Data Protection
Data protection is a Group-wide priority and one that is closely linked to cybersecurity. At its core, data protection safeguards individuals and their right to privacy. Protecting stakeholder data, preventing misuse, and ensuring transparent data governance are essential to maintaining trust in the SMG’s platforms and services.
SMG processes personal data at various touchpoints across its marketplaces, internal systems, human resources (HR) tools, customer support, and marketing activities, and in operational processing within business units. Personal data may also be handled by external partners who host, process, and access data on behalf of SMG.
The 2025 DMA underscored the relevance of this topic, highlighting impacts that may arise from the processing, transfer, storage, and deletion of personal data. Inadequate protection – such as insufficient encryption, access management, or retention and deletion practices – can lead to privacy violations. Ambiguous and non-transparent data use – including opaque sharing practices and unclear consent mechanisms – can lead to unsolicited communications and targeted marketing and undermine the right to privacy guaranteed by Switzerland’s Federal Act on Data Protection (FADP), the EU’s General Data Protection Regulation, and similar laws.
The revised FADP raises regulatory standards, increasing potential exposure to scrutiny, sanctions, and related reputational impacts for companies that fail to meet requirements. At the same time, increasing user rights and transparency through clear access, deletion, and objection mechanisms can generate positive impacts by enhancing user control and reinforcing trust in SMG’s platforms.
Data Protection Policy Landscape
SMG’s data protection processes are supported by a comprehensive data protection management system (DPMS) that standardises internal processes, manages incidents and data subject access requests, identifies risks, safeguards personal data, and substantiates compliance with data protection regulations. The DPMS enables structured tracking of processing activities, incident documentation, and compliance reporting. It also issues reminders via internal communication tools where retention periods are missing.
This proactive approach is anchored in the Data Protection Policy and supported by risk-based assessments and audits to ensure that personal data is handled in line with the FADP and other applicable laws.
The Data Protection Policy defines key principles governing data privacy, outlines the organisational structure of data protection, and assigns roles and responsibilities to ensure accountability and compliance. Together with the Data Governance Policy and guidelines covering the data lifecycle – such as the Data Deletion Concept and business unit-specific deletion and retention policies – it provides a structured approach to managing data protection risks and clarifies expectations. The policy applies to all employees and, where applicable, to third parties.
These policies and supporting processes are reviewed annually. Data protection and cybersecurity are also embedded in the Code of Conduct, with employees responsible for compliance within their area of work.
Data Protection Controls, Prevention, and Mitigation
SMG applies controls, procedures, and preventive measures to manage data protection risks, reduce the likelihood of privacy breaches, enforce compliance with applicable regulations, and safeguard the personal data entrusted to it. The Data Protection Team, led by the Data Protection Officer, drives operational implementation of activities throughout the business. Further responsibilities and oversight are detailed under Data Protection and Cybersecurity Governance.
The Group regularly conducts data protection impact assessments and other risk-based assessments to identify and mitigate privacy risks. SMG strives for a “data protection by design” approach that ensures privacy and data protection considerations are embedded in the design phase of every system, service, product, AI tool, and process, and applied throughout the lifecycle.
User Rights
A dedicated contact channel to the Data Protection Officer enables customers and individuals to raise concerns and request clarification on how their personal data is handled. In 2025, SMG improved its process for managing user access and deletion requests by developing a secure, user-friendly interface. This enables users to exercise their rights to access, delete, or object to the use of their personal data. Each request follows a standardised workflow to ensure timely processing in line with industry best practice.
Third-Party Handling of User Data
SMG has data processing agreements in place with all its providers to ensure compliance with data protection laws and safeguard the security and privacy of the data processed on its behalf. These agreements set clear obligations for providers and ensure regulatory compliance across SMG’s operations and the supply chain. In the event of data transfer to third countries without an adequate level of protection, providers are subject to standard contractual clauses that ensure data protection.
Incident Response Handling
At SMG, structured guidance outlines when and how to escalate security incidents and data breaches for rapid response, including engagement with third-party support centres for major incidents. This is in line with the National Institute of Standards and Technology (NIST) Framework,12 covering identification, detection, protection, response, and recovery. The SMG Security Incident Management Guideline contains protocols for handling incidents and ensures consistent, effective execution.
Employees are required to immediately report suspected data breaches to the Data Protection and Security Team using the incident report form. The Data Protection Officer assesses and triages each report, treating it as a potential data breach and initiating an investigation. Based on the findings, the team provides instructions on immediate remedial actions, identifies the relevant jurisdiction, and ensures affected individuals and relevant authorities are notified, as required by law.
Monitoring Data Protection Activities
SMG monitors the effectiveness of its data protection activities through audits, maturity assessments, incident monitoring, and feedback from employees and stakeholders. These activities support the consistent application of policies and processes, continuous improvement, and accountability.
In 2025, SMG completed eleven privacy maturity assessments covering all its platforms, building on work from the previous year. Each tech stack is subject to regular maturity assessments, with findings communicated to the Executive Leadership Team and relevant teams for implementation. The Data Protection Team also conducts internal audits and reviews of data privacy controls on SMG’s tools and processes in the various locations.
In 2025, there were no substantiated complaints by regulatory bodies or outside parties concerning breaches of customer privacy.13 Two inquiries by Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) relating to alleged non-compliance with data protection requirements – including one case carried over from previous financial years – concluded in 2025. One confidentiality breach occurred during the year due to a system bug on anibis.ch and tutti.ch. The issue was remediated promptly, and enhanced safeguards were deployed.
Continuous Improvement
Monitoring results, internal audits, and lessons learned from incidents guide updates to processes, training content, and internal guidelines. The reporting year reaffirmed the need for sustained employee engagement and regular training updates, highlighting the value of audits in identifying areas for improvement. Training materials are updated annually with sector-specific modules, and internal communications promote awareness.
SMG has internal targets for the reduction of data protection incidents and improved response times. It monitors progress through audits supported by employee input and other stakeholder feedback. Engagement with partners, regulators, and external experts informs continuous updates to policies and risk-based assessments.
Looking ahead, SMG plans to further improve its data protection culture by enhancing training, scaling awareness initiatives, and improving risk assessments and policies.
Employee Ownership of Data Protection
Employee engagement is a core component of SMG’s data protection approach. As part of the onboarding process and annual compliance requirements, employees are expected to complete mandatory data protection training, supplemented by targeted awareness campaigns. In 2025, 91% of employees completed the updated SLU data protection training module.
SMG provides tailored data protection training that addresses specific regulatory or organisational requirements to employees in relevant positions. Additional technical privacy training is available for Privacy and Security Champions. A number of campaigns advanced awareness efforts in 2025, including the SMG Global Data Protection Day.
Employees also take ownership of updating records of processing activities (RoPA) within the DPMS.14 A self-service portal enables employees responsible for specific tools and processes to add and update their assets and workflows. Dedicated communication channels, including a Privacy and Security Champions network comprising between three and twenty engineers per business unit, enable direct engagement with the Data Protection Team and foster collaboration and confidence in maintaining high data protection standards.
External Engagement
Through external engagement with various associations and alliances, SMG contributes its expertise in safeguarding user data throughout the technology sector. Membership in the Association of Swiss Companies for Corporate Data Protection and the International Association of Privacy Professionals promotes knowledge exchange and the adoption of best practice, while providing access to resources from leading Swiss law firms and industry specialists.