H&Z
H&Z Management Consulting - Consulting with head, heart and hand

Privacy Policy

Status: November 1st, 2023

 

The protection of personal data is an important concern for H&Z Unternehmensberatung GmbH ("H&Z" or "we"). We process personal data exclusively in accordance with the legal requirements, in particular the EU General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG"). This website privacy policy describes how we store and process your personal data when you visit our website or send us inquiries by email, contact form, telephone, fax, etc., and what rights you have in this regard.

 

1. Who is responsible for processing my data? How can I contact H&Z?

 

H&Z Unternehmensberatung GmbH is responsible for the processing of your personal data within the meaning of the GDPR. 

 

You can contact H&Z at any time using the contact details below: 

H&Z Unternehmensberatung GmbH,  

Max-Joseph-Straße 6, 80333 Munich

Phone: +49 892429690 

 

You can contact H&Z's data protection officer at:

E-Mail: datensicherheit@hz.group

 

2. Which of my data is processed? For what purposes and on what legal basis are they processed?

 

Depending on the type of business relationship or interaction with you, we collect, store and process different types of personal data.

 

The categories of information we may collect include:

 

  • Personal data (e.g. name, title);

  • Contact details (e.g. telephone number, e-mail address, postal address or similar identifiers);

  • Communication content and data (e.g. content of e-mails that we have exchanged with you or notes on telephone calls made);

  • Information on marketing activities (e.g. documentation of marketing measures directed at you, logging of marketing consents obtained);

  • Information that we collect automatically from you or your device, including log files and internet or other electronic network activity data collected using device identification cookies (see section 3 of this privacy policy);

  • Commercial information about your use of our Services or the Websites (such as support requests, recordings of or information about telephone conversations with our sales or support teams, or information provided to us to resolve such support requests); and

  • Conclusions from the above information.

 

We collect information about you either directly from you or from publicly available sources.

 

Below we explain in more detail which of your data we collect and for which business or commercial purposes and on what legal basis we use it.

 

2.1 Processing of personal data in connection with the use of our website 

 

a) Server Log Files

 

As a rule, you can visit our website without providing any personal data. In this case, H&Z only collects and stores access data that is automatically transmitted to H&Z by your browser when you access the website. This is done for the purpose of the technical provision of the website and is necessary so that the website can be displayed in your browser and you can use it. When using the website for purely informational purposes, log data (so-called server log files) are automatically stored temporarily on our web server. These are:

 

  • IP address of the requesting computer,

  • Date and time of the page view,

  • Name and URL of the requested page,

  • Website from which access is made (referrer URL),

  • Message indicating whether the call was successful (access status/HTTP status code),

  • Browser type and browser version,

  • Language of the browser software,

  • Hostname of the accessing computer,

  • Transferred data volume,

  • Operating system.

 

H&Z bases the processing of your data on your legitimate interest in ensuring the security and stability of the website, the optimization of the website and the services and functionalities offered to you in this context (Art. 6 para. 1 lit. f) GDPR).

 

b) Inquiries by e-mail, contact form, telephone, fax

 

The website offers you the opportunity to contact us in various ways, for example to make inquiries about our services. If you contact us by e-mail, contact form, telephone or directly, we will store and process your request, including all personal data resulting from it (name, contact details, request itself, e-mail address, any other documents / files provided to us) for the purpose of processing your request. 

 

If you use the contact form on our website to contact us, you must always provide the information marked with an asterisk as mandatory (e-mail address, title, first and last name and your message). You can also provide further information voluntarily. This optional data helps us to better allocate your request and process it more efficiently.

 

For the processing of your personal data that we receive via the various communication channels, we rely on the necessity of the processing to safeguard our legitimate interests in ensuring efficient and user-friendly communication and processing of your request as well as in the evaluation and optimization of our processes (Art. 6 para. 1 lit. f) GDPR). For the processing of your data in the context of a contract initiation or support of the business relationship with you as a customer or as an interested party of our services, we also rely on the necessity of processing for the implementation of (pre-)contractual measures that are carried out at your request in order to make a decision on the establishment of the contract with you or to fulfill a contract concluded with you (Art. 6 para. 1 lit. b) GDPR).

