Video Surveillance Privacy Notice Walder Wyss Ltd.

Status: 15 September 2025

1. What is this Video Surveillance Privacy Notice about?

Walder Wyss Ltd. (hereinafter also “we”, “us”) is a law firm with its registered office in Zurich, Switzerland, and branch offices in Basel, Bern, Geneva, Lausanne, and Lugano.

At our offices, we operate video surveillance cameras. Signs indicating the presence of video surveillance cameras are posted at the appropriate locations.

In this Video Surveillance Privacy Notice we inform you about our processing of personal data collected by and through our video surveillance cameras.

Please note that this Video Surveillance Privacy Notice is supplementary to our other data privacy notices, in particular our general data privacy notice which you can find here.

2. Who is responsible for processing your personal data?

For the processing of personal data within the scope of this Video Surveillance Privacy Notice, the following company is the data controller, i.e. the party primarily responsible for ensuring compliance with data protection laws:

Walder Wyss Ltd.
Seefeldstrasse 123, P.O. Box
8034 Zurich
Switzerland
privacy@walderwyss.com

3. For what purposes do we process which of your personal data?

As part of our operations, we may process different categories of personal data for different purposes. In particular, we process the following personal data from you for the following purposes:

• Security purposes and access controls: We process personal data (images/recordings of video surveillance cameras and related technical information as well as system/log data) to ensure appropriate security of our infrastructure (e.g., buildings and premises, IT and other equipment and work instruments) as well as other assets (data, documents), our staff and other individuals at Walder Wyss locations (such as clients, contractors, visitors, etc). Signs indicating the presence of video surveillance cameras are posted at the appropriate areas.
• Compliance with laws, directives and recommendations of authorities as well as internal regulations (“Compliance”): We process personal data (images/recordings of video surveillance cameras and related technical information as well as system/log data) to comply with applicable domestic and foreign law, self-regulations, certifications, industry standards, our corporate governance and for internal and external investigations to which we are a party (e.g. by a law enforcement or supervisory authority or an appointed private body).
• Risk management and corporate governance: We process personal data (images/recordings of video surveillance cameras and related technical information as well as system/log data) as part of risk management (e.g. to protect against criminal activities) and corporate governance.
• Other purposes: We process personal data (images/recordings of video surveillance cameras) for other legitimate operational purposes.

4. Where does the personal data come from?

The personal data is collected by/through our video surveillance cameras.

5. Who do we disclose your personal data to?

• Service providers: We work with service providers who (i) process personal data on our behalf (e.g. IT providers, consulting companies, insurance companies), (ii) process personal data in joint responsibility with us or (iii) process personal data that they have received from us or collected on our behalf on their own responsibility (e.g. other law firms, IT providers, consulting companies, insurance companies).
• Authorities and courts: We may disclose personal data to offices, courts, and other authorities (including police, prosecutors, our supervisory authority, etc.) in Switzerland and/or abroad if we are legally obligated or entitled to do so, or if this appears necessary to protect our interests. The recipients are themselves responsible for their processing of the personal data.
• Other persons: We may also disclose your personal data to other persons, provided we are legally obligated or entitled to do so, or if this appears necessary to protect our interests.

All these categories of recipients may involve third parties so your personal data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers who process personal data on our behalf), but not by others (e.g. courts, authorities, etc.).

6. Is your personal data also transferred cross-border?

We process and store personal data mainly in Switzerland. However, depending on the circumstances, personal data may potentially be processed in the European Economic Area (EEA) any country in the world, for instance through subcontractors of our service providers or in proceedings before foreign courts or authorities.

If a recipient is located in a country without adequate data protection, we contractually obligate the recipient to comply with an adequate level of data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed at https://eur-lex.europa.eu/eli/..., if necessary with the required adaptations for Switzerland), insofar as the recipient is not already subject to a legally recognized set of rules to ensure data protection. We may also disclose personal data to a country without adequate data protection without entering into a separate contract for this purpose if we can rely on an exception clause. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if disclosure is necessary to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable time frame, or if the data subject has made the personal data generally accessible or if the data subject has explicitly consented to such disclosure.

7. What rights do you have?

You have certain rights in connection with our data processing. In particular, you may, in accordance with applicable law, request information about the processing of your personal data, have inaccurate personal data rectified, request the deletion of personal data, object to data processing, request the release of certain personal data in a standard electronic format or its transfer to other data controllers.

If you wish to exercise your rights against us, please contact us; our contact details can be found in Section 2. To prevent misuse, we must verify your identity (e.g. with a copy of your ID, if necessary).

Please note that conditions, exceptions, or limitations apply to these rights (e.g. to protect third parties, trade secrets, and our professional obligation of confidentiality).

8. What else needs to be considered?

We do not presume that the EU General Data Protection Regulation (“GDPR”) is applicable to our data processing. Nonetheless, if the GDPR should apply to certain data processing on an exceptional basis, this Section 8 shall apply exclusively for the purposes of the GDPR and the data processing subject thereto.

In this case, we base the processing of your personal data in particular on the fact that

• it is necessary for the protection of legitimate interests of us or of third parties, e.g. for security purposes, for compliance with the law and internal regulations, for our risk management and corporate governance, implementation and follow-up of events and for the protection of other legitimate interests (see Article 6(1)(f) GDPR; see also Section 3);
• it is required or permitted by law due to our mandate or position under the law of the EU or the EEA or an EU member state (Article 6(1)(c) GDPR) or is necessary to protect your vital interests or those of other natural persons (Article 6(1)(d) GDPR).

We would like to point out that we process your personal data for as long as it is necessary for our processing purposes (cf. Section 3), the legal retention periods and our legitimate interests, in particular for documentation and evidence purposes, or if storage is technically required (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we generally delete or anonymize your personal data after the storage or processing period has expired as part of our usual processes and in accordance with our retention policy.

If you do not agree with our handling of your rights or data protection, please let us know (see contact details in Section 2). If you are located in the EEA, you also have the right to complain to the data protection supervisory authority in your country. You can find a list of authorities in the EEA here: https://www.edpb.europa.eu/abo...

9. Can this Video Surveillance Privacy Notice be changed?

This Video Surveillance Privacy Notice is not part of any contract with you. We may amend this Video Surveillance Privacy Notice at any time. The version published on this website is the current version.