Data protection declaration

In this data protection declaration we describe how Blockchain Research  SA (hereinafter “Blockchain”, “we”) acquires and processes personal data. This data protection declaration does not constitute an exhaustive description and, where applicable, other data protection declarations regulate specific cases. For the purposes of this data protection declaration, personal data means all information that refers to an identified or identifiable natural person pursuant to art. 5 of the Federal Act of 25 September 2020 on Data Protection (“LPD”). We process personal data in accordance with the requirements of the LPD and, if and to the extent applicable, in accordance with the European Union General Data Protection Regulation (“GDPR”) and local data protection laws.

1. Responsible body and contact

Blockchain Research is the data controller and can, in some cases, also assume the role of data controller pursuant to the LPD.

Requests for information regarding data protection can be sent to us by letter or email, attaching a copy of the identity card or passport for user identification:

Blockchain Research SA

Via Cantonale 112 – 6818 – Melano – Switzerland

Email: amministrazione@bckr.ch

Telephone: +41 91 922 58 50

2. Acquisition and processing of personal data

By the term “processing” we mean any operation relating to personal data, regardless of the means and procedures used, in particular the collection, recording, storage, use, modification, communication, archiving, deletion or data destruction.

Our processing of personal data concerns, in particular, the following categories:

• data of customers to whom we provide or have provided services;
• personal data, which we have received indirectly from our customers in the context of providing services;
• data obtained from viewing our website;
• data deriving from our newsletter;
• data obtained by participating in one of our events;
• data obtained when we communicate or meet a customer;
• in the context of other contractual relationships, e.g. e.g. as a supplier of goods or services or as a consultant;
• data received during applications;
• data that we are obliged to process for legal or administrative reasons;
• where we protect our duties of care or other legitimate interests, e.g. e.g. to avoid conflicts of interest, money laundering or other risks, or to ensure data accuracy, check creditworthiness, protect security or exercise our rights.

We aim to limit the collection of personal data only to personal data required for legitimate purposes.

Detailed information can be found in the description of the respective categories of treatments in point 4.

3. Categories of personal data

The personal data we process depends on your relationship with us and the purpose for which we process it. In addition to your contact data, we also process other information about you or people who are associated with you. Sometimes, this information may also include personal data worthy of particular protection.

Blockchain acquires the following categories of personal data, depending on the purpose for which it processes them:

• contact information (e.g. first name, last name, address, telephone number, e-mail);
• information concerning the customer (e.g. date of birth, nationality, marital status, profession, title, job description, passport/identity card number, AVS number);
• data for risk assessment (e.g. credit information, commercial register data);
• financial information (e.g. banking relationship data);
• data relating to the mandate, according to the type of mandate (e.g. tax information, statutes, minutes, projects, contracts, employee data (e.g. salary, social insurance), accounting data, beneficial owners, property relations);
• data relating to the web pages (e.g. IP addresses, device information (UID), browser information, use of the web pages (use and analysis of plug-ins, etc.);
• application data (e.g. curriculum vitae, employment certificates);
• marketing information (e.g. subscription to a newsletter);
• security and network data (e.g. visitor lists, access controls, network and email scanners, phone call lists);

To the extent permitted, we also obtain certain data from publicly available sources (e.g. debt collection registers, land registers, commercial register, press, internet) or receive them from our clients and their employees, from authorities, (arbitral) courts and other third parties. In addition to your data, which you provide to us directly, the categories of personal data concerning you and which we receive from third parties include in particular information from public registers, information that comes to our knowledge in the framework of judicial or administrative proceedings, information in relation to your professional functions and activities, information about you from correspondence and conversations with third parties, information about your creditworthiness, information about you provided by people in your environment (family, consultants, legal representatives, etc.), so that you can conclude or perform contracts with you or which involve your involvement, information to comply with legal requirements, for example in relation to money laundering or export restrictions, information from banks, insurance companies, distributors and our other contractual partners for the request or the provision of services by you, information about you from the media and the Internet (provided this is appropriate in the specific case, e.g. e.g. in the context of an application, etc.), your addresses and possibly interests, as well as other socio-demographic data (formarketing), data relating to your use of the website (e.g. IP address, MAC address of your smartphone or computer, information about your device and its settings, cookies, date and time of visit, pages and contents accessed, functions used, referring websites, location information).

4. Purposes of data processing and legal bases

4.1. Provision of services

We mainly process personal data that we receive from these and other persons involved within the framework of our mandate relationships with our customers and other contractual relationships with business partners.

