Privacy Notice
Naturland Zeichen GmbH

Scope of processing. If you use our website for information purposes only, i.e., if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. When you access our website, we collect the following data: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request originates, browser, operating system and its interface, language and version of the browser software.

Purpose and legal basis. The processing of this data serves the purpose of enabling the technical provision of the website and ensuring its stability and security. This processing and storage is carried out in order to fulfil the user contract concluded with you, insofar as it serves the technical processing of the use of the website (legal basis: Article 6(1)(b) of the General Data Protection Regulation (GDPR)) and otherwise to safeguard our legitimate interest in making our website as user-friendly, secure and attractive as possible and to promote the realisation of our corporate purpose (legal basis: Article 6(1)(f) GDPR).

Duration of storage. The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data collected to provide the website, this occurs when the respective session has ended. IP addresses are stored for seven days in order to be able to track misuse.

Scope of processing. If you sign up for our newsletter, we require your name and email address All additional information is voluntary. You will first receive an email containing a link that you must click on to confirm that you wish to receive the newsletter. This process prevents someone from signing up for the newsletter on your behalf without your consent. If you have given your consent for us to analyse your use of the newsletter, we will evaluate when you opened the newsletter, which browser you used, your approximate location at the time of opening, and which content you found of interest.

Purpose and legal basis. Your data will only be used for the purpose of sending our newsletter and for customer care, in order to contact you individually (where legally permitted) – potentially after researching additional data – to make you offers and to clarify your needs regarding our services. The purpose of analysing usage is to improve our services. We store your registration for the newsletter, your consent to usage analysis (if applicable), and your confirmation of registration in order to be able to prove that you have actually registered. The legal basis is therefore your consent (legal basis: Article 6(1)(a) GDPR), and, insofar as the proof of consent and the communication with interested parties is concerned, our legitimate interests. In this respect, our legitimate interest is to improve our services according to your individual needs and thereby support the achievement of our corporate objectives, to provide you with further offers tailored to your interests, and to document contractual arrangements and correspondence for the assertion, exercise or defence of legal claims (legal basis: Article 6(1)(f) GDPR).

Duration of storage. For the purpose of sending the newsletter and analysing usage, we store your data until you withdraw your consent or until the newsletter service is permanently discontinued. In order to support potential customers, we will delete your data as soon as you object to its use, or five years after your last expression of interest, whichever occurs first. For the purpose of proving consent, we store your data for three years after the last newsletter was sent to you. If you do not confirm your newsletter registration, we will delete your data after 24 hours.

Newsletter tools. We may use third-party tools for sending newsletters and analysing newsletter usage. These tools allow us to analyse our newsletter campaigns, for example to determine which newsletters have been opened and which links have been clicked on and whether certain predefined actions have subsequently been carried out (conversion rate). We may categorise newsletter recipients based on different criteria, such as age, gender, or place of residence ("clustering"), and then use this information to better tailor our newsletters to specific target groups.

We enter into data processing agreements with the providers of such newsletter tools, which ensure that personal data is only processed on our behalf and in accordance with our instructions. The legal basis for the use of newsletter tools is your consent (Article 6(1)(a) GDPR).

[We currently use the newsletter tool Brevo from Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Your data is stored on the servers of Sendinblue GmbH in Germany.]

If you wish to download brochures, newsletters or other content from our website, the provisions outlined in sections 1.1 and 1.2 shall apply accordingly.

Scope of processing. On our website, we may offer users the option of logging into non-public areas. Within these non-public areas, certain extended information is available to you. For this purpose, our employees will provide you with access credentials that do not require individual registration. When you log in, only your IP address is collected. Your data will not be shared with third parties. You have the option to select a checkbox on the website to remain logged in.

Purpose and legal basis. The data is collected to enable your registration for the non-public area and to prevent you from having to re-enter your registration details on your next visit to the site. We store this data for the initiation and fulfilment of the user contract established with the registration, insofar as this serves the technical processing of the use of the non-public area (legal basis: Article 6(1)(b) GDPR) and otherwise to safeguard our legitimate interest in making our website as user-friendly, secure and attractive as possible and to promote the realisation of our corporate purpose (legal basis: Article 6(1)(f) GDPR).

Duration of storage. The data specified here will be stored until you cancel your registration with us.

