This Privacy Statement applies to all of GRZ’s business processes and websites, areas of operation, mobile solutions, cloud services, and other services offered by GRZ. Unless otherwise separately stated, this Privacy Statement also applies to the processing of personal data carried out by other companies belonging to GRZ.
GRZ’s websites and other services may furthermore, from time to time, include links to the social networks of third parties. Such social networks of third parties, and any processing of personal data occurring through them, are subject to the privacy statements of the third parties in question.
This Privacy Statement pertains to the processing of personal data carried out by GRZ when GRZ is the controller. We always process your personal data only to the extent necessary for the delivery of our services, and always in accordance with the applicable legislation.
By providing us with your personal data, you indicate that you have read and are aware of the processing methods and terms applicable to the processing of personal data pursuant to this Privacy Statement. If you do not accept the processing principles described in this Privacy Statement, please do not provide us with your personal data.
Unless otherwise separately stated, the controller with regard to the personal data processed pursuant to this Privacy Statement is:
Route de la Plaine 47
GRZ processes the personal data it collects primarily for the purpose of delivering and producing those GRZ services which the person has subscribed to or ordered, or which the person has registered for as a user. The personal data is processed for the management and analysis of the relationship with the customer – or some other appropriate connection – along with the production of services, business development and planning, as well as opinion and market research and customer communication, which may also be implemented digitally and in a targeted manner.
GRZ may also process the personal data it collects for marketing purposes, provided that the person in question has given their consent to this or, in certain cases, has not separately forbidden it. The person has, at any time, the right to withdraw their consent for the use of their data in marketing purposes either by using the contact details provided in this Privacy Statement or by exercising the opt-out possibility given in the marketing communications (such as a ‘Unsubscribe’ link).
GRZ does not sell or disclose the personal data it processes to third parties for the marketing purposes of these parties, unless the person in question has given their separate consent to this. GRZ’s marketing measures carried out on behalf of other controllers in its capacity as a processor for these controllers are described below.
When GRZ itself is the controller, the processing of your personal data is based on either a) the implementation of the agreement on the GRZ services which the data subject has ordered from GRZ, b) the implementation of GRZ’s legitimate interests related to the data subject’s customer relationship, or c) the consent provided by the data subject.
The provision of personal data to GRZ is not primarily a condition for the agreement or the delivery of services. If this is nevertheless the case and GRZ cannot, for instance, implement the services you have ordered without your personal data, the provision of this data is separately indicated as being required. A failure to provide such data, indicated as required, may prevent GRZ from delivering the services you have ordered or limit their delivery to a considerable degree.
GRZ may process the following personal data, among others, for the purposes of customer relationship management and marketing:
In addition, GRZ may process, in connection to the management of customer relationships, the following data on persons who have bought a product and/or service:
The personal data of data subjects is collected primarily directly from the data subjects themselves when, for instance, data subjects themselves disclose their personal data in connection to subscribing to a newsletter, through various GRZ services used by the data subjects, and in connection to different marketing measures, such as marketing prize draws or competitions and events.
Furthermore, personal data may be collected and updated from the registries of our partners and from companies providing services pertaining to personal data, to whom a data subject has given their consent for the disclosure of their personal data. Third parties of this kind, from whom GRZ may collect data related to the data subjects, can include various companies providing credit references and address data.
GRZ discloses personal data only in cases and to the extent to which is necessary for the proper delivery of services. GRZ always complies with appropriate protective measures to ensure the protection of personal data in connection to disclosures.
GRZ may occasionally have to disclose the personal data it processes to competent authorities or other equivalent parties in the manner required by said competent authorities or other parties pursuant to valid legislation.
Transfer of data outside the EU or the EEA. We do not, as a rule, transfer data outside the EU or the EEA. In some situations (such as where our service provider or servers are located outside the EEA) we may nevertheless also have to transfer the personal data we have collected to non-EEA countries, in which the level of data protection has not necessarily been found to be adequate by the European Commission (such as the United States).
If we transfer data outside the EU or the EEA to countries with an inadequate level of data protection, we ensure the personal data’s adequate level of data protection by, among other things, agreeing on matters related to the confidentiality and processing of personal data as required by legislation, such as by using standard contractual clauses adopted by the European Commission or by means of other equivalent protective mechanisms. The European Commission’s standard contractual clauses are available on the European Commission’s website.
We use any necessary and appropriate technological and organisational information security measures to protect personal data against unauthorised access, disclosure, destruction or other unauthorised use. Such measures include the use of firewalls and secure hardware facilities, appropriate physical access control, the managed granting of access rights and the monitoring of their use, the employment of encryption technologies, training the personnel participating in the processing of personal data, and the careful selection of subcontractors.
GRZ stores your personal data only for as long as they are needed for the aforementioned purposes of use or the fulfilment of statutory obligations. When the personal data we have collected is no longer needed, we destroy or erase it in a secure manner.
Data protection legislation guarantees data subjects several rights with regard to their personal data, which GRZ has also undertaken to implement. Among other things, the user of GRZ’s services has the right to check the personal data stored on them and to request a copy of the personal data collected on them. When the processing of the personal data of an GRZ user is based on the user’s consent, the user has the right to withdraw the consent they have given at any time.
At the request of a user, we will rectify, erase or complete any personal data erroneous, unnecessary, incomplete or outdated in terms of the processing purpose. Users also have the right to request the erasure of their personal data (what is referred to as the right to be forgotten) if the processing has been based on the user’s consent and the user withdrawn their consent; the user’s personal data has been processed illegally; or if the user objects to the processing of their personal data and there are no legitimate grounds for the processing.
In some cases, the user also has the right to request the restriction of processing, object to the processing, and to request the data’s transmission from one system to another, or to another controller. Users may have this right in a situation where there is no longer a legal basis for the processing, but in which, in lieu of the data’s erasure, the user merely wants to restrict the processing, or when the processing has been based on consent and has been automatic.
Users have the right to file a complaint with a competent supervisory authority concerning the processing of a user’s personal data carried out by GRZ, should the user perceive GRZ not to have processed the user’s data as required by the applicable data protection legislation, or if the user’s requests related to their rights guaranteed by law have not been implemented appropriately.
If you wish to exercise one of the aforementioned rights guaranteed to you by law, you can do so by contacting GRZ. In some cases, GHS may have to request further information from you to ensure that you are the person you claim to be. In terms of some services, GRZ also offers you the possibility to check, modify, and erase your own data by signing in to GRZ’s user portal. If you are provided with such an opportunity, GRZ recommends that you primarily update your data through the user portal in question.
GRZ employs widely used digital marketing methods and tools to gather data on your movements on our websites. This data is collected to improve the usability and content of our website, target advertising, and marketing as well as to investigate the interests of visitors. For the most part, such data is gathered with the help of cookies and does not allow for attribution to a person.