The protection of your personal data is important to us. During all data processing procedures, we act in compliance with the statutory provisions. In the following text, we inform you in accordance with Articles 12, 13 and 21 of the UK GDPR about the handling of your personal data when you use our website https://www.haribo.com/enGB/ and interact with us.

Personal data comprises individual information on the personal or material circumstances of a certain or an identifiable natural person. This information includes the real name, the address, the telephone number and the date of birth.

I. Contact Details

When you use the Haribo website and interact with us, the controller of your personal data is Dunhills (Pontefract) PLC (trading as "Haribo" and referred to in this notice as "we" or "Haribo").

If you have any queries regarding this notice, please contact:
Dunhills (Pontefract) PLC
26 Front Street
Pontefract, West Yorkshire
WF8 1NJ
Email: dataprivacy@haribo.com
Telephone: +44 (0) 1977 600266

II. Purposes and legal bases of the data processing

i. Informational use of the website

You may visit our website without stating any personal information. If you merely use our website for informational purposes, without logging in, registering or otherwise transmitting us any personal information, then we shall not process any personal data with the exception of data transmitted by your browser in order to facilitate your visit to the website and information which is transmitted within the scope of cookies for the statistical analysis of the use of our website.

Technical provision of the website

For the purpose of the technical provision of this website, is is necessary that we process certain automatically-transmitted information purporting to you so that your browser can display our website and so that you can use our website. This information is recorded automatically every time you access our website and is stored in our server log files. This information refers to the computer system of the computer calling up the website. The following information is processed:

• IP
• Address of the user
• Date and time of access
• Retrieved URL incl. HTTP method and GET parameters + protocol version
• Byte size of the server response
• HTTP referrer
• Browser and version used
• Operating system and version used

In addition, we use the anti-bot solution Friendly Captcha to protect input fields against automated attacks. The following information is processed:

• Hash value (one-way encryption) of the incoming IP address (the IP address is discarded, only the hash value is stored)
• HTTP request header data, in particular user agent, origin and referrer
• Date/time of the request
• Version of the widget used
• Number of requests from the (hashed) IP address per period
• Answer to the arithmetic problem solved by the visitor's computer

Cookies

Furthermore, we use cookies to facilitate your use of our website. Cookies are text files which are stored in the Internet browser or by the Internet browser when you call up a website on your computer system. A cookie contains a characteristic sequence string which facilitates unambiguous identification of the browser should you call up the website again.

We use these so-called "necessary cookies" exclusively to provide you with our website with its technical functions. Some functions of our website cannot be offered without the use of cookies.

Please refer to our Cookie‘s page where you will find information on any consent you may have given to the processing of personal data using cookies and similar tracking measures ("cookies") on our website, as well as the possibility of changing the content of this consent. You can also find out about all cookies, in particular their purpose, type and storage period.

We process your personal data for the technical provision of our website based on the following legal bases:

• For the preservation of our legitimate interests in accordance with Article 6(1)(b) UK GDPR, so that we can ensure technical provision of the website. Our legitimate interest consists of being able to provide you with an appealing, technically functional and user-friendly website and to take measures for the protection of our website against cyber risks, and to prevent cyber risks being generated through our website for third parties.
• Where you consent to the application of any non-essential cookies, our lawful basis shall be consent in accordance with Article 6(1)(a) UK GDPR until such consent is withdrawn or such cookie expires (whichever is sooner).


Statistical analysis of the use of our website and range increase

For the purpose of the statistical analysis of the use of our website, we use analysis tools. In this way, we can improve the quality of our website and its contents. We learn about how the website is used and can thus consistently optimise our range of offers.

The information received within the scope of the statistical analysis shall not be merged with your other data collected within the scope of the website.

We process your personal data for the statistical analysis of the use of our website based on the following legal bases:

• Necessary for the fulfilment of our legitimate interests to ensure our website is secure and being used appropriately and to learn from how our website is used in order to identify improvements (Article 6(1)(f) UK GDPR)
• If you have issued your consent, then based on this consent, Article 6(1)(a) UK GDPR.

