Skip to content

Privacy policy

1. Who are we?

Baumgartner Mächler Rechtsanwälte AG (“Baumgartner Mächler”, hereinafter also “we”, “us”) is a law firm with its registered office at Löwenstrasse 2, 8001 Zurich and a branch office in Berne. Baumgartner Mächler Rechtsanwälte AG is responsible for processing your data. Our company data protection officer can be contacted at the above address, for the attention of Ms. Leandra Fasan, or at lf@bmlaw.ch.

2. What is this privacy policy about?

We collect and process personal data as part of our business activities. In this privacy policy, we inform you about how we collect and process personal data (i.e. data that directly or indirectly identifies you). In addition to this privacy policy, we may inform you separately about the processing of your data (e.g. on forms or in our contractual terms and conditions).

We process your personal data responsibly, in accordance with the applicable laws and in accordance with this privacy policy or separate notices about the processing of your data.

If you provide us with data about other persons (e.g. family members, representatives, counterparties or other associated persons), we assume that you are authorized to do so and that this data is correct and that you have ensured that these persons are informed about this disclosure, insofar as a legal obligation to inform applies (e.g. by bringing this data protection declaration to their attention in advance).

3. What personal data do we process?

The personal data we process includes:

Your name and contact details (for example, name, address, telephone number or e-mail address), information about the company you work for, your position or title and/or your relationship with an individual and other basic information);

Identification and background information that you provide to us or that is collected from you as part of our onboarding process or in the course of the client relationship;

Financial information, such as payment information;

Information disclosed to us by or on behalf of our clients or which we create as part of our services to clients;

Information disclosed to us on the occasion of or for participation in meetings, seminars or events;

Information in connection with documents and communications that we send to you electronically, such as your use of promotional emails;

Data in connection with the use of our website, such as IP address, information about the operating system and settings of your terminal device, the region, the time and type of use;

All other information relating to you that you make available to us;

4. Where does the data come from?

You (or your end device) provide us with the majority of the data we process yourself (e.g. in connection with our services, the use of our website or communication with us). You are not obliged to disclose your data, with the exception of individual cases (e.g. legal obligations). However, if you wish to conclude contracts with us or make use of our services, for example, you must provide us with certain data. The use of our website is also not possible without data processing.

We may also collect data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, media or the internet including social media) or receive such data from (i) authorities, (ii) your employer or client who either has a business relationship with us or is otherwise involved with us, as well as from (iii) other third parties (e.g. clients, counterparties, legal expenses insurers, credit reference agencies, address dealers, associations, contractual partners, internet analysis services). This includes, in particular, the data that we process in the context of the initiation, conclusion and execution of contracts as well as data from correspondence and discussions with third parties, but also all other categories of data in accordance with section 3 of this privacy policy.

5. For what purposes do we process which of your data?

When you make use of our services, use www.bmlaw.ch (hereinafter “website”), or otherwise deal with us, we collect and process various categories of your personal data. In principle, we may obtain and otherwise process this data for the following purposes in particular:

Communication: We process personal data so that we can communicate with you as well as with third parties, such as parties to proceedings, courts, or authorities, by e-mail, telephone, letter, or other means (e.g., to answer inquiries, in the context of legal advice and representation as well as pre-contractual measures or execution of contracts). This also includes sending information about events, legal changes, news about our law firm, or similar information to our clients, contractual partners, and other interested parties. This may, e.g., take the form of newsletters and other regular communication (especially electronically, via mail, and via telephone). You have the option to refuse or withdraw your consent to such communications at any time. In the context of communication, we process in particular the content and metadata of the communication as well as your contact data, but also image and audio recordings of video or phone calls. In the event of an audio or video recording of the communication, we will inform you separately, and you are free to inform us if you do not wish to be recorded or to terminate the communication. If we need or wish to confirm your identity, we may collect additional data (e.g., a copy of an ID).

Pre-contractual measures and conclusion of contracts: With regard to the conclusion of a contract, such as, in particular, a contract for the establishment of an attorney-client relationship with you or your mandator or employer, which also includes checks for any conflicts of interest, we may in particular process your name, contact details, powers of attorney, declarations of consent, information about third parties (e.g., contact persons, family details, as well as counterparties), contract contents, date of conclusion, creditworthiness data, as well as all other data that you provide to us or that we collect from public sources or third parties (e.g., commercial register, credit agencies, sanctions lists, media, legal protection insurance companies, or the Internet).

Administration and performance of contracts: We process personal data in order to comply with our contractual obligations to our clients and other contractual partners (e.g., suppliers, service providers, correspondent law firms, project partners) and, in particular, to provide and claim contractual services. This also includes data processing for the management of mandates (e.g., legal advice to our clients, representation of our clients in court and before authorities, and correspondence) as well as data processing for the enforcement of contracts (debt collection, court proceedings, etc.), accounting and public communication. For this purpose, we process in particular the data that we receive or have collected in the course of initiating and concluding the contract, as well as data that we create in the course of our contractual services or that we collect from public sources or other third parties (e.g., courts, authorities, counterparties, information services, media, detective agencies or the Internet). Such data may include, in particular, minutes of conversations and consultations, notes, internal and external correspondence, contractual documents, documents that we create and receive in the course of proceedings in courts and before authorities (e.g., legal documents, judgments and decisions), background information about you, counterparties or other persons, image and audio recordings, as well as other mandate-related information, documents, transcripts of records, invoices, and financial and payment information. In this context, we may also process sensitive personal data.

