Data Protection Statement – executive consulting group

Introduction

1 September 2023

This Privacy Policy details how we, the Executive Consulting Group AG (henceforth xcg, we or us), obtain and process personal information. This is not a comprehensive description; in relevant situations, other privacy policies or general terms and conditions, participation conditions or similar document-specific facts may apply. Under the term personal data we define all information which pertains to a specific or specifiable person.

With the usage of our services you agree to our Privacy Policy. When providing us with the data of other person(s) (e.g. family members, colleagues, etc.), please ensure that they are aware of this Privacy Policy and only share their Personal information if you have the right to do so and the information is valid.

This Privacy Policy is designed with the General Data Protection Regulation (GDPR) of the EU, the Swiss Data Protection Law (Datenschutzgesetz; “DSG”), and the revised Swiss data Protection Law (revidierte Datenschutzgesetz; “revDSG”) in mind. If and in what ways these laws are applicable, however, is to be determined on a case-by-case basis.

1. Basis and important terms

xcg is a consulting firm domiciled in Zürich (Switzerland). xcg provides services in the scope of management consulting and concrete evaluation and development of candidates at the senior management level for its national as well as international customers.

Under “customer” or “client” we understand all of our customers and their employees, who want to evaluate or develop candidates through xcg and to whom we offer our services.

“Candidate” describes every candidate, applicant, customer employee or those interested, who in relation to our services is evaluated or developed by xcg.

“Reference” describes any person(s), who provides personal references or employment for a specific candidate.

“Provider” describes every legal entity other than xcg, who provides products or services for xcg according to a contract with xcg.

2. Responsibility / privacy officer / representative

Unless defined differently in individual cases, xcg (Thujastrasse 6, 8038 Zürich) is responsible for the processing of the data described in this document. For concerns regarding data protection and related legalities, we are reachable under the following addresses (if possible, please let us know what data this pertains to):

Executive Consulting Group AG, Thujastrasse 6, CH-8038 Zürich, info@xcg.ch

3. Collection and processing of personal data

We primarily obtain, collect and process the personal data that we, in context of our business connection with our clients, candidates, and their other business partners, obtain from them and other participating parties, or those that we collect through our website and other applications from the users.

3.1. Candidate data

3.1.1 Personal data provided from the candidates

In sending us your CV per email, or by communicating with xcg in connection to our services through our partners or other means of communications, we obtain personal data.

You are not obligated to provide information to xcg or to make use of the services offered by us. Therefore we see all information that we collect from you as information provided freely and knowingly.

Regarding the information that we receive (and/or collect) from candidates, they usually are:

• Contact data, such as name, E-Mail adresses, postal address, and telephone number.
• Information from the CV: e.g. your career history, your educational history, your professional qualifications as well as your language skills and other activites and competences.

Under specific circumstances we also obtain resp. collect the following additional information about the applicant:

• Identification data: e.g. marital status, photo, birthdate, gender, nationality, corporate identity, national identification (i.e. social security number or equivalent identification number of your nation, driving license, personal identification or passport number).
• Lifestyle preferences and personality profile: e.g. engagement and membership in the community, hobbies, social activities and/or individual preferences, intellectual abilities, personality, behaviour, leadership competencies and/or character attributes.
• Information regarding health, diversity and criminal convictions: If applicable, and only in accordance with the local laws, we can obtain information regarding your health, your diversity (including ethnic background, religious or similar beliefs, physical or mental health, including disability-related information) and/or details regarding criminal convictions.
• Financial information: for the reimbursement of costs that occur in connection to the services rendered (e.g. costs related to travel, accommodation, or catering when participating in an introductory interview with a customer), we can obtain certain financial information that are necessary for the documentation of the costs and the reimbursement to you (e.g. bank account number and/or credit card number).
• Other information: e.g. previous military service record, details regarding salary and social services (in accordance with local law), performance data, details regarding associated individuals, migration status and all other relevant information, that you want to share with us. We also save your marketing preferences and our contact history with you.

3.1.2 Information about candidates from third party sources

We can obtain all of the personal data regarding you mentioned above from publicly available sources or from third parties, for example (i) sources and reference persons can relay personal information about you; (ii) our customers can provide us with your personal information; (iii) we can obtain personal information about you from publicly available third-party sources (e.g. LinkedIn, news articles, press releases).

3.1.3 Information made available to us by the clients

Our customers can, in connection to the usage of our services, provide us with the personal data of the candidates (e.g. they can provide us with a list of candidates that they want to evaluate in the context of an assessment). Generally, we process this data in the name of our clients. We use this information to provide our services to our clients and as our clients request. Under these circumstances, our clients control what personal information we collect about you and how we use said information, as the party responsible for the processing. If you have questions regarding data protection or concerns about the data privacy practices of a client resp. customer or to the decisions the client resp. customer has made to share your data with us or other third parties, you should turn to the client resp. customer or check their data privacy guidelines. We are not responsible for the data privacy or security practices of our clients resp. customers.

