provided by specialised third parties to enable us to carry out our activities and operations in a sustainable, user-friendly, secure and reliable manner. Such services allow us, amongst other things, to embed functions and content into our website. When such embedding takes place, the services used collect users’ IPaddresses, at least temporarily, for technically necessary reasons.

For necessary security-related, statistical and technical purposes, third parties whose services we use may process data relating to our activities and operations in an aggregated, anonymised or pseudonymised form. This includes, for example, performance or usage data required to provide the relevant service.

In particular, we use:

12.1 Digital infrastructure

We use services provided by specialist third parties to access the digital infrastructure required in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.

In particular, we use:

12.2 Map material

We use third-party services to embed maps on our website.

In particular, we use:

12.3 Fonts

We use third-party services to embed selected fonts, icons, logos and symbols into our website.

In particular, we use:

13. Measuring success and reach

We endeavour to measure the success and reach of our activities and operations. In this context, we may also measure the impact of third-party content or test how different parts or versions of our digital presence are used (the ‘A/B testing’ method). Based on the results of success and reach measurement, we can, in particular, rectify errors, enhance popular content or make improvements.

In most cases, the IP addresses of individual users are collected for performance and reach measurement. In this case, IP addresses are generally truncated (‘IP masking’) in order to comply with the principle of data minimisation through the corresponding pseudonymisation.

Cookies may be used to measure success and reach, and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our digital presence, details of the screen size or browser window, and the – at least approximate – location. In principle, any user profiles created are exclusively pseudonymised and are not used to identify individual users. Individual third-party services with which users are registered may, where applicable, link the use of our online offering to the user account or user profile with the respective service.

In particular, we use:

14. Final notes on the privacy policy

We have created this privacy policy using the privacy policy generator from Datenschutzpartner.

We may update this privacy policy at any time. We will notify you of any updates by publishing the latest version of the privacy policy on our website.