Operation of our websites: In order to operate our website in a secure and stable manner, we collect technical data, such as IP address, information about the operating system and settings of your end device, region, time and type of use. Additionally, we use cookies and similar technologies. More information about this can be found in Section 9.

Security purposes and access controls: We collect and process personal data in order to ensure and continuously improve the appropriate security of our IT and other infrastructure (e.g. buildings). This includes, for example, monitoring and controlling electronic access to our IT systems and physical access to our premises, analyzing and testing our IT infrastructures, system and error checks and creating backup copies.

Compliance with laws, directives and recommendations of authorities as well as internal regulations (“Compliance”): We process personal data to comply with applicable domestic and foreign law (e.g., to combat money laundering or to comply with tax or professional obligations), self-regulations, certifications, industry standards, our “corporate governance” and for internal and external investigations in which we are a party (e.g., by a law enforcement or supervisory authority or an appointed private body).

Risk management and corporate governance: We process personal data as part of risk management (e.g., to protect against criminal activities) and corporate governance. This includes, among other things, our operational organization (e.g., resource planning) and corporate development (e.g., acquisition and sale of parts of businesses or companies).

Job application: If you apply for a job with us, we process the relevant data for the purposes of reviewing and assessing the application, carrying out the application process, and, in the case of successful applications, preparing and concluding a contract. For this purpose, in addition to your contact data and the information from the corresponding communication, we also process in particular the data contained in your application documents, possibly also criminal record extracts, and the data that we can additionally collect about you, for example from job-related social networks, the Internet, the media and references (if you consent to obtaining references).

Other purposes: Other purposes include, for example, training and education purposes as well as administrative purposes (e.g. accounting). We may listen to or record telephone or video conferences for training, evidence and quality assurance purposes. In such cases, we will inform you separately (e.g. by displaying a message during the video conference in question) and you are free to inform us if you do not wish to be recorded or to terminate the communication (if you simply do not wish your image to be recorded, please turn off your camera). In addition, we may process personal data for the organization, implementation and follow-up of events, in particular participant lists and the content of presentations and discussions, as well as image and audio recordings made during these events. The protection of other legitimate interests is also one of the other purposes, which cannot be listed exhaustively.

6. Who do we disclose your information to?

In connection with the purposes listed in Section 5 of this privacy policy, we transfer your personal data in particular to the categories of recipients listed below. If necessary, we will obtain your consent for this or have our supervisory authority release us from our professional duty of confidentiality.

Service providers: We work with service providers in Switzerland and abroad who (i) process data on our behalf (e.g. IT providers), (ii) on our joint responsibility or (iii) on their own responsibility, which they have received from us or collected for us. (These service providers include, for example, IT providers, banks, insurance companies, debt collection agencies, credit reference agencies, address auditors, other law firms or consulting firms). We generally agree contracts with these third parties on the use and protection of personal data.

Clients and other contractual partners: This initially refers to clients and other contractual partners of ours for whom the transfer of your data arises from the contract (e.g. because you work for a contractual partner or they provide services for you). This category of recipients also includes bodies with which we cooperate, such as legal expenses insurers. The recipients generally process the data under their own responsibility.

Authorities and courts: We may pass on personal data to offices, courts and other authorities in Switzerland and abroad if this is necessary for the fulfillment of our contractual obligations and in particular for the performance of our mandate, or if we are legally obliged or entitled to do so or if this appears necessary to protect our interests. These recipients process the data under their own responsibility.

Counterparties and persons involved: Insofar as this is necessary for the fulfillment of our contractual obligations, in particular for the management of the mandate, we also pass on your personal data to counterparties and other persons involved (e.g. guarantors, financiers, affiliated companies, other law firms, persons providing information or experts, etc.).

Other persons: This refers to other cases where the inclusion of third parties results from the purposes in accordance with section 5 of this data protection declaration. This applies, for example, to delivery recipients or payment recipients specified by you, third parties in the context of representation relationships (e.g. your lawyer or your bank) or persons involved in official or judicial proceedings. We may also pass on your personal data to our supervisory authority, in particular if this is necessary in individual cases to release you from our professional confidentiality obligation. If we collaborate with the media and transmit material to them (e.g. photos), you may also be affected. As part of our corporate development, we may sell or acquire businesses, parts of businesses, assets or companies or enter into partnerships, which may also result in the disclosure of data (including your data, e.g. as a client or supplier or as their representative) to the persons involved in these transactions. In the course of communication with our competitors, industry organizations, associations and other bodies, data relating to you may also be exchanged.

All these categories of recipients may in turn involve third parties, so that your data may also become accessible to them. We can restrict the processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).