Piwik PRO

We use Piwik PRO Analytics Suite as our website analytics tool. This collects data about you as a website visitor based on cookies. The information collected may include the following data in particular:

• IP address
• operating system
• browser ID
•Browsing activity
• Network location
• Time of visit to the website
• Pages viewed (a page URL and a page title)
• Time spent on each page
• HTTP referrer
• Device type
• Browser type
• User ID
• Visitor ID
• Device ID
• Session ID

We calculate metrics such as bounce rate, page views, sessions and similar usage parameters to understand how our website is used. We may also create visitor profiles based on browsing history to analyse visitor behaviour, display personalised content and run online campaigns.

Further information on the cookies used, in particular on the specific purpose, the type of cookie and the storage period, any consent you may have given and the management of the cookies, can be found in our Cookie page.

We process your personal data for statistical analysis of the use of our website based on the following legal basis:

• If you have issued your consent, then based on this consent, Article 6(1)(f) UK GDPR.

ii. Marketing

For the purpose of personalising advertising, measuring the effectiveness of advertising, integrating external content and protecting our website, cookies or similar technical means from third parties are placed on our website in which or with the help of which personal data can be stored and which can be collected and processed by these third parties. This allows us to improve the quality of our website. The information obtained in this way will not be merged with your other data collected as part of the website.

Youtube

We use videos from the YouTube service on our website; The provider is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "YouTube"). In doing so, we use the "extended data protection mode" option provided by YouTube.

By retrieving videos, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, the data referred to in our Cookie page. of this declaration as well as information about the video you have viewed. This occurs regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Youtube or another Google account, your data will be directly assigned to your account there and processed independently by the provider; You can avoid this by logging out before visiting our site. YouTube stores your data as user profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. Further information on the associated transfer of personal data to the USA can be found below under "V”. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.

For more information on the purpose and scope of data collection and processing by YouTube, please refer to YouTube's privacy policy. There you will also find further information about your rights and setting options to protect your privacy: https://www.google.de/intl/de/policies/privacy. You can find more detailed information on the cookies used, in particular on the specific purpose, the type of cookie and the storage period, any consent you may have given and how to manage the cookies, in our Cookie page.

In this respect, your personal data is processed on the basis of your consent in accordance with Article 6(1)(a) of the UK GDPR.

III. Active use of the Website and Social Media

In addition to the purely informational use of our website and social media platforms, you can also use our website and social media platforms actively in order to get in contact with us. In addition to the abovementioned processing of your personal data for purely informational use, we then also process further personal data which we require to process and respond to your request.

i. Contact Request

To be able to process and respond to your requests to us, for example via the different contact forms, we process the personal data of which you have informed us accordingly. This data always includes your name and your email address so that we can send you a reply, as well as the other information which you send to us within the scope of your notification. In the event of product complaints, we will also process your postal address.

We process your personal data when responding to user requests based on the following legal bases:

• For the preservation of our legitimate interests in accordance with Article 6(1)(f) of the UK GDPR; our legitimate interest consists of the proper response to customer requests.

ii. Social Media Marketing

We may use your data for advertising and market research purposes, for example posting advertising communications to our social media platforms which include but not limited to Instagram, LinkedIn, Facebook, and X. We typically process your social media handle, gender profile, age range and the content which you view or interact with.

You can unfollow HARIBO at anytime by updating your preferences on the appropriate social media platform.

We may share and receive personal data about you with social media providers for advertising purposes. This is based on the following legal basis:

• Where the data we share with them is collected using cookies, our lawful basis is your consent to these cookies under Article 6(1)(a) of the UK GDPR (see comments under "Cookies Declaration" above).
• Otherwise, our lawful basis for sharing and receiving your personal data with social media providers is based on our legitimate interests to promote our business and products on social media.

