1. Subject to Contract

We have created this Privacy Policy to demonstrate the commitment of the Competence Center for Diversity, Disability and Inclusion at the University of St.Gallen (‘the CCDI’, ‘we’, ‘us’, ‘our’) to the individual`s right to data protection and privacy. This Privacy Policy describes how diversityworks.ch (‘the platform’, ‘platform’ or ‘Diversity Works’) operates and how the CCDI collects, uses, and shares information, including personal data, gathered in the course of activities conducted by users that logon to the platform, when the CCDI acts as the controller of that data and when its processing is governed by the Swiss data protection law or the European Union's (‘EU’s’) General Data Protection Regulation (‘GDPR’), or any other applicable regulation.

You can notify us of any data protection related concerns using the following contact details: support-diversityworks@unisg.ch

2. Purpose of Data Processing

We primarily use collected data for the purpose of fulfilling our services, in particular in connection with the services and products of Diversity Works, as well as in order to comply with our domestic and foreign legal obligations.

The CCDI is a Competence Center at the University of St.Gallen that carries out statistical analyses on the topics of diversity, equity and inclusion of organisations to create transparency, provide guidance and monitoring for companies signing up for one of the offered services on the platform. To ensure secure data transmission, we will set up an account for you on the University of St.Gallen's sharepoint, where you can upload the data. They will then be stored on a local server in St.Gallen.

Additionally, the CCDI uses the personal data provided by you in your user profile to track service bookings, the organization's industry, the names of the persons involved in the data gathering process as well as to store the information necessary for invoicing you for the services received. In summary this includes the following use of your user information:

• to administer log-ins (where applicable) to Diversity Works services and deliver the services under the agreed terms of service;
• to issue and send invoices for the services provided, in accordance with our contractual and legal obligations.
• to respond to questions and provide support, including providing you with information about the services the CCDI offers via the platform;
• to send updates to your email inbox with information on platform updates, data processing updates and updates about Diversity Works services

3. Types of Data being Processed

Data for analysis: For the purpose of fulfilling our services on the platform, pseudonymised data for employees and, if available for applicants is required to conduct the analyses. The employee data you share must be pseudonymised, i.e. names have to be replaced with a random ID. Only this data is being shared with the CCDI, using a personalized user account on the University of St.Gallen’s sharepoint. Accordingly, the data we store on our local server is non-sensitive and anonymized, while the personal data retained pertains to non-vulnerable individuals.

User Information: When you interact with our platform and the services provided there, we ask you to provide us with personal information to enable you to access our services. The categories of personal information we may collect include: your full name, contact information, the organization with whom you are associated and invoice information. We do not intentionally collect sensitive personal information.

4. Data Retention Period

This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. We process and retain your personal data as long as required for the performance of our contractual obligation and compliance with legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business as well as beyond this duration in accordance with legal retention and documentation obligations. It is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:

• (a) the period of retention of usage data will be determined based on user requests for deletion or the data is no longer required.
• (b) the period of retention for correspondence data will be determined based on user requests for deletion or the data is no longer required, and the correspondence has been completed.

5. Your rights regarding information

The CCDI will take steps in accordance with applicable law to keep your personal data accurately, complete, and up to date. You are entitled to have inadequate, incomplete, or incorrect personal data corrected (that is, rectified). You also have the right to request access to your personal data as well as to obtain additional information about the processing.

Further, you are entitled to object to the processing of your personal data and have your personal data erased by using the account deletion functionality in your profile or by asking for the deletion of your account at any time by contacting us at support-diversityworks@unisg.ch. Upon deletion, we will remove your personal data, except where retention is required for legal, regulatory, or legitimate business purposes (such as fraud prevention or compliance with financial regulations). Please note that some data may remain in backup systems for a limited period before being permanently deleted.

6. Data sharing with third parties

We may share your personal information with third parties who help us in the delivery of our products and services to you. This means we may share your personal data as mentioned above as follows:

• Survalyzer: To conduct our survey “Implemented DE&I measures” we may share your name and email address with Survalyzer, a swiss company providing us with a survey software based on their SaaS application.
• If applicable, Ringier: If you have booked the service EqualVoice-Factor we may share your name and email address with Ringier that will analyze your companies’ gender visibility gap using the EqualVoice-Factor.

We require these third-party vendors to maintain personal information as confidential information and to not share the information with any other party or use that data for any other purpose.

7. Use of Cookies

We use only strictly necessary cookies to ensure the proper functioning of our platform. These cookies are essential for security, navigation, and core features, such as maintaining session integrity. They do not collect personal data for marketing or analytics purposes.

Since these cookies are required for the platform to operate, they cannot be disabled. However, you can configure your browser settings to block cookies, but this may affect the functionality of platform.

8. Confidentiality

We treat all information and documents handed over during the execution of the contract as confidential, even in the event that they have not been specified as confidential. We will protect this information and documents from unauthorised access by third parties. These confidentiality obligations shall remain in effect after termination of the service.

9. Data Security

We place a strong emphasis on security and data protection, assuming the imperative need to comply with various data protection regulations and standards. The security layer of Diversity Works is designed to deliver comprehensive protection for both the platform and its users. We refrain from storing any sensitive user data, ensuring that the company's data for analysis is pseudonymised. This layer covers various aspects of security, incorporating robust user authentication mechanisms (2FA), rigorous data access controls, and encryption techniques for data in transit and at rest. Compliance with industry-standard security protocols and regulations is a fundamental commitment, fostering trust and reliability.

10. Rights of Data Subjects

In this section, we have summarized the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. In accordance with and as far as provided by applicable law (as is the case where the GDPR and FADP is applicable), you have the right to access, rectification and erasure of your personal data, the right to restriction of processing or to object to our data processing, in addition to right to receive certain personal data for transfer to another controller (data portability). Please note, however, that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest (insofar as we may invoke such interests) or need the data for asserting claims. If exercising certain rights will incur costs on you, we will notify you thereof in advance. Please further note that the exercise of these rights may be in conflict with your contractual obligations, and this may result in consequences such as premature contract termination or involve costs. If this is the case, we will inform you in advance unless it has already been contractually agreed upon.In general, exercising these rights requires that you are able to prove your identity (e.g., by a copy of identification documents where your identity is not evident otherwise or can be verified in another way). In order to assert these rights, please contact us at the email address provided in section 1 above. In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority of Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

11. Liability

We are not liable for any damage resulting from lack of operation or disruption of the product or facilities by the hosting provider, the internet provider and/or telecommunications provider(s). The contracting party shall fully indemnify us against all damage and expenses, including claims of third parties, based on the fact that text and visual material placed, distributed or presented via us may be considered as infringing, illegal, unethical or offensive.

12. Amendments of this Data Protection Statement

We may update this policy from time to time by publishing a new version on our platform. You should check this page occasionally to ensure you are in agreement with any changes to this policy.