3.1.4 Data in connection with the use of our website

We can collect and process data such as e.g. the IP address and/or MAC address of the smartphone or computer, details regarding your device and settings, cookies, the date and time of your visit, pages and contents opened, functions utilized, forwarded websites, and location data.

3.2. Client data

Information that customers provide us with: In the context of performing our services we obtain and use information pertaining to you or at most persons in your organisation. Generally, we only require your contact data or the data of singular contact persons in your company (such as e.g. name, phone number, e-mail address and position) to ensure a frictionless procedure or to ensure that the design of our services is as close to reality as possible (e.g. the description of a realistic situation for a conversation simulation). We can also save additional information about you provided to us from someone in your organisation. Further customer data pertains information that we obtain in briefings from the clients themselves, or data that is included in business documents or in strategy papers or concepts that were made available to us.

3.3. Reference data (data provided by reference persons)

Information, that were provided to us from reference persons: when we receive a reference from you for one of our candidates, we can process your contact data (such as name, e-mail, address and phone number). We can also process certain professional information (e.g. your professional title, your profession, your academic- as well as professional qualifications and your professional history) and your connection to the candidate (e.g. your relationship with the candidate, your experiences with them and your opinions regarding them). Generally, we ask that the candidates provide us with the majority of this information, but we can substantiate this further with information that we obtain through publicly available sources (such as LinkedIn) or through direct queries to you.

4. Reasons for data processing and legal basis

We can use the personal data, which we collect during the process of performing our services, in different ways in context of the management consulting for the evaluation and development of high-level leaders as well as to comply with our legal duties within and outside of the country. If you are employed by one of our customers of business partners, you and your personal data may of course also be affected by this.

Furthermore, we process your and the personal data of further persons, if it is allowed and we deem it beneficial for the following reasons, for which we (and sometimes also third-parties) have a purposeful, justified interest:

4.1. Candidate data

We process candidate data for consulting services for our customers, including the evaluation and development of candidates according to expert assessments by xcg using psychometric evaluations or through requesting information from third parties (e.g. reference persons). We can use your personal data also for other business purposes, for example for data analysis, the investigation of usage trends, the creation of anonymised data sets for the purposes of research, statistics, and analysis, the creation of knowledge documents (e.g. White Papers), the evaluation of the effectivity of our services and/or the expansion, adjustment and improvement of our functions, products and services.

As long as you provide us with the consent to process your personal information for specific purposes, we will process your data in context of and based on this consent, as long as we do not have any other legal bases to do so and do not require such a basis. Your consent can at any time be revoked, which however will have no effect on the data processed up until that point.

4.2. Client data

We generally use customer data for the following purposes:

to provide the consulting service for your organisation; to manage our business relationship between you and your organisation; and/or for our other business purposes, for example data analysis, creation of anonymous data sets for the sake of research, statistics and analyses, the creation of knowledge contributions (such as White Papers), the assessment of the effectivity of our services and/or for the expansion, adjustment and improvement of our functions, products and services.

4.3. Reference data

We use reference data to bring in an additional data point about candidates in the context of fulfilling our services for our clients.

5. Cookies / tracking and other technologies in connection with the use of our website

We typically use “cookies” and comparable technologies on our websites, with which your browser or your device can be identified. A cookie is a small piece of data which is sent automatically to your computer or resp. saved on your device by your web browser when you visit our website. On re-visiting the website, we can recognize you, even if we do not know who you are. Next to cookies, which are only used during a session and are deleted at the end of your website visit (“session cookies”), cookies can also be used to save user settings and other information over a specific time period (“permanent cookies”). You can, however, set up your browser in such a way that it rejects cookies, only saves them for a single session, or otherwise deletes them prematurely. Most browsers are pre-configured in such a way that they accept cookies.

Both the technical data collected by us as well as the cookies generally do not contain any personal data. However, personal data, which we or by us commissioned third parties save regarding you (e.g. if you have a user account with us or one of these third parties) can be connected with the technical data collected from you resp. the data saved in the cookies, and therefore can be possibly attached to your person.

We can also partially use social media plug-ins, that is to say small software building blocks, which creates a connection between your visit to our website and a third party. The social media plug-in informs the third party that you have visited our website and can then transfer cookies over to the third party that they placed in your web browser beforehand. Further information regarding how these third parties use the data gathered from you through their social media plug ins can be ascertained from their privacy policies.

Furthermore, we use the services of third parties (who may implement cookies of their own) on our website, especially to improve the functionality or content of our website (e.g. the integration of maps) or to generate statistics.

On our website and in the digital area we make use of the services of the following service providers and advertisement partners. Their contact data as well as the information regarding their own data processing is available in their specific privacy policies.

Google Analytics and Google Tag Manager

• Provider: Google Ireland Ltd., Ireland
• Privacy notice: policies.google.com/privacy

Google Maps

• Provider: Google LLC, USA
• Privacy notice: policies.google.com/privacy

LinkedIn

• Provider: LinkedIn Ireland Unlimited Company, Ireland
• Privacy notice: https://de.linkedin.com/legal/privacy-policy?