We integrate recommendation buttons, known as social plug-ins, from social media platforms into our website. We use what is known as the two-click solution. This enables you to use social media features while maintaining control over your privacy. Direct contact between the social media platform and you is only established when you click on the button or link visible on our website. This solution prevents you from inadvertently sharing information on every page you visit. In particular, we use links to Facebook, YouTube, Instagram, and LinkedIn. These plug-ins are marked with the relevant platform's logo on our website.

However, we have no control over the data that may be transmitted once you click on these links. You should assume that, at a minimum, your IP address and other device-related information (i.e., all data mentioned under section 1.1 above) will be collected and processed. It is likely that Facebook, YouTube, Instagram, and LinkedIn will attempt to store cookies on your device. Please read the privacy policies of the respective social media providers, as your activities on our website that are published via social media are no longer subject to this privacy policy:

Google / YouTube:        https://policies.google.com/privacy?hl=de&gl=de

Facebook:                        https://de-de.facebook.com/about/privacy/

Instagram:                       https://help.instagram.com/519522125107875

LinkedIn:                          https://www.linkedin.com/legal/privacy-policy?

Scope of processing. Our website uses cookies. Cookies are text files that are stored on your computer by your internet browser. Each cookie contains a unique string of characters that enables your browser to be identified when you return to our website. We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change. The following data is stored and transmitted in the cookies: Language settings, log-in information. We also use cookies on our website that allow us to analyse your use of our website. The following data may be transmitted in this context: Search terms entered, frequency of page views, use of website functions. When accessing our website, users are informed about the use of cookies and asked to consent to the processing of the personal data used in this context via our cookie consent tool (see sections 1.6 and 3.1).

Purpose and legal basis. On the one hand, we use cookies to simplify the use of our website. On the other hand, we use cookies for analytical purposes, in particular to improve the quality of our website and to identify topics of interest. The setting of cookies is based on your consent, which you can give via our cookie consent tool for all or individual cookies and analysis tools (legal basis: Article 6(1)(a) GDPR and Section 25 of the German Act on Data Protection and Privacy in Telecommunications and Digital Services (TTDSG). If you do not accept technically necessary cookies, this may lead to restrictions in the use of our website.

Duration of storage. Cookies are stored on your computer. The duration of storage can be found in our cookie consent tool or in the overview in your browser’s cookie settings.

Provider. If you have given your consent in our cookie consent tool (see sections 1.6 and 3.1), Google Analytics 4 is used on our website. The provider is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Type of processing. Google Analytics uses cookies that enable us to analyse your use of our website. The information collected by the cookies about your use of our website is usually transferred to a Google server in the United States and stored there.

In Google Analytics 4, IP address anonymisation is enabled by default. Due to IP anonymisation, your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

While you are visiting our website, your user behaviour is recorded in the form of “events”. Examples of such events include:

• Page views
• First visit to the website
• Start of the session
• Websites visited
• Your "click path" (interactions with the website)
• Scrolls (whenever a user scrolls to the end of the page (90%))
• Clicks on external links
• Internal search queries
• Interaction with videos
• File downloads
• Viewed / clicked advertisements
• Language settings

The following information will also be recorded:

• Your approximate location (region)
• Date and time of your visit
• Your IP address (in abbreviated form)
• Technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
• Your internet service provider
• The referrer URL (the website or advertising medium through which you accessed our website).

Purposes of processing. Google will use this information on our behalf to analyse your use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyse the performance of our website and the effectiveness of our marketing campaigns. 

Recipients. The recipients of the data are or may include:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor pursuant to Article 28 GDPR)
• Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
• Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

Third-country transfers. For data transfers to the United States, Google LLC and Alphabet Inc. have joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. As Google servers are distributed globally and a transfer to third countries (e.g. Singapore) cannot be completely ruled out, we have also entered into EU standard contractual clauses with the provider.

Storage period. The data transmitted by us and linked to cookies is automatically deleted after 14 months. The maximum lifespan of Google Analytics cookies is 2 years. Data that has reached the end of its retention period is automatically deleted once a month.

Legal basis. The legal basis for this data processing is your consent (Article 6(1)(a) GDPR and Section 25 TTDSG).

