Data protection is of the utmost importance to Yokoy. We use various technical, organisational and contractual measures to ensure that your data is always kept up to date, stored securely and processed in accordance with Swiss (Federal Act on Data Protection; FADP and the associated Ordinance) and European data protection regulations (in particular the General Data Protection Regulation GDPR). This applies both in our company and in the cooperation with our partners.
i. Contact person Yokoy Group AG
ii. Categories of personal data
iii. What data we process
iv. International data transfers
v. Directory of data processing
vi. Data security
vii. Storage and deletion of data
viii. Your rights
3. Responsibility and review
I. Contact person Yokoy Group AG Zurich
Our data protection officer is available to answer any questions you may have about data protection.
1. Headquarters Yokoy Group AG – Zurich
Yokoy Group AG
MLaw Claudio Berther, LL.M (University of California, Berkeley)
Legal Counsel and Data Protection Officer
Tel: +41 (0)43 508 15 77
2. Yokoy Germany GmbH – Munich
Yokoy Germany GmbH
Design Offices Munich Macherei
Weihenstephaner Str. 12 (Building M6)
Tel: +49 151 42 04 31 22
Germany Company register number: HRB 267689
3.Yokoy Austria – Vienna
Tel: +43 1 417 01 15
Managing Director: Mag.(FH) Stephan Hebenstreit, LL.M.
Commercial register court: Vienna Commercial Court
Number of the company register: FN 534254
Place of jurisdiction: Vienna Commercial Court
Chamber affiliation: Vienna Chamber of Commerce
II. Categories of personal data
The personal data we process are divided into the following categories
1. Inventory data (e.g. last name, first name)
2. Contact details (e.g. telephone, e-mail, postal address)
3. Browser and Device Data, Meta or Boundary Data and Usage Data, Content Data that you submit to us (e.g., through the contact form, registration for newsletters, webinars and gated content or applications)
4. Location data
5. Contact, sales, contract and payment data in our Customer Relationship Management System
III. What data we process
1. Data you give us
You voluntarily provide us with data in various situations. For example, when you contact us, subscribe to our newsletter, register in the customer portal, apply for a job, register for a webinar or download protected content. If you want to know more about how we process this data, for what purpose and on what legal basis, read “A. Data you give us” or click here.
2. Data we process
In order to provide our services, maintain our infrastructure and provide the best possible experience to all stakeholders, we also process personal data. If you would like to know more about the purposes and legal basis for this, read “B. Data we process” or click here.
3. Data processed by our partners
To deliver our services, maintain our infrastructure and provide the best possible experience for all stakeholders, we work with partners. They also process personal data. For example, when you visit our website, use the Yokoy app or as part of our marketing and social media activities. If you would like to know more about the purpose and legal basis for this, please read “C. Data processed by our partners” or click here.
IV. International data transmission
Even though we make every effort to work with Swiss providers, the outflow of data abroad cannot be prevented. You can find out how this is legally implemented by Yokoy and how your data is also transferred in a legally secure manner in connection with foreign transfers under “D. International data transmission” or click here.
V. Directory of data processing
Yokoy maintains an internal data processing directory in accordance with Art. 30 GDPR and Art. 12 FADP.
VI. Data security
Data shared us is treated confidentially and protected against unauthorized access, damage or loss by technical and organizational measures. If you would like to learn more about how we protect your data technically, read “F. Data security” or click here.
VII. Storage and deletion of data
We store the data only as long as it is necessary for the fulfilment of the contract. The legal retention periods and your right to deletion according to article 17 GDPR remain reserved, provided that the requirements for this are met. If you want to know more about this, see “G. Data storage and data deletion” or click here.
VIII. Your rights
The GDPR grants the person whose data is processed various rights with which the person can influence the data processing. For an overview of the rights and how you can exercise them, see “H. Your rights” or click here.
A. Data you give us
1. Contacting us
You can contact us through a variety of channels, including phone, email, contact form, chat, social media, webinar registration, and “gated content” registration. We collect your contact details and information from the enquiry. This may be stored in our CRM (customer relationship management) system. This data is stored for internal use only.
1.1 Purpose of the processing
We store personal data in order to be able to respond to your inquiry or contact. Furthermore, this storage enables us to carry out the contract or pre-contractual measures in case of questions in an existing contractual relationship. In addition, Yokoy may conduct analyses about possible future contractual relationships, e.g. the size of the company, where the company is present and through which channels you have heard about Yokoy.
