Below, we would like to explain when and how we collect personal data, what kind of personal data we collect and how we handle the data we collect. We collect and process your personal data in accordance with national and European laws, in particular Germany’s Federal Data Protection Act (BDSG) and Telecommunications Telemedia Data Protection Act (TTDSG) and the EU’s General Data Protection Regulation (GDPR). If you have further questions regarding data protection at Naturkost GAIA GmbH and its affiliated companies, please do not hesitate to contact us using one of the phone numbers, fax numbers or email addresses below.
1. Data processing controller
Naturkost GAIA GmbH
Dürener Straße 67
Tel. +49 7567 9881 716
2. Data protection contact
We are not legally required to appoint an external data protection officer. If you have any questions about data protection at the Naturkost Group, you can contact us directly (see 1.) or get in touch with the data protection solicitor below:
Datenschutzkanzlei Lenz GmbH & Co. KG
Bahnhofstraße 50, 87435 Kempten (Allgäu), Germany
Tel.: +49 831 930653-00
3. When you visit our website
This section features information regarding data collection, data processing, data erasure, data security and the involvement of third-party providers in relation to your visit to our website www.naturkost-group.com.
3.1 Server log files
Whenever you visit our website, your browser transmits access data known as server log files or access logs, which we process in order to guarantee system security. The following information is recorded in the log files:
- The website previously visited (if a search engine was used, the search engine used including the keywords used)
- The requested website including the number of pages viewed and the page last opened before leaving the website
- The browser type and browser version
- The operating system and type of device used
- The language settings
- The date and time of the page view
- The use time
- The IP address
This data needs to be temporarily stored during a website visit in order to enable the website’s delivery. There is additionally storage in the form of log files/logs in order to guarantee website functionality and system security.
The purposes stated include our legitimate interests in data processing (Art. 6 I 1f GDPR). The data is erased as soon as it is no longer needed to achieve these purposes. Regarding provision of the website, this is the case when the session in question is terminated. The log files are additionally stored for seven days to be able to comprehensively guarantee system security and effectively analyse and eradicate errors. The collection of data for website provision and the storage of data in log files are essential for website operation. There is consequently no opt-out option for the user.
Our home page does not use or place cookies.
3.3 Data security
Our website uses effective encryption (TLS 1.2) for security reasons and for the protected transmission of the confidential content you submit to us as the page operators. You can recognise an encrypted connection when your browser’s address bar changes from ‘http://’ to ‘https://’ and when a lock icon appears in your address bar. When encryption is activated, the data you send us cannot be read by third parties.
3.4 External service providers
To provide and run our websites, we cooperate with external service providers who are carefully selected by us, who are obliged by the data protection requirements stipulated in data processing contracts pursuant to Art. 28 GDPR and whose activities we monitor. These service providers are based in Germany.
3.5 Links to external content
Insofar as our websites feature links to the websites of other providers, please note that we are not responsible for the content provided by the other providers and have no influence on the type and scope of data collection and data processing on the website in question. Please refer to the website in question for more information in this regard.
We offer you the opportunity to subscribe to one of our newsletters on our website www.naturkost-group.com. During registration, we will request contact details (e.g. email address, mobile phone number, fax number) as well as, in some cases, additional personal data provided voluntarily (e.g. first name and surname). The data collected shall be collected and processed based on your consent (Art. 6 I 1a GDPR). The data shall be processed exclusively for the purpose of delivery of the subscribed newsletter. We use external service providers for the dispatching of our newsletters who are carefully selected by us, who are obliged by the data protection requirements stipulated in data processing contracts pursuant to Art. 28 GDPR and whose activities we monitor. These service providers are based in Germany or in another EU member state.
You may revoke your consent at any time by cancelling your newsletter subscription via the website in question or via the link provided in every newsletter. The data collected during registration shall be erased without undue delay after you have cancelled your newsletter subscription and when we no longer need to process it pursuant to statutory data retention rights and obligations. Information relating to an email/fax newsletter subscription shall routinely be retained for three years following cancellation and information relating to consent to phone-based contact shall routinely be retained for five years following cancellation (Section 31 of the Regulatory Offences Act [OWiG], Section 7a of the Act against Unfair Competition [UWG]).
3.7 Contact via our website
You will find contact persons on our website. If you click on the email addresses provided there, your email program will open with the email address preset. This function is not needed in order to contact us or to use the rest of our website. We are not responsible for the processing of your data by the email program used by you.
