Joint Privacy Policy
of
HANCA GMBH and the companies of the HANCA Group

In this joint privacy policy, we inform you about the collection and processing of your personal data by HANCA GMBH in Switzerland and the companies of the HANCA Group (hereinafter also referred to as “HANCA,” “we,” “us,” see also Part A, Section 2.1 below). Unless express-ly stated otherwise, the following statements in this privacy policy apply to all companies of the HANCA Group.

The protection of your privacy when processing personal data within the meaning of Art. 5 lit. a of the Swiss Data Protection Act (“DSG”) or processing personal data within the meaning of Art. 4 No. 1 of the EU General Data Protection Regulation (‘GDPR’) (hereinafter also referred to as “data”) is very important to us. To ensure data security, we have taken comprehensive technical and organizational measures that are always adapted to the current state of the art. All data we collect is treated confidentially and in accordance with the applicable legal data protection regulations.

This joint privacy policy explains what data we collect from you, for what purpose we do so and what we use the data for, how long we process your data, and what rights you have as a data subject. In addition to the general data protection information that applies to all pro-cessing operations (hereinafter referred to as Part A), we inform you about the processing of your data when you visit our website www.hanca.ch (hereinafter referred to as Part B) or our company pages on external social networks (hereinafter referred to as Part C), are our busi-ness partner and purchase our services or offers or are otherwise connected with us within the framework of a contract (hereinafter referred to as Part D), apply for a job with us (here-inafter referred to as Part E) or use our contact form, communicate with us by email or tele-phone or otherwise have dealings with us (hereinafter referred to as Part F). In addition, we may inform you separately about the processing of your data in individual cases, e.g., in dec-larations of consent, contractual terms and conditions, additional privacy statements, forms, and notices.

If you transmit or disclose data about other persons to us, we assume that you are authorized to do so and that this data is correct. By transmitting data about third parties, you confirm this. Please also ensure that these third parties have been informed about our privacy policy.

The privacy policy is designed to meet the European requirements of the GDPR and the ap-plicable national data protection laws in Switzerland and Germany. However, whether and to what extent these laws apply depends on the individual case.

Part A

General data protection information

1. Processing of personal data

Personal data or personal information is any information that can be directly or indirectly linked to you personally with the help of additional data, e.g., names, addresses, email addresses, telephone numbers, IP addresses, user behavior, and location data. In addi-tion, this may also include data from a contractual relationship with us, such as business partner history, sales data, payments, and comparable data.

Sensitive personal data within the meaning of Art. 5 lit. c DSG or special categories of personal data within the meaning of Art. 9 (1) GDPR (hereinafter also referred to as “sensitive data”) are sensitive data that are subject to special protection under the appli-cable data protection law. Data requiring special protection includes, for example, in-formation revealing racial or ethnic origin (e.g., if you send us a photograph of yourself as part of a job application), health data, information about religious or philosophical be-liefs, biometric data for identification purposes, and information about trade union mem-bership. As a rule, we do not process particularly sensitive data.

Processing within the meaning of Art. 5 lit. d DSG or processing within the meaning of Art. 4 No. 2 GDPR (hereinafter referred to collectively as “processing” for the sake of readability or “process”) means any operation involving data, whether with or without the aid of automated (i.e., technology-based) procedures, e.g., obtaining, collecting, storing, using, adapting, modifying, disclosing, transmitting, and deleting.

Legal entities are no longer covered by the new data protection laws. Only natural per-sons are protected in accordance with Art. 2 DSG and Art. 1, Art. 4 No. 1 GDPR, as well as Recital 14 to the GDPR. If you are our business partner, we mainly process data relating to legal entities. We conclude separate confidentiality agreements for their pro-tection. However, this privacy policy applies if the processing of our customers’ data al-so includes data from their employees, for example. In addition, it also serves as gen-eral information in this case.

2. Who is responsible for processing your data?

2.1 Unless otherwise communicated (e.g., if we are only acting as a processor within the meaning of Art. 5 lit. k DSG or Art. 4 No. 8 GDPR), the controller pursuant to Art. 5 lit. j DSG or Art. 4 No. 7 GDPR for the data processing described in this privacy policy de-pends on the individual case:

HANCA GMBH
Sumpfstrasse 26
CH-6312 Steinhausen
Email: hello@hanca.ch

HANCA DE GMBH
Kastanienallee 29-30
D-10435 Berlin
Email: hello@hanca.ch

The respective responsibility for the individual data processing operations can be found below in sections B to F of this joint privacy policy.

2.2 The controllers referred to in section 2.1 above also process your data in some cases as joint controllers within the meaning of Article 26 GDPR. The HANCA Group has set out in a joint controller agreement pursuant to Article 26 GDPR which company fulfills the obligations of data protection.

2.3 In the case of data processing described in this privacy policy, third parties may also be jointly responsible with us under data protection law if they decide on the purposes or means of processing. In this case, we remain your primary contact. Furthermore, this privacy policy contains information about third parties with whom we cooperate and who are responsible for their own processing. If you have any questions or wish to ex-ercise your rights vis-à-vis these third parties, please contact them directly.

3. What data do we process about you and where do we obtain it from?

3.1 We process the following categories of data from you:

  • Personal master data (e.g., name, address, email address, telephone number, and other contact details, gender, date of birth, nationality, and, where applicable, demographic data).
  • Communication data (e.g., type, location, and time of communication and, as a rule, its content, i.e., the content of emails, letters, chats, signatures, and associat-ed metadata such as timestamps, sender/recipient, message ID, etc.).
  • Contract and company data, e.g., if you are our business partner or work for one.
  • Technical and usage data, e.g., operating system, browser type and version, de-vice type, screen size, IP address, email opens, clicks, navigation, duration, pages visited, etc.
  • Marketing/preference data: Data about users’ preferences regarding marketing, e.g., consents or opt-ins for newsletters/communications, feedback, interactions with marketing emails, etc.
  • Other data, e.g., in connection with any administrative or legal proceedings.