Further information about the terms of use for Google Analytics and data protection at Google can be found at: https://marketingplatform.google.com/about/analytics/terms/de/ and at https://policies.google.com/?hl=de

Provider. If you have given your consent in our cookie consent tool (see sections 1.6 and 3.1), the "META Pixel" service is used on our website in extended data synchronisation mode. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"). However, according to Facebook, the data collected may also be transferred to the United States and other third countries.

Type of processing. If a user clicks on an advertisement placed by us on Facebook, a parameter is added to the URL of our linked page with the help of "META Pixel". This URL parameter is then stored in the user’s browser via a cookie set by our linked page. In addition, this cookie collects specific customer data such as the email address that we collect on our website linked to the Facebook advertisement during processes such as purchase transactions, account logins or registrations (enhanced data matching). The cookie is then read and enables the data, including the specific customer data, to be transmitted to Facebook.

We use "META Pixel" with enhanced data matching to make our Facebook advertisements (so-called "Facebook Ads") more effective and to ensure that they correspond to the interests of users or have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Facebook (so-called "Custom Audiences").

In addition, we analyse the effectiveness of our advertisements by tracking whether users were redirected to our website after clicking on an advertisement (conversion). Compared to the standard version of "META Pixel", the extended data synchronisation function helps us to more accurately measure the effectiveness of our advertising campaigns by recording additional associated conversions.

All transmitted data is stored and processed by Facebook in such a way that it can be attributed to the respective user profile. Facebook may use this data for its own advertising purposes in accordance with its data usage policy: (https://www.facebook.com/about/privacy/). The data may enable Facebook and its partners to place advertisements on and off Facebook. We, as the website operator, have no influence over this further use of the data.

The information generated by Facebook is usually transmitted to a Facebook server and stored there. In this context, data may also be transferred to servers operated by Meta Platforms Inc. servers in the United States.

Legal basis. The legal basis for this data processing is your consent (Article 6(1)(a) GDPR and Section 25 TTDSG).

We are joint controllers with Facebook for data collected via our website and subsequently transmitted to Facebook (Article 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. Any further processing by Facebook after the transfer is not part of the joint controllership. The obligations incumbent on us jointly have been set out in an agreement. The wording of the agreement can be found at: www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

For data transfers to the United States, Meta Platforms Inc. has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

Further information on how Facebook processes personal data can be found in Facebook’s privacy policy at: https://de-de.facebook.com/about/privacy/.

You can also disable the Custom Audiences remarketing function in your ad preferences:

https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

To do this you must be logged in to Facebook. If you do not have a Facebook account, you can deactivate usage-based advertising by Facebook on the website of the European Interactive Digital Advertising Alliance:

Your Online Choices | EDAA

Provider. We use Eye-Able®, a software solution provided by Web Inclusion GmbH, on our website.

Type and purpose of processing. We use Eye-Able® to ensure barrier-reduced access to online information for all users. To enable this functionality, necessary files such as JavaScript, stylesheets, and images are loaded from an external server. When functions are activated, Eye-Able® uses the browser's local storage to save the settings. All settings are only stored locally and are not transmitted to external servers.

Eye-Able® uses the Content Delivery Network (CDN) of BunnyWay d.o.o. (Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia) to ward off attacks and provide the service in near real time. All data and servers remain in the EU at all times. The provider does not collect or analyse personal user behaviour or other personal data at any time.

Legal basis. The legal basis for this data processing is the protection of our legitimate interest in making our website as user-friendly, secure, and attractive as possible and to promote the realisation of our corporate purpose (legal basis: Article 6(1)(f) GDPR).

We have entered into a data processing agreement with the provider, which ensures that any personal data is processed solely on our behalf and in accordance with our instructions.

To ensure data protection-compliant processing, the provider has concluded order processing contracts with our hosting providers IONOS and BunnyWay. Further information can be found in the provider's privacy policy:

Eye-Able Privacy Notice

Scope of processing. If you apply to us, we will only process the information that we receive from you as part of the application process, e.g. through your cover letter, CV, references, correspondence, or information shared by telephone or in conversation. In addition to your contact details, we are particularly interested in information relating to your education, professional experience, and skills. We kindly ask that you refrain from submitting any information that is not relevant for assessing your suitability for employment with us.

