MRI Data Protection Policy

Introduction

About this policy

This data protection policy sets out the basis on how MRI Trading AG and its affiliated companies (together “MRI”) will process any personal data. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. This policy is written to comply with the applicable provisions under data protection law, especially the new EU General Data Protection Regulation (GDPR) and the new Swiss Federal Act on Data Protection (FDPA).

Definitions

These definitions should help you to understand this policy.

“We”, ”us” or “our” means MRI (MRI TRADING AG and its affiliated companies).
“Website” means MRI TRADING AG websites, located at mri-group.com.
“You” means any data subjects.
“Personal data” means any information about a person, any information that identifies a person or can be used to identify a person.

Data Privacy contacts

If you have any questions, comments or requests relating to your personal data, or you have a concern about the way in which we have handled any personal data, please use our data privacy contact form to send us a message.

Data Controller

MRI Trading AG is the data controller for MRI Trading AG and its affiliated companies.

E-mail: daco1@mri-group.com
Phone: +41 41 727 2800
Address: Baarerstrasse 53, P.O. Box 7362, 6300 Zug, Switzerland

Data processing

Purposes of data processing

In the context of the business, MRI may process personal data for the following purposes:

Communicating with Business Partners about products, services and projects of MRI or Business Partners, e.g. by responding to inquiries or requests;
Planning, performing and managing the (contractual) relationship with Business Partners; e.g. by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, facilitating repairs and providing support services;
Managing and responding to contact enquiries, whistleblowing-messages and job applications; using the form data (contact forms on websites);
Maintaining and protecting the security of our products, services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities;
Ensuring compliance with legal obligations (such as record keeping obligations), Business Partner compliance screening obligations (to prevent white-collar or money laundering crimes), and MRI policies or industry standards;
To solve disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.

Categories of personal data

For the aforementioned purposes, MRI may process the following categories of personal data

Contact information, such as full name, work address, work telephone number, work mobile phone number, work fax number and work email address;
Application documents, such as Curriculum Vitae, certifications, letter of motivation;
Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information;
Further information necessarily processed in a project or contractual relationship with MRI or voluntarily provided by the Business Partner Contact, such as orders placed, payments made, requests, and project milestones;
Information collected from publicly available resources, integrity data bases and credit agencies;
If legally required for Business Partner compliance screenings: information about relevant and significant litigation or other legal proceedings against Business Partners.

The processing of personal data is necessary to meet the aforementioned purposes including the performance of the respective (contractual) relationship with Business Partners and further persons. Unless indicated otherwise, the legal basis for the processing of personal data is described in the GDPR and FDPA.

If MRI does not process the respective personal data, the purposes described may not be met by MRI.

Store locations and transfer of personal data

MRI is a global company. Your personal data may be stored and processed in the Switzerland or any other country in which MRI or associated third parties maintain facilities. If necessary to require the aforementioned purposes, your personal data will be forwarded to MRI affiliated companies or other companies.

Your personal data may be transferred to, stored at and processed in a destination outside Switzerland or the European Union. By indicating consent when submitting your personal data, you agree to this transfer, storing or processing.

If legally permitted to do so, MRI may transfer personal data to courts, law enforcement authorities, regulators or attorneys if necessary to comply with the law or for the establishment, exercise or defence of legal claims.

Should MRI need to transfer your personal data, MRI will take all reasonable measures to safeguard the transfer of your personal data to third parties in a manner that complies with the applicable provisions under data protection law, especially the GDPR and FDPA.

We take your privacy extremely seriously and we never sell personal data or email addresses.

Retention periods

We store your personal data only as long as required for the intended purpose. If data is processed for multiple purposes, it will be deleted, or only stored in a form that cannot be directly traced back to you, as soon as no longer needed for the final specified purpose.

Data processing to ensuring data security

We also process personal data wherever there is a legal obligation to do so – for example, where necessary to enable operation of IT systems, including the following activities:

backup and recovery of data processed in IT systems;
logging and monitoring of transactions to verify proper functioning of IT systems;
detection and prevention of unauthorised access to personal data;
incident and problem management for troubleshooting IT systems.

MRI is subject to a wide range of additional legal obligations. To comply with these obligations, we process your data to the required extent and, if necessary, submit it to the responsible authorities in accordance with legal reporting requirements.