Further information and details on the data we process can be found below in Parts B to F on the individual data processing operations.

3.2 Much of the data we process is provided to us by you, e.g. when you visit our website, in the context of a contractual relationship with you, pre-contractual contact, or any oth-er inquiry.

To the extent necessary for the fulfillment of our contractual or legal obligations, we also process data that we have lawfully collected from publicly accessible sources (e.g., commercial registers, land registers, or other public registers, the press, the internet, so-cial media) or that is transmitted to us by authorities or other third parties (e.g., contrac-tual partners, if your employer is our business partner, or credit agencies, insofar as we conduct business with you personally).

The provision of this data is generally voluntary, subject to individual cases, e.g. in the context of legal obligations. If you wish to conclude contracts with us or make use of our services, you must also provide us with data within the scope of your contractual obligations under the relevant contract. If you or a person representing you (e.g., your employer) concludes or fulfills a contract with us, we must collect the data from you that is necessary for the conclusion and execution of the contract. If you do not provide us with this data, you must expect that we will refuse to comply with the contract, that you will be in breach of contract, or that we will not fulfill the contract. Similarly, we can only send you a response to a request from you if we process the relevant communica-tion data.

4. On what basis do we process your data?

4.1 HANCA GMBH

According to the principles of Swiss data protection law, the processing of your data is generally permitted and only prohibited in exceptional cases if it unlawfully infringes on your privacy (Art. 30 DSG).

According to Art. 31 DSG, a violation of privacy is unlawful if it is not justified by the consent of the person concerned, by overriding private or public interest, or by law.

Where we do not ask for your express consent to process your data, we base the pro-cessing of your data in particular on the fact that the processing is directly related to the conclusion or execution of a contract with you (or the entity you represent) or that we or third parties have a legitimate interest in doing so, in particular for the purposes set out in section 4 below. Our legitimate interests also include compliance with legal require-ments, insofar as these are not already recognized as a legal basis by the applicable da-ta protection law.

If we receive particularly sensitive data from you, we may also process it on other legal grounds, e.g., in the event of disputes arising from the need to process it for a possible lawsuit or to enforce or defend legal claims. In individual cases, other legal grounds may apply, about which we will inform you separately if necessary.

4.2 HANCA DE GMBH

In accordance with the principles of the GDPR and the Federal Data Protection Act (BDSG), we only process your data if there is a legal basis for doing so. The processing of your data may be based on the following legal grounds in particular:

  • Art. 6 para. 1 subpara. 1 lit. b) GDPR, insofar as the processing of your data is necessary for the performance of a contract or for the implementation of pre-contractual measures (e.g. in the case of inquiries about our offers and services).
  • Art. 6 para. 1 subpara. 1 lit. c) GDPR, insofar as we are subject to a legal obliga-tion that requires the processing of your data, e.g. to fulfill tax or accounting obli-gations.
  • Art. 6 para. 1 subpara. 1 lit. f) GDPR, insofar as your interests, fundamental rights, and freedoms that warrant protection do not outweigh our legitimate inter-ests in processing, such as for the optimization of internal IT processes (customer database, etc.) or the assertion or defense of legal claims.
  • Art. 6 para. 1 subpara. 1 lit. a) GDPR, insofar as we obtain your consent in ad-vance for processing operations for a specific processing purpose.

We will only process your particularly sensitive data if there is a legally regulated excep-tion within the meaning of Art. 9 (2) GDPR, in particular if you expressly consent to the processing of such data in accordance with Art. 9 (2) (a) GDPR or if the processing is necessary for the assertion, exercise, or defense of legal claims in accordance with Art. 9 (2) (f) GDPR. exercise or defense of legal claims pursuant to Art. 9 (2) (f) GDPR.

4.3 If we ask for your consent for certain processing operations, we will inform you sepa-rately about the specific purposes of the processing. You can revoke your consent at any time by email or writing (by post) to the body responsible with effect for the future. As soon as we receive notification of the revocation of your consent, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for doing so. The revocation of your consent does not affect the le-gality of the processing carried out based on the consent until revocation.

5. For what purposes do we process your data?

Your data will be processed for the following purposes:

  • Communication with you, in connection with our offers and services, to respond to your inquiries, to assert your rights, and to contact you in case of queries.
  • Initiating, executing, or processing contractual relationships with you.
  • Marketing and customer care, e.g., to send you personalized advertising about our offers and services, and to contact you if we have an ongoing customer rela-tionship with you. This can take the form of newsletters and other channels (elec-tronically, by mail, by telephone) or as part of individual marketing campaigns. In doing so, we may also send personalized direct marketing communications, place interest-based advertising via third-party partners, and analyze user interactions to optimize our marketing campaigns (e.g., with Instantly.ai). You can refuse such contact at any time or revoke your consent to be contacted for advertising pur-poses at any time. In addition, we may operate a customer relationship manage-ment system (“CRM system”) in which we store the data necessary for maintain-ing the relationship during a business relationship with you.
  • Reviewing your application, planning and conducting the application process, and, if applicable, establishing an employment relationship.
  • Fulfilling our contractual and legal obligations under European or applicable na-tional law, as well as complying with the instructions and recommendations of au-thorities, industry standards, internal regulations (“compliance”) and our own cor-porate governance. This also includes, for example, implementing measures to combat money laundering and terrorist financing (“Know Your Customer”), ful-filling disclosure, information, reporting, or archiving obligations, and preventing, detecting, and investigating criminal offenses and other violations, including re-ceiving and processing complaints and other reports.
  • Risk management and prudent corporate governance, e.g., in planning our re-sources and organizing our operations.
  • Administrative purposes, e.g., operation, technical administration, and ongoing improvement of our website, customer management, accounting, data archiving, and implementation of other internal processes such as the evaluation and im-provement of internal procedures.
  • Security purposes, e.g., controlling access to electronic systems (e.g., logging into user accounts) or to our building.
  • Protecting our rights, e.g. to enforce claims in court, in or out of court, and before authorities in Germany and abroad, or to defend ourselves against claims.

