Privacy Policy
1. General
​
In this privacy policy, we, GOMA Treuhand & Consulting AG ("GOMA", "us" or "we"), describe how we collect and process personal data. This privacy policy is not a comprehensive description; there may be additional, supplementary documents that explain or regulate certain data protection topics in more detail. For the purposes of this privacy policy, personal data means all information relating to an identified or identifiable person.
​
2. Controller and Contact
​
Responsible entity for data processing:
GOMA Treuhand & Consulting AG, Alfred-Escher-Strasse 24, 8002 Zurich
Contact for data protection matters:
GOMA Treuhand & Consulting AG, Alfred-Escher-Strasse 24, 8002 Zurich
Email: info@gomatreuhand.ch
External ICT service provider:
PC FOX, Bühlwiesenstrasse 10, 8052 Zurich
Email: info@pcfox.ch

3. Information about the External ICT Service Provider
​
We use an external service provider (data processor) for certain ICT services, who processes personal data on our behalf. These service providers are contractually obligated to process the data only according to our instructions and to implement appropriate technical and organizational security measures. GOMA is the data controller and responsible for compliance with data protection regulations.
Processing is carried out for the purpose of delivering ICT services such as hosting, IT support, cloud services, or technical maintenance. The external service provider ensures compliance with data protection requirements (confidentiality obligations and notification requirements in the event of data breaches). If data is transferred abroad, we ensure that an adequate level of data protection is guaranteed. The provider must maintain measures such as backups, disaster recovery, and emergency plans to ensure data availability and business continuity even in the event of disruptions. Upon termination of the collaboration, the data will be either deleted or returned.
​
4. Collection and Processing of Personal Data
​
We process personal data in the following categories:
- Data of customers for whom we provide or have provided services.
- Personal data that we indirectly receive from our clients during service delivery.
- When visiting our website.
- When participating in an event organized by us.
- When we communicate or a visit takes place.
- In other contractual relationships, e.g., as supplier, service provider, or consultant.
- In the case of applications.
- When required by law or regulations.
- When we fulfill due diligence obligations or other legitimate interests, e.g., to avoid conflicts of interest, money laundering, or other risks, ensure data accuracy, check creditworthiness, ensure security, or enforce our rights.
More detailed information can be found under section 6.
​
5. Categories of Personal Data
​
Which personal data we process depends on your relationship with us and the purpose for which we process the data.
In addition to your contact details, we also process other information about you or about individuals who are connected to you. This information may, in some cases, include sensitive personal data.
We collect the following categories of personal data, depending on the purpose for which we process them:
- Contact information (e.g. name, first name, address, telephone number, email)
- Customer information (e.g. date of birth, nationality, marital status, profession, title, job title, passport/ID number, AHV [social security] number)
- Risk assessment data (e.g. credit information, commercial register data)
- Financial information (e.g. bank account data)
- Mandate data, depending on the assignment (e.g. tax information, statutes, protocols, projects, contracts, employee data such as salary, social insurance, accounting data, beneficial owners, ownership structures)
- Website data (e.g. IP address, device information [UDI], browser information, website usage [analysis and use of plugins, etc.])
- Application data (e.g. CV, reference letters)
- Marketing information
- Security and network data (e.g. visitor lists, access controls, network and email scanners, telephone call logs)
Where permitted, we also collect certain data from publicly accessible sources (e.g. debt enforcement register, land register, commercial register, press, internet), or receive such data from our clients and their employees, authorities, (arbitration) courts, and other third parties.
