Privacy policy for participation in online events, tele­con­ferences and webinars

Data protection is a question of trust. In this privacy policy, Participants can see what personal data is collected, processed, used and stored, for what purposes, who has access to the personal data, how long personal data is stored, what rights Participants have and how questions relating to data protection can be directed to the Organiser.

The Organiser in question is responsible for processing data in line with this privacy policy. Participants can contact the Organiser directly or BKW Management AG, Viktoriaplatz 2, 3013 Bern with the addendum “Data protection”, or send an email to datenschutz@bkw.ch to exercise their rights or raise concerns relating to data protection. This privacy policy is not a component of a contract, even if a contract makes reference to it, and BKW reserves the right to amend this privacy policy at any time. The version published at bkw.ch/en/privacy-policy is always the applicable version.

Where Participants visit the Microsoft website in connection with their participation in Events of BKW, Microsoft is responsible for data processing. Participants with questions about data protection at Microsoft can refer to the privacy policy of Microsoft.

Personal data is information that can be associated with a specific person. The Organiser processes various categories of such personal data. The most important categories in connection with participation in Events are listed below for orientation purposes:

• User information, such as a Participant’s first name, surname, phone number, email address, password and profile picture;
• Meeting metadata, such as the subject, description, IP address, devices and hardware information;
• Dial-in information, such as information about the incoming and outgoing phone numbers, country name, start and end times and connection data; and
• Text, audio and video data when chat, query or survey tools are used. In this regard, text input by the Participant is processed in order to display and log it. To enable transmission of video and audio, the data from the end device’s microphone and any camera the device might have is processed for the duration of the Event. Participants can turn off or mute the camera or microphone at any time in Microsoft Teams;
• If an Event is recorded (see below for more details), speech (voices) and images/video will also be processed.

To participate in an online Event, Participants must provide personal data such as their surname, first name, title, address, post code, town/city, email address and phone number. If necessary for the purposes of logging the outcomes of an Event, for example, chat and text content will be processed. If, for example, a Participant signs up for Microsoft Teams or takes part in an Event as a guest, reports about the Events (such as metadata or dial-in data) can be stored.

The following personal data is processed for the purposes of organising Events and marketing purposes, including responding to questions prior to and after the Event:

• Master data, such as the Participant’s salutation, title, surname and first name;
• Contact data, such as the Participant’s address, email address and phone number;
• Information about the planned or completed Event; and
• Occupational data, such as the Participant’s company, position and job title.

In particular, the Organiser processes contact data to send the log-in details to Participants. The Organiser can also process this data to gauge the satisfaction of Participants and conduct surveys. By participating in an Event, the data subjects authorise the Organiser to send such messages.

The Organiser can also record Events. Participants will be notified that the Event is to be recorded and of any intention to publish the recording, and the active recording status will normally be displayed continuously, depending on the software being used. Participation in an Event with such notice is considered consent to being recorded.

In individual cases, this processed data can be highly sensitive (e.g. if reference is made to a person’s health during a teleconference). However, the Organiser does not process highly sensitive data specifically under this privacy policy.

In some cases, the European General Data Protection Regulation (GDPR) might apply. In particular, this applies to Organisers based in the EEA, although it can also affect other Organisers in individual cases. 

In such cases, processing is based on Art. 6(1)(1)(a) and potentially Art. 9(2)(a) GDPR. When the Organiser asks for content, it will provide information about the specific purpose of the processing it intends to carry out (especially the publication of the Event). Once given, consent can be withdrawn at any time with future effect.

Ultimately, the Organiser processes personal data if it has a legitimate interest that is not overridden by the interests of the Participants. In this case, data processing is based on Art. 6(1)(1)(f) GDPR. This processing includes recording the Event so that frequently asked questions and contributions can be incorporated into future Events directly. The goal of the Organiser here is to optimise Events and content. Data is processed for the purposes of communication before and after the Event and for direct marketing – where consent to the latter has not been obtained – on the basis of legitimate interests and to comply with Swiss law.

The Organiser processes the data collected during the Event to present the content and for communication with the Participants. In this case, where it is for the performance of a contract, the processing is based Art. 6(1)(b) GDPR; otherwise it is based on Art. 6(1)(f) GDPR (legitimate interests).

