Privacy policy for business partners and customers
Status: November 1, 2023
This privacy policy for customers, suppliers and business partners describes how H&Z Unternehmensberatung GmbH (hereinafter referred to as "H&Z" or "we") processes your personal data in the context of our business relationship with you, your organization or the company you represent ("your company"). In addition, the Privacy Policy describes what types of personal data we collect about you, how we process, store and share the data and what rights you have in this context.
1. WHO IS RESPONSIBLE FOR PROCESSING MY DATA? HOW CAN I CONTACT H&Z?
H&Z Unternehmensberatung GmbH is responsible for the processing of your personal data within the meaning of the GDPR. You can contact H&Z at any time using the contact details below:
H&Z Unternehmensberatung GmbH,
Max-Joseph-Straße 6, 80333 Munich
Phone: +49 892429690
If you have any questions about the protection of your personal data, you can contact the central data protection coordinator, Stefan Franz, at the following e-mail address:
E-mail: stefan.franz@hz.group
You can contact H&Z's data protection officer at:
E-mail: datensicherheit@hz.group
2. WHICH OF MY PERSONAL DATA IS PROCESSED?
We collect and process personal data that you or your company provide to us in connection with the respective business relationship with us, insofar as this is necessary for the purposes of the business relationship, regardless of whether the information is transmitted to us verbally (e.g. by telephone), in writing (e.g. by e-mail, letter) or via our website.
In particular, we may collect the following categories of personal data:
• Name and contact information, e.g. first and last name, company/organization, business phone number, email address and other business contact information, and your job title;
• Order, service and contract data, including sales information and payment terms, contract details, etc;
• Payment and billing data, such as information required for payment processing and fraud prevention, including bank and account details, tax numbers and billing addresses;
• Order history and history of transactions and business interactions, including commercial information about the use of services, including to the extent necessary to manage relationships with business partners;
• Content of business communication relating to business relationships, products and services (e.g. correspondence by e-mail, letter, fax, etc.);
• personal data that we collect from publicly accessible sources, information databases or receive from credit agencies;
• where required by law as part of compliance screenings: date of birth, country of residence, results of screenings against recognized sanctions lists, information about relevant court proceedings and other legal disputes in which you or your company are involved.
3. FOR WHAT PURPOSES IS MY DATA PROCESSED AND ON WHAT LEGAL BASIS?
We process your personal data for the following legitimate business purposes and on the basis of the legal grounds set out below:
• To enter into and/or perform a contract with your company, including the processing of orders, the provision of services and for related administrative, account management, accounting, billing and auditing purposes. Insofar as the business relationship between H&Z and you personally exists, we rely on the necessity of the processing for the performance of the contract with you or in order to take steps at your request prior to entering into a contract (Art. 6 para. 1 lit. b) GDPR). Insofar as the business relationship exists between us and your company, we rely on our legitimate interests in the establishment, implementation and support of this business relationship (Art. 6 para. 1 lit. f) GDPR).
• To safeguard our legitimate interest in proper accounting and effective and service-oriented administration, support and maintenance of our business contacts (Art. 6 para. 1 lit. f) GDPR).
• To communicate with you or your company in the context of the establishment or implementation of the business relationship, insofar as this is necessary to safeguard our legitimate interest in efficient communication with you and/or your company, e.g. if we inform you about changes to our GTC or you contact H&Z with questions and concerns (Art. 6 para. 1 lit. f) GDPR).
• To carry out compliance checks of our business partners: We process your personal data to the extent that processing is necessary for the purposes of our legitimate interest in complying with legal requirements, in particular the obligations arising from applicable data protection laws and regulations (e.g. Art. 28 (1) GDPR) (Art. 6 (1) (f) GDPR).
• Furthermore, we process your data insofar as this is necessary to comply with H&Z's legal obligations, including compliance with statutory retention obligations (e.g. pursuant to Section 257 HGB and Section 147 AO) (Art. 6 para. 1 lit. c) GDPR).
• To safeguard our legitimate interests in ensuring and documenting compliance with applicable laws and in the assertion, exercise or defense of legal claims (Art. 6 para. 1 lit. f) GDPR), including the collection of receivables and the enforcement of payment claims.
• For direct marketing purposes: If you have separately given your consent to further use of your personal data, we may use your personal data provided in this context (in particular your first and last name, your e-mail address, the name and address of your company and other information provided by you as part of the consent) for advertising purposes in accordance with the scope described in the consent in order to inform you via your preferred channel (by e-mail, fax and/or telephone) about selected offers for services of the H&Z Group. This direct marketing may include information on current H&Z consulting services and service information as well as news from your industry, announcements of upcoming events and other marketing information.
