Privacy statement

It’s very important to us that we handle your personal data responsibly. We take all necessary measures to protect the data you provide and to comply with the applicable national and European data protection regulations. This privacy statement explains for what purpose and on what legal basis this data is processed, to whom the data is passed on, for how long it is stored and what your rights are.

Contents

1. General
   1. Scope of application
   2. Controller and data protection officer
2. Processing your data
   1. Website
   2. Contact form and e-mail contact
   3. Competitions
   4. Applications
   5. Trade fair contacts, business cards
3. Rights of persons affected
   1. Right of access
   2. Rectification, deletion, restriction of processing
   3. Right to object
   4. Revocation of consent
   5. Supervisory authority

1. General

   1. Scope of application
      This privacy statement shall be applicable as of 25.5.2018 for the website www.cfp-brands.de, including any subpages, operated by CFP BRANDS Süßwarenhandels GmbH & Co. KG.

   2. Controller and data protection officer
      The controller of your personal data is CFP BRANDS Süßwarenhandels GmbH & Co. KG, Kortrijker Straße 1, 53177 Bonn, Germany. You can contact our data protection officer by email: datenschutz@cfp-brands.de or by post: Data Protection Officer c/o CFP BRANDS Süßwarenhandels GmbH & Co. KG, Kortrijker Straße 1, 53177 Bonn, Germany.

2. Processing your data

   1. Website

      1. Provision of the website

         1. Description of the data processing
            Every time the website is called up, our system collects automated data and information from the calling computer system. The following data is recorded in the process:

            • The IP address of the user
            • The date and time of access The data is stored in the log files of the SQL server. This data is not stored together with other personal data relating to the user.

         2. Purpose of processing and legal basis It is necessary for the system to temporarily store the IP address in order to enable the website to be delivered to the user’s computer. The user’s IP address must be stored for the duration of the session in order for this to take place. The legal basis for the temporary storage of the data is Article 6 Paragraph 1 (f) of the General Data Protection Regulation (GDPR). The legitimate interest in the data processing pursuant to Article 6 Paragraph 1 (f) of the GDPR comes from maintaining the functionality of the website.

         3. Recipient of the data and storage period The data will not be passed on to third parties and will be deleted as soon as it is no longer necessary in order to achieve the purpose for which it was stored. In the case of recording data for the provision of the website, this is the case when the respective session has been ended. The data is not stored by default. Data logging is only activated for verification purposes in the event of an error message. Once the error has been established, the data is deleted.

         4. Opportunity to object and withdraw The recording of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. As a result, there is no opportunity for the user to object.

      2. Use of cookies

         1. Description of the data processing
            Our website uses cookies. Cookies are text files that are stored in the internet browser or from the internet browser in the user’s computer system. If a user calls up a website, a cookie can be stored on the user’s operating system in this way. This cookie contains a characteristic sequence of characters, which enables the browser to be clearly identified when the website is called up again. We use Google Analytics, a web analysis service of Google Inc. (‘Google’) for our websites. Google uses cookies, which are stored on your computer.

         2. Purpose of processing and legal basis
            The purpose of the cookies used by Google Analytics is to analyse how you use the website. Google will use this information on our behalf in order to analyse how our online services are utilised by the user, to put together reports about the activities in connection with these services and to provide us with other services associated with the use of these online services and the use of the internet. In the process, pseudonymous user profiles of the users can be created from the processed data. We only use Google Analytics with activated IP anonymisation. This means that Google shortens the users’ IP addresses within the Member States of the European Union or in other contracting parties to the Agreement on the European Economic Area. Only in exceptional cases, the full IP address is transferred to a Google server in the USA, where it is shortened. The IP address transferred from the user’s browser is not linked with any other data from Google. The legal basis for the processing is Article 6 Paragraph 1 (f) of the GDPR. The legitimate interest in the processing of personal data pursuant to Article 6 Paragraph 1 (f) of the GDPR comes from designing our website to meet requirements.

         3. Recipient of the data and storage period
            The information regarding the use of the online service collected by the cookies from Google Analytics is usually transferred by Google to a server in the USA, where it is stored. Google Analytics states that its standardised procedure is to delete this information after 14 months.

