Privacy Policy

1. General information


In this Privacy Policy, we, GOMA Treuhand & Consulting Ltd (“GOMA,” “us,” or “we”), describe how we collect and process personal data. This Privacy Policy does not constitute a comprehensive description; there may be additional, supplementary documents that explain or regulate specific data protection topics in more detail. For the purposes of this Privacy Policy, personal data means any information relating to an identified or identifiable person.

2. Responsible Entity and Contact


The entity responsible for data processing is:

GOMA Treuhand & Consulting Ltd

Alfred-Escher-Strasse 24, 8002 Zurich


Contact for data protection inquiries:

GOMA Treuhand & Consulting Ltd

Alfred-Escher-Strasse 24, 8002 Zurich
info@gomatreuhand.ch


External ICT service provider:
PC FOX, Buehlwiesenstrasse 10, 8052 Zurich
info@pcfox.ch

3. Information about the external ICT service provider


We engage an external service provider (processor) for certain ICT services who processes personal data
on our behalf. These providers are contractually obligated to process the data only according to our
instructions and to comply with appropriate technical and organizational security measures. GOMA is the
data controller responsible for complying with data protection regulations. The processing is carried out
for the purpose of providing ICT services such as hosting, ICT support, cloud services, or technical
maintenance. The external provider ensures compliance with data protection requirements
(confidentiality obligations and notification duties in case of data breaches). If data is transferred abroad,
we ensure that an adequate level of data protection is maintained. The provider must implement
measures such as backup, disaster recovery, and emergency plans to ensure data availability and
business continuity even in case of disruptions. Upon termination of the cooperation, the data will be
deleted or returned.

4. Collection and Processing of Personal Data


We process personal data particularly in the following categories of processing:


• Customer data from clients for whom we provide or have provided services.
• Personal data that we have indirectly received from our clients during service provision.
• When visiting our website.
• When participating in an event organized by us.
• When communicating with us or during a visit.
• In other contractual relationships, e.g., as a supplier, service provider, or consultant.
• In job applications.
• When we are legally or regulatorily obligated to do so.
• When fulfilling our due diligence duties or other legitimate interests, such as avoiding conflicts of
interest, preventing money laundering or other risks, ensuring data accuracy, checking
creditworthiness, ensuring security, or enforcing our rights.

More detailed information can be found in the description of the respective categories of processing in section 6.

5. Categories of Personal Data


Which personal data we process depends on your relationship with us and the purpose for which we
process it. In addition to your contact details, we also process other information about you or persons
related to you. Some of this information may, under certain circumstances, include particularly sensitive
personal data.


We collect the following categories of personal data, depending on the purpose for which we process them:


• Contact information (e.g., name, first name, address, phone number, email)
• Customer information (e.g., date of birth, nationality, marital status, profession, title, job title,
passport/ID number, social security number)
• Risk assessment data (e.g., credit information, commercial register data)
• Financial information (e.g., bank account details)
• Mandate data, depending on the assignment (e.g., tax information, statutes, minutes, projects,
contracts, employee data such as salary, social insurance, accounting data, beneficial owners, ownership structures)
• Website data (e.g., IP address, device information (UDI), browser information, website usage
including analysis and use of plugins)
• Application data (e.g., CV, work references)
• Marketing information
• Security and network data (e.g., visitor lists, access controls, network and mail scanners, telephone
call logs)

As far as permitted, we also obtain certain data from publicly accessible sources (e.g., debt enforcement
registers, land registers, commercial registers, press, internet) or receive such data from our clients and
their employees, authorities, (arbitration) courts, and other third parties. In addition to the data you provide
to us directly, the categories of personal data we receive from third parties about you particularly include
information from public registers, information obtained in connection with official and judicial proceedings,
information related to your professional functions and activities (e.g., to conclude and manage business
with your employer with your assistance), information about you in correspondence and meetings with
third parties, credit information, information about you provided by persons in your environment (family,
advisors, legal representatives, etc.) to enable us to conclude or manage contracts with or involving you
(e.g., references, your delivery address, powers of attorney), information to comply with legal requirements such as anti-money laundering and export restrictions, information from banks, insurers, distributors, and
other contractual partners regarding your use or provision of services (e.g., payments made, purchases
made), information from media and the internet about you (where relevant, e.g., in the context of an
application), your addresses and possibly interests and other sociodemographic data (for marketing), and
data related to website usage (e.g., IP address, MAC address of smartphone or computer, device and
settings information, cookies, date and time of visit, accessed pages and content, used functions, referring
website, location data).