Please do not send applications to our general postal or email address. Instead, always direct your application to the contact person named on our website or in the relevant job advertisement, or to the address specified therein. Please note that data transmission over the internet is generally insecure unless it is encrypted. Our servers support transport encryption (STARTTLS), which means that emails sent between your email provider and our systems are protected, provided your email provider also supports transport encryption. You may further protect any email attachments by securing them with a password and informing us of the password through a separate communication channel.

Your data can be accessed by the people responsible for personnel matters at our company, your potential line manager, and – if necessary – senior management. For technical reasons, our IT administrators have access to data stored on our systems. However, your data is not "distributed" via email but is instead stored in an area of our IT system that is protected against unauthorised access.

As a general rule, we do not require any special categories of personal data within the meaning of Article 9 GDPR for the application process – such as health information, or details of your ethnic origin, religious or political beliefs, or trade union membership. We kindly ask you not to provide us with any such information from the outset. If, in exceptional cases, such information is relevant to the application process, we will process it alongside your other application data. This may apply, for example, to information regarding a severe disability, which you may choose to provide to us voluntarily, and which we are then required to process in order to fulfil our special obligations concerning the employment of persons with severe disabilities.

Purpose and legal basis. Your data will initially be processed exclusively for the purpose of carrying out the application procedure – that is, to enable a decision to be made regarding the establishment of an employment relationship. The legal basis for data processing in the application process is Section 26(1)(1) of the German Federal Data Protection Act (BDSG) or Article 6(1)(b) GDPR (performance of a contract). If you have given your consent, for example by sending information that is not necessary for the application process, the legal basis for processing is Article 6(1)(a) GDPR (consent). In cases in which you provide us with information about a severe disability, the processing is carried out for the purpose of exercising rights or fulfilling legal obligations under labour law, social security law, or social protection law. In such cases, the legal bases for processing are Article 9(2)(b) GDPR, Section 26(3) BDSG, and Section 164 of the German Social Code (SGB) Book IX.

Disclosure. As a rule, we do not share your personal data with third parties. However, in certain cases, it may be necessary to disclose your data to third parties in order to provide the service you have requested – for example, to service providers such as banks or postal services.

Scope of processing. If your application is successful, the information provided during the application process will become part of your personnel file and will be processed by our HR department. The scope of processing will then depend on the requirements arising from the employment relationship.

Purpose and legal basis. In this case, your data will be used for the purpose of administering the employment relationship (e.g. payroll processing, sickness reporting, notifications to social security institutions, etc.) and for its termination. The legal bases for this processing are the same as those outlined above under Section 1.1.

Duration of storage. If an employment relationship is established, your data will be deleted in accordance with the retention periods applicable to personnel records.

Scope of processing. If we are unable to offer you employment and you do not wish to be included in our talent pool (see section 2.1.4), your data will be stored in a designated area of our system that is appropriately labelled. It will then only be accessible to HR personnel and IT administrators until it is deleted.

Purpose and legal basis. Following a rejection, we retain your data in order to be able to defend ourselves against potential legal claims, in particular those relating to alleged discrimination in the application process. If you receive cost reimbursements (e.g. travel expenses) or if other tax-relevant transactions occur (e.g. invitation to a meal), the corresponding accounting records will be retained in order to comply with retention obligations under commercial and tax law. The legal basis for processing your data after a rejection is Article 6(1)(f) GDPR. The legal basis for retention under commercial and tax law is Article 6(1)(c) GDPR in conjunction with Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB). Our legitimate interest in processing this data arises from the need to be able to defend against legal claims.

Duration of storage. Data retained for the purpose of defending against legal claims will be stored for a maximum of six months after the rejection. Data retained in accordance with commercial or tax law will be stored until 31 March of the eleventh calendar year following the year of payment (for tax-relevant accounting records), or until the end of the seventh calendar year following the date of creation (for commercial correspondence and other tax-relevant documentation).

Scope of processing. Even if your profile does not fully match the advertised position, we highly value your talents and your interest in our company. For this reason, we have established a talent pool, in which we may continue to store the personal data of unsuccessful applicants with your separate consent, even after the application process has concluded.

Purpose and legal basis. For future vacancies, we access this applicant data in order to identify potentially suitable candidates and contact them to ask them whether they would like to reapply. We only include applicant data in the talent pool with your explicit consent (legal basis: Article 6(1)(a) GDPR).