1.2 Legal basis
The basis for the data processing is Art. 6 I b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures. The analysis purposes are based on the legal basis of legitimate interests according to Art. 6 para. 1 lit. f GDPR to find out whether you fit into our customer portfolio in terms of size and geographical presence. The data processing is carried out in accordance with the data protection principles according to Art. 6 FADP. We use the Hubspot software to enable this service. You can find a link to the data protection principles here.
2. Registration for the newsletter
2.1 Purpose of the processing
Creation and dispatch of our newsletter.
2.2 Legal basis
If you subscribe to the newsletter, you give us permission to use your data for sending the newsletter. You also agree to the information described below. On the basis of article 7 III GDPR, you can revoke your consent at any time for the future; for this purpose, you will find an unsubscribe link in every email sent. For sending our newsletter, we use the software HubSpot and Sendgrid, a service of Twilio Inc. An overview of all partners with whom we cooperate for internal and external purposes as well as links to their data protection statements can be found under ” D. International data transmission” or click here.
2.3 Double-Opt-In-Procedure for the purpose of verifiability
An important principle of the General Data Protection Regulation is accountability. I.e. in article 5 II GDPR requires not only compliance with data protection regulations, but also proof thereof. For this reason, registration takes place in a double opt-in process. After your registration, you will receive an email in which you must confirm your email address. This prevents misuse with registrations from other email addresses. Registrations are stored in our CRM system so that we can legally prove the registration process. This includes the following data: Sign-up and confirmation time, type of newsletter, IP address and your contact details. The legal basis for this is the fulfilment of a legal obligation according to Art. 6 I c GDPR.
2.4 National specifics
Germany: The dispatch and performance measurement of the newsletter is based on the consent of the recipients pursuant to Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with. Section 7 (2) No. 3 UWG or on the basis of the legal permission pursuant to Section 7 (3) UWG.
Austria: The dispatch of the newsletter and the associated measurement of success is based on the consent of the recipients in accordance with Art. 6 Para. 1 lit. a, Art. 7GDPR in conjunction with Section 107 (2) TKG or on the basis of the legal permission pursuant to Section 107 (2) TKG.§ 107 para. 2 and 3 TKG. The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter software. In addition, there is a legal obligation to provide proof of registration. This obligation also results from the accountability according to article 5 III GDPR.
Switzerland Data processing is carried out in accordance with the data protection principles set out in article 6 of the FADP.
3. Webinar registrations
You can also register for webinars via the Hubspot tool to get to know our products better. We store the data you provide so that we can contact you if necessary, e.g. if it becomes necessary to cancel the event. We base our data processing on your consent according to Art. 6 I a GDPR. This consent can also be revoked for the future. To do so, contact us via a channel as per point I. The data processing is carried out in accordance with the data protection principles pursuant to Art. 6 FADP.
4. Gated content downloads
Gated content is about sharing knowledge that is valuable to the user in exchange for contact information of the user that is valuable to us. In Yokoy’s case, this could be, for example events on topics such as digitalization, artificial intelligence or data protection.
4.1 Purpose of the processing
4.2 Legal basis
We base our data processing on your consent pursuant to article 6 I a GDPR. This consent can also be revoked for the future in accordance with Art. 7 III GDPR. Contact us for this purpose in accordance with point A. The data processing is carried out in compliance with the data protection principles in accordance with Art. 6 FADP.
5. Job applications
We collect, process and transmit your personal data with automated data processing systems. For this purpose we work with the software join. This is an offer from JOIN Solutions AG, Landsgemeindeplatz 6, 9043 Trogen.
For example, the following types of personal data may be covered by the collection:
• Personal information
e.g. name, address, date of birth, telephone number
• Work permit or residence status
• Information about education and training
At this point, it should be noted that the decision to hire will, of course, still be made by our HR team. For further information on data protection at JOIN Solutions AG, please refer to the JOIN Solutions AG data protection policy.
5.1 Purpose of the processing
We process the personal data provided to us in order to take pre-contractual measures for the possible conclusion of an employment contract with you. If your application is unsuccessful or you withdraw your application, the data will be deleted within 30 days. If your application is successful, the data will be retained until the purpose is fulfilled, usually for the duration of the contractual relationship, plus a period if required by applicable law.
5.2 Legal basis
The data is stored on the basis of article 6 I b GDPR or the consent of the person in accordance with article 6 I a GDPR. This consent can also be revoked for the future on the basis of article 7 III GDPR. To do so, contact us via a channel in accordance with point A. The data processing is carried out in accordance with the data protection principles pursuant to Art. 6 FADP.
