Privacy Policy – Swiss Multiple Sclerosis Cohort

1. What is the purpose of this privacy policy?

The Swiss MS Cohort (hereinafter also referred to as “we”, “us”) collects and processes personal data concerning you or other persons (so-called “third parties”). We use the term “data” here interchangeably with “personal data”. “Personal data” means data that can be associated with a specific person, and “processing” means any handling thereof, such as obtaining, storing, using, adapting, disclosing, and deleting. In this privacy policy, we describe what we do with your data when you use www.smsc.ch or multiscript.smsc.ch, use our services, are otherwise connected to us under a contract, communicate with us, or otherwise interact with us. If you provide us with data about other persons, such as family members, colleagues, etc., we assume that you are authorized to do so and that this data is accurate. By providing data about third parties, you confirm this. Please also ensure that these third parties have been informed about this privacy policy. This privacy policy is designed to meet the requirements of the EU General Data Protection Regulation (“GDPR”), the Information and Data Protection Act Basel-Stadt (“IDG”), and the Swiss Data Protection Act (“DSG”). For data processing related to our statutory duties, the provisions of the IDG Basel-Stadt primarily apply. However, whether and to what extent these laws apply depends on the individual case.

2. Who is responsible for processing your data?

For the data processing described in this privacy policy, the SMSC, Swiss MS Cohort, c/o University Hospital Basel, Department of Neurology, Petersgraben 4, 4031 Basel, is responsible under data protection law, unless otherwise communicated in individual cases (e.g., in other privacy policies, on forms, or in contracts). If you have any questions about data protection, you can contact us at the following address:

University Hospital Basel Data Protection
Legal Services
Hebelstrasse 32
CH-4031 Basel
datenschutz@usb.ch

3. How do we work with service providers?

We use various services from third parties, especially IT services (examples include hosting, data analysis services), shipping and logistics services, and services from banks, postal services, consultants, etc. These service providers may also process personal data to the extent necessary. Where appropriate and justifiable, cloud-based solutions may be used (possibly also from foreign providers). Our service providers are contractually obligated to process the data exclusively on our behalf and according to our instructions.

4. Can we disclose data abroad?

Recipients of data are not only located in Switzerland. This particularly concerns certain service providers (especially IT service providers). These have locations both within the EU or the EEA and in other countries worldwide. We may also transfer data to authorities and other persons abroad if legally required or, for example, as part of a judicial process. Not all of these countries have adequate data protection. We compensate for the lower protection through appropriate contracts, especially the so-called Standard Contractual Clauses of the European Commission, which can be accessed here. In certain cases, we may also transfer data in accordance with data protection regulations without such contracts, e.g., if you have consented to the disclosure or if the disclosure is necessary for the performance of a contract, for the establishment, exercise, or enforcement of legal claims, or for overriding public interests.

5. How do we process data in connection with our website?

With each use of our website, certain data is automatically generated for technical reasons, which is temporarily stored in log files, especially the IP address of the device, information about the internet service provider and the operating system of your device, information about the referring URL, information about the browser used, date and time of access, and accessed content when visiting the website. We use this data to ensure that our website can be used, to ensure system security and stability, to optimize our website, and for statistical purposes. Deletion occurs as soon as the storage of access data is no longer required to achieve the collection purposes (usually after 10 to 30 days). Our website also uses cookies, i.e., files that your browser automatically stores on your device. This allows us to distinguish individual visitors, usually without identifying them. Cookies can also contain information about pages visited and the duration of the visit. Certain cookies (“session cookies”) are deleted when the browser is closed. Others (“persistent cookies”) are stored for a specific period so that we can recognize visitors on a subsequent visit. You can configure your browser settings to block certain cookies or similar technologies or to delete cookies and other stored data. You can find more information in the help pages of your browser (usually under “Privacy”). Our website can generally be used without accepting cookies, but then individual offers of our website can only be used to a limited extent or not at all. These cookies and other technologies can also come from third-party companies that provide us with certain functions. These may also be located outside of Switzerland and the EEA. For example, we use analytics services to optimize and personalize our website. Cookies and similar technologies from third parties also allow them to address you with personalized advertising on our websites or other websites and on social networks that also collaborate with this third party and to measure the effectiveness of advertisements (e.g., whether you came to our website via an advertisement and what actions you then took on our website). The corresponding third parties can record the use of the website and link their recordings with further information from other websites. This allows them to record user behavior across multiple websites and devices to provide us with statistical evaluations based on this. The providers may also use this information for their own purposes, e.g., for personalized advertising on their own website or other websites. If a user is registered with the provider, the provider can assign the usage data of the respective person.

Two of the most important third-party providers are Google and Facebook. Further details about them can be found below. Other third-party providers typically process personal and other data in a similar manner, such as Vimeo.

— We utilize Matomo, an analytics service provided by InnoCraft Ltd. (150 Willis St, 6011 Wellington, New Zealand), as an alternative to Google Analytics. Matomo collects certain information about user behavior on the website (such as duration, frequency of visited pages, etc.) and details about the used device. The IP addresses of visitors are anonymized in Europe before being transmitted to the USA. Matomo provides us with analyses based on the recorded data and processes certain data, which are not personal data for Matomo but also for its own purposes. You can find information about the privacy policy of Matomo here.

— On our website, we occasionally use plugins from YouTube (YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA; subsidiary of Google LLC). When you visit one of our pages with an embedded YouTube video, a connection is established to YouTube servers. YouTube is informed about which page was visited from which IP address. If you are simultaneously using a YouTube account, YouTube can directly assign this information to your personal account. You can find more information about the handling of user data in Google’s privacy policy here.