In addition to the data you provide directly to us, the categories of personal data we may receive from third parties about you include, in particular:
- information from public registers
- information obtained in connection with official or legal proceedings
- information related to your professional role and activities (e.g. so we can conduct and process transactions with your employer with your assistance)
- information about you from correspondence and meetings with third parties
- credit ratings
- information about you provided by persons in your environment (family, advisors, legal representatives, etc.) so that we can enter into or execute contracts with you or involving you (e.g. references, your address for deliveries, powers of attorney)
- information required to comply with legal requirements such as anti-money laundering laws and export restrictions
- information from banks, insurance companies, distributors, and other business partners of ours regarding services used or provided by you (e.g. completed payments, purchases)
- information about you from media and internet sources (as relevant to the specific case, e.g. during an application process)
- your addresses and, if applicable, interests and other socio-demographic data (for marketing purposes)
- data in connection with the use of the website (e.g. IP address, MAC address of smartphone or computer, details about your device and settings, cookies, date and time of visit, accessed pages and content, functions used, referring website, location data)
​
6. Purposes and Legal Bases of Data Processing
​
6.1. Service Provision
We primarily process the personal data that we receive in the context of our client relationships (mandates) with our customers and other contractual relationships with business partners, as well as from other individuals involved.
The personal data of our clients typically includes the following information:
- Contact information (e.g. name, first name, address, telephone number, email, and other contact details)
- Personal information (e.g. date of birth, nationality, marital status, profession, title, job title, passport/ID number, AHV [social security] number, family relationships, etc.)
- Risk assessment data (e.g. credit information, commercial register data, sanctions lists, specialized databases, data from the internet)
- Financial information (e.g. bank account data, investments, or ownership interests)
- Mandate-related data, depending on the assignment (e.g. tax information, statutes, protocols, employee data such as salary, social insurance, accounting data, etc.)
- Sensitive personal data: Among this data, there may also be particularly sensitive personal data, such as information about health, religious beliefs, or social assistance measures, especially when we provide services in the area of payroll processing or accounting.
We process this personal data for the purposes described based on the following legal grounds:
- Conclusion or execution of a contract with the affected person or for their benefit, including contract initiation and any enforcement (e.g. consulting, fiduciary services)
- Compliance with a legal obligation (e.g. when we are required to disclose information)
- Legitimate interests (e.g. for administrative purposes, to improve our quality, ensure security, manage risk, enforce our rights, defend against claims, or check for potential conflicts of interest)
- Consent (e.g. to send you marketing information)

6.2. Indirect data processing from service provision
​
When we provide services to our clients, it may occur that we also process personal data that we have not collected directly from the data subjects themselves or that pertains to third parties. These third parties typically include employees, contact persons, family members, or individuals who are otherwise connected to our clients or the affected persons.
We require this personal data in order to fulfill contracts with our clients. We receive this data either from our clients or from third parties who have been instructed by our clients.
Third parties whose information we process for this purpose are informed by our clients that we are processing their data. Our clients may refer them to this privacy policy for more information.
The personal data of individuals associated with our clients generally includes the following information:
- Contact information (e.g. name, first name, address, telephone number, email, other contact details, marketing data)
- Personal information (e.g. date of birth, nationality, marital status, profession, title, job title, passport/ID number, AHV [social security] number, family relationships, etc.)
- Financial information (e.g. bank account data, investments, or ownership interests)
- Mandate-related data, depending on the assignment (e.g. tax information, statutes, protocols, employee data such as salary, social insurance, accounting data)
- Sensitive personal data: Among this personal data, there may also be particularly sensitive data, such as information on health, religious beliefs, or social assistance measures, especially when we provide payroll or accounting services.
We process this personal data for the purposes described based on the following legal grounds:
- Conclusion or execution of a contract with or for the benefit of the affected person (e.g. when fulfilling our contractual obligations)
- Compliance with a legal obligation (e.g. when we are required to disclose information)
- Legitimate interests, in particular our interest in providing optimal service to our clients.
​
6.3. Use of our Website
​
To use our website, no personal data needs to be disclosed. However, with each access, the server records a series of user information, which is temporarily stored in the server’s log files. When using this general information, no association with a specific person takes place. The collection of this information or data is technically necessary in order to display our website and to ensure its stability and security. This information is also collected to improve the website and to analyze its usage. In particular, this includes the following information:
- Contact information (e.g., name, first name, address, telephone number, email)
- Other information you provide to us via the website
- Technical information automatically transmitted to us or our service providers, information on user behavior, or website settings (e.g., IP address, UDI, device type, browser, number of clicks on the page, opening of the newsletter, clicking on links, etc.)
