Privacy statement

(Last amended: 9 January 2023)

We take the privacy of your personal data very seriously. All of our data processing procedures comply with the legal requirements. In accordance with Art. 12, 13 and 21 of the General Data Protection Regulation (GDPR), we would like to inform you of the following with regard to how we handle your personal information when you use our website

I. Responsible party

Responsible party in the context of the General Data Protection Regulation:

HARIBO Australia
Unit 1676
Reserve road Artarmon
New South Wales 2064

Phone: +61284247600

II. Data protection officer

Contact details of our data protection officer:

HARIBO Australia
Unit 1676
Reserve road Artarmon
New South Wales 2064

III. Purposes and legal bases for the data processing

1. Informational use of the website

You can visit our website without actively providing any personal information. We will then process the following personal information on a technical level:

a. Technical provision of the website

For the purpose of the technical provision of the website, it is necessary for us to process certain automatically transmitted information from you in order to enable your browser to display our website and you to use the website. This information is automatically collected each time our website is accessed and is stored in our server log files. This information relates to the computer system of the machine making the request. The following information is collected:

  • User’s IP address
  • Date and time accessed
  • URL accessed incl. HTTP method and GET parameters + log version
  • Byte size of server response
  • HTTP referrer
  • Browser used and version
  • Operating system used and version

In addition, we use the Friendly Captcha anti-bot solution to secure input fields against automated attacks. The following information will be processed:

  • Hash value (one-way encryption) of the incoming IP-address (the IP-address is discarded, only the hash value is stored)
  • HTTP-request header-data, especially user-agent, origin, and referrer
  • Date/time of the request
  • Version of the widget used
  • Number of requests from the (hashed) IP-address per time period
  • Answer of the arithmetic problem solved by the visitor's computer

We also use cookies to enable you to use our website. Cookies are text files that are stored in or by your web browser when you access a website on your computer system. A cookie contains a string of characters which enables the unique identification of your browser when you access a website again. We use these cookies exclusively to enable you to use the technical functions on our website. Some functions on our website are not available without the use of cookies. In the case of the cookies listed by name below, the specified information is stored and transmitted to us:

This enables us to improve the quality of our website. We do not use your information which we collect using the cookies mentioned above to create user profiles or evaluate your surfing behaviour.

We process your personal data for the technical provision of our website based on the following legal principles:

  • for the performance of a contract or for the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR, insofar as you visit our website to obtain information about our products and events; and
  • to safeguard our legitimate interests in accordance with Art. 6(1)(f) GDPR for the technical provision of the website. Our legitimate interest relates to the provision of an attractive, technically functional and user-friendly website as well as taking measures to protect our website from cyber risks and to prevent cyber risks to third parties from our website.

b. Statistical analysis of website use and increase in reach

For the purposes of statistical analysis of the use of our website, we use analysis tools with your consent. This enables us to improve the quality and content of our website. We learn how our website is bring used, which enables us to improve the website. The information obtained from the statistical analysis of our website is not merged with your other data collected as part of the website.

Piwik PRO

We use Piwik PRO Analytics Suite as our website analytics tool. This collects data about you as a website visitor based on cookies. The information collected may include the following data in particular:

  • IP address
  • operating system
  • browser ID
  • Browsing activity
  • Network location
  • Time of visit to the website
  • Pages viewed (a page URL and a page title)
  • Time spent on each page
  • HTTP referrer
  • Device type
  • Browser type
  • User ID
  • Visitor ID
  • Device ID
  • Session ID

We calculate metrics such as bounce rate, page views, sessions and similar usage parameters to understand how our website is used. We may also create visitor profiles based on browsing history to analyse visitor behaviour, display personalised content and run online campaigns.

For more information about the cookies used, consent you may have granted and how to manage your cookies, please see the section Technical provision of the website (a.).