Duration of storage. Applicant data in the talent pool will be deleted 24 months after the last communication with you.

This privacy policy applies to the following social media sites

https://www.facebook.com/NaturlandoekoLandbau

https://www.instagram.com/naturland_official/

https://de.linkedin.com/company/naturland-zeichen-gmbh

https://www.youtube.com/@NaturlandVerband

https://www.tiktok.com/@naturland.official

Data processing by social media platforms

We maintain publicly accessible profiles on social media platforms. The individual social media platforms we use are listed below.

Social media platforms such as Facebook, X, etc. can generally analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. These include, in particular:

If you are logged into your social media account and visit our social media presence, the operator of the social media platform can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media platform. This may occur, for example, via cookies stored on your device or by recording your IP address.

The data collected in this way may be used by the platform operators to create user profiles, in which your preferences and interests are stored. This allows interest-based advertising to be displayed to you both within and outside the respective social media presence. If you have an account with the respective social platform, the interest-based advertising may be shown to you across all devices on which you are or have been logged in.

Please also note that we cannot track all processing operations on the social media platforms. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media platforms. For more detailed information, please refer to the terms of use and privacy policies of the relevant social media platforms.

Legal basis

Our presence on social media platforms serves to ensure the broadest possible visibility on the internet. This constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR. The analysis processes initiated by the social media platforms may be based on different legal grounds, which must be specified by the operators of those platforms (e.g. consent within the meaning of Article 6(1)(a) GDPR).

Joint responsibility and exercising your rights

If you visit one of our social media presences (e.g. On Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You may exercise your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media platform (e.g. Facebook). Please note that, despite our joint responsibility with the operators of social media platforms, we do not have full influence over the data processing procedures carried out by these platforms. Our options are largely determined by the corporate policies of the respective providers.

Storage duration

Any data collected directly by us through our social media presence will be deleted from our systems as soon as you request its deletion, revoke your consent to its storage, or the purpose for data storage no longer applies. Cookies stored on your device will remain there until you delete them. Mandatory statutory provisions - in particular, retention periods - remain unaffected. We have no control over the storage duration of your data that is processed and stored by the operators of social media platforms for their own purposes. For further details, please consult the operators of the social media platforms directly (e.g. in their privacy policy – see below).

Your rights

You have the right to obtain, at any time and free of charge, information regarding the origin, recipient, and purpose of your stored personal data. You also have the right to object, the right to data portability and the right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the correction, blocking, erasure and, under certain circumstances, the restriction of the processing of your personal data.

Social media platforms in detail

Facebook

We maintain a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter referred to as Meta). According to Meta the data collected is also transferred to the United States and other third countries.

We have entered into a joint processing agreement (Controller Addendum) with Meta. This agreement specifies which data processing operations we or Meta are responsible for when you visit our Facebook page. You can view this agreement at the following link:

https://www.facebook.com/legal/terms/page_controller_addendum.

You can customise your advertising preferences directly within your user account. To do so, please click the following link and log in:

https://www.facebook.com/settings?tab=ads.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission.

Further details can be found here:

https://www.facebook.com/legal/EU_data_transfer_addendum and

https://de-de.facebook.com/help/566994660333381.

Further details can be found in Facebook's privacy policy:

https://www.facebook.com/about/privacy/.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States designed to ensure that data processing in the United States complies with European data protection standards. Any company certified under the DPF commits to adhering to these data protection standards. Further information on this can be obtained from the provider at the following link:

https://www.dataprivacyframework.gov/participant/4452

Instagram

We maintain a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited,

Merrion Road, Dublin 4, D04 X2K5, Ireland.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission.

Further details can be found here:

https://www.facebook.com/legal/EU_data_transfer_addendum and

https://de-de.facebook.com/help/566994660333381.

Details on how your personal data is handled can be found in Instagram’s privacy policy:

https://privacycenter.instagram.com/policy/.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States designed to ensure that data processing in the United States complies with European data protection standards. Any company certified under the DPF commits to adhering to these data protection standards. Further information on this can be obtained from the provider at the following link:

https://www.dataprivacyframework.gov/participant/4452

LinkedIn

We maintain a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton

Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you wish to deactivate LinkedIn advertising cookies, please use the following link:

https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission.