6. Purposes of data processing and legal basis


6.1. Provision of services


We primarily process the personal data that we receive from our clients and other involved persons in the
context of our mandate relationships with our clients and other contractual relationships with business
partners.


The personal data of our clients particularly includes the following information:
• Contact information (e.g., name, first name, address, phone number, email, other contact details)
• Personal information (e.g., date of birth, nationality, marital status, profession, title, job title,
passport/ID number, social security number, family relationships, etc.)
• Risk assessment data (e.g., credit information, commercial register data, sanction lists, specialized
databases, data from the internet)
• Financial information (e.g., bank account details, investments, or holdings)
• Mandate data, depending on the assignment, such as tax information, statutes, minutes, employee
data (e.g., salary, social insurance, accounting data, etc.)
• Particularly sensitive personal data: These personal data may also include particularly sensitive
data, such as health information, religious beliefs, or social assistance measures, especially when
we provide services in payroll processing or accounting.
We process these personal data for the described purposes based on the following legal grounds:
• Conclusion or execution of a contract with or for the benefit of the data subject, including
contract initiation and possible enforcement (e.g., consulting, fiduciary services)
• Fulfillment of a legal obligation (e.g., when we are required to disclose information)
• Protection of legitimate interests (e.g., for administrative purposes, to improve our quality, ensure
security, conduct risk management, enforce our rights, defend against claims, or examine
potential conflicts of interest)
• Consent (e.g., to send you marketing information).


6.2. Indirect data processing from service provision


When we provide services for our customers, we may also process personal data that we have not collected
directly from the data subjects or personal data of third parties. These third parties are usually employees,
contact persons, family members or persons who have a relationship with the customers or data subjects
for other reasons. We require this personal data in order to fulfil contracts with our customers. We receive
this personal data from our customers or from third parties commissioned by our customers.
Third parties whose information we process for this purpose are informed by our customers that
we process their data. Our customers can refer to this privacy policy for this purpose.


The personal data of persons related to our clients particularly includes the following information:


• Contact information (e.g., name, first name, address, phone number, email, other contact details,
marketing data)
• Personal information (e.g., date of birth, nationality, marital status, profession, title, job title,
passport/ID number, social security number, family relationships, etc.)
• Financial information (e.g., bank account details, investments, or holdings)
• Mandate data, depending on the assignment, such as tax information, statutes, minutes, employee
data (e.g., salary, social insurance), accounting data
• Particularly sensitive personal data: These may include especially sensitive data such as health
information, religious beliefs, or social assistance measures, especially when we provide services in
payroll processing or accounting.


We process these personal data for the described purposes based on the following legal grounds:
• Conclusion or execution of a contract with or for the benefit of the data subject (e.g., when we
fulfill our contractual obligations)
• Fulfillment of a legal obligation (e.g., when we are required to disclose information)
• Protection of legitimate interests, in particular our interest in providing optimal services to our clients.


6.3. Use of Our Website


To use our website, you do not have to disclose any personal data. However, the server collects a range of
user information with each visit, which is temporarily stored in the server's log files.
When using this general information, no assignment to a specific person takes place. The collection of this
information or data is technically necessary to display our website and to ensure its stability and security.
This information is also collected to improve the website and analyze its usage.


This particularly includes the following information:


• Contact information (e.g., name, first name, address, phone number, email)
• Additional information you submit to us via the website
• Technical information automatically transmitted to us or our service providers, information about
user behavior or website settings (e.g., IP address, UDI, device type, browser, number of clicks on
the page, newsletter openings, link clicks, etc.)
We process these personal data for the described purposes based on the following legal grounds:
• Protection of legitimate interests (e.g., for administrative purposes, to improve our quality,
analyze data, or promote our services)
• Consent (e.g., for the use of cookies)


6.4. Participation in Events


When you participate in an event organized by us, we collect personal data to organize and conduct the
event and, if applicable, to send you additional information afterward. We also use your information to
inform you about further events. It may happen that you are photographed or filmed at these events, and
we may publish this image material internally or externally.