Personal data processed in connection with participation in Events is shared with other Participants, where participation itself results in its disclosure. Otherwise, it is not normally shared with third parties. Within the organisation of the Organiser, access to the data is given to the departments that need it to plan and execute the Event (e.g. so the Sales department can send invitations). Furthermore, the departments that process the personal data on the basis of a legitimate interest are given access to it, such as the Marketing department, for marketing purposes. The Organiser can also disclose personal data to service providers (primarily IT service providers for the purposes of executing the Event or sending notifications, but also to mail service providers, for example).

Due to the use of the video conferencing software Microsoft Teams, personal data may be disclosed to Microsoft Ireland Ltd. The Organiser has therefore entered into a processing agreement with Microsoft Ireland Ltd. Data is only shared with third parties if there is a legal obligation to do so (e.g. law enforcement agencies).

Although data is generally processed in computing centres in Switzerland or within the European Union, the Organiser cannot rule out the possibility that data might be routed through servers located outside of Switzerland or the EU, especially in the USA. Certain service providers might also be based outside of the EU. To protect the personal data of Participants, the data is encrypted when transmitted over the Internet.

If, in future, the Organiser should utilise other providers of video conferencing software that process the personal data of Participants outside of Switzerland or the European Union, this will only occur if there is an adequate level of protection in the third country in question or if sufficient personal data protection guarantees are in place, normally based on the standard contractual clauses of the European Union, unless the recipient is already subject to a legally recognised data protection regime and the Organiser cannot make use of an exemption. An exemption can apply in the event of legal proceedings abroad, but also in cases of overriding public interest or if such disclosure is required for the performance of a contract, if the Participant has consented to the disclosure or if the data has been made generally accessible and the Participant has not objected to its processing.    

The Organiser retains the personal data of Participants during the preparation and execution of the Events, and for a reasonable period of time thereafter, to allow contact with the Participants. If the personal data of the Participants is processed for other purposes in accordance with other privacy policies, a longer retention period may apply.

If the Organiser also stores the personal data for advertising purposes in line with a legitimate interest, the Organiser shall erase the data as soon as the Participant objects to continued advertising. This does not apply if the personal data is subject to a retention period. In this case, however, the personal data will no longer be usable for marketing purposes. The same applies if the Participant withdraws their consent to the processing of personal data. If the Organiser is obliged to store personal data under fiscal, commercial or other law, it shall store the data until the expiry of the retention periods.

Depending on the applicable law and subject to statutory restrictions and exceptions, Participants have the right of information, the right to rectification, the right to erasure, the right to restriction of processing and the right to withdraw consent with future effect. The Participants are free to file a complaint with a supervisory authority if they have concerns about whether their personal data is being processed lawfully. The supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

Participants have the right to object to the processing of personal data for reasons that may arise from particular situations. If a Participant objects to processing, their personal data will no longer be processed unless the Organiser can demonstrate compelling legitimate grounds to process the data that override the interests, rights and freedoms of the Participant, or if the processing is necessary for the establishment, exercise or defence of legal claims.

The Organiser also processes the personal data for marketing purposes, to which end it processes data to align marketing material with the interests of Participants. This processing for direct marketing purposes takes place on the basis of the Organiser’s legitimate interest, provided that consent has not been obtained. Participants can object to data processing for marketing purposes at any time. This also applies to profiling if it is linked to marketing. If Participants object to processing for direct marketing purposes, the data will no longer be processed for that purpose. Participants can send an informal objection to the Organiser.

For participation in Events, the aforementioned personal data must be collected and processed. Without this personal data, the Organiser is unable to hold Events. If the Organiser asks for consent, the consent and the processing of personal data on the basis of that consent are voluntary.

«Automated decision-making» refers to decisions that are based solely on automated processing, i.e. with no human intervention, and which have legal consequences for the data subject or otherwise significantly affect them. In the event of such a decision, you will be notified separately. You can then have the decision reviewed by a human being if you do not agree with it.

The Organiser uses partially automated methods to process personal data to make Participants aware of products and services that align with their interests as much as possible. In doing so, the Organiser takes into account user behaviour, such as the frequency of participation in Events, the content of webinars attended and enquiries relating to products and services.