Privacy Policy

Last update: 12 June, 2025

1. Who we are

Eraneos Group AG and its subsidiaries and affiliates (hereafter referred to as “we”, “us”, “the service” or “Eraneos”) are a global management and technology consultancy. The Group’s headquarters are in Zurich, Switzerland. To run our business, Eraneos processes information about individuals (“Personal Data”). This Privacy Policy provides clients, prospects, contractors, suppliers, job candidates, attendees of our events, and all visitors of our website with detailed information on how we process personal data. 

If you have any concerns regarding this document or the processing of your personal data, please contact our representatives:

If you are located in Switzerland:
Fokko Oldewurtel
Domenig & Partner Rechtsanwälte AG
Eraneos Group AG
Andreasstrasse 11
8050 Zurich, Switzerland
+41 58 411 95 00
Email: compliance.ch@eraneos.com

If you are located in Germany, Austria, Singapore, China or the US: You can reach out to our appointed Data Protection Officer (“Datenschutzbeauftragter”):
Eraneos Germany Holding GmbH
Data Protection Officer / Datenschutzbeauftragter: Tobias Block
Zeughausmarkt 33
D-20459 Hamburg, Germany
Email to: dataprotection.de@eraneos.com or phone: +49 (0)40 – 809081-172

If you are located in the Netherlands or Spain:
Privacy Representative Eraneos Netherlands
De Passage 126-136
1101 AX Amsterdam
+31 20 305 3700
Email to: privacy.nl@eraneos.com

EU and EEA residents or residents outside of the EEA:
Privacy Representative Eraneos Netherlands
De Passage 126-136
1101 AX Amsterdam
+31 20 305 3700
Email to: privacy.nl@eraneos.com

If you are located in the UK:
 
Contact & Data Protection Officer: Julian Meyrick
Eraneos UK Ltd
1 Angel Court
London EC2R 7HJ
Email: julian.meyrick@eraneos.com

This Privacy Policy is aligned with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). However, the application of these laws depends on the location of the data subjects and/or the location where the services are offered. 

2. Note for California, based visitors

If you are a resident of California, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to access, delete, and opt-out of the sale of your personal data. Please note that we do not sell your personal data under any circumstances.

We uphold high privacy standards based on EU privacy principles, including purpose limitation, lawfulness of processing, consent, security, and transparency.

For more details on your rights under CCPA/CPRA, please refer to Section 10 below.

3. Data we process and activities we perform

You can generally visit our websites without providing any personal data. However, in certain circumstances, we may need to collect and process personal data to provide you with our services and improve your experience.

We only process your personal data when we have a valid legal reason to do so. This includes: performing contracts with you, complying with legal obligations, pursuing legitimate business interests (balanced against your rights), or with your explicit consent.

Important Note: We apply data minimization principles, collecting only personal data necessary for the specified purposes. We do not process your data in ways incompatible with these purposes.

3.1 Service Delivery

We process personal data to fulfill our contractual obligations when delivering consulting services, including but not limited to:

We may use analytical tools to support our consulting work, but all recommendations involve human judgment.

3.2 Marketing and Business Development

Based on your explicit consent, we process contact details and preferences to send newsletters, event invitations, and service updates. We may personalize content based on your interests. You can unsubscribe anytime.

3.3 Recruitment

We process applicant data to take steps at your request prior to entering into an employment contract and based on our legitimate interest in finding suitable candidates. This includes but is not limited to CV/resume, references, and assessment results.

3.4 Website Analytics

We process website usage data based on our legitimate interest in improving our digital services, including technical data (e.g., IP address, browser type) and usage patterns. We use Google Analytics with IP anonymization. See our Cookie Policy for details.

3.1 Service Delivery

We process personal data to fulfill our contractual obligations when delivering consulting services, including but not limited to:

3.7 Security

We process limited data based on our legitimate interest in ensuring security, including access logs and visitor registration.

Social Media widgets and tools

Our websites will typically include functionality to enable sharing via third party social media applications, such as the Facebook Like button. These social media applications will collect and use information regarding your use of Eraneos websites. Any personal information that you provide via such social media applications will often be collected and used by other members of that social media application and such interactions are governed by the privacy policies of these external companies that provide the application. We do not have control over, or responsibility for, those companies or their use of your information and employment history (and other information typically contained in a detailed CV/resume). 