We use data which you submit to us in order to respond to your enquiry. It shall not be transferred to third parties unless this is essential in order to process your enquiry. The options which come into consideration are, in particular, the forwarding of your enquiry to one of our associated companies if the matter of your enquiry is directed at them.
We shall erase the personal data processed in the course of our correspondence once your matter has been handled unless we are required to retain them for longer pursuant to statutory data retention obligations or rights. For example, data may be retained for longer if we establish business relations or initiate a contract or if we are legally obliged to continue to retain data due to the nature of the information exchanged, such as business letters.
In processing the data, we are pursuing our legitimate interest in responding to your enquiries (Art. 6 I 1f GDPR). Depending on the matter, data may also be processed for the initiation of a contract (Art. 6 I 1b GDPR) or for compliance with legal obligations (Art. 6 I 1c GDPR). The transfer of data to third countries outside of the European Economic Area is not intended.
4. Social media
We use the respective providers’ services to evaluate the use of our company profiles and thus improve the profiles and the services offered on them. The services used are as follows:
- LinkedIn Analytics
- YouTube Analytics
When you visit our company profiles, we and the provider in question jointly process your data collected by the service in question as the joint data controllers. This data comprises information about your visit to/your interaction with our fan page which may relate to you and may therefore be personal data. As such, the legal basis for data processing in the context of our responsibility is our legitimate interest within the meaning of Art. 6 I 1f GDPR in the opening of a platform for exchange with you and in the analysis of who is visiting our fan page, so that we can orient our content to them accordingly.
We have concluded contracts regarding joint responsibility with the providers. These oblige the providers to comply with your rights as the data subject pursuant to Chapter 3 of the GDPR. You will find more information on the processing of your personal data in relation to the services in question under the following links:
Cookies can additionally be placed on the company profile in question by the provider. The data collected by means of cookies is not processed under our responsibility. Please note that we have no insight into this type of data processing.
We additionally provide links to our social media presences on our website. You will be taken directly to these when you click on these links. If you do not click on the links, no data will be passed on to the provider from you. This incorporation with the possibility of being forwarded is in our legitimate interest in presenting our services publicly (Art. 6 I 1f GDPR).
5. When you apply for a job with us
We are delighted when you choose to submit an application to us. We collect and process the personal data in application documents on the basis of consent granted by you (Art. 6 I 1a GDPR) and in particular for the purpose of making a decision regarding the establishment of an employment relationship (Art. 6 I 1b GDPR). If we contact you following an application, you can refer to the section ’When you contact us’ below to learn about how we handle the content of the communication.
5.1 Advertised vacancies
If you apply for a specific advertised vacancy, we shall only process your application documents to make a decision regarding appointment to the position for which you applied. Other personal data may be collected from you personally, from publicly accessible sources or from former employers and trainers and then processed in the course of the application process (Art. 6 I 1b GDPR). We are additionally legally obliged to subject your person to what is known as sanctions list screening or anti-terror screening. Here, we compare the particulars you submitted with the EU’s and the USA’s sanctions lists. This screening is performed for compliance with a legal obligation (Art. 6 I 1c GDPR; Council Regulation 2580/2001/EC and Council Regulation 881/2002/EC).
Should the application process not lead to your being recruited, your personal data shall be erased after six months, starting from the point in time at which the vacancy was filled. If the application process leads to your being recruited, the data collected and your application documents shall be added to your personnel file (Art. 6 I 1b GDPR), where they shall remain for the duration of the employment relationship.
5.2 Speculative applications
Applications which are not related to a specific vacancy (speculative applications) shall be processed for the purpose of making decisions regarding appointment to any vacancies that match your qualifications (Art. 6 I 1a, b GDPR). Other personal data may be collected from you personally, from publicly accessible sources or from former employers and trainers and then processed in the course of the application process (Art. 6 I 1b GDPR). We are additionally legally obliged to subject your person to what is known as sanctions list screening or anti-terror screening. Here, we compare the particulars you submitted with the EU’s and the USA’s sanctions lists. This screening is performed for compliance with a legal obligation (Art. 6 I 1c GDPR; Council Regulation 2580/2001/EC, Council Regulation 881/2002/EC and Council Regulation 2017/1420/EU).
Your personal data shall be erased after one year, calculated from the date of receipt of your application, unless it is still the subject of an ongoing application process. If no application process leads to your being recruited, your personal data shall be erased after six months, starting from the point in time at which the last vacancy was filled for which you were considered. If an application process leads to your being recruited, the data collected and your application documents shall be added to your personnel file (Art. 6 I 1b GDPR), where they shall remain for the duration of the employment relationship.