B. Data we processed by us
1. Server log files
When you use our website, information that your browser transmits to us is automatically collected and stored. These are:
• Browser type and browser version
• The operating system
• IP address
• Referrer URL
• Host name of the computer
• Date of request
We do not draw any conclusions about your person when using this data. Logging is done in accordance with our internal logging and monitoring policy.
1.1 Purpose of the processing
The data is required, for example, to deliver the content of our website correctly, to ensure the functionality of our website or to provide law enforcement authorities with the relevant information in the event of a cyber attack. The anonymous data of the server log files are stored separately from your personal data.
1.2 Legal basis
We base the collection of this anonymised data in the legitimate interest of a functioning website in accordance with article 6 I f GDPR.
2. Customer login/customer portal
The data protection provisions are agreed and signed with each customer upon conclusion of the contract. The processing of customer data in our CRM system is carried out in accordance with point 3.In addition, our system automatically records the following log data for each call:
• Browser type
• Amount of data sent in bytes
• Date and time of access
• IP address
• Setting the language
2.1 Purpose of the processing
This data is collected for the purpose of providing the portal. In addition, this data is processed and stored to ensure the functionality of the portal and security.
2.2 Legal basis
Article 6 I b and f GDPR. The data is only stored as long as it is necessary for the fulfilment of the purpose. To provide the portal, data is also passed on to technically necessary partners, e.g. the website hoster and the cloud provider. An overview of all partners, their services, the legal basis of processing and contact options can be found here. An internal logging and monitoring policy regulates the details.
3. Customer data (CRM Customer Relationship Management)
3.1 Purpose of the processing
In order to perform our contractual services, we need to process data about our customers. In doing so, we process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g. email, telephone numbers), content data (e.g. charts of accounts), contract data (e.g. subject matter of the contract, term), payment data (e.g. bank details, payment history). This mainly concerns customers, employees and suppliers. The purpose of the processing is the provision of contractual services, billing and our customer service.
3.2 Legal basis
C. Data collected from our partners
When we involve partners, this is done in accordance with the requirements of Art. 9 FADP and article 5 GDPR. There are data processing contracts that include the requirements of article 28 (3) of the GDPR and article 9 GDPR.
1. When visiting the website
In order to be able to operate a website technically, certain technical requirements are necessary, for which we depend on partners.
1.1.1 Purpose of the processing
Our hosting provider provides us with infrastructure and platform services, database services, computing capacity, security services and storage space as well as technical maintenance services, which we use for the purpose of operating our online offer.
1.1.2 Legal basis
1.2 Content Delivery Network (CDN)
1.2.1 Purpose of the processing
1.2.2 Legal basis
1.3 Google Web Fonts
1.3.1 Purpose of the processing
This website uses so-called web fonts provided by Google to display fonts. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This is a service of the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish company Google Ireland Limited is responsible. When you call up a page, your browser loads the required web fonts into the browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using must establish a connection to Google’s servers. In this way, Google learns that our website was accessed via your IP address.
1.3.2 Legal basis
1.4.1 Purpose of the processing
1.4.2 Legal basis
2. When using the Yokoy app
The Yokoy app is hosted on the Google Cloud. The Google Cloud is a service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Specific privacy information about the Google Cloud can be found here https://cloud.google.com/terms/cloud-privacy-notice. Specific information about the data security of the Google Cloud and our products can be found in the Data Security section.
Customers can download a mobile app to their device. The information required for this process is transmitted to the app store without our intervention. The information includes, for example, the email address, your App Store account customer number or the time of the download. We are not responsible for this data collection and have no influence on it.
• Date and time of access
• IP address
• Access to the site
• The operating system
Personal data as agreed in the data protection regulations with the respective company. Name, first name, e-mail and personnel number or cost center for publication.
To use the app in connection with the expense tool, the following categories are processed by the app: Last name, first name, email address and personnel or vendor number (for posting in the client’s system). For the invoice module, only the supplier name and ID is required. Additional data can be provided by the user, but is not mandatory. For the card module it is first name, last name, address, birthday and phone number.
The data is stored in an encrypted private cloud and the transfer to the Google Cloud is also secured with 256-bit AES encryption. By using the app, no employee data of the users is stored in our CRM.
2.1 Purpose of the data processing
This data is only processed for the provision of the Yokoy app.
2.2 Legal basis
This is done on the basis of article 6 I a, b and f GDPR.
3. Our marketing activities
On our website, we use the software HubSpot for various purposes. HubSpot is a US software company with a branch office in Berlin. Am Postbahnhof 17, 10243 Berlin.
3.1.1 Purpose of the processing
In the context of optimizing our marketing measures, the following data, among others, may be collected and processed via HubSpot:
• Geographical position
• The operating system
• IP address
• Duration of the visit
• Reference URL
• Information about how often the website is visited
• Newsletter registration data
• Pages accessed
We also use HubSpot to provide contact forms.