The personal data collected in connection with your participation in events particularly includes the
following information:


• Contact information (e.g., name, first name, address, phone number, email)
• Personal information (e.g., profession, function, title, employer company, dietary habits)
• Images or videos
• Payment information (e.g., bank details).
We process these personal data for the described purposes based on the following legal grounds:
• Fulfillment of a contractual obligation with or for the benefit of the data subject, including
contract initiation and possible enforcement (enabling participation in the event)
• Protection of legitimate interests (e.g., conducting events, disseminating information about our
events, providing services, efficient organization)
• Consent (e.g., to send you marketing information or to create image material).

6.5. Direct communication and visits


When you contact us (e.g., via phone, email, or chat) or we contact you, we process the personal data
necessary for this purpose. We also process personal data when you visit us; in this case, you may be
required to leave your contact details before your visit or at reception. These data are retained by us for a
certain period to protect our infrastructure and information.
For conducting teleconferences, online meetings, video conferences, and/or webinars ("online meetings"),
we use the services "Zoom" or "Microsoft Teams".


We process the following information in particular:


• Contact information (e.g., name, first name, address, phone number, email)
• Communication metadata (e.g., IP address, duration of communication, communication channel)
• Recordings of conversations, e.g., during video conferences
• Other information that the user uploads, provides, or creates while using the video conferencing
service, as well as metadata used for maintaining the provided service. Additional details about the
processing of personal data by "Zoom" or "Microsoft Teams" can be found in their privacy policies
• Personal information (e.g., profession, function, title, employer company)
• Time and reason for the visit.
We process these personal data for the described purposes based on the following legal grounds:
• Fulfillment of a contractual obligation with or for the benefit of the data subject, including
contract initiation and possible enforcement (provision of a service)
• Protection of legitimate interests (e.g., security, traceability, as well as handling and
administration of customer relationships).


6.6. Applications


You can submit your application for a position with us by mail or via the email address provided on our
website. The application documents and all personal data disclosed to us in this context are treated with
strict confidentiality, are not disclosed to any third party, and are processed only for the purpose of
handling your application for employment with us. Without your contrary consent, your application
file will either be returned to you or deleted/destroyed after the conclusion of the application process,
unless it is subject to a legal retention obligation. The legal bases for processing your data are your consent, the
fulfillment of the contract with you, and our legitimate interests.


We process the following information in particular in connection with your application:


• Contact information (e.g., name, first name, address, phone number, email)
• Personal information (e.g., profession, function, title, employer company)
• Application documents (e.g., cover letter, certificates, diplomas, resume)
• Evaluation information (e.g., assessments by personnel consultants, reference information, assessments).
We process these personal data for the described purposes based on the following legal grounds:
• Protection of legitimate interests (e.g., hiring new employees)
• Consent.


6.7. Suppliers, service providers, other contractual partners


When we enter into a contract with you for the provision of a service, we process personal data of you
or your employees. We need this data to communicate with you and to utilize your services. Additionally, we
may process these personal data to check for any potential conflicts of interest related to our role as an
audit firm and to ensure that our collaboration does not expose us to unintended risks, such as those
related to money laundering or sanctions.


We process the following information in particular:


• Contact information (e.g., name, first name, address, phone number, email)
• Personal information (e.g., profession, function, title, employer company)
• Financial information (e.g., bank account details).
We process these personal data for the described purposes based on the following legal grounds:
• Conclusion or execution of a contract with or for the benefit of the data subject, including contract
initiation and possible enforcement
• Protection of legitimate interests (e.g., avoidance of conflicts of interest, protection of the
company, enforcement of legal claims).

7. Tracking technologies


On our website, we use cookies. These are small files that your browser automatically creates and stores
on your device (laptop, tablet, smartphone, etc.) when you visit our site.
Information is stored in the cookie that relates specifically to the device used. However, this does not
mean that we directly obtain knowledge of your identity. The use of cookies serves, on the one hand, to make
your use of our offer more pleasant. For example, we use so-called session cookies to recognize that you
have already visited certain pages of our website. These are automatically deleted after you leave our site.


