Data Protection Statement of gruppenhaus.ch GmbH

With this Data Protection Statement, we, the gruppenhaus.ch GmbH (hereinafter referred to as we or us), describe how we collect and further process personal data. This Data Protection Statement not necessarily a comprehensive description of our data processing. It is possible that other data protection statements [or General Terms and Conditions, Conditions of Participation or similar documents] are applicable to specific circumstances.
The term "personal data" in this Data Protection Statement to shall mean any information that identifies, or could reasonably be used to identify any person.
If you provide us with personal data of other persons (such as family members, work colleagues), please make sure the respective persons are aware of this Data Protection Statement and only provide us with their data if you are allowed to do so and such personal data is correct.
This Privacy Notice is aligned with the EU General Data Protection Regulation («GDPR»), the Swiss Data Protection Act («DPA») and the revised Swiss Data Protection («revDPA»). However, the application of these laws depends on each individual case.

The “controller” of data processing as described in this data protection statement (i.e. the responsible person) is gruppenhaus.ch GmbH, Seestrasse 112, Bäch, unless otherwise stated in individual cases. If you have any data protection concerns, you can send them to us at the following contact address:
Gruppenhaus.ch GmbH
Seestrasse 112, 8806 Bäch
office@gruppenhaus.ch
+41 62 961 3334

You can visit our website without providing any personal information. We only store access data in so-called server log files, such as the name of the requested file, the date and time of the request, the amount of data transferred and the forming provider. This data is evaluated exclusively to ensure trouble-free operation of the site and to improve our services and does not allow us to draw any conclusions about your person.
We primarily process the personal data that we obtain from our clients and other business partners in the course of our business relationship with them and other persons involved or that we collect from their users in the course of operating our websites and other applications. In addition to the data about you that you give us directly, the categories of personal data that we receive about you from third parties include, in particular, information about you in correspondence and meetings with third parties, information about you that people close to you (family, advisors, legal representatives, etc.) give us so that we can conclude or process contracts with you or involving you, information from other contractual partners of ours regarding the use or provision of services by you (e.g. payments made, services rendered, etc.), information from other contractual partners of ours regarding the use or provision of services by you. (e.g. payments made, bookings made), your addresses and, if applicable, interests and other socio-demographic data (for marketing), data in connection with the use of the website (e.g. IP address, MAC address of the smartphone or computer, details of your device and settings, cookies, date and time of the visit, pages and content accessed, functions used, referring website, location details).

We use the personal data we collect primarily for the processing of contracts and your enquiries.
In addition, in line with applicable law and where appropriate, we may process your personal
data and personal data of third parties for the following purposes, which are in our (or, as the
case may be, any third parties') legitimate interest, such as:
⎯ providing and developing our products, services and websites, apps and other platforms,
on which we are active;
⎯ Communication with third parties and processing of their enquiries (e.g. applications, media enquiries);
⎯ Checking and optimising procedures for needs analysis for the purpose of direct customer contact as well as collecting personal data from publicly accessible sources for the purpose of customer acquisition;
⎯ advertising and marketing (including the organisation of events), insofar as you have not objected to the use of your data (if we send you advertising as an existing customer, you can object to this at any time and we will then place you on a blacklist against further advertising mailings);
⎯ Market and opinion research, media monitoring;
⎯ assertion of legal claims and defence in connection with legal disputes and official proceedings;
⎯ Prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analysis to combat fraud);
⎯ Guaranteeing our operations, in particular IT, our websites, and other platforms;
⎯ video surveillance to maintain domiciliary rights and other measures for IT, building and facility security and protection of our employees and other persons and assets belonging to or entrusted to us (such as access controls, visitor lists, network and mail scanners, telephone records);
⎯ Acquisition and sale of business divisions, companies or parts of companies and other transactions under company law and the associated transfer of personal data as well as measures for business management and insofar as for compliance with legal and regulatory obligations as well as internal regulations by gruppenhaus.ch GmbH.
If you have given us consent to process your personal data for certain purposes (for example, when you register to receive newsletters or when you make an enquiry), we process your personal data within the scope of and based on this consent, unless we have another legal basis, provided that we require one. Consent given can be withdrawn at any time, but this does not affect data processed prior to withdrawal.