These purposes and the underlying objectives also represent legitimate interest on our part.

6. Who do we share your data with?

6.1 Within the HANCA Group

Within the HANCA Group, those departments (e.g., financial accounting, human re-sources) or companies (see Part A, Section 2.1) that need your data for the respective processing purposes, particularly those specified in Part A, Section 5, will have access to it. This may occur, for example, within the framework of joint responsibility via our CRM system.

A transfer within the HANCA Group also constitutes processing and only takes place if the relevant legal requirements are met. Please also note our information below in sec-tion 7 regarding the transfer of data from HANCA DE GMBH in Germany to HANCA GMBH in Switzerland.

6.2 External third parties

In addition, to provide our services and website, we work with external service providers in Germany and abroad who process data about you on our behalf or in joint responsi-bility with us, or who receive data about you from us on their own responsibility. In order to provide our products and services efficiently and to focus on our core competencies, we obtain services from third parties in numerous areas.

The following third parties may receive your data:

  • Auditors, tax advisors, lawyers, and other consultants
  • Financial service providers, e.g., banks, insurance companies, collection agencies
  • IT service providers in connection with the operation and provision of our IT sys-tems and website; our main IT service providers are Microsoft and Swisscom.
  • Shipping and logistics service providers
  • Marketing, sales, communications, or printing service providers
  • Building management, security, and cleaning
  • Organization and execution of events and receptions

We disclose to these service providers the data necessary for their services, which may also concern you. In addition, we conclude contracts with these service providers that include provisions for data protection, unless such provisions are already required by law or other regulations (e.g., the standard data protection clauses of the Federal Data Protection and Information Commissioner or the EU Commission). External service providers provide information about independent data processing in their own privacy policies.

Other recipients of your data may include:

  • Our contractual partners and customers, especially if you work for such a con-tractual partner yourself (e.g., as an employee)
  • Authorities and other public bodies in Germany and abroad (e.g., social security institutions, financial and law enforcement authorities, courts, government agen-cies)
  • Other persons in cases where the data transfer results from the purposes speci-fied in section 5 above, e.g., delivery recipients specified by you or third-party payment recipients, partners in the context of our corporate development, third parties within the scope of agency relationships (e.g., if we send your data to your lawyer or bank) or persons involved in official or court proceedings.

All these categories of recipients may in turn involve third parties, meaning that your da-ta may also become accessible to them.

6.3 We will only disclose your data to third parties if we are authorized to do so.

HANCA GMBH acts as the controller if we have an overriding interest in the disclosure, in particular if

  • the transfer is directly related to the conclusion or performance of a contract with you (Art. 31 para. 2 lit. a DSG) or
  • the disclosure is related to our website, our services and offers, our legal obliga-tions, or otherwise to protect our legitimate interests and the other purposes men-tioned in section 5 above.

HANCA DE GMBH acts as the controller, this is particularly the case if

  • the transfer is necessary pursuant to Art. 6 (1) (b) GDPR for the performance of a contract with you or for the implementation of pre-contractual measures,
  • there is a legal obligation to disclose the data pursuant to Art. 6 (1) (c) GDPR (e.g., fulfillment of tax or accounting obligations),
  • the transfer is necessary to safeguard our legitimate interests pursuant to Art. 6 (1) (f) GDPR and you do not have any overriding interests worthy of protection in the data not being transferred (e.g., transfer to HANCA GMBH for internal admin-istrative purposes or for the establishment, exercise, or defense of legal claims), or

a) you have given your consent in accordance with Art. 6 (1) (a) GDPR.

7. Do we also transfer your data abroad or to a (different) third country outside the European Union or the European Economic Area?

7.1 Your data will generally be processed in Switzerland and within the European Union or the European Economic Area (e.g., in the Federal Republic of Germany).

7.2 In exceptional cases, your data may be transferred to any country in the world, i.e., also to a (different) third country outside the European Union or the European Economic Ar-ea. When you visit our website (see Part B below), it cannot be ruled out that some third-party cookies, e.g., Google services, may transfer your data to the US or other third countries outside the European Union or the European Economic Area, where the data may be further processed.

Furthermore, if HANCA DE GMBH acts as the controller, your data will be transferred within the group to HANCA GMBH in Switzerland.

When data is processed in a third country, an adequate level of data protection compa-rable to that provided by the DSG or the GDPR is generally not guaranteed. In such cases, your data will only be transferred if the specific requirements of Art. 16 ff. DSG or Art. 44 ff. GDPR are met. Transfer may be considered on the basis of an adequacy decision by the Federal Council (Art. 16 para. 1 DSG) or the EU Commission (Art. 45 GDPR) or subject to appropriate safeguards, such as the standard data protection clauses of the Federal Data Protection and Information Commissioner (Art. 16 para. 2 lit. d DSG) or the EU Commission (Art. 46 GDPR) in their currently applicable version.

Data transfers to the USA are carried out, depending on which company of the HAN-CA Group acts as the controller, on the basis of the adequacy decision of the Federal Council on the Swiss-U.S. Data Privacy Framework of August 14, 2024, or on the basis of the adequacy decision of the EU Commission on the EU-U. S. Data Privacy Frame-work of July 10, 2023.