Automated decision-making

Not applicable; no automated decision-making take place at MRI.

Rights of the data subject

As the party affected by the processing of your data, you may claim certain rights under the GDPR, FDPA and other relevant data protection regulations. For future information about your rights, please consult EUGDPR.org. or FDPA. The FDPA is largely aligned with the EU’s General Data Protection Regulation (GDPR).

Under the GDPR and FDPA, in summary, you are entitled to claim the following specific rights vis-à-vis MRI as the data subject.

Right of access by the data subject

You have the right to request information on the data we hold about you from us at any time. This information includes, but is not limited to, the categories of data we process, the purposes for which it is processed, the source of the data if not collected directly from you, and, if applicable, the recipients with whom we have shared your data. You can obtain a copy of your data from us free of charge. If you require additional copies, we reserve the right to charge you for these copies.

Right to rectification

You have the right to request that we rectify inaccurate data relating to you. We will take appropriate steps to keep the data we store and process on an ongoing basis accurate, complete and current, based on the most up-to-date information available.

Right to erasure

You have the right to request that we erase your data, as long as the legal requirements for this are satisfied. If

the data is no longer required for the purposes for which it was collected or otherwise processed,
you withdraw the consent on which data processing is based, and there is no other legal basis for processing,
you lodge an objection to the processing of your data and there are no legitimate reasons for processing, or you object to data processing for direct marketing purposes,
the data was processed unlawfully, and provided that processing is not required,
to ensure compliance with a legal obligation that requires us to process your data,
especially with regard to statutory retention periods, to establish, exercise or defend legal claims.

Right to restriction of processing

You have the right to request that we restrict processing of your data if

you dispute the accuracy of the data – in which case processing may be restricted during the time it takes to verify the accuracy of the data,
processing is unlawful, and you reject erasure of your data, requesting that its usage be restricted instead,
we no longer need your data, but you need it to establish, exercise or defend your rights,
you have lodged an objection to its processing, as long as it is not certain that our legitimate reasons outweigh yours.

Right to data portability

You have the right to request that we transfer your data – if technically possible – to another responsible party. However, you may only enforce this right if data processing is based on your consent or is necessary for the performance of a contract. Rather than receiving a copy of your data, you may also ask us to submit the data directly to another responsible party specified by you.

Right to object

You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, as long as data processing is based on your consent, on our legitimate interests or those of a third party. In this case, we will cease to process your data. This does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your data for the establishment, exercise or defence of legal claims.

Right to complain to the regulator

MRI takes your concerns and rights very seriously. However, if you believe that we have not responded in an appropriate manner to your complaints or concerns, you have the right to lodge a complaint with your local data protection authority.

Further information about your rights

Time limits for compliance with the rights of the data subject

We make every effort to comply with all requests within 30 days. However, this period may be extended for reasons relating to the specific right or complexity of your request.

Restriction of information for compliance with the rights of the data subject.

In certain situations, we may be unable to provide you with information about all your data, due to legal requirements. If we are unable to fulfil your request for information in such a case, we will notify you of the reasons.

You have the right to withdraw your declaration of consent for data processing. Your revoking of consent does not affect lawfulness of the processing that has taken place by reason of the consent up to the time of withdrawal.

Website

Cookies

The websites of MRI contain no cookies.

Website Analytics

MRI does not use any third-party analytical services.

Website hosting

The websites of MRI may be simultaneously hosted at numerous third-party locations around the world for performance purposes. Your visit to our websites might be redirected to a particular location according to numerous factors, such as your location (GeoIP).

External websites

Any other websites which may be linked to from our website may be subject to their own privacy policy, which may differ from ours and we are not responsible for the content provided on any third-party web sites.

Logs

Each time you use the Internet, your browser automatically transmits certain data which our provider(s) then store in log files.

Information about the browser type and version used
The user’s operating system
The user’s IP address
The date and time of connection
Websites from which the user’s system was referred our website
Websites that the user’s system connects to from our website

Our provider(s) store the log files for troubleshooting and security purposes. They are stored for up to 10 days and then deleted. Log files that need to continue to be stored for evidence purposes, are excluded from this deletion until the respective incident has been cleared up and may, in isolated cases, be passed on to the investigating authorities.