         4. Opportunity to object and withdraw
            You can prevent the use of cookies by Google Analytics by selecting the appropriate settings in your browser software; furthermore, users can prevent data generated by the cookie and related to their use of the online services from being recorded by Google, as well as the processing of this data by Google. You can object to the generation of the pseudonymous user profile at any time. There are lots of options for doing this:

            • You can object to the web analysis by Google Analytics by setting an opt-out cookie that instructs Google not to store or use your data for purposes of web analysis. Please note that with this solution, the web analysis will not take place only for as long as the opt-out cookie is stored by the browser. If you want to set the opt-out cookie now, please click here.
            • You can also prevent the storage of cookies used for the creation of profiles by selecting the appropriate settings in your browser software.
            • Depending on the browser used, you have the option to install a browser plugin that prevents tracking. In order to do so, please click here and install the browser plugin that can be retrieved from there.

      3. Social plugins

         1. Description of the data processing
            Buttons that provide the option to interact with various social media networks can also be found on our website. You can activate these social plugins (‘plugins’), whereby the activation has the consequence that notably the address of the website on which the activated plugin is located, the date and time at which the website was called up, information about the browser used and the operating system used, as well as your actual IP address in this case, are transferred to the respective social media provider. If you are already logged in to the networks in question at the time at which the plugin is activated, the plugin is also able to determine your username, as well as your real name, where applicable, from the data stated above.

            1. Facebook, Instagram and YouTube
               Our online service uses plugins from the social networks facebook.com, instagram.com and youtube.com. The Facebook plugins can be recognised by their logos (white ‘f’ on a blue tile, the word ‘Like’ or a ‘thumbs up’ icon), or the wording ‘Facebook Social Plugin’; the Instagram and YouTube plugins can be recognised by their corresponding logos.

            2. LinkedIn and XING
               Our vacancies page uses LinkedIn and XING buttons. By using the buttons, you can go directly to the career portals and see our job opportunities, as well as other job opportunities.

         2. Purpose of processing and legal basis

            1. Facebook, Instagram and YouTube
               The purpose and scope of the data collection and the further processing and use of data can be found in the privacy notices of Facebook https://www.facebook.com/about/privacy/, Instagram https://help.instagram.com and YouTube https://policies.google.com/privacy?hl=de&gl=de#application. When a user calls up a function of these online services that contain this type of plugin, their device builds a direct connection with the servers of Facebook, Instagram and YouTube. The content of the plugin is transferred from Facebook, Instagram and YouTube directly to the user’s device, from where it is integrated into the online service. In the process, user profiles of the user can be created from the processed data. As such, we have no influence on the scope of the data that Facebook, Instagram and YouTube collect using this plugin and therefore inform the users according to our level of knowledge. Through integration of the plugin, the companies obtain the information that a user has called up the relevant page of the online service. If the user is logged in to Facebook, Instagram or YouTube, the corresponding company can assign the visit to the user’s account. If users interact with the plugin, for example by pressing the ‘Like’ button or leaving a comment, the corresponding information will be transmitted directly from your device to Facebook, Instagram or YouTube, where it will be stored. If a user is not a Facebook member, there is still the possibility for Facebook to find out and store your IP address. According to Facebook, only anonymised IP addresses are stored in Germany. The legal basis for the use of the Facebook plugin is the legitimate interest in the data processing pursuant to Article 6 Paragraph 1 (f) of the GDPR. The legitimate interest comes from providing a comprehensive service on our website.

            2. XING and LinkedIn
               If a user calls up a website from these portals, their browser builds a direct connection with the servers. The content of the buttons is transferred directly to the user’s browser. As such, we have no influence on the scope of the data that XING or LinkedIn collect using this plugin. Further information about this can be found in the XING privacy statement https://privacy.xing.com/de/datenschutzerklaerung/allgemeines-zu-den-zwecken-der-datenverarbeitung and the LinkedIn privacy statement https://www.linkedin.com/legal/privacy-policy?l=deDE. The legal basis for the use is the legitimate interest in the data processing pursuant to Article 6 Paragraph 1 (f) of the GDPR. The legitimate interest comes from providing an additional service on our website.