The transfer of your data within the group from HANCA DE GMBH to HANCA GMBH in Switzerland is based on Decision 2000/518/EC of the EU Commission dated July 26, 2000, amended by Decision (EU) 2016/2295 of the EU Commission dated December 16, 2016, in which the EU Commission decided that Switzerland ensures an adequate level of protection for personal data.

If a recipient is located in a country without adequate legal data protection, we contrac-tually oblige the recipient to comply with the applicable data protection regulations (we use the revised standard data protection clauses of the EU Commission for this pur-pose) and take further technical and organizational measures to ensure an adequate level of data protection.

Further information on data transfers to third countries when visiting our website can be found in Part B, Section 2 of this privacy policy.

8. How long do we process your data?

8.1 We will only process your data until the respective processing purpose has been fulfilled and will then delete it, unless longer storage is required due to statutory retention periods or our legitimate interests (e.g., for documentation and evidence purposes) or is neces-sary for technical reasons. Documentation and evidence purposes include the assertion or defense of legal claims, IT and infrastructure security, and proof of good corporate governance and compliance. Storage may be necessary for technical reasons if certain data cannot be separated from other data and we therefore store it together with this da-ta (e.g., in the case of backups). If there are no legal or contractual obligations to the contrary, we will delete your data after the processing period has expired as part of our usual procedures or restrict processing.

8.2 If you visit our website and use it for informational purposes only (i.e., you do not con-tact us), the log data and session cookies collected by us will be automatically deleted when the respective session ends. For further data collected by means of cookies, you will find more detailed information on the duration of storage and deletion in Part B, Sec-tion 2 of this privacy policy.

8.3 If you are our business partner (see Section C below), the accounting and tax retention periods in both Switzerland and the Federal Republic of Germany are generally ten years. If we do not have a contract with you, we generally retain your data until the ex-piry of the periods for retaining evidence in connection with the assertion, exercise, or defense of legal claims, which are governed by the applicable statutory limitation provi-sions. Insofar as HANCA GMBH acts as the controller, we will delete your data three years after the last exchange with you. If HANCA DE GmbH acts as the controller, the regular limitation period is three years in accordance with Section 195 of the German Civil Code (BGB). The data you provide in the context of an application (see Part D be-low) will generally be deleted by us immediately, but no later than six months after completion of the application process.

8.4 If the processing of your data has been restricted on the basis of Art. 18 GDPR, we will, apart from storage, only process and delete it with your consent or for the purposes specified in Art. 18 (2) GDPR as soon as other retention periods do not preclude this and there is no reason to assume that deletion would adversely affect your interests worthy of protection.

9. How do we protect your data?

9.1 We have taken appropriate and reasonable technical and organizational measures to protect your personal data against accidental or intentional manipulation, partial or com-plete loss, destruction, or unauthorized access by third parties. These technical and or-ganizational measures include, for example, encryption and pseudonymization of data, logging, access restrictions, storage of backup copies, instructions to our employees, confidentiality agreements, and controls. In addition, only those persons entrusted with processing have access to the data. This ensures that data is treated with the utmost confidentiality within HANCA. We also require our contractors to take appropriate secu-rity measures.

We use SSL or TLS encryption on our website to protect the transmission of confiden-tial content. This means that data you exchange with our website cannot be viewed by third parties.

9.2 As a rule, we require the client to provide us with the laptops, etc., necessary for the performance of the services so that the processing can be carried out at the respective client’s premises. If, however, the processing is carried out at HANCA itself, secure da-ta carriers are used for this purpose.

9.3 Our security measures are continuously improved in line with technological develop-ments. However, we would like to point out that residual risks cannot be completely ruled out and are unavoidable. Data transmission over the Internet (e.g. when com-municating by email) may be subject to security vulnerabilities, meaning that it is not possible to completely protect your data from access by third parties.

10. What rights do you have as a data subject?

10.1 Under the legal conditions, which we check in each individual case depending on which company of the HANCA Group acts as the body responsible, you have the following rights with regard to your data stored by us:

  • Request information about the data and its processing (Art. 25 DSG, Art. 15 GDPR).
  • Request the correction or completion of the data (Art. 32 (1) DSG, Art. 16 GDPR).
  • Request the deletion of the data (Art. 32 para. 2 lit. c DSG, Art. 17 GDPR).
  • Request the restriction of data processing (Art. 18 GDPR).
  • Receive the data in a structured, commonly used, and machine-readable format and request its transfer to another controller (Art. 28 DSG, Art. 20 GDPR).
  • Object to the processing of data that we process on the basis of Art. 6 (1) (e) or (f) GDPR (Art. 21 GDPR).

Please note that these rights are subject to the requirements, exceptions, or restrictions applicable under applicable data protection law (e.g., for the protection of third parties or trade secrets). We will inform you accordingly if necessary.

10.2 You also have the right to revoke your consent to the processing of your data at any time with future effect. As a result, we will no longer be permitted to continue processing data based on this consent. The legality of the data processing carried out up to that point remains unaffected by this.

10.3 If you wish to exercise any of the above rights, simply send us a message. You can contact us in writing using the contact details provided or send an email to hel-lo@hanca.ch. In order to prevent misuse, we must identify you (e.g., with a copy of your ID, unless otherwise possible).

10.4 You also have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the applicable data protection regulations.

In Switzerland, this is the Federal Data Protection and Information Commissioner. The consequences of a complaint in Switzerland are governed by Art. 49 ff. DSG.

In Germany, you can contact the supervisory authority of your usual place of residence or workplace or the place of the alleged infringement in accordance with Art. 77 GDPR. For HANCA DE GMBH, the Berlin Commissioner for Data Protection and Freedom of Information is the competent supervisory authority. The consequences of a complaint in Germany are governed by Art. 82 ff. GDPR.