In addition, we may process the data mentioned in this section in order to meet organizational requirements with regard to your marketing consent, such as the validation of the e-mail address you have provided through a so-called double opt-in procedure.
Your consent is logged in order to prevent misuse and to be able to document and prove your consent in accordance with the legal requirements. The logging is based on the necessity of processing to safeguard our legitimate interests in complying with legal requirements and ensuring a legally compliant and user-friendly design of our advertising communication (Art. 6 para. 1 lit. f) GDPR, Art. 6 para. 1 lit. c) in conjunction with Art. 5 para. 1 lit. a), para. 2, Art. 7 para. 1 GDPR). The processing of your personal data in connection with advertising communication by H&Z is carried out exclusively for the purpose of sending you advertising communication. The legal basis for this is your consent in accordance with Art. 6 para. 1 lit. a) GDPR.
You can revoke your consent at any time with effect for the future at no additional cost, e.g. by sending an e-mail to datensicherheit@hz.group.
• For the purposes of advertising to existing customers: We will only contact you by email for marketing purposes without your consent if we have received your email address in connection with a service you have provided to us, the advertising content in the email relates to similar services and you have not objected to the use of your email address for advertising purposes. You can object to the use of your e-mail address for advertising purposes at any time without incurring any costs other than the transmission costs for the objection according to the basic rates of your telecommunications provider. We base the processing of your data in this regard on the protection of our legitimate interests in the marketing of our services (Art. 6 para. 1 lit. f) GDPR).
4. AM I OBLIGED TO PROVIDE MY DATA?
You are neither contractually nor legally obliged to provide us with your personal data to the extent described above. However, if you do not provide us with certain data, we may be prevented from fulfilling our obligations, entering into and/or performing the contract with you or your company or otherwise managing the business relationship with you or your company.
5. WHO WILL MY DATA BE PASSED ON TO?
We may pass on your data to third parties in the following cases, insofar as this is necessary to achieve the purposes described in section 3:
6. GROUP-INTERNAL PROCESSING
Your data will be treated as strictly confidential and will only be passed on internally to the respective H&Z Group companies or the respective departments/employees at H&Z who need to have knowledge of your data in order to perform their respective tasks (e.g. insofar as this is necessary for the provision of the services provided by you or your company to H&Z to the contractually agreed extent, or for the management of inquiries and administration of your data in the central customer relationship management system of the H&Z Group). Insofar as we pass on your data to other H&Z Group companies in these cases, we process your data together with the respective H&Z Group company as joint controllers. With regard to the joint processing of your personal data, H&Z has concluded joint controllership agreements with its group companies that meet the requirements of Art. 26 GDPR. The contact details of the other H&Z Group companies can be found in section 9 of this privacy policy.
7. EXTERNAL SERVICE PROVIDERS AND OTHER DATA RECIPIENTS
• External service providers: We pass on your data to carefully selected external service providers who are contractually obliged in accordance with the relevant data protection regulations (e.g. hosting and IT service providers and other service providers, such as marketing agencies, providers of data analysis services, cloud service providers for CRM software, accounting software and ERP software). These process your personal data exclusively on our behalf on the basis of an order processing contract in accordance with Art. 28 GDPR, insofar as this is necessary for the provision of the services commissioned by us. Your data will not be sold to third parties or marketed in any other way.
A current list of all service providers is available on request from H&Z using the contact details given in section 1.
• Authorities and courts: We may also disclose your personal data to regulatory authorities, law enforcement agencies and courts to the extent that (1) after careful consideration, we believe that this is (i) required by law or (ii) necessary to comply with a judicial or administrative order (e.g. a law enforcement agency's request for information), or (2) if disclosure is necessary and appropriate (i) to ensure compliance with applicable laws, (ii) to assert, exercise or defend our legal rights, or (iii) in connection with an investigation of illegal or suspected illegal activities. To the extent permitted by law and reasonable, we will attempt to notify you of such requests for information.
