Data protection declaration

(Last amended: 1 March 2020)

The protection of your personal data is important to us. Whenever we process data, we do so in accordance with the statutory regulations. Pursuant to Articles 12, 13 and 21 of the General Data Protection Regulation (GDPR), this policy explains how your personal data are handled when you use our website www.haribo.com.

I. Controller

The controller within the meaning of the General Data Protection Regulation:

Name: HARIBO GmbH & Co. KG
Address: Dr.-Hans-und-Paul-Riegel-Str. 1
53501 Grafschaft, Germany
E-mail: info@haribo.com
Phone: +49 2641 3000
Fax: +49 2641 300 289

II. Data protection officer

Contact details of our data protection officer:

HARIBO GmbH & Co. KG
Data protection officer
Dr.-Hans-und-Paul-Riegel-Str. 1
53501 Grafschaft, Deutschland
E-mail: datenschutz@haribo.com

III. Purposes and legal bases for data processing

1. Use of the website for information purposes

You can visit our website without actively providing any information about yourself. In this case, we will process the following personal data on a technical level:

a. Technical provision of the website

It is necessary for technical provision of the website that we process certain information sent automatically by you so that your browser displays our website and you can use the website. This information is collected automatically every time you access our website and is saved in our server log files. This information relates to the computer system of the accessing computer. The following information is collected:

  • IP address of the user
  • The date and time the website was accessed
  • URL visited including HTTP method and GET parameters + protocol version
  • Byte size of the server response
  • HTTP referrer
  • Browser type and version
  • Operating system type and version

Furthermore, we use cookies to make our website available for you to use. Cookies are text files that are saved in a web browser or by a web browser on your computer system when you visit a website. Cookies contain a unique string of characters that uniquely identifies the browser when the user returns to the website. We use cookies only to make our website available to you along with its technical features. Some features of our website can be provided without using cookies. The cookies listed below store the information described in each case and transmit it to us:

This enables us to improve the quality of our website. We do not use the information collected by the above cookies to create user profiles or to evaluate your surfing behaviour.

Your data, which we have collected using the above cookies, will not be used by us to create user profiles or to analyse your surfing behaviour.
We process your personal data for the technical provision of our website on the following legal bases:

  • to perform a contract or to take steps prior to entering into a contract pursuant to point (b) of Article 6 (1) of the GDPR in so far as you visit our website to find out about our products and events; and
  • to protect our legitimate interests pursuant to point (f) of Article 6 (1) of the GDPR in order to be able to make the website technically available to you. Our legitimate interests lie in being able to make an attractive, technically functional and user-friendly website available to you as well as to take steps to protect our website against cyber risks and prevent cyber risks for third parties emanating from our website.

b. Statistical analysis of website use and increased coverage

With your consent, we use analytical tools in order to carry out statistical analyses of how our website is used. By doing this, we can improve the quality of our website and its content. We learn how the website is used and can thus continually optimise our service. The information obtained in the context of statistical analysis of our website will not be combined with any other of your data collected by the website. We process your personal data in order to carry out a statistical analysis of how you use our website on the basis of your consent pursuant to point (a) of Article 6 (1) of the GDPR.

Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics uses so-called ‘cookies’ which are text files saved on your computer that enable your use of the website to be analysed. The information generated by the cookies about your use of our website is usually transmitted to and stored on a server operated by Google in the United States. However, if IP anonymisation is enabled on this website, Google will shorten your IP address within Member States of the European Union or in other states that are party to the Agreement on the European Economic Area beforehand. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. Google uses this information on our behalf to analyse your use of the website, compile website activity reports and provide further services associated with use of the website in particular and use of the Internet in general to the website operator. The IP address transmitted from your browser in the context of Google Analytics will not be combined with other Google data.

We use Google Analytics with the extension ‘anonymizelp()’ on our website. This means that IP addresses are further processed in shortened form thus preventing them from being directly linked to an individual.

You can find more information about the cookies being used, any consent you might have granted and ways to manage cookies in the section Technical provision of the website (a.).

You can find more information about the terms of use of and data protection at Google Analytics at https://marketingplatform.google.com/about/analytics/terms/us/ and https://policies.google.com/?hl=en-GB

Google Tag Manager
Our website uses the Google Tag Manager. The Google Tag Manager is a solution that marketers can use to manage website tags via an interface. The Google Tag Manager service itself (which implements the tags) is a cookie-free domain and does not collect any personal data. The Google Tag Manager service causes other tags to be triggered, which may then collect data in certain situations. Google Tag Manager does not access such data. If a deactivation has been put into effect at domain or cookie level, it will remain valid for all tracking tags implemented by Google Tag Manager.