We process your personal information for the statistical analysis of the use of our website with your consent, pursuant to Art. 6(1)(a) GDPR.

c. Marketing

For the purposes of personalising advertising, measuring the effectiveness of advertising, integrating external content and protecting our website, cookies or similar technical means from third parties are placed on our website, in which or with the help of which personal data may be stored and which may be collected and processed by these third parties. This enables us to improve the quality of our website. The information obtained in this way is not merged with your other data collected within the framework of the website.

We use videos from the YouTube service on our website; the provider is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "YouTube"). We use the "extended data protection mode" option provided by YouTube.

By calling up videos, YouTube receives the information that you have called up the corresponding sub-page of our website. In addition, the data mentioned under III.1.a. of this declaration as well as information about the video you have viewed are transmitted. This takes place regardless of whether YouTube provides a user account via which you are logged in or whether no user account exists. If you are logged into YouTube or another Google account, your data will be directly assigned to your account there and processed independently by the provider; you can avoid this by logging out before visiting our site. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You can find more information on the associated transfer of personal data to the USA below under "VI. Third country transfer". You have a right to object to the creation of these user profiles, and you must contact YouTube to exercise this right.

Further information on the purpose and scope of data collection and processing by YouTube can be found in YouTube's privacy policy. There you will also find further information on your rights and setting options to protect your privacy: For more information about the cookies used, consent you may have granted and how to manage your cookies, please see the section Technical provision of the website (a.).

We process your personal information for the statistical analysis of the use of our website with your consent, pursuant to Art. 6(1)(a) GDPR.

2. Active use of the website

In addition to the purely informational use of our website, you can also actively use our website to get in contact with us or sign up for our newsletter or fan pool. In addition to the aforementioned processing of your personal data for purely informational purposes, we also process other personal data for the purposes of addressing and responding to your enquiry.

a. Contact request

In order to address and respond to your enquiries, e.g. via the various contact forms provided, we process the personal data you provide in this context. This will always include your first and last name and your email address in order to respond to you, as well as any other information that you send us as part of your message.

We process your personal data to respond to enquiries in accordance with the following legal principles:

  • to safeguard our legitimate interests pursuant to Art. 6(1)(f) GDPR; our legitimate interest relates to properly responding to enquiries from end users or other interested parties.

b. Newsletters, promotional emails and fan pool

With your consent, we use your data for advertising and market research purposes, such as distribution of our newsletter or participation in the fan pool. In this case, we will process your mandatory information, which consists of your first and last name, your email address and your declaration that you are at least 16 years of age. The fan pool also requires the postcode of your place of residence. We process your personal information for the purposes specified here with your consent, pursuant to Art. 6(1)(a) GDPR.

You can unsubscribe from the newsletter at any time by clicking on the link provided in the newsletter and confirming that you wish to unsubscribe.

IV. Links

Some parts of our website contain links to the websites of third parties. These websites are subject to their own privacy policies. We are not responsible for the operation of these websites and how they handle your data. If you send information to or through such third-party sites, we recommend that you consult the privacy policies of these sites before providing them with any personally identifiable information.

V. Categories of recipients

Initially, only our employees will have access to your personal data. In addition, to the extent permitted or required by law, we may share your personal information with other recipients who provide services to us in connection with our website. We will only share your personal information where strictly necessary. Some of our service providers receive your personal information as data processors and are then strictly bound by our instructions in how they handle your personal data. In some cases, the recipients act independently with your personal information that we provide to them.