 

Furthermore, we will process your data if we are legally obliged to do so (Art. 6 para. 1 lit. c) GDPR) or if the processing is necessary for the assertion, exercise or defense of legal claims (Art. 6 para. 1 lit. f) GDPR). 

 

c) Advertising communication on the basis of your consent

 

If you have separately given your consent to further use of your personal data, we may use your personal data provided in this context (in particular your first and last name, your e-mail address, possibly the name and address of your company and other information provided by you as part of the consent) for advertising purposes in accordance with the scope described in the consent in order to inform you via your preferred channel (by e-mail, fax and/or telephone) about selected offers for services of the H&Z Group. This direct marketing may include information on current H&Z consulting services and service information as well as news from your industry, announcements of upcoming events and other marketing information.

 

In addition, we may process the data mentioned in this section in order to meet organizational requirements with regard to your marketing consent, such as the validation of the e-mail address you have provided through a so-called double opt-in procedure. 

 

Your consent is logged in order to prevent misuse and to be able to document and prove your consent in accordance with the legal requirements. The logging is based on the necessity of processing to safeguard our legitimate interests in complying with legal requirements and ensuring a legally compliant and user-friendly design of our advertising communication (Art. 6 para. 1 lit. f) GDPR, Art. 6 para. 1 lit. c) in conjunction with Art. 5 para. 1 lit. a), para. 2, Art. 7 para. 1 GDPR). The processing of your personal data in connection with advertising communication by H&Z is carried out exclusively for the purpose of sending you advertising communication. The legal basis for this is your consent in accordance with Art. 6 para. 1 lit. a) GDPR.

 

You can revoke your consent at any time with effect for the future at no additional cost, e.g. by sending an e-mail to datensicherheit@hz.group.

 

d) Existing customer marketing

 

We will only contact you by email without your consent if we have received your email address from you in connection with a service provided to you, the advertising content in the email relates to similar services and you have not objected to the use of your email address for advertising purposes. You can object to the use of your e-mail address for advertising purposes at any time without incurring any costs other than the transmission costs for the objection according to the basic rates of your telecommunications provider. We base the processing of your data in this regard on the protection of our legitimate interests in the marketing of our services (Art. 6 para. 1 lit. f) GDPR).

 

e) Applications

 

For information on how we process your personal data in the context of your application, please refer to our privacy policy for applicants (available at: Privacy Policy Applicants).

 

3. Cookies

 

Our website uses cookies and other device recognition technologies ("cookies") to deliver the website, to understand how our website is used and for advertising purposes. Below you can find out more about the types of cookies we use, why we use them and what choices you have in relation to the use of cookies.

 

a) What are cookies?

 

Cookies are small text files that can be downloaded to or read from your device by your internet browser when you use our website. Cookies can be used, among other things, to recognize you and your settings when you reconnect to our website, to provide you with a seamless and more interactive online experience, to ensure the operation or maintenance of our website or to analyze how you interact with our website in order to improve it and adapt its content to your needs.

 

Third-party technologies such as scripts, pixels and tags that we integrate into our websites for advertising purposes can also set cookies on your end device.

 

b) Categories of cookies that we use for our website

 

i. First-party and third-party cookies

 

First-party cookies are cookies that we use ourselves or via contracted service providers on our website and with which you interact when you continue your activities on our website.

 

However, our website may also contain content from other providers who may use their own cookies. Such third-party providers may set cookies during your visit to our website and request information, e.g. that you have loaded our websites. Please visit the websites of the third-party providers to find out how they use cookies. Further information about the respective third-party providers and the reference to their privacy policy can be found in the detailed list at "Cookie settings" and in section 6 of this privacy policy.

 

ii. Session cookies and permanent cookies

 

The cookies we use are either temporarily stored on your end device for the duration of a session ("session cookies") or beyond the duration of your session ("permanent cookies"). Session cookies are automatically deleted at the latest at the end of your visit (i.e. when you end your session and close your browser). Persistent cookies remain stored on your end device until the storage time of the cookies expires or you delete them yourself.

 

iii. Strictly necessary cookies on our website

 

Strictly necessary cookies are technically necessary to make our website usable and to provide basic functions, such as the ability to navigate between pages, to display multimedia content that meets your technical requirements and to make our website error-free. We do not require your consent to set strictly necessary cookies.