You can find more information about the cookies being used, any consent you might have granted and ways to manage cookies in the section Technical provision of the website (a.).

2. Active use of the website

In addition to using our website for purely informational purposes, you can also actively use our website in order to contact us, subscribe to the newsletter or join the fan pool. In this case, in addition to the processing of your personal data as indicated above when you use the website purely for informational purposes, we also use other personal data that we require, for instance, to process and respond to your enquiry.

a. Contact request

In order to process and respond to your enquiries, e.g. via the various contact forms, we process your personal data provided by you in this context. In every case, this will include your first name and surname and e-mail address in order to send you a reply, as well as other information you provide us in the context of your communication.

We process your personal data to respond to enquiries on the following legal basis:

  • to protect our legitimate interests pursuant to point (f) of Article 6 (1) of the GDPR; our legitimate interest lies in providing an appropriate response to enquiries from end customers or other interested parties.

b. Newsletter, promotional e-mails and fan pool

With your consent, we will use your data for the purposes of advertising and market research such as sending our newsletter or participation in the fan pool. As it is mandatory information, we will always process your first name and surname, your e-mail address and your confirmation that you are at least 16 years of age. We will also process your post code in connection with the fan pool.

We process your personal data for these purposes on the basis of your consent in accordance with point (a) of Article 6 (1) of the GDPR.
You can unsubscribe from the newsletter at any time by clicking on the corresponding link in the newsletter and confirming that you wish to unsubscribe.
You can leave the fan pool on our website at any time by clicking on Company / Service / Fan Pool.

IV. Links

Some sections of our website contain links to the websites of third-party providers. These websites are subject to their own data privacy policies. We are not responsible for their operation, including the handling of data. If you send information to or via such third-party sites, you should check the privacy policies of these sites before sending information that can be traced to you personally.

V. Categories of recipients

In the first instance, only our employees receive your personal data. Insofar as permitted or prescribed under law, we also share your personal data with other recipients which provide services in connection with our website. We restrict the forwarding of your personal data to what is necessary. Some of our service providers receive your personal data in their capacity as processors and, in this case, are strictly bound by our instructions when handling your personal data. In some cases, the recipients act independently with your data which we send to them.

The categories of recipients of your personal data are indicated below:

  • External service providers for programming the website www.haribo.com, specifically Scholz & Volkmer GmbH, Schwalbacher Strasse 72, 65183 Wiesbaden, Germany;
  • External service providers for hosting the website www.haribo.com, specifically PlusServer GmbH, Hohenzollernring 72, 50672 Cologne, Germany, Akamai Technologies GmbH, Parkring 20–22, 85748 Garching, Germany, and Cloudinary Inc., 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086, USA;
  • External service providers for sending newsletters by e-mail, specifically Newsletter2Go GmbH, Köpenicker Str. 126, 10179 Berlin, Germany;
  • External service providers for providing the search tool on the website www.haribo.com, specifically Elasticsearch B.V., Keizersgracht 281, Amsterdam 1016 –Ed, Netherlands;
  • External service providers for responding to or checking enquiries or executing competitions;
  • Logistics service providers for sending you goods, letters or other items;
  • Insurers when claims are filed against us;
  • Payment service providers and banks for processing payments;
  • IT service providers for administration and hosting of our website;
  • Legal advisors when claims are filed or defended against.
  • Google Analytics
  • YouTube
  • Monotype

VI. Transfer to third countries

Personal data are transmitted to the USA as part of the use of various tools. Data transfer is based on Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield. We do not transfer your personal data to countries outside the EU or the EEA or to international organisations.

VII. Duration of storage

1. Use of the website for information purposes

We store your personal data as follows when you use our website for information purposes only:

  • Server logs are stored for up to three months.
  • Information on the storage period of cookies can be found in the section Technical provision of the website (a.).
  • Otherwise, your personal data are erased as soon as you leave our website.

You can delete installed cookies yourself at any time.