         3. Recipient of the data and storage period

            1. Facebook and Instagram
               According to the Facebook data protection guideline (Facebook Ireland Ltd., 4 Grand Canal SquareGrand Canal Harbour, Dublin 2 Ireland), the information is shared internally within the Group or with third parties. Instagram was taken over by Facebook in 2012, and the company discloses in the data protection guideline that information is exchanged between the companies. Information that is collected in the European Economic Area (EA), can, for example, be transferred to countries outside the EEA for the purposes described in the guideline. Facebook indicates that it uses standard contractual clauses approved by the European Commission, takes other measures in accordance with EU law and asks for your consent for the legitimisation of the transmission of data from the EEA to the USA or other countries. Facebook announces that it stores the data for as long as necessary in order provide users with other products and services. The information associated with the user account remains with Facebook, Instagram or YouTube until the account is deleted, unless the companies no longer require the data in order to provide products and services. 

            2. XING or LinkedIn
               According to XING’s privacy policy, personal data is only passed on to third parties in the event that this is necessary in order to fulfil its own business objective (e.g. if the profile is being made accessible to another user), consent has been given for this, or XING is obliged to do so by law or as a result of a judicial or official order. LinkedIn keeps the personal information for as long as the account exists or for as long as it is necessary to provide services to you. LinkedIn states that it keeps certain data (for example visits to websites that contain the plugin ‘Share on LinkedIn’ or ‘Apply with LinkedIn’ without the plugin being clicked) in an anonymised or aggregated form.

         4. Opportunity to object and withdraw

            1. Facebook and Instagram
               Information about how you can manage your content and information with Facebook can be found at https://www.facebook.com/about/privacy and with Instagram at https://help.instagram.com/369001149843369?helpref=page_content Further settings and options to object to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads.

            2. XING and LinkedIn
               As a registered user of XING or LinkedIn, you can access, amend, delete or change your personal data under Account Settings. Further information relating to deleting or amending your data with XING can be found here https://faq.xing.com/de/mein-profil/wie-kann-ich-mein-profil-löschen or with LinkedIn can be found here https://www.linkedin.com/help/linkedin/answer/66?lang=de.

         5. Amazon Online Shop

            1. Description and scope of data processing
               You will also find buttons that provide the option to be forwarded directly to the provider amazon.de on our website. The activation ‘Buy now at Amazon’ has the consequence that notably the address of the website, the date and time at which the website was called up, information about the browser used and the operating system used, as well as your actual IP address, are transferred to Amazon. If you are already logged in to Amazon at the time at which the plugin is activated, the plugin is also able to determine your username, as well as your real name, where applicable, from the data stated above.

            2. Purpose of processing and legal basis
               The purpose of the processing is to give you direct access to online shopping. The legal basis for the processing of the data is, where the user’s consent has been obtained, Article 6 Paragraph 1 (a) of the GDPR. The legal basis for the use is the legitimate interest in the data processing pursuant to Article 6 Paragraph 1 (f) of the GDPR. The legitimate interest comes from providing a comprehensive service on our website.

            3. Recipient and duration of storage
               According to the data protection regulations of Amazon Europe Core S.à.r.l., the information is shared with affiliated companies, partner companies and service providers. Amazon indicates that it takes part in the programmes EU-US and Swiss-US Privacy Shield for the collection, use and storage of personal information from Member States of the European Union and Switzerland. Amazon has officially confirmed to the US Ministry of Commerce that it complies with the Privacy Shield principles.

            4. Opportunity to object and withdraw
               Information about how you can change your settings for advertisements and cookies from Amazon can be found at https://www.amazon.de/adprefs/ref=ya__39.

   2. Contact form and email contact

      1. Description and scope of data processing
         Our webpages contain a contact form that can be used for electronic contact. If a user takes this opportunity, the data provided in the input mask is transferred to us and stored. The only mandatory detail is your email address; you can also add your title, first name, surname, postcode, street name, house number, telephone number, topic, the brand and a message if you so choose. At the time at which the message is sent, the following data is also stored: The IP address of the user and the date and time of the registration. For the processing of data, your consent is obtained and referred to this privacy statement within the framework of the sending process.
         Alternatively, it is possible to make contact via the email address provided. In this case, the user’s personal data transmitted by email is stored.
         In this connection, the data is not passed on to third parties. The data is used exclusively in order to process the conversation.