If you have any queries about how social media providers collect and use your personal data, we would refer you to the privacy notices available on their applications and websites.

iii. Events and Prize Draws

We may collect and process your personal data when we are running prize draws, raffles or online scavenger hunts or giveaways (whether on our website, in person or on our social pages).

This collection and processing of personal data is necessary to enable you to partake in these events, and to enable us to send prizes to winners. Please note that if you are a winner your name and location may need to be published on our website and / or our social pages.

The types of personal data we may use for this include:

• Prize Draws: name, email address, phone number, postal address, date of birth, social media handle
• Raffles: name, postal address, phone number, email address
• Scavenger Hunt: name, social media handle, email address, phone number, postal address, date of birth, photos / videos posted on social
• Giveaways: name, social media handle, email address, postal address, phone number

This personal data is gathered when you enter into the event, which may be directly via our website or via third party or social media pages.

Your information may be shared with third party suppliers who help support us in running these events (such as our PR and advertising agencies, our social media providers, promotional partners and courier service providers who deliver prizes).

We process your personal data for the purposes stated here on the following legal basis:

• necessary for the performance of our contracts with entrants (Article 6(1)(b)); and
• necessary for the fulfilment of our legitimate interests to promote our products and encourage engagement with our products by hosting these types of events (Article 6(1)(f) UK GDPR

IV. Links

Some sections of our website contain links to third party websites. These websites are subject to their own data protection principles. We are not responsible for their operation, including the handling of data. Should you send information to or via such third party websites, then you should inspect the Data Protection Declarations for these websites before you send them information which can be assigned to you.

V. Categories of Recipients

Initially, only our employees will be aware of your personal data. To the extent permitted or required by law, or to the extent that you have consented, we will also share your personal data with other recipients who provide us with services in connection with our website. We limit the disclosure of your personal data to what is necessary. In some cases, our service providers receive your personal data as processors and are then strictly bound by our instructions when handling your personal data. In some cases, the recipients act independently with your data, which we transmit to them.

Below is a list of the recipient categories regarding your personal data:

• External services providers for the maintenance, programming, hosting, search function, font of the website www.haribo.com
• External IT service provider of an anti-bot solution
• External IT service provider for website analysis
• External IT service provider for providing the YouTube service on our website
• Inhouse IT service provider for administration
• Both internal and external service providers for answering or reviewing inquiries or processing prize draws, giveaways
• Internal service provider for reviewing customer complaints
• Logistics service providers to be able to send you goods, letters or other items
• Insurers in the event of claims asserted against us
• Payment service providers and banks in the processing of payments
• Legal advisor in the assertion or defence of claims

VI. Transfer to Non-Member States

As part of the use of Google's YouTube service, personal data is transferred to the USA. In terms of data protection, the USA is considered an unsafe third country for which there are neither adequacy decisions by the EU Commission nor other guarantees. Neither does the protection of personal data known from the EU exist there, nor are there corresponding rights or legal remedies of the data subjects with regard to their personal data. In particular, there is a risk that intelligence and intelligence services as well as other authorities will be able to access your personal data unhindered, for example within the framework of the CLOUD Act, and that there will be no effective legal remedies against it. Such a data transfer to the USA is covered by your consent, e.g. to the use of cookies. Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations.

VII. Duration of Storage

i. Informational Use of the Website

When using our website for purely informational purposes, we store your personal data as follows:

• Server logs are stored for up to 3 months.
• The storage period of cookies set can be found in the Cookie page.
•The personal data collected via the Piwik PRO Analytics Suite is stored for 25 months.
• The personal data collected via the YouTube service is stored for a period determined by Google, usually between 9 and 24 months, but in individual cases (e.g. when linking to your Google account, if you are logged in to one during your visit to our website; reuse of YouTube or other Google applications; business and legal requirements) or longer.
• The data collected by Friendly Captcha will be deleted after 30 days.
• Otherwise, your personal data will be deleted immediately after you have left our website.