11. Profiling and automated individual decisions

We may automatically evaluate certain of your personal characteristics for the purpos-es mentioned above based on your data (“profiling”) if we wish to determine preference data, but also to identify abuse and security risks, perform statistical evaluations, or for operational planning purposes. For the same purposes, we may also create profiles, i.e., we may combine behavioral and preference data, as well as master and contract data and technical data assigned to you, in order to better understand you as a person with your different interests and other characteristics. However, we may also create anony-mous and, with your consent, personalized movement profiles of you.

In certain situations, for reasons of efficiency and consistency in decision-making pro-cesses, it may be necessary for us to automate discretionary decisions concerning you (“automated individual decisions”). In this case, we will inform you accordingly and take the measures required by applicable law.

12. Changes to the privacy policy

We may amend this privacy policy at any time. The version published on this website is the current version.

Part B

Additional data protection information for visitors to our website

1. Collection and processing of data

1.1 HANCA GMBH is responsible for collecting and processing data in connection with the use of our website www.hanca.ch.

1.2 When using the website for purely informational purposes, i.e. if you do not provide us with any other information (e.g. by contacting us), we only collect the data that is auto-matically transmitted to our server by the browser used on your device and temporarily stored in a log file (“log data”). We also use cookies and similar technologies on our website. Further information on this can be found below in Part B, Section 2 of this pri-vacy policy.

When you visit our website, we process the following log data relating to you until it is automatically deleted:

  • IP-Adresse Ihres anfragenden Rechners,
  • IP address of your requesting computer,
  • date and time of the request,
  • time zone difference to Greenwich Mean Time (GMT),
  • name of the URL and content of the request (specific page),
  • access status/HTTP status code,
  • website from which access is made (referrer URL),
  • browser and language and version of the browser software,
  • operating system of your computer and the name of your access provider,
  • amount of data transferred in each case.

1.3 We process the mentioned data for the following purposes:

  • Ensuring smooth connection to the website,
  • Ensuring comfortable use of our website,
  • Evaluating system security and stability,
  • Other administrative purposes, and
  • Statistical purposes, without the possibility of assigning this information to your person.

The collection of this data is technically necessary in order to display our website to you, to ensure and optimize the functionality and stability of our website, and to guarantee the security of our information technology systems.

2. Cookies

2.1 We use cookies and similar technologies on our website. These process data about you (e.g., IP address, information about your browser and operating system) in order to per-sonalize content (such as fonts), integrate third-party media, or analyze access to our website. Cookies are small text files that are assigned to the browser you use when you visit our website and are stored on your computer, and through which certain infor-mation (e.g., about your usage behavior) flows to the entity that sets the cookie. Cook-ies may contain data that enables the device you use to be recognized when you visit the website again later. However, some cookies only contain information about certain settings that are not personally identifiable. Without being linked to other data, cookies cannot directly identify you. Cookies cannot execute programs or transmit viruses and therefore cannot cause any damage.

2.2 There are different types of cookies, all of which have different functions and are distin-guished according to their respective characteristics. “First-party cookies” are usually used directly by us as the operator of this website. These include, for example, cookies that store your settings (such as your preferred language), login data, or your user be-havior on our website. These cookies are needed, for example, to recognize you as a user when you visit our website again and are primarily used to make our offer more user-friendly and effective, i.e., more pleasant for you. There is no cross-website track-ing. Third-party cookies, on the other hand, come from third-party providers. These in-clude, for example, advertisements that are not stored on our website’s servers. These cookies can observe your user behavior over a longer period of time and across several websites from different providers, thus enabling the creation of comprehensive user profiles. A distinction is also made between temporary cookies (“session cookies”), which are automatically deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session (e.g., two years). In terms of their function, a distinction is made between the following four types of cookies in par-ticular:

  • Necessary/essential cookies: These cookies are technically essential in order to make the website available to you, to use basic functions, and to ensure the secu-rity and stability of the website. This includes, for example, the necessary session management (e.g., cookies for storing language settings, log-in status) or the stor-age of user entries in an online form, if the website has such functions and you in-teract with them. This also includes the management of your consent via a con-sent management platform and cookies for user-oriented fraud prevention and IT security. Without these cookies, the website cannot function properly. These cookies do not analyze your user behavior, collect data about you for marketing and/or advertising purposes, and are not used for geolocation or cross-website tracking of your person.
  • Functional cookies: These cookies are not technically necessary, but they im-prove the overall user-friendliness of the website through enhanced and personal-ized functions. For example, information you have entered once, such as your username, language settings, location, form data, or similar, can be stored beyond the session so that this information is immediately displayed when you visit the website again. In addition, functions that go beyond the essential functionality, such as more attractive fonts, video and audio files, blogs, forums, etc., can be in-tegrated into the website.
  • Performance/statistics cookies: These cookies store information about how you use the website. For example, data may be collected on which subpages you visit, how often and for how long, which search terms you use, and whether errors occur when using the website. Loading times and the behavior of the website in different browsers are also measured. These cookies are needed to collect pseu-donymized data about website visitors in aggregate form. This data is used to im-prove the website and tailor it to individual user needs.
  • Marketing/advertising cookies, tracking cookies, targeting cookies: These cookies are used to analyze your user behavior on the website, to display person-alized advertising or offers from third-party providers (e.g., online map services, content and/or plug-ins from video and social media platforms) on the website, and to measure the effectiveness of these offers. These cookies make it possible to track you across several different websites and create comprehensive user profiles.

