Sonova AG is incorporated under the laws of Switzerland, as a data controller, with its registered address at Laubisrütistrasse 28, 8712 Stäfa, Switzerland, and operates with its affiliates located around the world (collectively referred to as the “Company” or “we” or “our”).
By "Personal Data" we mean any information relating to an identified or identifiable natural person.
By “processing” we mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Company undertakes to comply with the applicable data protection law (“Applicable Law”). Thus, depending on the countries where the Company is established, the processing of Personal Data will be subject to the local Applicable Law. Although certain requirements may vary from one country to another, the Company is particularly concerned about the privacy of Data Subjects, and this Policy constitutes a global guideline to which the Company is committed.
In particular, the Company is committed to complying with the following laws, where applicable:
The Company may process the following Personal Data:
In addition, as our activity is mainly focused on manufacturing innovative solutions for hearing aids, we may be required to collect sensitive Personal Data and more specifically health data. Depending on the country where the Data Subject resides, those sensitive Personal Data may benefit from special protection, particularly in terms of the security and confidentiality measures implemented.
The following legal bases constitute the foundation on which the Company relies to carry out the processing of Personal Data. Other legal bases may be used depending on where the Data Subject resides and the relevant Applicable Law.
Some processing of Personal Data may be based on the consent of Data Subjects. The processing of Personal Data for this purpose may involve:
The processing of Personal Data that the Company carries out may also be based on the execution of a contract or pre-contractual measures with Data Subjects. The processing of Personal Data for this purpose may involve:
The Company may also process Personal Data based on its legitimate interest, in particular in order to improve our products and services, customer experience and internal processes. The processing of Personal Data for this purpose may involve:
The Company may also process Personal Data in order to respond to legal requirements. Processing based on legal requirements depends on the Applicable Law.
Personal Data will not be kept longer than necessary for the above-mentioned purposes. This means that Personal Data will be deleted as soon as the purpose of the processing of Personal Data has been achieved. However, the Company may retain Personal Data longer if necessary to comply with Applicable Law, or if necessary to protect or exercise our rights, to the extent permitted by applicable data protection law.
At the end of the retention period, the Company may also need to archive Personal Data, to comply with Applicable Law, for a limited period of time and with limited access.
These retention periods may vary depending on the country where the Data Subjects reside and in accordance with Applicable Law.
The Company may share Personal Data, subject to your consent or other relevant legal basis, with the following third-parties:
Depending on Applicable Law, we implement contracts with some third-parties to ensure that Personal Data are processed based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.
The above-mentioned third-parties such as affiliates and subsidiaries, as well as business partners, public authorities to whom we may disclose Personal Data, may be located outside of a Data Subject’s country of domicile, potentially including countries whose data protection laws may differ from those in the country in which Data Subjects are located.
If Personal Data are processed within the European Union/European Economic Area, and in the event Personal Data are disclosed to third parties in a country not considered as providing an adequate level of protection according to the European Commission, the Company will ensure:
If Personal Data are not processed within the European Union/European Economic Area, and in the event Personal Data are disclosed to third parties located outside the Data Subject's jurisdiction, the Company will ensure that appropriate safeguards are in place to protect Personal Data by implementing appropriate legal mechanisms. Those mechanisms may differ depending on the country and relevant Applicable Law.
The Company implements a variety of security measures, according to Applicable Law, in order to protect Personal Data from security incidents or unauthorized disclosure, and more generally from a Personal Data breach. These security measures are recognized as appropriate security standards in the industry and include, inter alia, access controls, passwords, encryption and regular security assessments.
If a Personal Data breach occurs, and in particular if there is a breach of security resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise processed, the Company will take appropriate measures such as:
Appropriate measures and procedures in the event of a Personal Data breach may differ depending on the country where it occurs, the type of breach and depending on the relevant Applicable Law.
As may vary based on relevant Applicable Law, Data Subjects have rights related to their Personal Data, such as the right to request access, rectification, erasure of their Personal Data, restriction of processing, object to processing, request data portability, to be informed and withdraw their consent for processing of Personal Data based on their consent. Data Subjects may also object to automated individual decision-making if they are concerned by such processing.
In addition, in some jurisdictions you may provide instructions relating to the retention, communication and erasure of your Personal Data posthumously.
The exercise of such rights is not absolute and is subject to the limitations provided by Applicable Law.
Data Subjects may have the right to lodge a complaint with the local supervisory authority or the competent regulator if they consider that the processing of their Personal Data infringes Applicable Law.
To exercise those privacy rights, Data Subjects may contact us as described in the section “How to contact us” below. We may ask for proof of identity in order to respond to the request. If we can’t satisfy your request (refusal or limitation), we will give the reasons for our decision in writing.
If necessary, we may from time to time need to update this Policy in order to reflect new or different privacy practices. In this case, we will post updated versions of this Policy on this page. A revised Policy will apply only to data collected subsequent to its effective date. We encourage you to periodically review this page for the latest information on our privacy practices.
For any questions, comments, or concerns about this Policy, or in order to exercise the privacy rights permitted by Applicable Law related to Personal Data, please contact our Data Protection Officer at the following address: Sonova AG, Laubisruetistrasse 28, 8712 Stäfa, Switzerland or by sending an e-mail to: firstname.lastname@example.org
Valid from: October 2022
Owner: Head of Global Compliance & Data Privacy