Privacy Policy
GIMASI – Privacy Policy
INTRODUCTION
This privacy policy (“Policy”) complies with the Swiss Federal Act on Data Protection (FADP) and,
where applicable, with the General Data Protection Regulation (GDPR). It provides transparent
information on how personal data is processed by the Data Controller, particularly for users
interacting with our website www.gimasi.com (“Site”) or our services.
DEFINITIONS
Data Subject: A natural person whose personal data is processed.
Personal Data: All information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, such as collection, storage, use,
disclosure, erasure.
Data Controller: The entity determining the purposes and means of processing.
Data Processor: The entity processing personal data on behalf of the Controller.
DATA CONTROLLER
The main Data Controller is:
Gimasi SA
Piazzale Roncàa 4
6850 Mendrisio, Switzerland
Email: privacy@gimasi.com
The Gimasi Group also includes:
– Gimasi Deutschland GmbH, Lindwurmstraße 97a, 80337 Munich, Germany
– Gimasi Bulgaria Srl, Banat 1A, 1407 Sofia, Bulgaria
Personal data may be shared within the Gimasi Group for administrative, operational, and
technical purposes.
PERSONAL DATA SECURITY
We adopt appropriate technical and organizational measures to safeguard personal data against
unauthorized access, disclosure, alteration, or destruction. Despite our commitment, no
transmission of information over the Internet can ever be guaranteed to be completely secure:
there is no “zero risk”.
PURPOSES OF PROCESSING AND CATEGORIES OF DATA
1. User Communications
As a rule, we do not actively collect personal data through this website. Any personal
data is only processed if voluntarily provided by users (for example, when sending us an
email or contacting us by phone). Such data will be processed exclusively for the
purpose of handling the communication and responding to user requests.
2. Social Media Plugins
– LinkedIn: Our website integrates LinkedIn plugins to foster professional networking.
When visiting our site, LinkedIn may receive information about your visit, including your
IP address. If logged into your LinkedIn account, LinkedIn may associate the visit with
your profile.
– GitHub: Our website may provide plugins or links to our GitHub profile and
repositories. When you access GitHub via our site, GitHub may receive data such as your
IP address and the referring webpage.
DATA RECIPIENTS
Personal data may be transmitted to:
– Gimasi Group companies (Switzerland, Germany, Bulgaria)
– Technical service providers (hosting, email, analytics, newsletter distribution)
Data will not be sold to third parties.
INTERNATIONAL DATA TRANSFERS
– Transfers from Switzerland to Germany/EU are based on adequacy decisions under Swiss law.
– Transfers from Germany/EU to Switzerland are based on the EU adequacy decision recognizing
Switzerland as ensuring adequate protection.
– In all cases, Gimasi ensures that data transfers comply with applicable law.
DATA SUBJECT RIGHTS
Data Subjects have the following rights, which may be exercised at any time by writing to
privacy@gimasi.com:
– Right of access to your personal data
– Right to rectification of inaccurate or incomplete data
– Right to erasure (“right to be forgotten”) when applicable
– Right to restriction of processing in specific cases
– Right to data portability, where processing is automated
– Right to object to processing based on legitimate interests or direct marketing
– Right to withdraw consent, where processing is based on consent
You also have the right to lodge a complaint:
– In Switzerland: with the Federal Data Protection and Information Commissioner (FDPIC).
– In Germany: with the Federal Commissioner for Data Protection and Freedom of Information
(BfDI), or with the authority competent for your place of residence.
CHANGES TO THIS POLICY
We reserve the right to amend this Policy at any time in order to remain compliant with current
legal provisions. Updates will be published on this page with the revision date.
Last update: September 2025
Information Security
MOTIVATION
Companies’ lack of control over how data and information are generated, where they are stored, and to
whom they are transmitted poses the risk of security and regulatory compliance incidents that can
negatively impact the business itself. Information security is a primary asset for a company, and
implementing effective measures can be a strategy that ultimately turns into a competitive advantage.
For this reason, GIMASI DEUTSCHLAND GMBH, an information technology services company,
has always been at the forefront of data protection issues. A key measure in this regard has been the
implementation of an Information Security Management System, a set of organizational, technical,
and procedural processes based on best practices and reference standards, also in compliance with the
directives and the international standard ISO/IEC 27001:2022.
GOALS
The objective of GIMASI’s Information Security Management System is to ensure an adequate level of
protection and security for the circulation of information within the organization in order to best carry
out the design, development, and delivery of company services.
Without risk identification, assessment, and analysis procedures, the security risks to which company
services and procedures are exposed on a daily basis can jeopardize their proper functioning, with
significant economic consequences.
The set of organizational, technical, and procedural measures established by GIMASI’s Information
Security Management System satisfies the following basic security requirements:
• Confidentiality: access to information is permitted only to those who hold the corresponding privileges.
• Integrity: information management (and therefore also its modification) is subject to precise
constraints set by corporate governance.
• Availability: authorized users can access information as soon as they need it within operational
processes, and retrieval is quick and intuitive.
GIMASI aims to position itself in the field of information security as:
• A reliable and competent supplier to best preserve the company’s image
• A hub where corporate information assets are stored, safeguarded and protected
• A facilitator of business process continuity
• A tool that complies with the provisions of current and binding legislation, with the consequent
growth of corporate skills in safety matters.