2.3 Cookies are generally used on the basis of our legitimate interests, when they are tech-nically necessary for the proper functioning of the website. However, you can object to the use of cookies that are not technically necessary (opt-out). The further use of cook-ies with a high degree of intervention (e.g., advertising tracking using high-risk profiling) only takes place with your express and active consent (opt-in). When you visit the web-site, you can agree to the use of all cookies via the cookie banner, make individual set-tings, or completely reject the use of non-essential cookies and change your settings at any time. You can also configure your browser according to your preferences and, for example, set it so that you are always informed about the setting of cookies, reject the acceptance of cookies in certain cases or in general, and activate the automatic dele-tion of cookies when you close your browser. If you deactivate cookies, the functionali-ty of our website may be limited, meaning that you may not be able to use all functions.

2.4 We currently use the following services on our website that store cookies:

  • Google Analytics

Responsible body for processing in the EU
Google Ireland Ltd.
Gordon House, Barrow Street, Dublin 4, Irland

Responsible body for processing in the USA
Google LLC
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Google Ireland Ltd. and Google LLC are part of the Alphabet Inc. group of com-panies based in Mountain View, CA, USA (hereinafter referred to as “Google”).

Google Analytics enables us to analyze your behavior on our website. This pro-vides us with various usage data, e.g., page views, length of stay, operating sys-tems used, and user origin. This data is assigned to the user’s respective device. It is not assigned to a user ID. Furthermore, Google Analytics allows us to record your mouse and scroll movements and clicks, among other things. Google Ana-lytics also uses various modeling approaches to supplement the collected data sets and uses machine learning technologies for data analysis. Google Analytics uses technologies that enable user recognition for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting).

The legal basis for the use of this service and the associated data processing is your consent. Consent can be revoked at any time.

The information collected by Google about the use of this website is usually trans-ferred to a Google server in the USA and stored there. Data transfer and further processing in the USA is based on the adequacy decision of the Federal Council on the Swiss-U.S.

Data Privacy Framework dated August 14, 2024 (“DPF”). The DPF is an agree-ment designed to ensure compliance with data protection standards when pro-cessing data in the US. Every company certified under the DPF undertakes to comply with these data protection standards. Google is an organization certified under the DPF. Further information is available from Google at the following link: https://www.dataprivacyframework.gov/participant/5780. In addition, the transfer is based on the standard data protection clauses of the EU Commission. Details can be found at https://privacy.google.com/businesses/controllerterms/mccs/.

Google Analytics IP anonymization is activated. This means that your IP address is truncated by Google before being transmitted to the USA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and trun-cated there. Google will use this information on our behalf to evaluate your use of our website, to compile reports on website activity, and to provide us with other services related to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Google will only store the data for as long as is necessary for the aforementioned processing purposes. Further information can be found at https://policies.google.com/privacy and https://policies.google.com/technologies/cookies.

  • reCAPTCHA

Responsible body for processing in the EU
Google Ireland Ltd.
Gordon House, Barrow Street, Dublin 4, Irland

Responsible body for processing in the USA
Google LLC
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Google Ireland Ltd. and Google LLC are part of the Alphabet Inc. group of com-panies based in Mountain View, CA, USA (hereinafter referred to as “Google”).

reCAPTCHA is used to protect us from abusive automated spying and spam by checking whether data entered on our website (e.g., in a contact form) is entered by a human or by an automated program. To do this, reCAPTCHA analyzes your user behavior based on various characteristics. The analysis begins automatically as soon as you visit our website. For the analysis, reCAPTCHA evaluates various information completely in the background (e.g., your IP address and length of stay on the website, as well as your mouse movements). The data collected dur-ing the analysis is forwarded to Google.

The legal basis for the use of this service and the associated data processing is your consent. Consent can be revoked at any time.

The data collected by Google is usually transferred to a Google server in the USA and stored there. Data transfer and further processing in the USA is based on the adequacy decision of the Federal Council on the Swiss-U.S. Data Privacy Framework of August 14, 2024 (“DPF”). The DPF is an agreement designed to ensure compliance with data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Google is an organisation certified under the DPF. Fur-ther information is available from Google at the following link: https://www.dataprivacyframework.gov/participant/5780. In addition, the transfer is based on the standard data protection clauses of the EU Commission. Details can be found at https://privacy.google.com/businesses/controllerterms/mccs/.

Google will only store the data for as long as is necessary for the aforementioned processing purpose. Further information can be found at https://policies.google.com/privacy and https://policies.google.com/technologies/cookies.

2.5 Furthermore, we use links on the website to our company profiles on social networks (e.g., LinkedIn, Instagram). You can find more information on this in Part C of this pri-vacy policy below.

3. Storage period and data subject rights

Information on the storage period for log data and session cookies, as well as your rights as a data subject, can be found in Part A, Sections 8 and 10 of this privacy policy.

Part C

Supplementary data protection information for company pages on social networks

1. Our company pages on social networks, responsible bodies

1.1 We operate publicly accessible company pages in the following social networks along-side our website:

  • LinkedIn (https://de.linkedin.com/company/hanca_gmbh), the responsible party is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (for pro-cessing in Switzerland, the EU, and EEA) or LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (for processing in the USA, hereinafter re-ferred to as ‘LinkedIn’). LinkedIn is part of the corporate group of Microsoft Corpo-ration based in Redmond, WA, USA.
  • Instagram (https://www.instagram.com/hanca_gmbh/), the responsible party is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland (for processing in Switzerland, the EU, and EEA) or Meta Platforms Inc., 1 Meta Way, Menlo Park, CA 94025, USA (for processing in the USA) (hereinafter referred to as ‘Meta’).
  • WhatsApp Business, the responsible party is WhatsApp Ireland Limited, Merrion Road, Dublin 4, Ireland (for processing in Switzerland, the EU, and EEA) or WhatsApp LLC, 1 Meta Way, Menlo Park, CA 94025, USA (for processing in the USA) (hereinafter referred to as ‘WhatsApp’). WhatsApp is part of the corporate group of Meta Platforms Inc. based in Menlo Park, CA, USA.

