Privacy Policy
Key commitments
IOTA Group places fundamental importance on the protection of personal data. As the data controller, IOTA Group is responsible for the collection and processing of your personal data in the course of its activities.
This notice aims to inform you in a clear and transparent manner: 1) in which cases your personal data is collected, used, and protected; 2) about your associated rights, in accordance with the General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DPA).
1. Are you concerned by this notice?
This notice applies to you if you are:
Internally within IOTA Group
- Employee of IOTA Group, regardless of your status or position
- Emergency contact person with a familial or personal link to an employee
- Representative of a staff body or external organization in relation with the Group
Externally to IOTA Group
- Job applicant within the Group
- Client
- Supplier
- Subcontractor
- Partner
- Prospect
- Visitor
- Other external stakeholder
2. How can you control your data in the processing activities we carry out?
We hereby inform you of the rights you have regarding your personal data and the procedures for exercising them with IOTA Group:
- Access to your personal data.
- Rectification of inaccurate or incomplete data.
- Erasure of your data within the limits of the law.
- Restriction of processing in certain cases.
- Objection to processing for reasons related to your particular situation.
- Portability of your data.
- Right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects you.
- Withdrawal of your consent at any time.
- Post-mortem directives.
- Complaint to the authority responsible for monitoring data protection rules.
To exercise your rights, you may submit your request (including your email address and a copy of your identity document) to the Data Protection Officer (DPO) of IOTA Group:
📬 IOTA – 26 route de la gare – 1295 Mies – Switzerland
3. Why and on what legal basis do we use your personal data in our processing activities?
This section lists (in a non-exhaustive manner) the various purposes for which your data is processed, as well as the legal basis underlying each processing activity.
| Purpose of Processing | Legal Basis / Justification |
|---|---|
| Management of professional elections | Legal obligation |
| Monitoring of occupational health, medical visits, workplace accidents | Legal obligation |
| Declarations to administrative and social authorities | Legal obligation |
| Management of professional alert systems | Legal obligation |
| Management of working hours | Legal obligation |
| Fulfillment of reporting and information obligations to administrative authorities (tax and social) | Legal obligation |
| Management and monitoring of occupational health (sick leave, workplace accidents, occupational illness) | Legal obligation and legitimate interest |
| Management of professional records | Performance of the employment contract |
| Payroll management | Performance of the employment contract |
| Management of occasional business travel | Performance of the employment contract |
| Management of international mobility | Performance of the employment contract |
| Management of careers, performance, and training (including certifications) | Performance of the employment contract and legitimate interest |
| Management of commercial contracts (suppliers, clients, etc.) | Performance of the commercial contract |
| Management of invoicing, payments, and outstanding amounts | Performance of the commercial contract |
| Management of clients, suppliers, and service providers | Performance of the commercial contract and legitimate interest |
| Management and monitoring of disputes/disciplinary sanctions | Legitimate interest |
| Security of premises (video surveillance, access control) | Legitimate interest |
| Management of access authorizations to applications and networks | Legitimate interest |
| Management of systems (controls, etc.) to ensure the security and proper functioning of IT and networks | Legitimate interest |
| Use of IT tools (email, calendars) | Legitimate interest |
| Conducting satisfaction surveys and statistics | Legitimate interest |
| Management of calls for tenders and consultation letters | Legitimate interest |
| Conducting commercial prospecting activities | Legitimate interest |
| Planning and monitoring activities (organizational needs) | Legitimate interest |
| Management of applications and recruitment | Your consent and legitimate interest |
| Use of your image | Your consent |
4. What types of personal data do we collect?
This section informs you about the categories of personal data that may be collected as part of our activities:
- Identification data (surname, first name, employee number, ID)
- Personal and family data (address, telephone number, residence permit, visa, emergency contacts)
- Professional data (degrees, languages, career history)
- Health data (declared disability)
- Banking and social data (social security number, Tax ID, IBAN)
- Trade union data (only for elections)
- Data concerning your devices (see Cookie Policy)
5. From whom do we collect personal data?
Primarily from you, but occasionally from third parties such as service providers and subcontractors (for example, as part of reference checks or Jobboard subscriptions).
6. With whom do we share your personal data and why?
Your data may be shared with:
- Internal departments of IOTA Group (HR, IT, security, communications, etc.)
- Entities belonging to IOTA Group as part of our internal organization
- Subcontractors and service providers (hosting, maintenance, security, audit)
- Clients (access to premises, compliance obligations)
- Authorities (administrative, judicial)
- Social security organizations, pension and provident institutions, statutory auditors, auditors
7. International transfers of personal data
Transfers may take place to entities of IOTA Group located both within and outside the European Union. IOTA Group ensures that such transfers are governed by contractual clauses that comply with applicable regulations and guarantee an adequate level of protection. These transfers are carried out in accordance with internal procedures and current legal or regulatory obligations, in order to ensure the security and confidentiality of the processed data.
8. How long do we retain your personal data?
Examples of retention periods:
| Data Type | IOTA Retention Period | Trigger |
|---|---|---|
| Payslips | 10 years | Date of payslip issuance |
| Job applications | 3 months if rejected; 2 years with consent | Date of recruitment closure |
| Working hours records | 5 years | Date of clock-in or entry |
| Cookies / trackers | 13 months | Date of cookie or tracker placement |
| Accounting documents | 10 years | Date of fiscal year closure or document creation |
| Absence data | 5 years | Date of the event (absence, leave, sick leave) |
| Data related to the employment contract (including medical certificate) | 10 years | End date of the employment contract |
| Data related to commercial contracts | 10 years | End date of the contract |
| Data related to prospects | 3 years | Date of last contact |
| Connection logs | 6 to 12 months | Date of log (continuous collection) |
| Video surveillance | 1 month | Date of video recording |
Subject to an explicit legal basis, certain retention periods may vary or be extended depending on the legal basis justifying the collection and processing of such data (notably legitimate interest), or in the event of renewed consent for data collected and processed on this legal basis.
9. How to monitor changes to this privacy policy?
This policy is updated regularly. The current version is available at the headquarters of IOTA Group – 26 route de la gare – 1295 Mies – Switzerland.
Updated on November 25th 2025