 

The legal basis for the setting of strictly necessary cookies by our website is Section 25 (2) No. 2 TTDSG. Insofar as we also process personal data using strictly necessary cookies, this is done on the basis of our legitimate interests in being able to provide you with a technically optimized, user-friendly and needs-based website and to ensure the security of our systems (Art. 6 para. 1 lit. f) GDPR).

 

iv. Cookies on our website that require consent

 

Other cookies that are not absolutely necessary in the above-mentioned sense in order to provide the online services you have requested require your consent in accordance with § 25 para. 1 TTDSG, Art. 6 para. 1 lit. a) GDPR. These cookies are therefore not set by us unless you have consented to this in advance. 

 

Consent includes all cookies selected by you as well as the storage and reading of information on your end device associated with their use, including any subsequent processing of personal data. 

 

If you have given us your consent to do so, we may use the following types of cookies as part of the provision of our website:

 

  • Statistic cookies help us to understand how visitors interact with our website by collecting and reporting information about your use of the website.

  • Marketing cookies are used to recognize you when you return to our website. The purpose of this is to show you ads and content that are relevant and appealing to you based on your user behavior and preferences. 

 

The specific cookies that we use on our website, as well as their categorization, purposes, duration of function and possible third-party providers of cookies, are listed and explained in the cookie settings. These can also be accessed at any time via the symbol in the footer under "Cookie settings" on our websites. 

 

v. Withdrawal of your consent and adjustment of your preferences and browser settings

 

For all cookies other than strictly necessary cookies, you can revoke your consent once given at any time with effect for the future by calling up the cookie banner again and changing your settings in the consent options and, for example, deactivating activated categories/purposes. To access the consent options in the cookie banner, you can click on the "Cookie settings" icon, which is displayed in the footer on every page of our website. To go directly to the settings without scrolling down, please click here.

 

Most browsers are set by default to accept cookies automatically. You can change the settings of your browser so that you are informed about the setting of cookies, decide on a case-by-case basis whether to accept them or generally exclude the acceptance of cookies. However, if you make use of this option, some areas of our website may not function properly. 

 

4. How long will my data be stored?

 

Depending on the type of business relationship or interaction with you, we collect, store and process different types of personal data. In principle, we only store your data for as long as is necessary for the respective purpose for which we collect and process your data.

 

The following data categories are stored as follows:

 

  • Server log files: The log files listed under section 2.1(a) of this Privacy Policy are required by us for the duration of your session in order to enable the technical delivery of the content of our website to your end device. In addition, the data is stored by us in log files for a short period of time for the purposes of the technical security of our website, in particular for the prevention, detection and defense of attempted attacks and fraud on our web server.

  • Inquiries by e-mail, contact form, telephone, fax: The data you transmit to us when contacting us (Section 2.1(b)) will be stored by us for as long as is necessary for the complete processing and handling of your request. We may continue to store your data for as long as this is necessary to manage the business relationship with you as a customer or as a prospective customer of our products and services.

  • Marketing: We will process your personal data that we have collected in accordance with section 2.1(c) and 2.1(d) for marketing purposes for the duration of our business relationship with you or your company with regard to the marketing purposes described above. We generally delete data that we process in this context on the basis of your consent as soon as your data is no longer required for the above-mentioned marketing purposes or you withdraw your consent to the use of your data for marketing purposes. We store data that we have received from you in connection with the provision of our services in compliance with the statutory provisions for the purposes of advertising to existing customers for as long as this is necessary for these purposes or you object to the processing of your data for marketing purposes.

  • Cookie lifespan: The session cookies used on our website are only stored for the duration of your session. The persistent cookies used on our website are stored for a period of one day up to a maximum of two years, unless you withdraw your consent at an earlier point in time. The specific lifespan of the respective cookies can be found in the detailed list in the "Cookie settings".

 

After expiry of the above-mentioned periods, this data will be completely deleted or anonymized by shortening your IP address, unless deletion is contrary to statutory retention obligations or longer storage is necessary in the specific case to fulfill other legal obligations or to protect our legitimate interests (assertion, exercise or defense of our legal claims).