SBB

• Provider: Schweizerische Bundesbahnen AG, Switzerland
• Privacy notice: https://www.sbb.ch/de/meta/legallines/datenschutz.html

XING

• Provider: New Work SE, Germany
• Privavy notice: privacy.xing.com/de/datenschutzerklaerung

From a legal perspective in the context of data protection, these third parties are partially contractors of ours (e.g. Google Analytics) and partially the parties responsible. Further information regarding this can be obtained from their privacy statements.

With the usage of our website, you agree to the employment of these techniques. If you would like to avoid this, you must set your browser resp. your e-mail software up in accordance with your wishes.

6. The sharing of your data and the transfer of the data overseas

We give data to third parties in accordance to figure 4 as far as permitted and in our view fitting, be it for the processing of the data for us in accordance with a contract, or for their own purposes. This is generally in regards to the following parties:

• Service providers (e.g. banks or insurance companies), including order processors (such as an IT-provider);
• Merchants, suppliers, subcontractors and other business partners;
• Customers;
• Local and foreign authorities, offices and courts;
• Media;
• The public, including visitors to websites and social media;
• Co-applicants, branch organisations, associations, organisations and further committees;
• Acquirers or those interested in purchasing business areas, companies, or other parts of xcg;
• Other parties in possible or actual legal proceedings;

and all joint recipients.

These recipients are partially domestic, but can be in rare cases in any location on the planet. You must, in particular, expect the transmittance of your data to other countries in Europe and the USA, where the by us employed services providers are located (such as Microsoft).

If a recipient finds themselves in a country without a fitting lawfully mandated data protection policy, we contractually require the recipient to keep the applicable data protection rules (for this, we use the revised standard contractual clauses of the European commission, which can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), as long as this person is not already subject to a lawfully recognized framework for the upholding of the relevant data protection clauses or is given an exception. An exception can be made during foreign legal proceedings, but also in cases of exceptional public interest or if the completion of a contract requires such information to be publicized, the publishing or such information has been authorized by you or if it regards your private data which is publicly available, the processing of which has not been vetoed by you.

7. Storage duration of your private information

We process and save your personal data as long as it is necessary for the fulfilment for our contractual and legal commitments or for the processing of pursued goals, that is to say for example for the duration of the entire business relations (from the initiation, handling, and the completion of a contract) as well as the legally mandated storage and documentation obligations. As such it is possible that personal data may be stored for a time in which claims may be substantiated against our company and as far as we otherwise are legally obligated to do so or authorized business interested require this (for example, for the sake of evidence and documentation). As soon as your personal data is not necessary for the abovementioned uses, they will be generally and as far as possible deleted or anonymized. For operational data (e.g. system protocols, logs) generally shorter storage times of twelve months or less apply.

8. Data security

We take appropriate technical and organisational security measures for the protection of your personal data from unauthorized access and misuse, such as through issuing instructions, schoolings, IT- and network solutions, access control and -restrictions.

9. Oligatory providing of personal data

In the context of our business relationship, you must provide the personal data which for the initiation and execution of a business relationship and the fulfilment of the with this relationship bound legal obligations is necessary (however, generally there is no legal duty to provide us with data). The use of our website can also be restricted if certain disclosures necessary for the safeguarding of the data transfer (for example, the IP-address) are not provided.

10. The rights of the affected party

You have, in accordance with the data protection laws applicable to you and in the extent provided therein (such as in the case of the DSGVO), the right to the disclosure, correction, deletion, the right to the restriction of the processing of the data and also the opposition against our data processing as well as the giving out of certain personal information for the transference to another location (so-called data portability). Please note however, that that we reserve the right to follow legally mandated restrictions, for example when we are obligated to keep or process certain data, in which we have a predominant interest (as long as we are allowed to call upon it) or data which is necessary for the assertion of certain claims. If costs are incurred on your behalf, we will inform you beforehand. Regarding your right to rescind your consent, we have already informed you under figure 4. Please note, that claiming these rights may stand in conflict to contractual agreements and can have consequences such as the premature annulment of the contract or the may have financial consequences. We will inform you of this beforehand, unless it is already defined contractually.

Exercising such rights does require that you can with absolutely certainty prove your identity (e.g. for example through a copy of an identity document, if your identity is not otherwise clear or cannot be verified). To exercise your rights in this way, please contact the address given in figure 2.

Every person affected also has the right to enforce their entitlements or to file a complaint with the responsible data protection agency. The relevant data protection agency of Switzerland is the Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte (http://www.edoeb.admin.ch).

11. Changes

We can change and adjust this privacy policy without any prior announcements. The current version published on our website is always considered to be applicable. If the privacy policy is a part of a contractual agreement with you, we will inform you of any updates per e-mail or any other fitting method of communication.