Information on processing personal data in accordance to Art. 13, 14 GDPR and Art. 19 revFADP (CH)

The person responsible for data processing is:

EAO AG
⁠Tannwaldstrasse 86
⁠4600 Olten
⁠Switzerland

Data protection officer Mr. Andreas Siegemund, E-mail: privacy.policies@eao.com

Which data categories do we use as an employer and where do they come from?

Various types of data are processed when using the record function of "Microsoft Teams". The scope of the data also depends on the data you provide before or when participating in an "online meeting". The following personal data is processed:

• User data (e.g. display name, e-mail address if applicable, profile picture (if provided), preferred language)
• Meeting metadata (e.g. date, time, meeting ID, telephone numbers, location, chat data)
• Biometric data (e.g. audio and video data)

For what purposes and on what legal basis is data processed?

We use the "Microsoft Teams" tool to hold conference calls or online meetings. We may use the recording function to make missed online meetings available for these employees who were unable to attend. Recordings will only be made with your consent. "Microsoft Teams" is a service of the Microsoft Corporation.

If it is necessary to log the results of an online meeting, we may log chat content, but this will typically not be the case.

We process your personal data for the processing based on your consent according to (Art. 6 (1) lit. a GDPR and Art. 31 (1) revFADP). We obtain this separately.

Personal data of our Chinese employees might be processed at EAO locations outside the territory of the People’s Republic of China. However, the consent of the employees concerned is mandatory.

If we wish to process your data in a permissible manner for a purpose not mentioned above, we will inform you in advance and, if necessary, obtain your consent.

Who receives your data?

Within the company, only those persons and departments (e.g., IT) that require access to your personal data for the above-mentioned purposes will receive it. Personal data processed in connection with participation in "online meetings" is not intentionally shared with third parties.

Even though employees are instructed to handle the link carefully and to only share it with participants, it cannot be ruled out that the link may be shared beyond the intended group. As a result, unauthorized third parties may gain access to the meeting content.

Other recipients: The provider of "Microsoft Teams" necessarily can receive knowledge of the above-mentioned data, insofar as this is provided for in data processing agreement with Microsoft Cooperation.

Transfer to third countries

Due to the group structure of EAO AG, the transfer of personal data to other countries cannot be ruled out. EAO AG endeavors to ensure that an appropriate level of data protection is always guaranteed in the countries concerned or by the partners based there. The transfer to third countries therefore only takes place if

• the third country has a level of data protection deemed adequate by the European Commission or Switzerland, or
• so-called appropriate safeguards are used, e.g. standard data protection clauses, binding corporate rules or
• or one of the derogations as per Art. 49 GDPR is relevant or the consent of the data subject has been obtained.
• or in the case of our Chinese employees if they have consented to the processing.

How long will your data be stored?

We process your personal data for as long as is necessary for the above-mentioned purposes, but for a maximum of 60 days. Non-recorded data will be retained according to standard data retention policies.

Are you obliged to provide your data?

You are not obliged to provide the data. There are no consequences if you do not provide it.

What data protection rights can you assert as a data subject?

Every data subject has the right of access (Art. 15 GDPR and Art. 25 revFADP), the right to

Rectification (Art. 16 GDPR Art. 32 (1) revFADP), the right to erasure (Art. 17 GDPR and Art. 25), the right to restriction of processing (Art. 18 GDPR and Art. 26 revDADP), the right to notification (Art. 19 GDPR and Art. 28 revFADP) and the right to data portability (Art. 20 GDPR and Art. 28 revFADP). You also have the right to file a complaint with a data protection supervisory authority (Art. 77 GDPR and Art. 24 revFADP).

If the processing of data is based on your consent, you are entitled to withdraw your consent to the use of your personal data at any time to revoke your consent at any time. Please note that the revocation is only effective for the future.

Automated individual decision-making

Automated individual decision-making within the meaning of Art. 22 GDPR and Art. 21 revFADP is not used.

Thank you for your co-operation and your trust in our company!