In the case of personal data of our customers, this concerns in particular the following information:

• contact information (e.g. first name, last name, address, telephone number, e-mail, other contact information);
• personal information (e.g. date of birth, nationality, marital status, profession, title, job description, passport/identity card number, AVS number, family situation, etc.);
• data for risk assessment (e.g. creditworthiness information, commercial register data, sanctions lists, specialized databases, data obtained from the internet);
• financial information (e.g. data concerning banking relationships, investments or shareholdings);
• data relating to the mandate, according to the type of mandate, p. e.g. tax information, statutes, minutes, employee data (e.g. salary, social insurance), accounting data, etc.;
• personal data particularly worthy of protection: this data may include data on health, religious beliefs or social welfare measures, in particular when we provide services in the field of payroll or accounting.

We process your personal data for the purposes indicated above, depending on the situation, in particular on the following legal bases:

• stipulation or execution of a contract with the interested party or in favor of him, including pre-contractual negotiations and possible implementation (e.g. consultancy, trustee);
• compliance with a legal obligation (e.g. when we fulfill our obligations as an auditor or are obliged to disclose information);
• protection of legitimate interests (e.g. for administrative purposes or to improve our quality, ensure security, manage risks, exercise our rights, defend ourselves against unjustified claims or verify the possibility of conflicts of interest);< /li>
• consent (e.g. to send you marketing information).

4.2. Indirect processing of data from the provision of services

When we provide services to our customers, it may happen that we also process personal data that we have not acquired directly from the data subjects or personal data of third parties. As a rule, these third parties are employees, contact persons, family members or people who for other reasons have a relationship with customers or interested parties. We need this personal data to honor contracts with our customers. We receive this personal data from our customers or third parties commissioned by them. Third parties, whose information we process for this purpose, are informed of this processing by our customers. To this end, our customers can refer to this data protection declaration. The data concerning people who have a relationship with our customers consists in particular of the following information:

• contact information (e.g. first name, last name, address, telephone number, e-mail, other contact information, marketing data);
• personal information (e.g. date of birth, nationality, marital status, profession, title, job description, passport/identity card number, AVS number, family situation, etc.);
• financial information (e.g. data concerning banking relationships, investments or shareholdings);
• data relating to the mandate, according to the type of mandate, p. e.g. tax information, statutes, minutes, employee data (e.g. salary, social insurance), accounting data;
• personal data particularly worthy of protection: this personal data may also include data particularly worthy of protection, such as. e.g. data on health, religious beliefs or social welfare measures, in particular when we provide services in the field of payroll or accounting.

We process your personal data for the purposes indicated above, depending on the situation, in particular on the following legal bases:

• entering into or performing a contract with the person iinterested or in its favor, including pre-contractual negotiations and possible implementation (e.g. when we fulfill our contractual obligations);
• compliance with a legal obligation (e.g. when we fulfill our obligations as an auditor or are obliged to disclose information);
• protection of legitimate interests, in particular our interest in providing our customers with optimal performance.

4.3. Use of our website

To use our website, you do not need to disclose any personal data. However, when you access the site, the server collects a series of information about the user, which is temporarily saved in the server logfiles.

The use of this generic information does not imply any attribution to a specific person. The acquisition of such information or data is necessary for technical reasons, to be able to view our site and guarantee its stability and security. This information is also acquired to improve the site and analyze its use.

More precisely, this is the following information:

• contact information (e.g. first name, last name, address, telephone number, e-mail);
• other information that you transmit to us via the site;
• technical information, information on user behavior or site settings (e.g. IP address, UDI, device type, number of page clicks, newsletter opening, link clicks, etc.) that are transmitted directly to us or to our service providers.

We process your personal data for the purposes indicated above, depending on the situation, in particular on the following legal bases:

• protection of legitimate interests (e.g. for administrative purposes, to improve our quality, analyze data or make our services known);
• consent (e.g. for the use of cookies or for the newsletter).

4.4. Use of the newsletter

If you subscribe to our newsletter, we use your email address and other contact details to send it to you. With your consent, you can subscribe to our newsletter. Mandatory information for sending the newsletter is your full name and your email address, which we save after your registration. The legal bases for the processing of your data, in relation to our newsletter, are constituted by your consent to the sending of the same. This consent can be revoked at any time by unsubscribing from the newsletter.