— Our website occasionally uses the Google Maps API from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), for displaying an interactive map and creating directions. When using Google Maps, information about your use (e.g., IP address) may be stored and transmitted to a Google server in the USA. You have the option to deactivate the Google Maps service and thus prevent data transfer to Google Maps. However, we would like to point out that in this case, you will not be able to use the map display on our website. You can find more information about the handling of user data in Google’s privacy policy: here.

6. Data Processing Agreement and Hosting Provider

We have entered into a Data Processing Agreement (DPA) with all our third-party service providers, including Google, Facebook, and others, to ensure compliance with data protection regulations and to safeguard the privacy of our users. This agreement outlines the terms and conditions under which these providers handle and process data on our behalf.

Additionally, our website is hosted by nine.ch, a leading Swiss hosting provider known for its commitment to data security and privacy. You can find more information about nine.ch and their data protection measures on their website or by contacting them directly at the following address:

nine.ch AG
Thurgauerstrasse 40
8050 Zurich
Switzerland

Data Processing Agreement: https://docs.nine.ch/docs/legal-documents/data-processing-agreement/

This section emphasizes our commitment to data protection and privacy and provides users with transparency regarding our hosting provider and the measures in place to ensure the security of their data.

7. How do we process data through social media?

We operate our own presences on social networks and other platforms (Facebook fan pages, LinkedIn, X (former Twitter), and a YouTube channel) to offer information or to engage with you on topics that are important to you. When you communicate with us there or comment on or share content, we collect information for communication with you, for marketing purposes, and for statistical evaluations. Please note that the platform provider also collects and uses data (e.g., user behavior), possibly in conjunction with other known data (e.g., for marketing purposes or for personalizing platform content). Where we are jointly responsible with the provider, we enter into a corresponding agreement, which you can inquire about with the provider.

8. Are there any further processing activities?

For the Swiss MS Cohort, many processes are not possible without processing personal data. This cannot always be precisely determined in advance, nor can the extent of the data processed therein, but you will find information on typical (although not necessarily frequent) cases afterwards:

— Communication: When you communicate with us via the contact form, by email, telephone, letter, social media platforms, or other means of communication, we collect the data exchanged between you and us, including your contact details and the incidental data of communication. For identification purposes, we may also process information for identity verification. We use the information voluntarily provided by you (e.g., name, email address, telephone number, inquiry) solely for processing your request and involve the internally responsible bodies and persons accordingly. We would like to point out that communication via email does not take place via a secure or encrypted data connection. This means that your data may be lost or accessible to unauthorized persons during transmission. Contacting us via email is therefore at your own risk; in this context, we do not assume any responsibility and reject any liability claims made in this regard

— Compliance with legal requirements: We may disclose data to authorities within the framework of legal obligations or authorizations and to comply with internal regulations.

— With contractual partners who are companies, we process fewer personal data because data protection law only covers data of natural persons (i.e., of individuals). However, we process data of contact persons with whom we are in contact, e.g., name, contact details, professional information, and information from communication, and information about executives, etc., as part of general information about companies with which we cooperate.

— Transactions: When we sell or acquire receivables, other assets, business units, or companies, we process data to the extent necessary to prepare and carry out such transactions, e.g., information about customers or their contact persons or employees, and disclose corresponding data to buyers or sellers.

— Other purposes: We process data to the extent necessary for other purposes such as IT security, training and education, administration (e.g., contract management, accounting, enforcement and defense of claims, evaluation and improvement of internal processes, creation of anonymous statistics and evaluations; acquisition or sale of receivables, businesses, business units, or companies, and protection of other legitimate interests.

9. How long do we process personal data?

We process your personal data for as long as it is necessary for the purpose of processing (usually for the duration of the contractual relationship), as long as we have a legitimate interest in storage (e.g., to enforce legal claims, for archiving, or to ensure IT security), and as long as data is subject to legal retention and archiving obligations. After these periods have expired, we delete or anonymize your personal data.

10. Further remarks

Depending on the applicable law, data processing is only permitted if the applicable law specifically permits it. This does not apply under the Swiss Data Protection Act, but e.g., under the GDPR, if applicable (which can only be determined on a case-by-case basis). In this case, we base the processing of your personal data on the fact that it is necessary for the preparation and execution of contracts, that it is necessary for legitimate interests of ours or third parties, e.g., for statistical evaluations or for marketing purposes, that it is legally required or permitted, or that you have separately consented to the processing. You will find the corresponding provisions in Articles 6 and 9 of the GDPR.

11. What are your rights?

You have certain rights under applicable data protection law so that you can obtain further information about our data processing and influence it:

— You can request further information about our data processing. We are happy to provide this to you. You can also make a so-called access request if you wish to obtain further information and a copy of your data;

— You can object to our data processing, especially in connection with direct marketing;

— You can correct or complete incorrect or incomplete personal data or have them supplemented by a denial note;

— You also have the right to receive the personal data you have provided us in a structured, common, and machine-readable format, provided that the corresponding data processing is based on your consent or is necessary for the fulfillment of a contract;

— If we process data based on your consent, you can revoke the consent at any time. The revocation only applies to the future, and we reserve the right to continue processing data on another basis in the event of revocation. Please note that there are conditions, exceptions, or restrictions for these rights under applicable data protection law (e.g., for the protection of third parties or trade secrets). If you wish to exercise such a right, please feel free to contact us (see section 2). In general, we may need to verify your identity (e.g., by providing a copy of your ID). You also have the option of submitting a complaint about our processing of your data to the competent supervisory authority, which in the canton of Basel-Stadt is the cantonal data protection officer of Basel-Stadt.

12. Can this privacy policy be changed?

We reserve the right to adjust this privacy policy at any time. The version published on this website is the current version.

Last updated: January 2024