We process this personal data for the purposes described above on the basis of the following legal grounds:
- Legitimate interests (e.g., for administrative purposes, to improve our quality, analyze data, or promote our services)
- Consent (e.g., for the use of cookies).
​
6.4. Event Participation
​
When you participate in an event organized by us, we collect personal data in order to organize and carry out the event, and possibly to send you additional information afterwards. We also use your information to inform you about future events.
You may be photographed or filmed during these events, and we may publish this image or video material internally or externally.
The data collected typically includes the following:
- Contact information (e.g. name, first name, address, telephone number, email)
- Personal information (e.g. profession, position, title, employer, dietary preferences)
- Images or videos
- Payment information (e.g. bank account details)
We process this personal data for the purposes described, based on the following legal grounds:
- Fulfillment of a contractual obligation with or for the benefit of the data subject, including contract initiation and potential enforcement (e.g. enabling participation in the event)
- Legitimate interests (e.g. hosting events, sharing information about our events, delivering services, ensuring efficient organization)
- Consent (e.g. to send marketing information or to create image/video material)
​
6.5. Direct communication and visits
​
When you contact us (e.g. via telephone, email, or chat) or when we contact you, we process the personal data necessary for that communication. We also process this personal data when you visit us. In such cases, you may be required to provide your contact details either before your visit or at the reception. These details are stored by us for a certain period to protect our infrastructure and information.
To conduct telephone conferences, online meetings, video conferences, and/or webinars ("online meetings"), we use the services Zoom or Microsoft Teams. In doing so, we process in particular the following information:
- Contact information (e.g. name, first name, address, phone number, email)
- Communication metadata (e.g. IP address, duration of communication, communication channel)
- Recordings of conversations, e.g. in the case of video conferences
- Other information provided, uploaded, or created by the user during use of the video conferencing service, as well as metadata used for the maintenance of the service
Additional details on how personal data is processed by Zoom or Microsoft Teams can be found in their respective privacy policies.
- Personal information (e.g. profession, role, title, employer)
- Time and reason for the visit
We process this personal data for the purposes described above based on the following legal grounds:
- Fulfillment of a contractual obligation with or for the benefit of the data subject, including contract initiation and possible enforcement (e.g. delivery of a service)
- Legitimate interests (e.g. security, traceability, and administration of client relationships)
​
6.6. Applications
​
You may submit your application for a position with us either by post or via the email address provided on our website. The application documents and all personal data disclosed to us in this context will be treated strictly confidentially, will not be disclosed to third parties, and will be processed solely for the purpose of handling your application for employment with us. Unless you provide your consent to the contrary, your application documents will, after the conclusion of the recruitment process, either be returned to you or deleted/destroyed, insofar as they are not subject to a statutory retention obligation. The legal bases for processing your data are your consent, the performance of the contract with you, and our legitimate interests.
In particular, we process the following information:
- Contact information (e.g., name, first name, address, telephone number, email)
- Personal information (e.g., profession, position, title, current employer)
- Application documents (e.g., cover letter, references, diplomas, CV/résumé)
- Assessment information (e.g., evaluations by HR consultants, reference checks, assessments)
We process this personal data for the purposes described above on the basis of the following legal grounds:
- Legitimate interests (e.g., hiring new employees)
- Consent.
​​​
6.7. Suppliers, service providers, and other contractual partners
​
If we enter into a contract with you for the provision of services, we process personal data relating to you or your employees. We require this information in order to communicate with you and to make use of your services. We may also process this personal data to check whether a conflict of interest could arise in connection with our activities as an audit firm and to ensure that our cooperation does not involve unintended risks, e.g., in relation to money laundering or sanctions.
In particular, we process the following information:
- Contact information (e.g., name, first name, address, telephone number, email)
- Personal information (e.g., profession, position, title, employer)
- Financial information (e.g., bank account details)
We process this personal data for the purposes described above on the basis of the following legal grounds:
- Conclusion or performance of a contract with the data subject or for the benefit of the data subject, including contract initiation and possible enforcement
- Legitimate interests (e.g., avoidance of conflicts of interest, protection of the company, enforcement of legal claims)
​​​
7. Cookies
We use cookies on our website. Cookies are small files that are automatically created by your browser and stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. A cookie stores information related to the specific device used. However, this does not mean that we directly gain knowledge of your identity.