4.5. Participation in events

If you participate in an event organized by us, we acquire the personal data necessary to organize and carry out the event and, possibly, subsequently provide you with additional information. We also use your information to notify you of additional events. It may happen that during such events, you are photographed or filmed and that the images are then published by us internally or externally.

More precisely, this is the following information:

• contact information (e.g. first name, last name, address, telephone number, e-mail);
• personal information (e.g. profession, function, title, employer’s company, eating habits);
• images or videos;
• payment information (e.g. banking relationship).

We process your personal data for the purposes indicated above, depending on the situation, in particular on the following legal bases:

• fulfillment of a contractual obligation with the interested party or in favor of him, including pre-contractual negotiations and the possible realization (possibility of participating in the event);
• protection of legitimate interests (e.g. organization of events, dissemination of information about our event, provision of services, efficient organisation);
• consent (e.g. to send you marketing information or create artwork).

4.6. Direct communication and visits

If you contact us (by telephone, email or in person) or we contact you, we process your personal data as necessary, depending on the purpose. In this case, you may have to leave us your contact details before your visit or when you show up at reception. We retain this personal data for a certain period of time in order to protect our infrastructure and information.

To organize telephone conferences, online meetings, video conferences and/or teleseminars, we use the «Zoom» or «Microsoft Teams» service.

In particular, we process the following information:

• contact information (e.g. first name, last name, address, telephone number, e-mail);
• marginal information about the communication (e.g. IP address, durationata and communication channel);
• recording of interviews, p. e.g. in the framework of video conferences;
• other information, which the user uploads, makes available or creates during the use of the videoconferencing service, as well as the metadata used for the maintenance of the provided service, as well as additional information on the processing of personal data by « Zoom” or Microsoft Teams can be found in their data protection notices;
• personal information (e.g. profession, function, title, employer’s company);
• time and time of the visit.

We process your personal data for the purposes indicated above, depending on the situation, in particular on the following legal bases:

• fulfillment of a contractual obligation with the interested party or in favor of him, including pre-contractual negotiations and the possible implementation (provision of a service)
• protection of legitimate interests (e.g. security, traceability, as well as care and administration of customer relationships).

4.7. Nominations

You can send us your application for a job in our company by letter or to the e-mail address indicated on our website. The documents and all personal data communicated with the application are treated with the utmost confidentiality and only for the purpose of processing your application, to be hired by us. In the absence of your objection, at the end of the application procedure, your file will be returned to you or cancelled/destroyed, if there is no legal obligation to keep it. However, we reserve the right to keep your file if we deem your profile suitable for future vacancies at our company. The legal bases for processing your data are your consent, the performance of the contract with you and our legitimate interests.

In particular, we process the following information:

• contact information (e.g. first name, last name, address, telephone number, e-mail);
• personal information (e.g. profession, function, title, employer’s company);
• application documents (e.g. motivation letter, certificates, diplomas, curriculum vitae);
• evaluation information (e.g. evaluation of the personnel consultant, references, assessment).

We process your personal data for the purposes indicated above, depending on the situation, in particular on the following legal bases:

• protection of legitimate interests (e.g. hiring of new collaborators);
• consent

4.8. Suppliers of goods and services, other contractual partners

When we enter into a contract with you to provide us with a service, we process personal data relating to you or your collaborators. We need this data to communicate with you to request your services. We sometimes also process this personal data to check whether a conflict of interest may exist in connection with our activity as an auditor and to ensure that we do not unintentionally incur any risks through our cooperation, e.g. e.g. regarding money laundering or possible sanctions.

In particular, we process the following information:

• contact information (e.g. first name, last name, address, telephone number, e-mail);
• personal information (e.g. profession, function, title, employer’s company);
• financial information (e.g. banking relationship data).

We process your personal data for the purposes indicated above, depending on the situation, in particular on the following legal bases:

• stipulation or execution of a contract with the person concerned or in favor of him, including pre-contractual negotiations and possible implementation
• protection of legitimate interests (e.g. avoidance of conflicts of interest, protection of the company, exercise of legal rights).

5. Tracking technologies

We use cookies on our site. These are small files that your browser automatically creates and saves on your terminal (laptop, tablet, smartphone, etc.) when you visit our site.

Information obtained from the specific terminal used is inserted into the cookie. However, this does not mean that we immediately learn your identity. The use of cookies serves on the one hand to make the use of our offer more pleasant for you. For example, we use so-called session cookies to know whether you have already visited certain pages of our website. When you leave our page, these cookies are automatically deleted.