2. Active use of the website

When you use the website actively, we will only store your personal data for as long as necessary:

  • The data you transmit as part of enquiries shall initially be stored for the time it takes to respond to your enquiry. We may then continue to store your personal data until any legal claims arising from the relationship with you become time-barred, in order to use these as evidence where necessary. The period of limitation is generally between 12 and 36 months, but may be up to 30 years. We shall delete your personal data when claims become time-barred unless there is a statutory retention period in accordance with the Handelsgesetzbuch (HGB; German Commercial Code), for example (Section 238, 257 (4) of the HGB), or the Abgabenordnung (AO; German Tax Code) (Section 147 (3), (4)). These statutory retention obligations may be between two and eleven years.
  • If you join the fan pool or subscribe to the newsletter, your data shall be stored until you leave the fan pool or unsubscribe from the newsletter.
  • With regard to competitions, your data shall be stored for up to four weeks after the winners have been chosen.

VIII. Your rights as a data subject

Where the statutory criteria are met, you have the following rights as a data subject which you can exercise in relation to us:

Right to access: You have the right in the context of Article 15 of the GDPR to request confirmation from us of whether or not we process personal data concerning you; if this is the case, you are further entitled in the context of Article 15 of the GDPR to access these personal data as well certain other information (including the purposes of processing, categories of personal data, categories of recipients, envisaged storage period, origin of data, use of automated decision-making and, in the event of transfer to a third country, the appropriate safeguards) and to receive a copy of your data.

Right to rectification: You have the right in accordance with Article 16 of the GDPR to request the correction by us of personal data concerning you that is stored by us if such data are inapplicable or inaccurate.

Right to erasure: You have the right under Article 17 of the GDPR to obtain from us the erasure of personal data concerning you without undue delay. You will not have the right to erasure if the processing of personal data is necessary for (i) exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation to which we are subject (for example, statutory retention obligations) or (iii) for the establishment, exercise or defence of legal claims.

Right to restriction of processing: You have the right under Article 18 of the GDPR to obtain from us the restriction of processing of your personal data.

Right to data portability: You have the right under Article 20 of the GDPR to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.

Right to withdraw: You have the right to withdraw your consent to the processing of personal data at any time with future effect.

Right to object: You have the right under Article 21 of the GDPR to object to the processing of your personal data and consequently we must cease processing of your personal data. The right to object exists only within the limits provided for in Article 21 of the GDPR. Moreover, ceasing to process may be contrary to our interests and consequently we will be entitled to process your personal data in spite of your objection.

Right to lodge a complaint with a supervisory authority:

You have the right under Article 77 of the GDPR to lodge a complaint with a supervisory authority, especially in the member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.

The competent supervisory authority in our case is:

The State Commissioner for Data Protection and Freedom of Information for Rhineland-Palatinate
Professor Dieter Kugelmann
Office address: Hintere Bleiche 34, 55116 Mainz, Germany
Postal address: PO Box 3040, 55020 Mainz, Germany
Phone: +49 6131 208 2449
Fax: +49 6131 208 2497
E-mail: ed.plr.ztuhcsnetad@elletstsop

However, we recommend that you always send your complaint to our data protection officer in the first instance.

Where possible, you should address requests to exercise your rights in writing to the above address or to our data protection officer directly.

IX. Scope of your obligations to provide data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make our website available to you or respond to your enquiries. Personal data which we absolutely need for the aforementioned processing purposes are labelled as mandatory.

X. Automated decision-making and profiling

We do not use automated decision-making or profiling (automated analysis of your personal circumstances).

Information on your right to object pursuant to Article 21 of the GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (f) of Article 6 (1) of the GDPR (data processing based on a balance of interests) or point (e) of Article 6 (1) of the GDPR (data processing in the public interest). This also applies to profiling (Article 4 no. 4 of the GDPR) based on these provisions.

If you make an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

In individual cases, we also process your data for the purposes of direct advertising. If you do not wish to receive any advertising, you are entitled to object to this at any time; this also applies to profiling if this is in conjunction with such direct advertising. We shall comply with this objection for the future.

We will no longer process your data for the purposes of direct advertising if you object to processing for these purposes.

Objections can be informal and should be sent where possible to

HARIBO GmbH & Co. KG
Dr.-Hans-und-Paul-Riegel-Str. 1
53501 Grafschaft, Germany
E-mail: info@haribo.com
Phone: +49 2641 3000
Fax: +49 2641 300 289

XI. Amendments

We reserve the right to amend this data privacy policy at any time. Any changes will be notified through the publication of an amended data privacy policy on our website. Unless provision is made otherwise, such changes will be effective immediately. Please check this privacy policy regularly to see the most up-to-date version.