 

5. Am I obliged to provide my data?

 

In most cases, there is no obligation for you to disclose certain personal data about yourself to us. However, we may need to collect certain personal data about you to fulfill our legal obligations or to perform a contract with you or your company. Failure to provide this information may prevent or delay the fulfillment of our obligations. We will inform you at the time of data collection whether certain data is mandatory and the consequences of not providing this data.

 

6. Who will my data be passed on to?

 

6.1 Group-internal processing

 

Your data will be treated as strictly confidential and will only be passed on internally to the respective H&Z Group companies or the respective departments/employees at H&Z who need to have knowledge of your data in order to fulfill their respective tasks (e.g. for the support of inquiries and administration of your data in the central customer relationship management system of the H&Z Group). Insofar as we pass on your data to other H&Z Group companies in these cases, we process your data together with the respective H&Z Group company as joint controllers. With regard to the joint processing of your personal data, H&Z has concluded joint controllership agreements with its group companies that meet the requirements of Art. 26 GDPR. The contact details of the other H&Z Group companies can be found in section 7 of this privacy policy.

 

6.2 External Data Recipients / Service Providers

 

In order to achieve the objectives set out in section 3 above, we also pass on your data to carefully selected external service providers (such as hosting and IT service providers) who are contractually obliged to do so in accordance with the relevant data protection regulations. These process your personal data exclusively on our behalf on the basis of an order processing contract in accordance with Art. 28 GDPR, insofar as this is necessary for the provision of the services commissioned by us. 

 

In some cases, these service providers may be based in countries outside the European Union and the contracting states of the European Economic Area ("third countries"), in particular in the case of transfers to service providers in the USA. The laws of these countries may not guarantee a level of data protection that has been deemed adequate by the European Commission as part of an adequacy decision. Insofar as the transfer of data to the respective recipient is not covered by an adequacy decision of the EU Commission, we have taken suitable and appropriate measures in these cases to ensure that your data is also adequately protected by the recipients in third countries and that the level of data protection required by European law is not undercut. The measures include, for example, the conclusion of EU standard contractual clauses that impose special obligations on the data recipient with regard to the processing of your data and aim to comply with European data standards and, if necessary, the implementation of additional technical and organizational measures to protect your data. Some of the service providers commissioned by us have joined the Data Privacy Framework Program concluded between the European Union and the USA and are certified accordingly. These companies are therefore obliged to comply with the standards and regulations of European data protection law. Further information on the Data Privacy Framework Program and its validity can be found HERE.

 

The external service providers that we use for the provision and operation of our website are the following companies:

 

Vercel Inc ("Vercel"), 340 S Lemon Ave #4133, Walnut, CA 91789, USA, as a cloud platform. Depending on the server location, Vercel may also process your personal data in the USA. The corresponding data transfer to the USA takes place on the basis of the EU standard contractual clauses, which have been included in the order processing contract we have concluded with Vercel. You can view the order processing contract at https://vercel.com/legal/Vercel_Inc_-_Data_Processing_Addendum.pdf. Further information on Vercel's data protection provisions can be found at https://vercel.com/legal/privacy-policy

 

HubSpot, Inc. ("HubSpot"), 25 First Street, Cambridge, MA 02141 USA, for the implementation of marketing campaigns, the management of customer and business partner data and for contact management measures. HubSpot has joined the Data Privacy Framework Program concluded between the European Union and the USA and is certified accordingly. HubSpot has therefore undertaken to comply with the standards and regulations of European data protection law. Further information on the Data Privacy Framework Program and its validity can be found here: Link. Further information on HubSpot's data protection provisions can be found at: https://legal.hubspot.com/de/privacy-policy.

 

Google Ireland Limited ("Google"), Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland (parent company: Google LLC, USA), for web analytics and internet advertising services. We use the service Google Analytics 4 to analyze your user behavior on our website regardless of the use of different devices. For this purpose, Google assigns a unique, permanent ID to one or more sessions (and the activities within these sessions) on our website. If you have given your consent, Google will store cookies on your device to enable analysis of your use of the website. The information collected by the cookies about your use of our website is usually transferred to a Google LLC server in the USA and stored there. In Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google LLC server in the USA and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. With regard to the transfer of the above-mentioned data to Google LLC, we would like to point out that Google has joined the Data Privacy Framework Program concluded between the European Union and the USA and is certified accordingly. Google has therefore undertaken to comply with the standards and regulations of European data protection law. You can find more information about the Data Privacy Framework Program HERE.

