MRI Data Protection Policy

Introduction

About this policy

This data protection policy sets out the basis on how MRI Trading AG and its affiliated companies (together “MRI”) will process any personal data. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. This policy is written to comply with the applicable provisions under data protection law, especially the new EU General Data Protection Regulation. Further details about the EU-GDPR can be found at EUGDPR.org.

Definitions

These definitions should help you to understand this policy.

  • “We”, ”us” or “our” means MRI (MRI TRADING AG and its affiliated companies).

  • “Website” means MRI TRADING AG websites, located at mri-group.com.

  • “You” means any data subjects.

  • “Personal data” means any information about a person, any information that identifies a person or can be used to identifies a person.

Data Privacy contacts

If you have any questions, comments or requests relating your personal data, or you have a concern about the way in which we have handled any personal data, please use our data privacy contact form to send us a message.

Data Protection Officer

You may also contact the Data Protection Officer:

  • Name: Keith Lomax
  • Phone: +41 41 727 2896
  • E-mail: dpo@mri-group.com
  • Address: Baarerstrasse 53, P.O. Box 7362, 6300 Zug, Switzerland

Data Controller

MRI Trading AG is the data controller for MRI Trading AG and its affiliated companies.

  • Phone: +41 41 727 2800
  • Address: Baarerstrasse 53, P.O. Box 7362, 6300 Zug, Switzerland

Scope

This policy covers the MRI Trading AG websites. Any other websites which may be linked to from our website (indicated by ) may be subject to their own privacy policy, which may differ from ours and we are not responsible for the content provided on any third-party web sites.

Data processing

Purposes of data processing

In the context of the business, MRI may process personal data for the following purposes:

  • Communicating with Business Partners about products, services and projects of MRI or Business Partners, e.g. by responding to inquiries or requests;
  • Planning, performing and managing the (contractual) relationship with Business Partners; e.g. by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, facilitating repairs and providing support services;
  • Managing und responding contact enquiries, whistleblowing-messages and job applications; using the form data (contact forms on websites);
  • Maintaining and protecting the security of our products, services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities;
  • Ensuring compliance with legal obligations (such as record keeping obligations), Business Partner compliance screening obligations (to prevent white-collar or money laundering crimes), and MRI policies or industry standards;
  • Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.

Categories of personal data

For the aforementioned purposes, MRI may process the following categories of personal data

  • Contact information, such as full name, work address, work telephone number, work mobile phone number, work fax number and work email address;
  • Application documents, such as Curriculum Vitae, certifications, letter of motivation;
  • Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information;
  • Further information necessarily processed in a project or contractual relationship with MRI or voluntarily provided by the Business Partner Contact, such as orders placed, payments made, requests, and project milestones;
  • Information collected from publicly available resources, integrity data bases and credit agencies;
  • If legally required for Business Partner compliance screenings: information about relevant and significant litigation or other legal proceedings against Business Partners.

The processing of personal data is necessary to meet the aforementioned purposes including the performance of the respective (contractual) relationship with Business Partners and further persons. Unless indicated otherwise, the legal basis for the processing of personal data is Article 6 (1) (b) or (f) of the General Data Protection Regulation or - if explicitly provided by Business Partner Contacts – the consent (Article 6 (1) (a) of the General Data Protection Regulation).

If MRI does not process the respective personal data, the purposes described may not be met by MRI.

Store locations and transfer of personal data

MRI is a global company. Your personal data may be stored and processed in the Switzerland or any other country in which MRI or associated third parties maintain facilities. If necessary to require the aforementioned purposes, your personal data will be forwarded to MRI affiliated companies or other companies.

Your personal data may be transferred to, and stored at, a destination outside the European Union. It may also be processed outside the European Union. By indicating consent when submitting your personal data, you agree to this transfer, storing or processing.

If legally permitted to do so, MRI may transfer personal data to courts, law enforcement authorities, regulators or attorneys if necessary to comply with the law or for the establishment, exercise or defence of legal claims.

Should MRI need to transfer your personal data, MRI will take all reasonable measures to safeguard the transfer of your personal data to third parties in a manner that complies with the applicable provisions under data protection law, especially the GDPR.

We take your privacy extremely seriously and we never sell personal data or email addresses.

Retention periods

We store your personal data only as long as required for the intended purpose. If data is processed for multiple purposes, it will be deleted, or only stored in a form that cannot be directly traced back to you, as soon as no longer needed for the final specified purpose.

Data processing to ensuring data security

We also process personal data wherever there is a legal obligation to do so – for example, where necessary to enable operation of IT systems, including the following activities:

  • backup and recovery of data processed in IT systems;
  • logging and monitoring of transactions to verify proper functioning of IT systems;
  • detection and prevention of unauthorised access to personal data;
  • incident and problem management for troubleshooting IT systems.

MRI is subject to a wide range of additional legal obligations. To comply with these obligations, we process your data to the required extent and, if necessary, submit it to the responsible authorities in accordance with legal reporting requirements.