We typically use "cookies" and similar technologies on our websites to identify your browser or device. A cookie is a small file that is sent to your computer or automatically stored on your computer or mobile device by the web browser you are using when you visit our website. This allows us to recognise you when you return to this website, even if we do not know who you are. In addition to cookies that are only used during a session and deleted after your visit to the website ("session cookies"), cookies can also be used to store user settings and other information for a certain period of time (e.g. two years) ("permanent cookies"). However, you can set your browser to reject cookies, save them for one session only or otherwise delete them prematurely. Most browsers are preset to accept cookies. We use persistent cookies to remember user preferences (e.g. language, autologin), to help us better understand how you use our offers and content, and to show you offers and advertisements tailored to you (which may also happen on other companies' websites; however, they will not learn from us who you are, if we even know, because they will only see that the same user is on their website who was on a particular page with us). Some of the cookies are set by us, and some are set by contractors with whom we work. If you block cookies, certain functionalities (such as language selection, other processes) may no longer work.
In our newsletters and other marketing emails, we sometimes, where permitted also include visible and invisible image elements, which we retrieve from our servers to determine whether and when you have opened the email, so that we can also measure and better understand how you use our offers and tailor them to you. You can block this in your email program; most are set to do this by default.
By using our websites and agreeing to receive newsletters and other marketing emails, you consent to the use of these techniques. If you do not wish to do so, you must set your email program accordingly.
We sometimes use Google Analytics or similar services on our websites. This is a service provided by third parties that may be located in any country in the world (in the case of Google Analytics, it is Google Ireland (based in Ireland), Google Ireland relies on Google LLC (based in the USA) as an order processor (both "Google"), www.google.com), with which we can measure and evaluate the use of the website (not on a personal basis). Permanent cookies set by the service provider are also used for this purpose. We have configured the service in such a way that the IP addresses of visitors are shortened by Google in Europe before being forwarded to the USA and thus cannot be traced. We have turned off the "data sharing" and "signals" settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google can draw conclusions about the identity of visitors from this data for its own purposes, create personal profiles and link this data to the Google accounts of these individuals. If you have registered with the service provider yourself, the service provider also knows you. The processing of your personal data by the service provider is then carried out under the responsibility of the service provider in accordance with its data protection regulations. The service provider only informs us how our respective website is used (no information about you personally).
We also use so-called plug-ins from social networks such as Facebook, YouTube, LinkedIn or Instagram on our websites. This is visible to you in each case (typically via corresponding symbols). In order to increase the protection of your data when visiting our website, the plug-ins are not integrated into the page without restrictions, but only using an HTML link (so-called "Shariff solution" from c't). This integration ensures that when you call up a page of our website that contains such plugins, no connection is established with the servers of the provider of the respective social network.
If you click on one of the buttons, a new window of your browser opens and calls up the page of the respective service provider on which you can (if necessary after entering your login data) e.g. click the Like or Share button. The purpose and scope of the data collection and the further processing and use of the data by the providers on their pages, as well as your rights in this regard and setting options for protecting your privacy, can be found in the data protection information of the providers.
http://www.facebook.com/policy.php
https://twitter.com/privacy
http://www.google.com/intl/de/+/policy/+1button.html
https://help.instagram.com/155833707900388
https://about.pinterest.com/de/privacy-policy

In the context of our business activities and in line with the purposes of the data processing set out in Section 3, we may transfer data to third parties, insofar as such a transfer is permitted and we deem it appropriate, in order for them to process data for us or, as the case may be, their own purposes. In particular, the following categories of recipients may be concerned:

- our service providers (within the gruppenhaus.ch GmbH or externally, such as e.g. banks, insurances), including processors (such as e.g. IT providers);
- dealers, suppliers, subcontractors and other business partners;
- clients;
- domestic and foreign authorities or courts;
- the media;
- the public, including users of our websites and social media;
- competitors, industry organizations, associations, organizations and other bodies;
- acquirers or parties interested in the acquisition of business divisions, companies or other parts of the gruppenhaus.ch GmbH;
- other parties in possible or pending legal proceedings;
- affiliates of the gruppenhaus.ch GmbH;
together Recipients.
Certain Recipients may be within Switzerland but they may be located in any country worldwide. In particular, you must anticipate your data to be transmitted to any country in which the gruppenhaus.ch GmbH is represented by affiliates, branches or other offices as well as to other countries in Europe and the USA where our service providers are located (such as Microsoft).

If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the revised European Commission’s standard contractual clauses, which can be accessed here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an exception. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing.

We process and retain your personal data as long as required for the performance of our contractual obligation and compliance with legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. Personal data may be retained for the period during which claims can be asserted against our company or insofar as we are otherwise legally obliged to do so or if legitimate business interests require further retention (e.g., for evidence and documentation purposes). As soon as your personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymized, to the extent possible. In general, shorter retention periods of no more than twelve months apply for operational data (e.g., system logs).

We have taken appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse such as training, IT and network security solutions, encryption of data carriers and
transmissions, pseudonymisation, inspections.

In the context of our business relationship, you must provide us with any personal data that is necessary for the conclusion and performance of a business relationship and the performance of our contractual obligations (as a rule, there is no statutory requirement to provide us with data). Without this information, we will usually not be able to enter into or carry out a contract with you (or the entity or person you represent). In addition, the website cannot be used unless certain information is disclosed to enable data traffic (e.g. IP address).

We may partially process your personal data automatically with the aim of evaluating certain personal aspects (profiling). In particular, profiling allows us to inform and advise you about products possibly relevant for you more accurately. For this purpose, we may use evaluation tools that enable us to communicate with you and advertise you as required, including market and opinion research.
In establishing and carrying out a business relationship, we generally do not use any fully automated individual decision-making (such as pursuant to article 22 GDPR). Should we use such procedures in certain cases, we will inform you separately on this and advise you of your relevant rights if required by law.

In accordance with and as far as provided by applicable law (as is the case where the GDPR is applicable), you have the right to access, rectification and erasure of your personal data, the right to restriction of processing or to object to our data processing, in particular for direct marketing purposes, for profiling carried out for direct marketing purposes and for other legitimate interests in processing in addition to right to receive certain personal data for transfer to another controller (data portability). Please note, however, that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest (insofar as we may invoke such interests) or need the data for asserting claims. If exercising certain rights will incur costs on you, we will notify you thereof in advance. We have already informed you of the possibility to withdraw consent in Section 3 above. Please further note that the exercise of these rights may be in conflict with your
contractual obligations and this may result in consequences such as premature contract termination or involve costs. If this is the case, we will inform you in advance unless it has already been contractually agreed upon.

In general, exercising these rights requires that you are able to prove your identity (e.g., by a copy of identification documents where your identity is not evident otherwise or can be verified in another way). In order to assert these rights, please contact us at the addresses provided in Section 1 above.

In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority of Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

This privacy policy is currently valid and has the status July 2023.
We may amend this privacy policy at any time without prior notice. The current version published on our website will apply. If the privacy policy is part of an agreement with you, we will inform you of the change by e-mail or other suitable means in the event of an update.