3.1.2 Legal basis
3.2 Google Tag Manager
3.2.1 Purpose of the processing
Our website uses the Google Tag Manager. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is a solution that allows website tags to be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool takes care of forwarding data and triggering other tags, which in turn may collect data. Google Tag Manager does not have access to this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.
3.2.2 Legal basis
The legal basis for the use of the Google Tag Manager is your consent according to Art. 6 I lit. a GDPR. This can be revoked at any time with effect for the future. To do so, contact us on a channel according to point I.
3.3 Google reCaptcha
3.3.1 Purpose of the processing
The purpose of reCAPTCHA is to check whether the data entry on our website (e.g. in a contact form) is made by a human or an automated program. The reCAPTCHA analyses run completely in the background. Visitors to the website are not made aware that an analysis is being carried out.
3.3.2 Legal basis
4. Social media activities
D. International data transmission
Whenever possible and commercially reasonable, Yokoy endeavors to work with providers from Switzerland, the EEA or the EU, or with countries for which the EU Commission has recognized an adequate level of data protection pursuant to article 45 of the GDPR.
Alternatively, the data transfer takes place on the basis of standard contractual clauses pursuant to Art. 46 of the General Data Protection Regulation. We are aware that the judgment of the European Court of Justice C-118-311 of 16.7.2021 has annulled the Privacy Shield and that the “old” standard contractual clauses still require additional safeguards. To the extent necessary, we will ensure that our partners switch to the new standard contractual clauses by the end of the transition period on 27 December 2022 at the latest if they rely on standard contractual clauses for data transfers, in particular in the USA. If available at the partner, we base the data transfer on Binding Corporate Rules according to Art. 47 GDPR.
We work exclusively with major international partners who share our conviction regarding the importance of data protection. The guarantee of data protection is further secured by data processing contracts.
Below is an overview of our foreign partners, in which country they are located and for what purpose they process Yokoy data. In addition, an internal policy states that we support any international sanctions against states, territories or persons and do not have business relationships with such states, territories or persons.
|Sub-processor||Location||Basis of data transmission||Purpose of processing||Address|
|Sendgrid LLC, Denver||USA||International data transfer is carried out via the Twilio Binding Corporate Rules in accordance with Art. 47 GDPR of Twilio, Inc. For more information on the privacy statement, please click here Twilio Privacy Statement.||Sending platform emails (optional) – the employee’s email is shared with Sendgrid.||1801 California Street Suite 500, Denver, CO 80202 USA |
Twilio, Inc. 375 Beale Street Suite 300 San Francisco, CA 94105 USA (Binding Corporate Rules applicable to Sendgrid, Inc.)
|Microsoft Company||USA||International data transfers are carried out via the current standard contractual clauses in accordance with Art. 46 III c GDPR as amended.||Use of cloud services for customer communication (Microsoft Teams)||Microsoft Corp.One Microsoft Way, Redmond, WA 98052-6399, USA|
New Rothofstraße 13-19
Rue Saint-Georges, 75009 Paris,
|Mortgage Bank Lenzburg||CH||Data transmission only within the EU (to CleverReach GmbH und CO KG for newsletter dispatch, otherwise no transmission) For further information, please refer to the legal information of Hypothekarbank Lenzburg.||Establishment and management of the billing account and thus necessary fulfilment of legal requirements (in accordance with article 6 I b, c, f) GDPR) In addition, for the purpose of issuing the Yokoy Card and the associated legal requirements (pursuant to article 6 I b, c and f) GDPR).||Mortgage Bank Lenzburg|
5600 Lenzburg, Switzerland
Legal basis: Art. 6 Ib) and f) GDPR
|NiD SA, Le Crêt-du-Locle 10, P.O. Box 1161, 2301 La Chaux-de-Fonds, Switzerland|
|Legal Monster||DK||Standard contractual clauses For more information, visit https://www.legalmonster.com/legal/privacy-policy/||Cookie management tool on our website.||Legal Monster ApS|
Njalsgade 21E, 5th floor 2300 Copenhagen S,
E. Directory of data processing
For more information, please see our Directory of Data Processing pursuant to article 30 of the General Data Protection Regulation and article 12 of the FADP.
F. Data security
1. Physical security
The building in which the offices are located is supervised around the clock by a receptionist. Access to the offices is only granted with a key, which is handed in personally by the supervisor. Entrances and exits to the engineering offices are also logged for better traceability. There is an internal physical security policy which is included in regular staff training.