Below are the categories of recipients of your personal data:

  • External service provider for support of the website Scholz & Volkmer GmbH, Schwalbacher Straße 72, 65183 Wiesbaden, Germany,
  • External service provider for programming of the website Nion digital GmbH, Luise-Ulrich-Straße 20, 80636 München,
  • External service provider for hosting of the website PlusServer GmbH, Hohenzollernring 72, 50672 Cologne, Germany, die Akamai Technologies GmbH, Parkring 20-22, 85748 Garching, Germany, and Cloudinary Inc., 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086, USA,
  • External service provider for sending newsletters via email: Newsletter2Go GmbH, Köpenicker Str. 126, 10179 Berlin, Germany,
  • External service providers for an anti-bot solution on the website, specifically Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany,
  • External service provider for implementation of the search function on the website Elasticsearch B.V., Keizersgracht 281, Amsterdam 1016 –Ed, Netherlands,
  • External IT service provider for website analysis: Piwik PRO GmbH, Kurfürstendamm 21, 10719 Berlin, Germany,
  • Internal IT service provider for the group: HARIBO IT Dienstleistungs GmbH & Co. KG, Dr.-Hans-und-Paul-Riegel-Straße 1, 53501 Grafschaft, Germany,
  • External service providers for responding to or reviewing enquiries or processing competitions,
  • Logistics service providers to send you goods, letters or other items,
  • Insurers for claims made against us,
  • Payment service providers and banks for processing payments,
  • IT service providers for administration and hosting of our website,
  • Legal counsel for assertion of or defence against claims.
  • YouTube
  • Monotype

VI. Transfer to third countries

When using the Youtube service from Google, personal data is transferred to the USA. The US is considered a non-secure third country with regard to data protection, for which neither adequacy decisions of the EU Commission nor other guarantees exist. Neither the protection of personal data known from the EU exists there, nor do corresponding rights or legal remedies of the data subjects exist with regard to their personal data. In particular, there is a risk that secret and intelligence services as well as other authorities can access your personal data unhindered, for example within the framework of the CLOUD Act, and that there are no effective legal remedies against this. Such data transfer to the USA is covered by your consent, e.g. to the use of cookies. Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations.

VII. Retention period

1. Informational use of the website

When using our website for purely informational purposes, we store your personal data in the following ways:

  • Server logs are stored for up to three months.
  • For the retention period of cookies set, please see the section Technical provision of the website (a.).
  • The personal data collected via the Piwik PRO Analytics Suite will be stored for 25 months.
  • The personal data collected via the YouTube service is stored for a period determined by Google, regularly between 9 and 24 months, but in individual cases (e.g. when you are linked to your Google account if you are logged in to one while visiting our website; reuse of YouTube or other Google applications; business and legal requirements) even longer.
  • The data collected by Friendly Captcha will be deleted after 30 days.
  • Otherwise, your personal data is deleted immediately once you leave our website.
  • You can also delete the stored cookies yourself at any time.

2. Active use of the website

In the case of active use of our website, we store your personal information for as long as is required:

  • The information provided by you in the context of sending a request will initially be stored for the duration of dealing with your request. If necessary, we will continue to store your personal information until any legal claims arising from the relationship with you become statute-barred, so it can be used as evidence if necessary. The limitation period is usually between 12 and 36 months, but it can also be up to 30 years. When the statute of limitations comes into effect, we will delete your personal information, unless there is a legal retention requirement, for example from the German Commercial Code (sections 238, 257(4) German Commercial Code) or from the German Fiscal Law (section 147(3),(4) German Fiscal Law). These retention requirements can last from two to eleven years.
  • If you sign up to our fan pool or newsletter, your data will be stored until you unsubscribe from the fan pool or newsletter.
  • In the case of competitions, your data will be deleted no later than four weeks after the winners are determined.

VIII. Your rights as a data subject

In accordance with legal requirements, you have the following rights as a data subject, which you can assert against us:

Right to information: You are entitled at any time, in accordance with Art. 15 GDPR, to request confirmation from us as to whether we are processing personal data relating to you; if this is the case, you are also entitled, in accordance with Art. 15 GDPR, to obtain information regarding this personal data as well as certain other information (such as the purposes of processing, categories of personal data, categories of recipients, planned retention period, origin of the data, the use of automated decision making and, in the case of transfer to third countries, suitable guarantees) and a copy of your data.