The use of cookies serves, on the one hand, to make the use of our services more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted once you leave our site.
In addition, we use temporary cookies to optimize user-friendliness, which are stored on your device for a defined period of time. If you visit our site again to use our services, it will automatically be recognized that you have already been with us and which inputs and settings you made, so that you do not need to enter them again.
We also use cookies to statistically record the use of our website and to evaluate it for the purpose of optimizing our services for you. These cookies allow us to automatically recognize that you have already visited us when you return to our site. Such cookies are automatically deleted after a defined period of time.
The data processed by cookies is necessary for the purposes mentioned. Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a warning always appears before a new cookie is set. Please note that completely disabling cookies may result in you not being able to use all the functions of our website.
​
8. Web Analysis
​
In order to gain insights into the use of our website, improve our online offering, and address you with advertising on third-party websites or on social media, we use the following web analytics and re-targeting technologies: Google Analytics. These tools are provided by third-party providers.
As a rule, the information collected for this purpose about the use of a website through cookies or similar technologies is transmitted to the server of the third-party provider. Depending on the provider, these servers may be located abroad. The transmission of the data usually takes place with shortened IP addresses, thereby preventing the identification of individual devices.
Any transfer of this information by third-party providers takes place only on the basis of legal requirements or within the framework of commissioned data processing.
8.1. Google Analytics
We use Google Analytics on our websites, a web analytics service provided by Google LLC, Mountain View, California, USA, with responsibility for Europe held by Google Limited Ireland (“Google”). To deactivate Google Analytics, Google provides a browser plug-in at https://tools.google.com/dlpage/gaoptout?hl=en.
Google Analytics uses cookies. These are small text files that make it possible to store specific, user-related information on the user’s device. This enables Google to analyze the use of our website. The information generated by the cookies about the use of our website (including your IP address) is generally transmitted to a Google server in the USA and stored there.
Please note that this website has been extended with the code “gat._anonymizeIp();” to ensure the anonymized collection of IP addresses (so-called IP masking). When anonymization is active, Google shortens IP addresses within member states of the European Union or in other contracting states of the Agreement on the European Economic Area, so that no conclusions can be drawn about your identity. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
Google may combine your IP address with other Google data. For data transfers to the USA, Google has committed to sign and comply with the EU Standard Contractual Clauses.
​
8.2. Google Maps
​
On our website, we use Google Maps from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; responsibility for Europe lies with Google Limited Ireland, “Google”). Google Maps is a web service for displaying interactive maps to visually present geographic information. Using this service, our location is displayed, and directions to our premises can be facilitated.
When you access the pages on which the Google Maps map is embedded, information about your use of our website (e.g., your IP address) is transmitted to Google servers in the USA and stored there. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists.
If you are logged into Google, your data is directly associated with your account. If you do not wish your data to be linked to your Google profile, you must log out of your account before activating the map. Google stores your data (even for users who are not logged in) as usage profiles and evaluates them.
For data transfers to the USA, Google has committed to sign and comply with the EU Standard Contractual Clauses.
8.3. Social Media Plugins
​
Our website uses so-called social media plugins (“plugins”) from third-party providers. The plugins can be recognized by the logo of the respective social network. Through these plugins, we provide you with the ability to interact with social networks and other users. On our website, we use the following plugins: Facebook, LinkedIn.
When you access our website, your browser establishes a direct connection to the servers of the third-party provider. The content of the plugin (e.g., YouTube videos) is transmitted directly from the respective third-party provider to your browser and embedded in the page. The data transfer for displaying content (e.g., posts on Twitter) occurs regardless of whether you have an account with the third-party provider and are logged in.
If you are logged into the third-party provider, the data collected by us is also directly associated with your existing account on that provider. By activating the plugins, this information may also be published on the social network and displayed to your contacts.