      2. Purpose of processing and legal basis
         The processing of personal data from the input mask exclusively serves the aim of enabling us to process your enquiry. In the event of an enquiry by email, this is also the necessary legitimate interest in processing the data. The other personal data processed during the sending process serves to prevent the misuse of the contact form and to ensure the security of our information technology systems. The legal basis for the processing of the data is, where the user’s consent has been obtained, Article 6 Paragraph 1 (a) of the GDPR. The legal basis for the processing of data that is transmitted in the course of sending an email is Article 6 Paragraph 1 (f) of the GDPR. If the email contact aims to conclude a contract, the additional legal basis for the processing is Article 6 Paragraph 1 (b) of the DSGVO.

      3. Recipient and duration of storage
         The data will not be passed on to third parties and will be deleted as soon as it is no longer necessary in order to achieve the purpose for which it was stored. For the personal data from the input mask of the contact form and that which is transmitted by email, this is the case when the corresponding conversation with the user has ended. The conversation is ended when it can be derived from the circumstances that the matter has been finally clarified. The personal data that is collected additionally during the sending process is deleted at the latest within a period of 90 days, as long as a longer retention period is not required for reasons of traceability or due to legal obligations to retain data.

      4. Opportunity to object and withdraw
         The user has the opportunity to revoke their consent for the processing of personal data at any time. If the user contacts us by email, they are able to object to the storage of their personal data at any time. In such cases, the conversation cannot be continued. The objection should be made to datenschutz@cfp-brands.de. In this case, all personal data stored within the course of the enquiry is deleted.

   3. Competitions

      1. Description and scope of data processing
         From time to time, we offer you the opportunity to take part in competitions that we organise. The personal details that you provide us with within the framework of such a promotion are used exclusively for the execution of the promotion (in the event of a competition, for example, for the determination of the winner, notification of the winner and sending the prize). 

      2. Purpose of processing and legal basis
         If you take part in a competition organised by us, we will process your data insofar as this is necessary for the execution of the competition. Where necessary, we obtain separate consent from you for the further processing of your data within the framework of the competition. In order to participate, you must be over the age of 16. The legal basis for this processing is Article 6 Paragraph 1 (a) (separate consent) and Article 6 Paragraph 1 (b) of the GDPR.

      3. Recipient and duration of storage
         The data collected for the participation is deleted after the competition expires, insofar as you have not agreed to processing beyond this period.

      4. Opportunity to object and withdraw
         As a participant, you have the opportunity to revoke your consent for the processing of personal data at any time. You can object to personal data being stored at any time. The objection should be made to datenschutz@cfp-brands.de. In this case, all personal data stored within the course of the enquiry is deleted.

   4. Applications

      1. Description of the data processing You can find out about our vacancies and apply for jobs online via our online careers portal. For this purpose, the fields title, first name, surname, street name and house number, postcode, city and country are compulsory, and your telephone number can be provided voluntarily. We also require information with regard to how you found out about us, when your earliest start date is and to download your CV. Furthermore, you can also choose to inform us of which division you are interested in, the desired time period of your job and your salary expectations. In addition, you can also choose to upload a cover letter and your picture, as well as additional documents. 

      2. Purpose of processing and legal basis  Your data is processed for the purpose of handling the application. On the basis of the data you transmitted online, we make a preliminary selection to fill the position. The legal basis for the processing of data is Article 6 Paragraph 1 (a) (consent) of the GDPR.

      3. Recipient and duration of storage
         Your data is transferred in encrypted form to our data processing company prescreen GmbH, after which it is made available to our company’s responsible department. If we are unable to consider you to fill the position, you will be informed by email. The data will then be deleted within 6 months. The correspondence and information that is collected from users within the framework of an application process will also be stored for a period of three years after they have ceased to be users and is visible to current and future users via the company’s Prescreen.io access.