Furthermore, also to optimize ease of use, we use ctemporary cookies, which are saved on your terminal for a pre-established period of time. If you then visit our page again to use our services, the system automatically recognizes that you have already visited us, which data you have entered and which settings you have activated, so that you do not have to enter/activate them again. We use cookies to statistically record the use of our website and to analyze our offer in order to optimize it for you. When you revisit our page, these cookies automatically let us know that you have been to us before. These cookies are automatically deleted after a pre-established time.

The data processed via cookies are necessary for the purposes mentioned. Most cookies are automatically accepted by browsers. However, you can configure your browser so that it does not save any cookies on your computer or that a warning appears before a new cookie is inserted. Furthermore, completely deactivating cookies may prevent you from using all the functions of our site. In this regard, we refer to our Cookie Policy published at the following link: https://…….. ………………………………………….. ……………………………………..

6. Web and newsletter analysis

To be informed about the use of our website, to improve our internet offering or to be able to draw your attention with our advertising also on third-party websites or on social media, we use the following web analysis tools and the following retargeting technologies : Google Analytics.

These tools are made available by third-party providers. As a rule, the information acquired for this purpose about the use of a site is transmitted to the third-party provider’s server via cookies or similar technologies. Depending on the third-party provider, these servers may be located abroad. Normally, data transmission occurs by shortening IP addresses, which prevents individual terminals from being able to be identified. The transmission of this information by third-party providers takes place exclusively on the basis of legal requirements or within the framework of mandated data processing.

6.1. Google Analytics

On the pages of our website we use Google Analytics, the web analysis service of Google LLC, Mountain View, California, USA; responsible for Europe is Google Limited Ireland («Google»). To deactivate Google Analytics, Google provides a browser plug-in at https://tools.google .com/dlpage/gaoptout?hl=it. Google Analytics uses cookies. These are small text files, which allow specific information concerning the user to be saved on the user’s terminal. These cookies allow Google to analyze the use of our website offerings. Generally, the information acquired by the cookie and concerning the use of our pages (including your IP address) is transmitted to a Google server in the USA, where it is stored. We would like to point out that on this site Google Analytics has been integrated with «gat._anonymizeIp();», in order to guarantee anonymized acquisition of IP addresses (so-called IP-masking). If anonymization is active, within the member states of the European Union and in other member states of the European Economic Area, Google shortens IP addresses, so as to make it impossible to trace your identity. Only in exceptional cases will the entire IP address be transmitted to a Google server in the USA and shortened there. In special circumstances, Google may connect your IP address with other Google data. For data transmission to the USA, Google has undertaken to sign up to and comply with the EU Standard Contractual Clauses.

6.2. Google Maps

On our website we use Google Maps (API) from Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA; responsible for Europe is Google Limited Ireland, «Google»). Google Maps is a web service for representing interactive (geographical) maps, in order to display geographical information. Through this service, we can show you where we are and make any itinerary easier for you. By calling up the pages below, in which the Google Maps map is integrated, information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there. This occurs regardless of whether Google provides a user account to which you are logged in or whether no such account exists. If you are logged into Google, your data is assigned directly to your account. If I wantTo avoid this assignment to your Google profile, you must log out before activating the button. Google stores your data (even if you are not logged in as a user) as user profiles and analyzes them. For data transmission to the USA, Google has undertaken to sign and comply with the EU standard contractual clauses.

6.3. Social media plug-in

So-called social media plug-ins (“plug-ins”) from third-party providers are used on our website. The plug-ins are recognizable by the logo of the respective social network. Through plug-ins, we offer you the possibility to interact with social networks and other users. We use the following plug-ins on our website: Facebook, Twitter, LinkedIn, YouTube. When you access our site, your browser establishes a direct connection to the servers of the third-party provider. The content of the plug-in (e.g. YouTube videos) is transmitted directly by the third-party provider in question to your browser and integrated into the page.