Automated decision-making

Not applicable; no automated decision-making take place at MRI.

Cookies

The websites of MRI contain no cookies (exception: Embedded google maps)

Website Analytics

MRI does not use any third-party analytical services.

Website hosting

The websites of MRI may be simultaneously hosted at numerous third-party locations around the world for performance purposes. Your visit to our websites might be redirected to a particular location according to numerous factors, such as your location (GeoIP).

Web pages and log files

Personal data

Every time our web page is called up, our system automatically records data and information from the computer system of the computer making contact. The following data may be collected for this (access data):

  • Information about the browser type and version used
  • The user’s operating system
  • The user’s IP address
  • The date and time of access
  • Websites from which the user’s system has reached our web page
  • Internal web pages called up by the user’s system via our web page

The data are similarly stored in the log files for our system. No storage takes place for this data together with other personal data of the user.

The temporary storage of the IP address by the system is necessary in order to make it possible to deliver the web pages to the user’s computer. For this, the user’s IP address needs to remain stored for the duration of the session. Storage takes place in log files, in order to guarantee the functionality of the web pages. In addition, the data help us to optimise the web pages and to ensure the security of our IT systems. These purposes also constitute our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR. No evaluation of data for marketing purposes takes place in this connection.

Duration of storage and data erasure

The data are erased as soon as they are no longer necessary for achievement of the purpose for which they were collected. In the situation of recording data for provision of the web pages, this is the case if the respective session has ended. In the situation of storing the data in log files, this is the case after seven days at the latest.

Opportunity to object and for removal

The recording of data for provision of the web pages and storage of the data in log files is fundamentally necessary for operation of the web pages. There is consequently no opportunity for the user to object.

Rights of the data subject

As the party affected by the processing of your data, you may claim certain rights under the GDPR and other relevant data protection regulations. For future information about your rights, please consult EUGDPR.org. Under the GDPR, you are entitled to claim the following specific rights vis-à-vis MRI as the data subject.

Right of access by the data subject (Art. 15 GDPR):

You have the right to request information on the data we hold about you from us at any time. This information includes, but is not limited to, the categories of data we process, the purposes for which it is processed, the source of the data if not collected directly from you, and, if applicable, the recipients with whom we have shared your data. You can obtain a copy of your data from us free of charge. If you require additional copies, we reserve the right to charge you for these copies.

Right to rectification (Art. 16 GDPR):

You have the right to request that we rectify inaccurate data relating to you. We will take appropriate steps to keep the data we store and process on an ongoing basis accurate, complete and current, based on the most up-to-date information available.

Right to erasure (Art. 17 GDPR):

You have the right to request that we erase your data, as long as the legal requirements for this are satisfied. This may be the case under Art. 17 GDPR if

  • the data is no longer required for the purposes for which it was collected or otherwise processed,
  • you withdraw the consent on which data processing is based, and there is no other legal basis for processing,
  • you lodge an objection to the processing of your data and there are no legitimate reasons for processing, or you object to data processing for direct marketing purposes,
  • the data was processed unlawfully, and provided that processing is not required
  • to ensure compliance with a legal obligation that requires us to process your data,
  • especially with regard to statutory retention periods,
  • to establish, exercise or defend legal claims.

Right to restriction of processing (Art. 18 GDPR):

You have the right to request that we restrict processing of your data if

  • you dispute the accuracy of the data – in which case processing may be restricted during the time it takes to verify the accuracy of the data,
  • processing is unlawful, and you reject erasure of your data, requesting that its usage be restricted instead,
  • we no longer need your data, but you need it to establish, exercise or defend your rights,
  • you have lodged an objection to its processing, as long as it is not certain that our legitimate reasons outweigh yours.

Right to data portability (Art. 20 GDPR):

You have the right to request that we transfer your data – if technically possible – to another responsible party. However, you may only enforce this right if data processing is based on your consent or is necessary for the performance of a contract. Rather than receiving a copy of your data, you may also ask us to submit the data directly to another responsible party specified by you.

Right to object (Art. 21 GDPR):

You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, as long as data processing is based on your consent, on our legitimate interests or those of a third party. In this case, we will cease to process your data. This does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your data for the establishment, exercise or defence of legal claims.

Right to complain to the regulator

MRI takes your concerns and rights very seriously. However, if you believe that we have not responded in an appropriate manner to your complaints or concerns, you have the right to lodge a complaint with your local data protection authority.

Further information about your rights

Time limits for compliance with the rights of the data subject

We make every effort to comply with all requests within 30 days. However, this period may be extended for reasons relating to the specific right or complexity of your request.

Restriction of information for compliance with the rights of the data subject.

In certain situations, we may be unable to provide you with information about all your data, due to legal requirements. If we are unable to fulfil your request for information in such a case, we will notify you of the reasons.

You have the right to withdraw your declaration of consent for data processing. Your revoking of consent does not affect lawfulness of the processing that has taken place by reason of the consent up to the time of withdrawal.

© 2018 MRI TRADING AG