7. Is your personal data also transferred cross-border?

We process and store personal data mainly in Switzerland and the European Economic Area (EEA), but potentially in any country in the world, depending on the case – for example via subcontractors of our service providers or in proceedings before foreign courts or authorities. Your personal data may also be transferred to any country in the world as part of our work for clients.

If a recipient is located in a country without adequate data protection, we contractually oblige the recipient to comply with an adequate level of data protection (we use the revised standard contractual clauses of the European Commission, which are available here, including the adaptions required for Switzerland), unless the recipient is already subject to a legally recognized set of rules to ensure data protection. We may also disclose personal data to a country without adequate data protection without concluding a separate contract if we can rely on an exception. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the execution of a contract that is in your interest requires such disclosure (e.g, if we disclose data to our correspondence offices), if you have given your consent, or if it is not possible to obtain your consent within a reasonable period of time and the disclosure is necessary to protect your life or physical integrity or that of a third party, or if it concerns data that you have made generally accessible and the processing of which you have not objected to. We may also rely on the exception for data from a register provided for by law (e.g. HR), which we have been legitimately granted access.

8. What rights do you have?

You have certain rights in connection with our data processing. In accordance with applicable law, you may in particular request information about the processing of your personal data, have incorrect personal data corrected, request the erasure of personal data, object to data processing, request the disclosure of certain personal data in a commonly used electronic format or its transfer to other controllers.

If you wish to exercise your rights against us, please contact us; our contact details can be found in section 1 of this privacy policy. So that we can rule out misuse, we must identify you (e.g. with a copy of your ID, if necessary).

Please note that conditions, exceptions or restrictions apply to these rights (e.g. for the protection of third parties or business secrets or due to our professional duty of confidentiality). We reserve the right to black out copies for reasons of data protection or confidentiality or to supply only excerpts.

9. How are cookies, similar technologies and social media plug-ins used on our websites?

When using our website (including newsletters and other digital offers), data is collected that is stored in logs (in particular technical data). In addition, we may use cookies and similar technologies (e.g. pixel tags or fingerprints) to recognize website visitors, evaluate their behavior and identify preferences. A cookie is a small file that is transmitted between the server and your system and makes it possible to recognize a specific device or browser.

You can set your browser so that it automatically rejects, accepts or deletes cookies. You can also deactivate or delete cookies in individual cases. You can find out how to manage cookies in your browser in the help menu of your browser.

We may currently use offers from the following service providers and advertising partners in particular, whereby their contact details and further information on the individual data processing can be found in the respective privacy policy:

Google Analytics
Provider: Google Ireland
Data protection information
Information for Google accounts

Some of the third-party providers we use may be located outside Switzerland. Information on the disclosure of data abroad can be found in section 7 of this privacy policy. In terms of data protection law, some of them are “only” contract processors of ours and some are controllers. Further information on this can be found in the data protection declarations.

10. What else needs to be considered?

We do not assume that the EU General Data Protection Regulation (“GDPR”) is applicable in our case. However, should this be the case in exceptional cases for certain data processing, this section 10 shall also apply exclusively for the purposes of the GDPR and the data processing subject to it.

We base the processing of your personal data in particular on the fact that

it is necessary as described in Section 5 for the initiation and conclusion of contracts and their administration and enforcement (Art. 6 para. 1 lit. b GDPR);

it is necessary for the purposes of the legitimate interests pursued by us or by third parties as described in para. 5, in particular for communication with you or third parties, to operate our website, to improve our electronic offers and registration for certain offers and services, for security purposes, for compliance with Swiss law and internal regulations for our risk management and corporate governance and for other purposes such as training and education, administration, evidence and quality assurance, organization, implementation and follow-up of events and to safeguard other legitimate interests (see section 5 of this data protection declaration) (Art. 6 para. 1 lit. f GDPR);

it is required or permitted by law on the basis of our mandate or our position under the law of the EEA or a member state (Art. 6 para. 1 lit. c GDPR) or is necessary to protect your vital interests or those of other natural persons (Art. 6 para. 1 lit. d GDPR);

you have consented to the processing separately, e.g. via a corresponding declaration on our website or by concluding a mandate agreement (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR).

Please note that we generally process your data for as long as required by our processing purposes (see section 5 of this privacy policy), the statutory retention periods and our legitimate interests, in particular for documentation and evidence purposes, or if storage is technically necessary (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we generally delete or anonymize your data after the storage or processing period has expired as part of our normal processes.

If you do not provide certain personal data, this may mean that it is not possible to provide the associated services or conclude a contract. We will always indicate where the personal data requested by us is mandatory.

The right to object to the processing of your data set out in section 8 of this privacy policy applies in particular to data processing for the purpose of direct marketing. If you do not agree with our handling of your rights or data protection, please let us know (see contact details in Section 1). If you are located in the EEA, you also have the right to lodge a complaint with the data protection supervisory authority in your country. A list of authorities in the EEA can be found here.

11. Can this privacy policy be changed?

This privacy policy is not part of any contract with you. We may amend this privacy policy at any time. The version published on this website is the current version.

Status May 2025