In addition, you have the option of deleting installed cookies yourself at any time.

ii. Active use of the Website and Social Media

In addition to the purely informational use of our website, you can also actively use our website, for example to contact us. In addition to the processing of your personal data described above in the case of purely informational use, we then process further personal data from you that you actively make available to us.

In case of active use of our website, we shall only save your personal data as long as this is required:

The data transmitted by you within the scope of requests shall initially be stored for the duration of the response to your request. If applicable, we shall continue to save your personal data up until the statute of limitation for any legal claims from the relationship with you, so that we can if applicable use these as evidence. We will hold for you information for a period of 6 years for these purposes, following which your information will be securely deleted.

iii. Events and Prize Draws

When you enter one of our events, we may retain your data for the duration of the event and up to two months. If you are a winner of one of our events, we may retain your data for up to six months.

VIII. Your Rights as the Person Affected

You are entitled to the following rights as the person affected, which you may assert against us:

Right of information: You are authorised at any time within the scope of Article 15 UK GDPR to request a confirmation as to whether we process appropriate personal data; if this is the case, you shall furthermore be authorised within the scope of Article 15 UK GDPR to receive information on this personal data and certain other information (amongst other things the processing purposes, categories of personal data, categories of recipients, the planned storage duration, the origin of the data, the use of automated decision-making and, in case of the transfer of data to a non-member state, the appropriate guarantees) and a copy of your data.

Right of rectification: You are authorised to request acc. Article 16 UK GDPR a rectification of the personal data we have stored if this is incorrect or erroneous.

Right of deletion: You are authorised subject to the prerequisites laid down in Article 17 UK GDPR to request that we delete personal data concerning you without delay. The right of deletion shall not, amongst other things, exist if the processing of the personal data is required for (i) the exercising of the right to freedom of opinion and information, (ii) the fulfilment of a legal obligation to which we are obligated (e.g. statutory storage obligations) or (iii) the assertion or exercising of legal claims or the defence against legal claims.

Right of limitation of processing: You are authorised subject to the prerequisites laid down in Article 18 UK GDPR to request that we limit the processing of your personal data.

Right of data portability: You are authorised subject to the prerequisites laid down in Article 20 UK GDPR to request that we hand over to you the personal data concerning you and which you have provided to us, in a structured, conventional and machine-readable format.

Right of revocation: You have the right to revoke your consent to the processing of personal data at any time with effect for the future.

Right of objection: You are authorised subject to the prerequisites laid down in Article 21 UK GDPR to file an objection against the processing of your personal data, meaning that we must terminate the processing of your personal data. The right of objection only exists within the limits provided for in Article 21 UK GDPR. In addition, our interests may contradict termination of the processing, meaning that we may remain authorised to process your personal data in spite of your objection.

Right of appeal to a supervisory authority: You have the right to appeal to the UK Information Commissioner's Office (ICO) is you are of the opinion that the processing of the personal data concerning you violates the UK GDPR. The right of appeal shall exist irrespective of any other administrative or judicial rights of appeal.

The ICO can be contacted at:

ICO
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Telephone: +44 (0) 1625 545 745
Fax: +44 (0) 1625 524 510

Email: england@ico.org.uk

However, we recommend that you always initially direct any complaints to us at dataprivacy@haribo.com

IX. The Scope of your Obligations for the Provision of Data

In principle, you are not obligated to inform us of your personal data. However, if you do not do this, we cannot provide you with our website and cannot respond to requests you send to us. Personal data which is absolutely essential to us for the abovementioned processing purposes is marked as such.

X. Automated Decision-Making/Profiling

We do not use automated decision-making or profiling (an automated analysis of your personal circumstances).

XI. Changes

We reserve the right to change this Data Protection Declaration at any time. Any changes shall be announced on our website through publication of the changed Data Protection Declaration. If not otherwise determined, such changes shall take effect immediately. Please therefore check this Data Protection Declaration regularly in order to view the respective most recent version.


Status: November 2023