5.3 Disclosure of your applicant data
Personal data which you submit to us in the course of your application and/or which we collect from publicly accessible sources or from former employers and trainers is processed exclusively by us. Data will be disclosed to companies affiliated with the Naturkost Group only if and insofar as you explicitly request this in your application (Art. 6 I 1a GDPR).
Insofar as we draw on the services of external service providers to provide job advertisements and application portals or to process your application, we shall select these carefully and shall oblige them to observe the data protection requirements stipulated in data processing contracts pursuant to Art. 28 GDPR. These service providers are based in Germany or in the EU.
6. When you contact us or collaborate with us
We are delighted that you wish to contact us or collaborate with us as a business partner. This section features information regarding data collection, data processing, data erasure, data security and the involvement of third-party providers in relation to business contact.
6.1 Data collection, data processing and data erasure
In the context of business contact, we shall regularly collect and process the following personal data:
- Full name
- Professional contact details (address, phone number, email address, position within the company)
In individual cases, we shall additionally request further information from you regarding your person, such as private contact details or dates of birth; such requests shall be kept to an absolute minimum. We shall ensure in particular that any additional data requested is requested due to technical or organisational necessity.
If you communicate with us via portals or software applications, the IP address of the device from which you accessed the portal or software application shall additionally be logged. This data will be collected automatically without any action on your part. You can find out in specific data privacy notices or in the cookie banner of the application in question whether such portals or software applications place cookies on your device and, if so, which cookies they place.
We shall process your personal data in particular to initiate future or execute existing business relations (Art. 6 I 1b GDPR) and to subject our business customers, suppliers and service providers to anti-terror screening and sanctions list screening to the extent prescribed by law (Art. 6 I 1c GDPR, Council Regulation 2580/2001/EC, Council Regulation 882/2002/EC, Council Regulation 2017/1420/EU). Other purposes may arise in individual cases.
Your personal data will be erased without undue delay once the processing purpose for which it was collected no longer applies. Insofar as data is, in individual cases, subject to statutory retention obligations, it shall be retained until expiry of the retention period in question and shall then be erased.
6.2 Disclosure of your data
Data shall only be exchanged with other Naturkost Group companies insofar as we draw on such companies for the performance of our obligations subject to the contracts concluded with you (Art. 6 I 1b GDPR) or if, in individual cases, this is in our overriding legitimate interest (Art. 6 I 1f GDPR).
Your personal data may be disclosed to authorities and courts as well as to lawyers, public auditors, tax consultants, business consultants and similar service providers who are bound by legal confidentiality.
6.3 External service providers
Your personal data shall be stored in our IT systems. Insofar as we draw on the services of external service providers to provide our IT infrastructure, individual IT applications and/or data processing, we shall select these carefully, shall monitor their activities and shall oblige them to observe the data protection requirements stipulated in data processing contracts pursuant to Art. 28 GDPR.
Data shall not as a rule be transmitted to countries outside of the EU. Should this occur in individual cases, we shall ensure that the recipient has an adequate level of data protection as per Art. 44 ff. GDPR.
7. Your rights vis-à-vis Naturkost Gaia GmbH
This section explains your rights if and insofar as we collect and process your personal data. Please note that we shall comply with your justified request as quickly as possible and that no fee or charge shall be incurred for this. Please submit the establishment of your rights to the following address: firstname.lastname@example.org.
In accordance with Art. 15 GDPR, you have the right to demand access to the data stored regarding your person as well as its origins, the recipients or categories of recipient to whom we disclose data and the purpose of the processing.
In accordance with Art. 16–18 GDPR, you may, in individual cases, have the right to rectification, erasure or restriction of the processing of your personal data. Pursuant to Art. 20 GDPR, you may also demand that your data be transferred to a different controller. Further, you may, pursuant to Art. 21 GDPR, have a special right to object to the processing of your data if and insofar as we base this processing solely on an overriding legitimate interest (Art. 6 I 1f GDPR) or insofar as the processing is for direct marketing purposes.
You may revoke your consent to data collection and data processing (Art. 6 I 1a GDPR) at any time. In this instance, we shall cease to process your personal data unless such continued processing is permitted or mandated by law.
The aforementioned objections or revocations shall only take effect for the future and shall not render past data collection and data processing inadmissible.
Finally, you have the right in accordance with Art. 77 GDPR to lodge a complaint with a data protection supervisory authority; North Rhine-Westphalia’s State Commissioner for Data Protection and Freedom of Information (LDI NRW) is the authority responsible for us.
(Correct as at: 05/2022)