1.2 We use the technical platform and services of the respective provider for our appear-ances on the aforementioned social networks. The contents of our company pages are the responsibility of the respective company of the HANCA Group that operates the page (see Part A, Section 2 of this privacy policy). This company is jointly responsible for the processing of your data along with the respective provider. We would like to point out that you use the offered services and their functions (e.g., commenting, shar-ing, rating) at your own risk.

2. Collection and processing of data by the providers of the social networks, trans-fer of data and transmission to third countries

2.1 When you visit our company pages on the aforementioned social networks, the respec-tive provider collects your data (e.g., IP address, device and browser information, web-site activities) and can analyze your user behavior. The data collection occurs, for ex-ample, through the use of cookies that are stored on your device. This information is used, among other things, to provide us as the operators of the company pages with statistical information about interactions with us. We have no influence over the scope and further processing, including the transfer of your data by the respective provider. If you visit our company pages and are logged into your account on the network, the re-spective provider can assign this visit to your user account. Such data collection may also occur if you are not logged into or registered with the corresponding network. Based on this data, the respective provider can display personalized advertisements to you (provided you have allowed this).

2.2 It cannot be ruled out that LinkedIn transmits your data to third countries outside of Switzerland or the European Union, particularly to the USA.

3. Collection and processing of personal data by HANCA

We process your data when you interact with us through the respective social network (e.g., through the comment function) or actively provide it to us (e.g., via Messenger). We process this data to address your respective concerns. Furthermore, we do not have full access to your profile data and can only see the information from your profile that you have made publicly accessible in your settings. You have the option to follow our company pages, so your profile will appear in our list of followers. Additionally, we receive anonymized statistics from the respective provider regarding the use of our company pages (e.g., the number of people who view a specific post). We use these statistics to improve our company pages and cannot draw any conclusions about you from them. We cannot influence the data processing carried out by the respective pro-vider to supply these statistics. The legal basis for this is our legitimate interest.

4. Data subject rights

To exercise your data subject rights, you can contact us or the provider of the social network. If one party is not responsible for the response or needs to obtain information from the other party, we or the provider will forward your request to the respective other party. For general inquiries about the processing of your data when using the social network, please contact the respective platform provider directly. For specific questions regarding the processing of your interaction with us, you can use the contact details provided in Part A, Section 2 of this privacy policy.

Further information on the processing of your data and your rights can be found in the privacy notices of the respective providers:

  • https://de.linkedin.com/legal/privacy-policy
  • https://privacycenter.instagram.com/policy
  • https://www.whatsapp.com/legal/business-app-privacy-policy

Part D

Supplementary privacy notices for processing in business relationships

1. Collection and processing of data

1.1 In the context of a business relationship with you, especially if you are our customer or acting on behalf of one, we process additional data concerning you, which may be stored in our internal CRM system or a comparable system. This data includes, for ex-ample:

  • Salutation and gender,
  • First and last names, as well as any other identification data that may be included in official documents,
  • Date of birth and age, nationality, information about associated persons,
  • Email address, phone number (landline, mobile), and other contact details,
  • Information about your relationship with us (customer, employee, supplier, etc.),
  • Information about your role and function in the company,
  • Information about your interactions with us (e.g., customer history),
  • Communication data (e.g., manner and place of communication, time of commu-nication, contents of emails, letters, chats, and other correspondence),
  • Contract data (e.g., type and date of contract conclusion, ordered products and commissioned services, duration, complaints about deficiencies, reminders),
  • Delivery and billing address,
  • Tax and other identification numbers,
  • Information about the payment method you selected (e.g., bank details, account number, and credit card data),
  • Company data (e.g., business activities, internal processes, IT systems, financial details including expenses, investments, and payroll),
  • Other data necessary for contract execution (e.g., details about contact persons).

1.2 The responsible party for processing is the company of the HANCA Group (see Part A, Section 2 of the Privacy Policy), which has concluded the contract with you.

1.3 The processing of your data is carried out

  • to identify you as a business partner,
  • for correspondence and other communication with you,
  • to initiate, execute, and/or process contracts with you and fulfill our contractual obligations (including handling your inquiries regarding our services, delivery, in-voicing),
  • to fulfill our legal obligations (including tax and accounting retention periods, busi-ness partner screening),
  • for internal administrative purposes (e.g., financial accounting),
  • to assert or defend legal claims (including conducting court and administrative proceedings), and
  • for other measures necessary in connection with the contractual relationship.

1.4 The legal basis for processing is — insofar as HANCA GMBH acts as the responsible party — our legitimate interest, as the processing is directly related to the conclusion or execution of a contract with you (or the entity you represent). If the responsible entity is HANCA DE GMBH, the processing is carried out according to Article 6, Paragraph 1, Subparagraph 1, lit. b) of the GDPR for the fulfillment of a contract with you (or the enti-ty you represent) or for the undertaking of pre-contractual measures and, where legally permissible, based on our legal obligations according to Article 6, Paragraph 1, Subpar-agraph 1, lit. c) of the GDPR and our legitimate interests according to Article 6, Para-graph 1, Subparagraph 1, lit. f) of the GDPR. If you do not provide us with your data, we may not be able to execute the contract with you or fulfill the aforementioned com-munication purposes.

2. Disclosure of data within the HANCA Group and to external third parties

In the context of a business relationship with you, your data will be shared with those en-tities (e.g., financial accounting) or companies within the HANCA Group that need the data for the purposes mentioned in Section D, Item 1. Additionally, we may, as far as legally permissible, transmit your data for these purposes to the external service provid-ers and public authorities mentioned in Section A, Item 6.2 of this privacy policy (e.g., financial and law enforcement authorities, courts).

3. Retention Period and Rights of the Data Subjects

You can find information regarding the retention period of your data and your rights as data subjects in Section A, Items 8 and 10 of this privacy policy.