In addition, we use temporary cookies to optimize user-friendliness, which are stored on your device for a
specific, defined period. When you visit our site again to use our services, it is automatically recognized
that you have been with us before and which inputs and settings you made, so you do not have to enter
them again. Furthermore, we use cookies to statistically record the use of our website and to evaluate it
for the purpose of optimizing our offer for you. These cookies enable us to automatically recognize that
you have visited our site before during a subsequent visit. These cookies are automatically deleted after a
defined period. The data processed through cookies are necessary for the purposes mentioned. Most
browsers accept cookies automatically. However, you can configure your browser so that no cookies are
stored on your computer or that you are always notified before a new cookie is set. Please note that
completely disabling cookies may result in you not being able to use all functions of our website.

8. Web analysis


To gain insights into the use of our website, improve our online offerings, and enable advertising targeting
on third-party websites or social media, we use the following web analytics and re-targeting technologies:
Google Analytics.
These tools are provided by third parties. Typically, the information collected for this purpose about website
usage is transmitted via cookies or similar technologies to the third party's servers. Depending on the
provider, these servers may be located abroad, which can have implications for data protection and
cross-border data transfers.
The transmission of data normally takes place with the truncation of IP addresses, which prevents the identification of individual devices. The transfer of this information by third parties occurs only due to legal requirements or within the scope of commissioned data processing.


8.1. Google Analytics


We use Google Analytics, the web analytics service of Google LLC, Mountain View, California, USA; for
Europe, Google Limited Ireland is responsible ("Google"). To disable Google Analytics, Google
provides a browser plug-in at https://tools.google.com/dlpage/gaoptout?hl=de. Google Analytics uses cookies - small text files that allow specific, user-related information to be stored on the user's device.
These enable Google to analyze the usage of our website offering.

The information collected by the cookies about your use of our pages (including your IP address) is
usually transmitted to a Google server in the USA and stored there. We point out that on this website,
Google Analytics has been extended with the code gat._anonymizeIp(); to ensure anonymized collection
of IP addresses (so-called IP masking). When anonymization is active, Google shortens IP addresses
within member states of the European Union or other contracting states of the Agreement on the
European Economic Area, so no conclusions can be drawn about your identity. Only in exceptional cases
is the full IP address transmitted to a Google server in the USA and shortened there. Google may
associate your IP address with other data held by Google. For data transfers to the USA, Google has
committed to signing and complying with the EU Standard Contractual Clauses.


8.2. Google Maps


On our website, we use Google Maps from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA
94043, USA; responsible for Europe is Google Limited Ireland, "Google"). Google Maps is a web service for
displaying interactive maps to visually present geographic information. By using this service,
our location is shown to you and any possible directions are facilitated. When you access those subpages in which the Google Maps map is embedded, information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there. This happens regardless of whether Google
provides a user account through which you are logged in or whether no user account exists. If you are
logged into Google, your data will be directly assigned to your account. If you do not wish this assignment
to your Google profile, you must log out before activating the button. Google stores your data
(even for users not logged in) as usage profiles and evaluates them. For data transfers to the USA, Google has
committed to signing and complying with the EU standard contractual clauses.


8.3. Social Media Plugins


On our website, so-called social media plugins ("plugins") from third-party providers are used.
The plugins can be recognized by the logo of the respective social network. Through the plugins, we offer you the possibility to interact with the social networks and other users. We use the following plugins on our website: Facebook, LinkedIn. When you visit our website, your browser establishes a direct connection to the servers of the third party. The content of the plugin (e.g., YouTube videos) is transmitted directly from
the respective third party to your browser and integrated into the page. The data transfer for displaying content (e.g., publications on Twitter) occurs regardless of whether you have an account with the third party and are logged in there. If you are logged in with the third party, the data collected by us is also directly assigned to your existing account with the third party. When you activate the plugins, the information is also
published on the social network and shown to your contacts there. For the purpose and scope of data
collection and the further processing and use of the data by the third parties, as well as your related rights
and settings options to protect your privacy, please refer to the privacy notices of the third parties. The
third party stores the data collected about you as usage profiles and uses them for advertising, market
research, and/or needs-based design of its website. Such evaluation is carried out especially for users not
logged in to display targeted advertising and to inform other users of the social network about your
activities on our website.