Please visit our cookie policy for further information. 

4. Sharing of your personal information

We disclose your personal information only when a valid legal ground exists, and specifically to the following:

5. Transfer to third parties and guarantees

We may transfer your personal data to countries outside Switzerland, the EU, or the EEA. Where applicable, we ensure appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses (SCCs) or rely on other legal mechanisms such as adequacy decisions or legal exceptions.

6. Retention / deletion policies

Personal data is retained only as long as necessary to fulfill the purposes for which it was collected, or to meet legal retention requirements. Once no longer needed, data is either anonymized or securely destroyed.

If the processing is based on your consent, we will delete your personal data after you withdraw your consent.

7. Security of your data

We implement appropriate technical and organizational measures, such as encryption and access controls, to protect your personal data from unauthorized access, loss, or misuse.

We restrict access to your personal information to those persons who need to use it for the relevant purpose(s).

Because the internet is an open system, the transmission of information via the internet is
never completely secure. Although we will implement reasonable measures to protect your personal data, we cannot guarantee the security of the data transmitted to us using the internet (including email). We are not responsible or liable for the security of your data whilst in transit via the internet. Any such transmission is at your own risk, and you are responsible for ensuring that any personal data that you send to us is sent securely.

7.1 Data Breach Response

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will:

8. Your rights

Under the GDPR and/or Swiss data protection laws, you have the following rights:

Please consider that some of these rights (in particular deletion and restriction) are not absolute and only apply in certain circumstances.

If you wish to exercise any of these rights, please contact us using the contact details provided in Section 1.

You also have the right to lodge a complaint with your relevant data protection authority.

9. US Requirements

Under the California Consumer Privacy Act (CCPA), we confirm that we do not sell your personal data. We also adhere to CPRA regulations regarding the collection and use of personal data.

California residents have the right to designate an authorized agent to make requests on their behalf. To do so, we will require proof of the agent’s authority.

10. Your rights under the California Privacy Protection Act (CPPA) and California Privacy Rights Act (CPRA)

If you are a resident of California, you have certain rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) regarding your personal data. These rights include:

1. Right to Know
You have the right to request information about the categories and specific pieces of personal data we have collected about you, the sources of that data, the purposes for which we collect it, and whether we share that data with third parties.

2. Right to Delete
You have the right to request that we delete the personal data we have collected about you, subject to certain exceptions. For example, we may not be required to delete data if it is necessary for us to comply with legal obligations or perform a contract.

3. Right to Correct
You have the right to request that we correct any inaccurate personal data we hold about you.

4. Right to Opt-Out of Sale or Sharing
Under the CPRA, you have the right to opt out of the “sale” or “sharing” of your personal information with third parties, if applicable. Please note that we do not sell or share your personal data.

5. Right to Limit Use of Sensitive Personal Information
You have the right to request that we limit the use of your sensitive personal information to certain purposes permitted by law.

6. Right to Non-Discrimination
You have the right to exercise the above rights without being discriminated against. For example, we cannot deny you services or charge you different prices for exercising your rights under the CPPA/CPRA.

7. Right to Data Portability
You have the right to request a copy of the personal data we have collected about you in a structured, commonly used, and machine-readable format so that it can be transferred to another organization if you choose.
 
To exercise any of these rights, you can contact us at the details provided in Section 1 above. In your request, please include sufficient information to verify your identity and help us process your request. We will respond within the time frame set by law (usually within 45 days of receiving your request, with one extension allowed).

If you would like to designate an authorized agent to make a request on your behalf, we will verify the agent’s authority to act on your behalf. We may require a signed permission from you or other verification to ensure the agent’s legitimacy.

In addition to the rights provided by the CPRA, California law allows you to request a list of third parties with whom we have shared personal information for direct marketing purposes in the preceding calendar year. To request this information, please contact us at the contact details provided in Section 1 above.

11. Updates

We may update this Privacy Policy from time to time to reflect changes in our data processing practices or legal requirements. We will notify you of any significant changes by posting an updated version on our website or by other means.