Right to amendment: In accordance with Art. 16 GDPR, you are entitled to request that we amend the personal data stored about you if this data is inappropriate or incorrect.

Right to deletion: Under the conditions of Art. 17 GDPR, you are entitled to request that we delete any personal data concerning you immediately. The right to deletion does not apply in certain cases, such as if the processing of the personal data is necessary for (i) the exercise of the right to freedom of expression and information, (ii) the fulfilment of a legal obligation to which we are subject (e.g. legal retention requirements), or (iii) the assertion, exercise or defence of legal claims.

Right to limitation of processing: Under the conditions of Art. 18 GDPR, you are entitled to request that we limit the processing of your personal data.

Right to data portability: In accordance with Art. 20 GDPR, you are entitled to request that we provide you with the personal data concerning you that you have provided us with in a structured, common, machine-readable format.

Right of revocation: You have the right to revoke your consent to the processing of your personal data at any time with future effect.

Right of objection: In accordance with Art. 21 GDPR, you are entitled to object to the processing of your personal data, in which case we must stop processing your personal data. The right of objection exists only within the limits specified in Art. 21 GDPR. Furthermore, our interests may conflict with a termination of the data processing, in which case we are entitled to process your personal data despite your objection.

Right of appeal to a supervisory authority: You are entitled, under the conditions set out in Art. 77 GDPR, to lodge an appeal with a supervisory authority, in particular in the Member State in which you are resident, in which you work or in which the suspected infringement took place, if you consider that the processing of your personal data is in breach of the GDPR. The right of appeal is without prejudice to any other administrative or judicial remedy.

The responsible supervisory authority for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (state commissioner for data protection and freedom of information of Rhineland-Palatinate)
Professor Dieter Kugelmann
Office address: Hintere Bleiche 34, 55116 Mainz, Germany
Postal address: P.O. Box 3040, 55020 Mainz, Germany
Telephone: +49 (0)6131 208 2449
Fax: +49 (0)6131 208 2497
Email: ed.plr.ztuhcsnetad@elletstsop

However, we recommend that you always address an appeal to our data protection officer first.

Your requests to exercise your rights should, if possible, be addressed in writing to the above address or directly to our data protection officer.

IX. Scope of your obligations to provide data

In general, you are not obliged to provide us with personal data. However, if you do not do so, we will not be able to make our website available to you, nor will we be able to respond to your requests. Personal data that is essential for the aforementioned processing purposes is marked accordingly.

X. Automated decision making/profiling

We do not use automated decision making or profiling (automated analysis of your personal details).

Information about your right of objection Art. 21 GDPR

You have the right to object at any time to the processing of your data, which is carried out on the basis of Art. 6 (1)(f) GDPR (data processing based on a balancing of interests) or Art. 6(1)(e) GDPR (data processing in the public interest), if there are reasons for doing so arising from your particular situation. This also applies to profiling based on this provision within the meaning of Art. 4(4) GDPR.

If you submit an objection, we will no longer process your personal data unless we can provide compelling legitimate grounds for the processing which outweigh your interests, basic rights and freedoms, or if the processing relates to the enforcement, exercise or defence of legal claims. In individual cases, we also process your personal data for the purposes of direct advertising. If you do not wish to receive advertising, you have the right to object to this at any time; this also applies to profiling if this is associated with such direct advertising. We will take this objection into account for the future.

We will no longer process your data for the purposes of direct advertising if you object to the processing for these purposes.

The objection can be made in any form and should be addressed to:

Dr.-Hans-und-Paul-Riegel-Str. 1
53501 Grafschaft, Germany
Telephone: +49 (0)2641 300 0
Fax: +49 (0)2641 300 289

XI. Changes

We reserve the right to modify this Privacy Policy at any time. Any changes will be announced through publication of the amended Privacy Policy on our website. Unless otherwise specified, such changes will take effect immediately. Therefore, please check this Privacy Policy regularly to find the latest version.