Part E

Supplementary Data Protection Information for Applications

1. Collection and Processing of Data

1.1 We process your data when you apply to us by post, by email, or through a recruitment agency and send us your application documents or provide information in other ways (e.g., in interviews). We specifically process the following data contained in application documents (e.g., cover letter, resume, certificates) or otherwise communicated by you:

  • Salutation and gender,
  • First and last name,
    Address,
  • Email address, phone number (landline, mobile), and other contact details,
  • Date of birth and age,
  • Marital status,
  • Professional background,
  • Qualifications and education,
  • Application data (e.g., position applied for, availability date, etc.), and
  • Salary expectations.

If you send us your application, for example, via email, the following technical data may also be processed:

  • IP address,
  • Date and time of the application,
  • Website from which access is made (referrer URL),
  • Browser and version of the browser software,
  • Operating system of the computer.

1.2 The responsibility is determined according to Part A, Section 2 of this privacy policy.

1.3 The processing of your data is carried out for the purpose of reviewing your application, planning, and conducting the application process.

1.4 The legal basis for processing is, insofar as HANCA GMBH acts as the responsible par-ty, our legitimate interest, as the processing is necessary in direct connection with the conclusion of a contract with you (establishment of an employment relationship). If the responsible party is HANCA DE GMBH, the processing is carried out in accordance with Art. 6 para. 1 subpara. 1 lit. b) GDPR in conjunction with § 26 para. 1 sentence 1 BDSG. If the application documents you submit contain particularly sensitive data within the meaning of Art. 5 lit. c GDPR or Art. 9 para. 1 GDPR (e.g., a photo from which your racial or ethnic origin can be derived, information about your health status, or your membership in a union, party, or religion, or information about your marital status from which your sexual orientation can be inferred), their storage occurs based on your con-sent according to Art. 9 para. 2 lit. a) GDPR.

2. Disclosure of data within the HANCA Group and to external third parties

In the context of the application, your data may be shared with those departments (e.g., Human Resources) or companies within the HANCA Group that require the data for the purposes mentioned in Part E, Section 1. Furthermore, we may, as far as legally per-missible, also transmit your data for these purposes to the external service providers and public authorities mentioned in Part A, Section 6.2 of this privacy policy (e.g., social security agencies, courts).

3. Storage duration and rights of the data subjects

3.1 In the case of a successful application, we will retain the data contained in your applica-tion documents as part of the personnel file. In the event of an unsuccessful application, your data will generally be deleted immediately after the rejection, but at the latest six months after the conclusion of the application process, unless a longer storage period is required by legal regulations or for the defense of legal claims, or you have expressly consented to a longer storage period.

3.2 Information about your rights can be found in Part A, Section 10 of the privacy policy.

Part F

Supplementary data protection information for contact and virtual conferences

1. Contact

When you contact us (e.g., via the contact form on our website, by email, or by phone), the data you provide, such as names, email addresses, and phone numbers, will be processed by us. The basis for this is our legitimate interest in responding to your in-quiry. The responsibility for this is outlined in Part A, Section 2 of this privacy policy. We will delete the data collected in this context once the storage is no longer necessary. This will generally be the case if no contract is concluded with you, once the respective conversation with you is concluded and the matter in question has been finally clarified. If there are legal retention obligations, we will restrict processing.

2. Virtual conferences via Microsoft Teams

2.1 We use the service ‘Microsoft Teams’ to conduct telephone or video conferences (‘online meetings’) with you. Microsoft Teams is a service of Microsoft Ireland Opera-tions Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Microsoft Ireland Operations Ltd. is part of the Microsoft Corporation group, One Microsoft Way, Redmond, WA 98052, USA (hereinafter referred to as ‘Microsoft’). In connection with the conduct of an online meeting, we process your data as far as necessary for communication and collaboration with you. Responsibility is governed by Part A, Section 2 of the privacy policy. Please note that this privacy policy only informs you about the processing of your data by HANCA when you conduct an online meeting with us. As far as you access the Microsoft Teams website or the corresponding soft-ware application, Microsoft is responsible for processing.

2.2 When using Microsoft Teams, various categories of data are processed by us. The scope of the data also depends on what information you provide before or during partic-ipation in an online meeting. We primarily process the following data from you:

  • User and communication data (e.g., name and display name, email address, IP address, preferred language, device information, profile picture),
  • Metadata of the virtual conference (e.g., date, time, location, meeting ID),
  • Content data (e.g., text entries through a chat function), as well as
  • Your voice and possibly your image through the microphone and camera of your device to enable audio playback and video display.

You can turn off the camera or mute the microphone at any time through the Microsoft Teams application or directly on your device.

2.3 The purposes and legal bases for processing your data arise from the respective con-text of communication or collaboration. Such contexts and the corresponding legal ba-ses are described in Part A, Sections 4 and 5 of this privacy policy.

2.4 Data processed in connection with participation in online meetings is generally not shared with third parties unless it is intended for sharing. Please note that content from online meetings is often used to communicate information with customers, prospects, or third parties and is therefore intended for sharing. Additionally, Microsoft, as the provider of the service, becomes aware of the aforementioned data. We have concluded a cor-responding data processing agreement with Microsoft. It cannot be ruled out that, in this context, data may be transmitted to Microsoft Corporation in the USA. Furthermore, Microsoft may also perform remote access from other third countries. If you need in-formation about the independent processing of your data by Microsoft, please refer to the privacy statement at Microsoft (https://privacy.microsoft.com/de-de/privacystatement).

3. Retention Period and Rights of Affected Individuals

Further information on the retention period of your data and your rights as affected indi-viduals can be found in Part A, Sections 8 and 10 of this privacy policy.

index of data privacy