Access to our online offer takes place via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate the transport encryption by a padlock in the address bar.
Even when the data is with us, it is in good hands. We chose Google as our cloud provider because Google has always evolved in terms of data security and offers us a reliable service. Google’s collaboration with SAP ensures high data availability. The security and data protection of Google products are independently audited on a regular basis (ISO/IEC 27001, 27017, 27018, SOC 1/2/3, GDPR).
Data in the cloud is encrypted with a 256 AES (Advanced Encryption Standard) and all data is also encrypted in transit.
3. Access management
Access is based on the need-to-know principle and is role-based. All activities are logged in order to be able to verify and prove access to the data. In addition, all access management issues are documented in an internal policy.
4. Availability of data
Data is provided on demand and there are automatic backups every 24 hours in an encrypted cloud (storage period 30 days) to ensure data availability at all times.
5. External review
In addition to the internal measures, we have our data security checked annually by an external partner using so-called penetration tests. The results of these tests also include improvement measures, which we subsequently implement in accordance with the internal penetration test governance policy.
6. Emergency plan
Should a data incident occur despite all measures, we are prepared for it and will put our internal emergency plan into action to minimize the damage.
G. Data storage and data deletion
We respect your data and only store it for as long as is absolutely necessary for the intended purpose. (Principle of data minimization according to article 5 c GDPR and article. 6 IV FADP. We delete the data at the latest after termination of the contractual relationship. This is subject to legal warranty and comparable obligations. In the case of statutory archiving obligations, deletion takes place after their expiry according to country specific legal requirements. In the case of data provided to us by the client as part of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used to the extent that it is necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of article 6 I b GDPR, which allows us to process data to fulfil a contract or pre-contractual measures. The right to deletion in accordance with article 17 GDPR is always reserved, provided that the legal requirements for this are met. In addition, we store daily backups of our data in order to comply with the principle of data availability. The backup data is automatically deleted after 30 days. The data deletion procedure is documented in an internal policy.
H. Your rights
1. Right to confirmation Art. 15 GDPR
On the basis of article 15 GDPR and article 19 of the FADP, you have the right to request confirmation from us as to whether personal data concerning you is being processed. To do so, contact us via one of the channels mentioned under point I.
2. Right to information Art. 15 GDPR
Pursuant to article 15 GDPR and article 19 FADP, you also have the right to obtain from us, at any time and free of charge, information about the data stored about you, as well as a copy of this data in accordance with the legal provisions, by contacting us through a channel as described in Section A.
3. Right of rectification Article 16 GDPR
You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request the completion of incomplete personal data, taking into account the purpose of the processing. This obligation to correct data also arises under Swiss law from article 6 of the Data Protection Act, if the legal requirements are met.
4. Right to erasure Article 17 GDPR
You have the right to demand from us the immediate deletion of the personal data concerning you, provided that one of the reasons provided for by law exists and insofar as the processing or storage is not necessary. A similar situation arises from Art. 6 IV FADP.
5. Restriction of processing Article 18 GDPR
You have the right to request that we restrict processing if one of the legal requirements is met.
6. Data portability Article 20 GDPR
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us to whom the personal data has been provided, provided that the processing is based on consent pursuant to article 6 I a GDPR or article 9 II a GDPR or on a contract pursuant to article 6 I b GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability pursuant to article 20 I DPA, you have the right to obtain that the personal data be transferred directly from one controller to another controller where technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals. The right to data portability has also been included in article 28 of the DPA.
7. Objection Article 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 I e or f GDPR.
This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR.If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
In individual cases, we process personal data in order to conduct direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, insofar as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes.
You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to article 89 I GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
You are free to exercise your right to object in relation to the use of information society services by automated means using technical specifications, notwithstanding Directive 2002/58/EC.
8. Revocation of consent under data protection law
You have the right to revoke your consent to the processing of personal data in accordance with article 7 III GDPR at any time with effect for the future.
9. Complaint to a supervisory authority
You have the right to lodge a complaint about our processing of personal data with a supervisory authority responsible for data protection in accordance with article 77 of the GDPR. In Switzerland, our supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC):
Federal Commissioner for Data Protection and Freedom of Information
CH – 3003 Bern
Telephone: +41 (0)58 462 43 95 (Mon. to Fri., 10.00 to 12.00)
Fax: +41 (0)58 465 99 96
For data subjects from the EU area, our lead supervisory authority is
Bavarian State Office for Data Protection Supervision (BayLDA)
Phone: +49 (0) 981 180093-0
We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, in particular by publishing the respective current data protection declaration on our website and by email.