If you want to prevent third parties from assigning the data collected through our website to your
personal profile in the respective social network, you must log out of the corresponding social network
before visiting our website. You can also completely prevent the loading of the plugins with specialized
browser add-ons such as "Ghostery" (https://www.ghostery.com/) or "NoScript" (http://noscript.net/).

9. Data transfer and data transmission


We only share your data with third parties if this is necessary to provide our service, if these third parties
perform a service for us, if we are legally or officially obliged to do so, or if we have a legitimate interest in
sharing the personal data. We will also share personal data with third parties if you have given your consent
or have requested us to do so.
Not all personal data is transmitted encrypted by default. Unless explicitly agreed otherwise with the
customer, in particular only payroll administration data, payroll statements, salary certificates, and tax data
of natural persons are transmitted encrypted.


The following categories of recipients may receive personal data from us:


• Service providers (e.g., IT service providers, hosting providers, suppliers, consultants, lawyers,
insurers)
• Third parties within the scope of our legal or contractual obligations, authorities, government
agencies, courts.
With service providers who process personal data on our behalf, we conclude contracts that obligate
them to ensure data protection. The majority of our service providers are located in Switzerland. Certain
personal data may also be transferred to Europe, the USA (e.g., Google Analytics data), or, in exceptional
cases, to other countries worldwide. If a data transfer to countries without an adequate level of data
protection is necessary, this is done based on the EU standard contractual clauses (e.g., in the case of
Google) or other suitable instruments.

10. Duration of storage of personal data


We process and store your personal data for as long as is necessary for the fulfilment of our contractual
and legal obligations or otherwise for the purposes pursued with the processing, i.e. for the duration of
the entire business relationship (from the initiation, processing to the termination of a contract) and
beyond that in accordance with the statutory retention and documentation obligations.
It is possible that personal data will be retained for the period during which claims can be made against
our company (i.e., in particular during the statutory limitation period) and as long as we are otherwise
legally obligated or legitimate business interests require it (e.g., for evidence and documentation
purposes). As soon as your personal data is no longer needed for the purposes mentioned above, it will
generally be deleted or anonymized as far as possible. For operational data (e.g., system logs), generally
shorter retention periods of twelve months or less apply.

11. Data protection


We take appropriate technical and organisational security precautions to protect your personal data from
unauthorised access and misuse, such as issuing instructions, training, IT and network security solutions,
access controls and restrictions, encryption of data carriers and transmissions, pseudonymisation and
controls.

12. Obligation to provide personal data


As part of our business relationship, you must provide the personal data that is necessary for the
establishment and execution of a business relationship and the fulfilment of the associated contractual
obligations (as a rule, you do not have a legal obligation to provide us with data).

Without this data, we will not be able to enter into or fulfil a contract with you (or the entity or person you represent). The website can also not be used if certain information to secure data traffic (such as IP address) is not disclosed.

13. Your rights


You have the following rights in connection with our processing of personal data:
• Right to information about the personal data we store about you, the purpose of the processing,
the origin, and recipients or categories of recipients to whom personal data is disclosed
• Right to correction if your data is incorrect or incomplete
• Right to restriction of the processing of your personal data
• Right to request the deletion of the processed personal data
• Right to data portability
• Right to object to data processing or to revoke consent to the processing of personal data at any
time without giving reasons
• Right to lodge a complaint with a competent supervisory authority, if legally provided.
To exercise these rights, please contact the address provided under item 2.
Please note, however, that we reserve the right to assert the legally provided restrictions on our part, for
example, if we are obligated to retain or process certain data, have an overriding interest in doing so
(as far as we are entitled to invoke it), or need the data to assert claims. If any costs arise for you, we will inform
you in advance.

14. Amendment of the privacy policy


We expressly reserve the right to change this privacy policy at any time. Last updated: May 2025.