For the purpose and scope of data collection and the further processing and use of the data by the third-party providers, as well as your related rights and privacy settings, please refer to the privacy policies of the respective providers. The third-party provider stores the data collected about you as usage profiles and uses it for advertising, market research, and/or the tailored design of its website. Such evaluations also occur for users who are not logged in, in order to display targeted advertising and to inform other users of the social network about your activities on our website.
If you wish to prevent the third-party providers from linking the data collected via our website to your personal profile on the respective social network, you must log out of the relevant social network before visiting our website. You can also completely block the loading of plugins using specialized browser add-ons such as Ghostery (https://www.ghostery.com/) or NoScript (http://noscript.net/).
9. Data Sharing and Data Transfer
​
We only share your data with third parties if this is necessary to provide our services, if these third parties perform a service on our behalf, if we are legally or officially obliged to do so, or if we have a legitimate interest in sharing the personal data. We will also share personal data with third parties if you have given your consent or requested us to do so.
Not all personal data is transmitted in encrypted form by default. Unless explicitly agreed otherwise with the customer, only payroll administration data, payslips, salary statements, and tax data of natural persons are transmitted in encrypted form.
The following categories of recipients may receive personal data from us:
- Service providers (e.g., IT service providers, hosting providers, suppliers, consultants, lawyers, insurance companies)
- Third parties in the context of our legal or contractual obligations, authorities, government agencies, courts
We enter into contracts with service providers who process personal data on our behalf, obliging them to ensure data protection. The majority of our service providers are located in Switzerland. Certain personal data may also be transferred to Europe, the USA (e.g., Google Analytics data), or, in exceptional cases, to other countries worldwide.
If a data transfer to other countries that do not provide an adequate level of data protection is necessary, this will be carried out on the basis of EU Standard Contractual Clauses (e.g., in the case of Google) or other appropriate instruments.
10. Retention period of personal data
​
We process and store your personal data for as long as it is necessary to fulfill our contractual and legal obligations or for other purposes related to processing. This means, for example, for the duration of the entire business relationship (from initiation, execution, to termination of a contract) and beyond, in accordance with statutory retention and documentation obligations.
It is possible that personal data will be retained for the period during which claims against our company may be asserted (i.e., in particular, during the statutory limitation period) and as long as we are otherwise legally obliged to retain them or have legitimate business interests (e.g., for evidence and documentation purposes).
Once your personal data is no longer required for the purposes mentioned above, it will generally be deleted or anonymized wherever possible. For operational data (e.g., system logs), shorter retention periods of twelve months or less generally apply.
11. Data security
​
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access and misuse. These measures include, for example, issuing internal guidelines, conducting training, implementing IT and network security solutions, access controls and restrictions, encryption of data storage and transmissions, pseudonymization, and regular audits.
12. Obligation to provide personal data
​
As part of our business relationship, you must provide the personal data that is necessary for initiating and conducting the business relationship and for fulfilling the associated contractual obligations (in general, you are not legally obliged to provide us with this data). Without this information, we will not be able to enter into a contract with you (or with the entity or person you represent) or to process it.
Certain information is also required to use the website, such as data necessary to ensure data transmission (e.g., IP address); without providing this information, the website cannot be used.
13. Your Rights
​
In connection with our processing of personal data, you have the following rights:
- The right to obtain information about the personal data we hold about you, the purpose of processing, the origin of the data, and the recipients or categories of recipients to whom personal data is disclosed
- The right to rectification if your data is inaccurate or incomplete
- The right to restriction of processing of your personal data
- The right to request the deletion of processed personal data
- The right to data portability
- The right to object to the processing of your data or to withdraw consent to the processing of personal data at any time without giving reasons
- The right to lodge a complaint with a competent supervisory authority, where legally provided
To exercise these rights, please contact us at the address provided under section 2. Please note that we reserve the right to invoke legally permitted restrictions, for example, if we are obliged to retain or process certain data, have a legitimate overriding interest (where we are entitled to rely on it), or require the data for asserting claims. If any costs are incurred for you, we will inform you in advance.
14. Changes to Privacy Policy
​
We expressly reserve the right to amend this Privacy Policy at any time. Last updated: May 2025
