Data protection

Data protection is, first and foremost, about protecting individuals and their right to privacy. Preventing data issues and safeguarding stakeholder data are critical to our business and trust in our brands. These principles are deeply ingrained in our culture.

Our data protection approach

SMG’s data protection processes include a range of measures designed to ensure that we handle personal data in compliance with the Swiss Data Protection Act (FADP) and other applicable laws. Our Data Protection Team, led by the DPO, drives the operational implementation of activities across the business. Further responsibilities and oversight are detailed earlier in the Governance and accountability section.

Our key activities comprise regular employee training on data protection, implementing data protection agreements, running maturity assessments, and conducting internal audits. The data protection processes are underpinned by a comprehensive and well-structured Data Protection Management System (DPMS) to standardise internal processes, manage incidents and data subject access requests, identify risks, safeguard personal data, and demonstrate compliance with data protection regulations.

A data protection by design approach ensures that privacy and data protection considerations are embedded in the design phase of any system, service, product, AI tool or process, and then throughout the lifecycle.

We have Data Processing Agreements (DPAs) with all of our providers to ensure compliance with data protection laws and safeguard the security and privacy of the data processed on our behalf. These agreements establish clear obligations for our providers, helping to protect personal data and maintain regulatory compliance across all our business operations and throughout the supply chain. For data transfers to providers in third countries that lack an adequate level of protection, Standard Contractual Clauses (SCCs) are signed with the respective providers.

Our data protection policy landscape

Our Data Protection Policy serves as the overarching framework for data protection within SMG. Complemented by the Data Governance Policy and various guidelines covering the complete data lifecycle, it applies to all employees who access or process personal data on behalf of SMG and, where applicable, third parties that process personal data on our behalf. The policy establishes key principles governing data privacy, defines the organisational structure of data protection, and assigns roles and responsibilities to ensure accountability and compliance. By outlining clear guidelines, obligations, and expectations, it provides a structured approach to managing data protection risks, ensuring that all employees and stakeholders understand their roles.

Additionally, we have implemented policies regulating internal processes for responsible data handling, including a Data Deletion Concept and Data Sharing Policy. These policies are reviewed annually, and, as with our security policies, all employees are expected to uphold the principles outlined in the documents. Furthermore, both data protection and cybersecurity are anchored in our CoC, with all employees taking responsibility for compliance within their area of work.

Employee ownership of data protection

As part of their onboarding and annual compliance requirements, employees complete online data protection training. This training builds a strong understanding of personal data, key data protection principles, incident response procedures, and each employee’s role in ensuring compliance with applicable statutory requirements.

We also provide tailored data protection training for employees in relevant positions, ensuring they receive targeted guidance to address specific regulatory or organisational requirements. In 2024, we held eight training sessions, covering almost 25% of our total workforce (over 230 employees).

Employees also take ownership of updating our Records of Processing Activities (RoPA) in our DPMS.8 Our self-service portal empowers those responsible for specific tools and processes, such as asset owners and business process owners, to independently add and update their assets or processes. Dedicated communication channels provide direct support from the Data Protection Team, fostering collaboration and confidence in maintaining high data protection standards.

Data access and deletion requests

We maintain a streamlined and transparent process for managing user access and deletion requests, ensuring full compliance with data protection regulations. Through a secure and user-friendly interface, users can easily exercise their rights. Each request follows a standardised workflow, enabling efficient and timely processing in line with industry best practices, further reinforcing user trust and our commitment to data protection.

Our coordinated incident response

We have clear measures in place to enable a swift response to potential security incidents or data breaches, helping to manage risks and minimise impacts. For security incidents, we provide structured guidance on when and how to escalate an incident, including third-party support centres for major incidents. Our approach follows the NIST Framework,9 covering identification, detection, protection, response, and recovery. The SMG Security Incident Management Guideline underpins this approach, detailing protocols for incident handling and response to ensure consistency and effectiveness.

In the event of a suspected data breach, employees must immediately report it to the data protection and security teams through our established Incident Report Form. The DPO triages and assesses each report, treating it as a potential data breach and initiating a comprehensive investigation process. Based on the findings, the team provides instructions on immediate remedial actions, identifies the relevant jurisdiction, and ensures proper notifications are made to affected individuals and authorities as required by law.

Data protection complaints

In 2024, no substantiated complaints were identified concerning breaches of customer privacy.10 In 2017, the Swiss Federal Data Protection and Information Commissioner (FDPIC) opened a formal investigation against Ricardo regarding an update to its privacy notice. The investigation was concluded in October 2024 with the publication of the FDPIC's final report (on a redacted basis), which contained non-binding recommendations. At our request, the FDPIC also published our response to the report. Following publication of the final report, the FDPIC informed Ricardo that a third party had requested access to the FDPIC's unredacted report under the Swiss Freedom of Information Act. Despite our objections, the FDPIC made the unredacted report available to the third party in March 2025. We remain committed to constructive engagement with authorities and continue to enhance our privacy practices in line with evolving regulatory expectations.