8. WILL MY PERSONAL DATA BE STORED AND PROCESSED OUTSIDE THE EU/EEA?
In some cases, it is possible that the information provided under point 5 may be located in countries outside the European Union and the contracting states of the European Economic Area ("third countries"), in particular in the case of transfer to service providers in the USA. The laws of these countries may not guarantee a level of data protection that has been deemed adequate by the European Commission as part of an adequacy decision. Insofar as the transfer of data to the respective recipient is not covered by an adequacy decision of the EU Commission, we have taken suitable and appropriate measures in these cases to ensure that your data is also adequately protected by the recipients in third countries and that the level of data protection required by European law is not undercut. The measures include, for example, the conclusion of EU standard contractual clauses that impose special obligations on the data recipient with regard to the processing of your data and aim to comply with European data standards and, if necessary, the implementation of additional technical and organizational measures to protect your data. Some of the service providers commissioned by us have joined the Data Privacy Framework Program concluded between the European Union and the USA and are certified accordingly. These companies are therefore obliged to comply with the standards and regulations of European data protection law. Further information on the Data Privacy Framework Program and its validity can be found HERE.
9. HOW IS MY DATA PROTECTED?
We have taken comprehensive technical and organizational measures to ensure a level of protection appropriate to the risk of processing your personal data. This includes, in particular, measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access and misuse. When implementing the measures, we have taken into account the state of the art, the nature, scope, context and purpose of the processing as well as the existing risks to your personal data. These measures are aimed at ensuring the continued integrity, availability and confidentiality of your data and the resilience of our data processing systems. The measures taken are regularly reassessed and improved. For more information on the technical and organizational measures we have taken, please contact us at the contact details provided in section 1 of this privacy policy.
10. HOW LONG WILL MY DATA BE STORED?
We only store your data for as long as is necessary for the fulfillment of the purposes described in section 3. The following storage periods apply in detail:
• Personal data that we process for the purpose of fulfilling the contract will be stored for as long as necessary to safeguard our rights and obligations under the contract, including for accounting, invoicing, auditing and compliance purposes.
• Personal data stored to manage, maintain and support our business relationship with you or your company, including business emails, will be stored for a period of three years from the last business interaction with you.
• We store personal data that we process on the basis of your consent to carry out direct marketing measures until you withdraw your consent or we stop carrying out the relevant marketing measures.
• Personal data that is required to fulfill our retention obligations under tax and commercial law is stored for a period of up to ten years.
After expiry of the above-mentioned periods, this data will be completely deleted, unless deletion is contrary to statutory retention obligations or longer storage in the specific case is necessary to fulfill other legal obligations (Art. 6 para. 1 lit. c) GDPR) or to protect our legitimate interests in asserting, exercising or defending our legal claims (Art. 6 para. 1 lit. f) GDPR).
11. WHAT RIGHTS DO I HAVE AND HOW CAN I EXERCISE THEM?
You have the right in accordance with the statutory provisions:
• to request information about the personal data processed by you and a copy of this data (right to information);
• to request the rectification of inaccurate personal data and, taking into account the purposes of the processing, the completion of incomplete personal data (right to rectification); please let us know whether your data and, if applicable, which of your data that we store has changed so that we can correct or update the relevant data.
• to demand the deletion of your personal data if there are legitimate reasons for doing so (right to deletion);
• to demand the restriction of the processing of your personal data, provided that the legal requirements are met (right to restriction of processing);
• if the legal requirements are met, to receive the personal data provided by you in a structured, commonly used and machine-readable format and to transmit this data to another controller or, if technically feasible, to have it transmitted by us (right to data portability); and
• not to be subject to a decision based solely on automated processing, unless the legal requirements for this are met. Automated decision-making does not take place at H&Z.
You also have the right to object, on grounds relating to your particular situation, to processing of your data which is necessary for the purposes of the legitimate interests pursued by H&Z or by a third party (right to object). If personal data is processed by H&Z for the purpose of direct marketing, you have the right to object to this processing at any time without the need for special reasons.
If your data is processed on the basis of consent, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing of your data based on consent before its withdrawal.
To exercise your rights and to revoke any declaration of consent, please contact H&Z using the contact details listed in section 1. With regard to the processing of personal data for the purposes of carrying out the application procedure within the scope of the data protection regulations described in section 5.1, you can assert your rights with and against each of the aforementioned controllers, i.e. against H&Z or against h&z Unternehmensberatung GmbH (Hietzinger Kai 133/Top 201, 1130 Vienna, Austria, e-mail: datensicherheit@hz.group), H&Z Unternehmensberatung GmbH (Steinstrasse 21, 8003 Zurich, Switzerland, e-mail: datensicherheit@hz.group) and against H&Z Management Consulting Ltd (United Kingdom, 48 Dover Street, London W1S 4FF, e-mail: datensicherheit@hz.group). However, in order to exercise your rights effectively, we recommend that you contact H&Z as the central point of contact using the contact details listed in section 1.
In addition, without prejudice to other legal remedies, you have the right to lodge a complaint with a supervisory authority at any time.