      4. Opportunity to object and withdraw
         The user has the opportunity to revoke their consent for the processing of personal data at any time. In this case, the application process will be ended and the data will be deleted. You can also make changes to your profile in the applicant management system and delete your data under the point ‘Delete account’. After deleting your account, your data will be anonymised and used for statistical purposes. Please note that changes to your profile affect all of your applications. The Prescreen data protection information can be found here: https://prescreen.io/de/policy/

   5. Trade fair contacts, business cards

      1. Description of the data processing
         If you hand over business cards at trade fairs or on other business occasions, we will save the details transmitted, such as name, telephone number, email address, position and your telephone number, in our CRM system. We will then contact you by email and obtain your consent via opt-in, so that we are able to inform you about future products, innovations or activities or offers of our company that may be of interest to you.

      2. Purpose of processing and legal basis  The purpose of processing is to submit information to our company. The legal basis for the processing of data is Article 6 Paragraph 1 (a) (consent) of the GDPR.

      3. Recipient and duration of storage
         Your data will be stored in our CRM database. The data will be deleted immediately if you do not give us your consent by opt-in within one month after the confirmation email is sent. If you do provide us with consent, we will process the data to keep you updated.

      4. Opportunity to object and withdraw
         You have the opportunity to revoke your consent for the processing of personal data at any time. In this case, we will not provide you with any further information, and the data will be deleted. 

3. Rights of persons affected

   Where the legal preconditions are met, you have the following rights pursuant to Article 13 Paragraph 2, 15 to 22 of the GDPR.

   1. Right of access
      You are entitled to demand information about your personal data processed by us pursuant to Article 15 of the GDPR. In particular, you can demand information about the processing purposes, the category of the personal data, the categories of recipients to whom your data have been or will be disclosed, the intended storage duration, the existence of a right to rectify, delete or restrict the processing or to object, the existence of a right of appeal, the origin of your data, if this wasn’t collected by us, as well as the existence of automated decision-making including profiling and, where applicable, meaningful information regarding their details. Please contact datenschutz@cfp-brands.dedirectly if you want to use your right of access.

   2. Rectification, deletion, restriction of processing and data portability
      Furthermore, where the legal preconditions are met, you have the right,

      • pursuant to Article 16 of the GDPR, to immediately demand the rectification of inaccurate personal data or the completion of incomplete personal data we hold concerning you;
      • pursuant to Article 17 of the GDPR, to demand the deletion of the personal data we hold concerning you insofar as the processing is not necessary in order to exercise the freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
      • pursuant to Article 18 of the GDPR, to demand the restriction of processing of your personal data, insofar as the accuracy of your data is contested, the processing is unlawful, but you oppose its deletion and we no longer require the data, but you require it for the establishment, exercise or defence of legal claims or you have objected to the processing pursuant to Article 21 of the GDPR;
      • pursuant to Article 20 of the GDPR, to demand to receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format or to demand the transmission of this data to another controller.

   3. Right to object
      Insofar as your personal data is processed on the basis of legitimate interest pursuant to Article 6 Paragraph 1 Page 1 (f) of the GDPR, you are entitled, pursuant to Article 21 of the GDPR, to object to the processing of your personal data insofar as there are grounds for doing so that relate to your particular situation or the objection relates to direct marketing. In the latter case, you have a general right to object, which will be implemented by us, without providing a particular situation. If you wish to make use of your right of revocation or right to object, an email to: datenschutz@cfp-brands.de will suffice.

   4. Revocation of consent
      You are entitled to revoke your declaration of consent under data protection law at any time. As a result of the revocation of consent, the legality of the processing that took place on the basis of consent until its revocation will not be affected.

   5. Supervisory authority
      Without prejudice to any other administrative or legislative legal remedy, you are entitled to lodge a complaint to a supervisory authority, in particular in the Member State of your place of stay, your place of work or the place of the suspected infringement, if you believe that the processing of the personal data relating to you infringes on the GDPR. The supervisory authority to whom the complaint is submitted will inform the complainant about the status and the result of the complaint including the possibility for a judicial remedy pursuant to Article 78 of the GDPR. The address of the supervisory authority responsible for our company is: Data Protection and Freedom of Information Authority for the State of North Rhine-Westphalia, Postfach 20 04 44, 40102 Düsseldorf, Germany, email: poststelle@ldi.nrw.de.

Status 25.5.2018