The retransmission of data for the display of content (e.g. publications on Twitter) occurs regardless of whether or not you have an account with the third-party provider and are logged in. Furthermore, if you have connected to the third-party provider, the data collected by us is assigned directly to the account you have with that provider. Finally, if you activate the plug-ins, the information is published on the social network and shown to your contacts. To find out about the purpose and scope of the data collection, as well as the further processing and use of the data by third-party providers as well as your rights in this regard and possible settings to protect your privacy, please Please consult the third party provider’s data protection notices. The third-party provider stores the data collected about you in the form of a user profile and uses it for the purposes of advertising, market research and/or needs-based configuration of its website. Such an analysis is also carried out for users who are not logged in, in order to present need-based advertising and to inform other users of the social network about your activities on our website. If you want to prevent third-party providers from assigning the data acquired on our site to your personal profile in the respective social network, disconnect from the social network in question before visiting our site. You can also completely prevent the loading of plug-ins with specialized add-ons for your browser, such as «Ghostery» (https://www. ghostery.com/) or «NoScript» (https://noscript.net/).

7. Retransmission and transmission of data

We only pass on your data to third parties if this is necessary to provide our service, if such third parties provide us with a service, if there is a legal or administrative obligation in this regard or if we have an overriding interest in the forwarding of the personal data. We also transmit personal data to third parties when you have given us your consent or asked us to do so.

We would also like to point out that if you transmit data to us about third parties, we will assume that you are authorized to do so and that this data is correct. The transmission of such data to third parties itself constitutes confirmation. We therefore invite you to inform these third parties about our processing of their data and to provide them with a copy of this data protection declaration.

Personal data is not always transmitted encrypted. Unless otherwise expressly agreed with the customer, accounting data, salary administration data, salary statements and certificates are not transmitted in encrypted form.

The following categories of recipients may receive personal data from us:

• branches, affiliated and sister companies;
• service providers (e.g. IT service providers, hosting providers, suppliers, consultants, lawyers, insurance companies);
• third parties in the framework of our legal or contractual obligations, such as authorities, state institutions, courts.

We conclude contracts with service providers who process personal data on our behalf in which they undertake to ensure data protection. Our service providers are predominantly located in Switzerland or in the EU/EEA. Certain personal data may also be sent to the USA (e.g. Google Analytics data) or, in exceptional cases, also to other countries around the world. If it is necessary to send data to other countries, which do not have a sufficient level of data protection, this is done on the basis of EU standard contractual clauses (e.g. in the case of Google) or other suitable instruments.

8. Duration of retention of personal data

We process and store your personal data as long as necessary for the fulfillment of our contractual or legal obligations or the achievement of the objectives pursued by the processing, i.e. for example for the duration of the entire business relationship (from pre-contractual negotiations, to the execution and upon termination of a contract), as well as in accordance with legal archiving and documentation obligations. Furthermore, personal data may be stored for as long as claims could be asserted against our company (in particular until the statutory limitation period expires), and insofar as we are, for other legal reasons, obliged to do so or legitimate commercial interests require it (e.g. for evidence and documentation purposes). As soon as your personal data is no longer necessary, in principle and as far as possible, it will be deleted or anonymized. Basically, retention periods of twelve months or shorter apply to operational data (e.g. system protocols, logs).

9. Data security

We take appropriate technical and organizational security measures to protect your personal data from misuse and illicit access, such as the dissemination of guidelines, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and data transmissions, pseudonymisation and controls.

10. Obligation to communicate personal data

In the framework of our business relationship, you must communicate the personal data necessary for the establishment and execution of this relationship, as well as for the fulfillment of the contractual obligations relating to it (as a rule, you do not have a legal obligation which requires us to provide data layout). Without this data we will be unable to enter into a contract with you (or the service or person you represent) or perform it. Our website cannot also be used if certain information (such as the IP address) is not provided to ensure data transmission.

11. Your rights

In relation to our processing of personal data, you have the following rights:

• right to be informed about the personal data concerning you and stored by us, the purpose of the processing, the origin and the recipients or categories of recipients to whom the personal data are forwarded;
• right to rectification, if your data is incorrect or incomplete;
• right to limit the processing of your personal data;
• right to request the deletion of personal data processed;
• right to data portability;
• right to object to data processing, or to withdraw consent to the processing of personal data, at any time without giving reasons;
• right to submit a complaint to a competent supervisory authority, if legally required.

To assert these rights, please contact the address indicated in point 1. Please note, however, that we reserve the right to assert the restrictions provided for by law, if we are, for example, obliged to keep or process certain data, if we have an overriding interest in it (to the extent that we can invoke it) or if we need it for the assertion of rights. If this incurs costs for you, we will inform you in advance.

12. Amendment of the data protection declaration

We expressly reserve the right to change this data protection declaration at any time.

Last modified: October 2023