 

During your visit to the website, your user behavior is recorded by Google Analytics 4 in the form of "events", in particular page views, first visit to the website, start of the session, web pages visited, your "click path", interaction with the website, scrolls (whenever a user scrolls to the end of the page (90%)), clicks on external links, internal search queries, interaction with videos, file downloads, ads viewed / clicked on, language setting.

 

The following information may also be collected: Your approximate location (region), date and time of the visit, your IP address (in abbreviated form), technical information about your browser and the end devices you use (e.g. language setting, screen resolution), your internet provider, the referrer URL (via which website/advertising medium you came to this website). 

 

Google will use this information on our behalf to evaluate your use of the website and to compile reports on this. The reports provided by Google are used to analyze the performance of our website and the success of our marketing campaigns. 

 

The legal basis for the use of Google Analytics is your consent. By accepting the corresponding cookies, you also consent to the processing of your personal data in this regard (Section 25 (1) TTDSG, Article 6 (1) (a) GDPR). You can revoke your consent at any time with effect for the future via our cookie settings. You can also prevent the storage of cookies from the outset by setting your browser software accordingly. However, if you configure your browser to reject all cookies, this may restrict the functionality of our website and other websites. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser add-on to deactivate Google Analytics HERE.

 

When configuring Google Analytics, care was taken to ensure that Google acts as a processor and may not use the data for its own purposes. However, data may be transferred by Google to third parties if Google is legally obliged to do so.

 

The data linked to the cookies is automatically deleted after 14 months. The maximum lifespan of Google Analytics cookies is 2 years. Data whose retention period has been reached is automatically deleted once a month.

 

Your data will not be sold to third parties or marketed in any other way. To find out more about the specific recipients of your data, the respective third countries and the measures we have taken to protect your data, including the possibility of obtaining a copy of the measures, please contact H&Z at the contact details provided in section 1 above.

 

7. What rights do I have and how can I exercise them?

 

You have the right in accordance with the statutory provisions:

  • to request information about the personal data processed by you and a copy of this data (right to information);

  • to request the rectification of inaccurate personal data and, taking into account the purposes of the processing, the completion of incomplete personal data (right to rectification); please let us know whether your data has changed and, if applicable, which of the data that we store is affected, so that we can correct or update the relevant data;

  • to demand the deletion of your personal data if there are legitimate reasons for doing so (right to deletion);

  • to demand the restriction of the processing of your personal data, provided that the legal requirements are met (right to restriction of processing);

  • if the legal requirements are met, to receive the personal data provided by you in a structured, commonly used and machine-readable format and to transmit this data to another controller or, if technically feasible, to have it transmitted by us (right to data portability); and

  • not to be subject to a decision based solely on automated processing, unless the legal requirements for this are met. Automated decision-making does not take place at H&Z.

     

You also have the right to object, on grounds relating to your particular situation, to processing of your data which is necessary for the purposes of the legitimate interests pursued by H&Z or by a third party (right to object). If personal data is processed by H&Z for the purpose of direct marketing, you have the right to object to this processing at any time without the need for special reasons.

 

If your data is processed on the basis of consent, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing of your data based on consent before its withdrawal.

 

To exercise your rights and to revoke any declaration of consent, please contact H&Z using the contact details listed in section 1. With regard to the processing of personal data for the purposes of carrying out the application procedure within the scope of the data protection regulations set out in Section 6.1, you can assert your rights with and against each of the aforementioned controllers, i.e. against H&Z or against h&z Unternehmensberatung GmbH (Hietzinger Kai 133/Top 201, 1130 Vienna, Austria, e-mail: datensicherheit@hz.group), h&z Business Consulting AG (Steinstrasse 21, 8003 Zurich, Switzerland, e-mail: datensicherheit@hz.group) and against H&Z Management Consulting Ltd (United Kingdom, 48 Dover Street, London W1S 4FF, e-mail: datensicherheit@hz.group). However, in order to exercise your rights effectively, we recommend that you contact H&Z as the central point of contact using the contact details listed in section 1.

 

In addition, without prejudice to other legal remedies, you have the right to lodge a complaint with a supervisory authority at any time.