POLICY CONTENT
Any information required for internal operations, from product/service data to its configuration, must
be protected throughout its lifecycle, from creation to use to disposal. The Information Security
Management System fits into this process, enabling secure, accurate, and reliable information
management and timely recovery.
In accordance with the current ISO/IEC 27001:2022 standard, one of the preventative measures required by the Information Security Management System is the mandatory assessment of security risks and their potential impact on the company, which must be performed periodically by the Information Security Manager. This assessment verifies whether the aforementioned security requirements are being met, analyzes the critical factors that led to incidents, and places them within a broader context of strategic, business, and technological changes already implemented or to be implemented.
This analysis aims to assess the risk associated with each asset to be protected against the identified
threats. The procedure adopted by the Information Security Manager in performing this assessment is shared with Management, which must approve the document detailing the methodology to be applied.
Furthermore, Management also contributes to defining the parameters that define the risk level. Once
the Manager has completed his or her analysis, the results are jointly evaluated with Management, which
determines whether the risk threshold is acceptable or not based on the previously established metrics.
Finally, risk mitigation measures, if deemed necessary, are defined, along with the actions to be taken
to improve system security, based on company priorities and budget, and the need to comply with
applicable regulations. All of this will be carefully considered, taking into account the value of the
information to be protected and the presence of events that could significantly impact system security.
RESPONSIBILITY
Responsibilities are distributed as follows:
– the STAFF, who are responsible for compliance with the agreed policy and who must report
any anomalies they find to the manager
– the INFORMATION SECURITY COMMITTEE, which meets at least twice a year. Its members
include Management and the Information Security Manager, but the involvement of company personnel
with the technical expertise necessary to assess specific aspects is not excluded. As already mentioned,
Management is responsible for establishing priorities and promoting security initiatives, ensuring
compliance with company strategies and project budgets.
– the INFORMATION SECURITY MANAGER: his or her responsibility is to draft and design the
Information Security Management System.
Specifically, the risk analysis and management team identifies the most appropriate criteria and
methodologies, and oversees the necessary regulations, including those regarding document
classification, so that the company can operate smoothly and securely. The assessment also involves
the Manager proposing appropriate security measures and reviewing any incidents that have occurred,
which are then addressed with the appropriate countermeasures. The team is also committed to
promoting a culture of information security and offering training programs for staff.
– EXTERNAL PARTIES who come into contact with GIMASI must respect the indicated security
principles and sign, unless clearly stated in the contract, a “confidentiality agreement” upon assignment.
APPLICABILITY
This privacy policy applies to all internal and external company bodies and is valid for all GIMASI
personnel. It also applies to any external party who gains access to information handled within the
company, requiring prior agreement to ensure external communication complies with applicable rules
and regulations.
REVIEW
GIMASI will ensure the periodic review of the effectiveness and efficiency of the Information Security
Governance System. Where necessary and appropriate to the context and business objectives, it will
adopt the necessary measures to improve security policies and ensure their correct implementation to
ensure the continuous and secure execution of all company processes.
Your trust is important to us: we’re here to protect it. Don’t hesitate to contact us if you have any questions.
Certification
ISO/IEC 27001:2022
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It defines best practices for managing sensitive company and customer data, ensuring confidentiality, integrity, and availability through a risk-based approach. Achieving this certification demonstrates our commitment to data protection, regulatory compliance, and operational security across all digital processes.
Quality Policy
VISION AND MISSION
GIMASI DEUTSCHLAND GMBH aims to be recognized as an information technology services company capable of designing and
implementing high value-added products that meet customer needs.
PRINCIPLES AND VALUES
• Be oriented towards continuous improvement in compliance with the rules and regulations of quality and mandatory
standards.
• Conduct business while respecting and protecting the environment, without compromising the health and safety of
workers and customers.
• Provide high-quality products and services, being aware and conscious that the competence and involvement of our
collaborators is fundamental to achieving the product/service quality and performance objectives set.
OUR COMMITMENT:
• Pay ever greater attention to the quality of the service offered.
• Ensure that the Quality Policy and the general objectives set by Top Management are understood, implemented, and
supported at all levels within and outside the Organization.
• Determine and assign roles and responsibilities at all levels in order to inform, involve, and empower human resources
in achieving the quality objectives themselves.
• Define and implement control and monitoring programs to prevent non-compliance.
• Promote the use of the process approach and risk-based thinking
• Implement continuous improvement processes for the company’s quality system, customer satisfaction, internal
communications, resource management, process indicators, and compliance with applicable laws and regulations.
• Implement ongoing expansion strategies on the national and international markets, pursuing a quality policy aimed at
offering customers a high-quality product/service that exceeds their expectations.
• All GIMASI DEUTSCHLAND GMBH personnel, at all levels, are responsible for the provisions contained in the
Management and Operational Procedures. Therefore, each person is responsible, according to their roles, for the
quality of the company system and the products supplied.
We strongly believe in responsible action towards our end customers, by all our staff and society at large. We consider quality
a fundamental value in the provision of our products and/or services.
To ensure product/service quality and regulatory compliance, we require all our staff to understand and apply company
procedures and standards. We believe that each individual is responsible for quality in all their daily activities.
We care about transparency and quality. With our services we want to guarantee you efficiency and professionalism.