Further details can be found here:

https://www.linkedin.com/legal/l/dpa und

https://www.linkedin.com/legal/l/eu-sccs.

Details on how your personal data is handled can be found in LinkedIn’s privacy policy:

https://www.linkedin.com/legal/privacy-policy.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States designed to ensure that data processing in the United States complies with European data protection standards. Any company certified under the DPF commits to adhering to these data protection standards. Further information on this can be obtained from the provider at the following link:

https://www.dataprivacyframework.gov/participant/5448

YouTube

We maintain a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how your personal data is handled can be found in YouTube's privacy policy:

https://policies.google.com/privacy?hl=de.

The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States designed to ensure that data processing in the United States complies with European data protection standards. Any company certified under the DPF commits to adhering to these data protection standards. Further information on this can be obtained from the provider at the following link:

https://www.dataprivacyframework.gov/participant/5780

TikTok

We maintain a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Details on how your personal data is handled can be found in

TikTok's privacy policy:

https://www.tiktok.com/legal/privacy-policy?lang=de.

Data transfer to non-secure third countries is carried out on the basis of the European Commission’s Standard Contractual Clauses. Further details can be found here:

https://www.tiktok.com/legal/privacy-policy?lang=de.

Type and purpose of processing. We offer you the opportunity to participate in competitions in various contexts. This may take place, for example, on our social media platforms (section 2.2) or as part of our newsletter (section 1.2).

The data you provide when participating in a competition will be collected, processed, and used by us for the purpose of organising the competition, in accordance with the applicable terms and conditions. Among other things, we use your data to contact the winners and to dispatch the prizes. For this purpose, we may also pass your data on to service providers commissioned to send the prizes. If we organise the competition in cooperation with a prize sponsor or another partner, it may also be necessary to pass on your data to the cooperation partner in order to process the competition and distribute the prizes.

Legal basis. The data is collected and processed for the purpose of organising the competition (legal basis: Article 6(1)(b) GDPR).

Type and purpose of processing. We provide an electronic whistleblowing portal under the name Whistleblower Naturland Zeichen GmbH. We use the information you provide via the whistleblower portal for purposes such as reviewing and documenting the reports, for internal investigations (including disclosure to external lawyers, auditors or other professionals bound by professional confidentiality as well as to affected Group companies) and, where necessary, for disclosure to public authorities (such as the police, public prosecutors, or courts). We assure all whistleblowers that their reports will be treated confidentially. Further information on the processing of whistleblower reports can be found here: Whistleblower Naturland Zeichen GmbH

Legal basis. The processing is carried out to fulfil legal obligations (legal basis: Article 6(1)(c) GDPR) where the detection and prosecution of legal violations is required. Where the objective is to identify and address violations of internal company policies or breaches of contractual obligations, processing is based on our legitimate interest in preventing conduct that does not align with our ethical standards and in enforcing legal claims (legal basis: Article 6(1)(f) GDPR).

Use of Hintcatcher. Our whistleblower portal is operated using the Hintcatcher software from product kitchen GmbH (https://www.hintcatcher.com/en/imprint/). We have entered into a data processing agreement with the provider, which ensures that any personal data is processed solely on our behalf and in accordance with our instructions.

On the platform mein-naturland.de, we offer a range of services for producers and processors of agricultural products certified by Naturland - Verband für ökologischen Landbau e.V. A separate privacy policy applies to this platform. You can access it here: Mein-Naturland Privacy Notice

Enquiries. You have the option of sending us enquiries and information via the website or otherwise. We will process the information provided in this context for the purpose for which it was transmitted. We store and process information relevant to your enquiry in order to initiate or fulfil the respective contractual relationship with you (legal basis: Article 6(1)(b) GDPR), and also to safeguard our legitimate interest in documenting contractual arrangements and correspondence for the establishment, exercise or defence of legal claims (legal basis: Article 6(1)(f) GDPR), as well as to comply with statutory documentation and retention obligations (legal basis: Article 6(1)(c) GDPR). We process additional information provided voluntarily within the scope of your consent (legal basis: Article 6(1)(a) GDPR). If a business relationship is initiated or established as a result, all information is stored in a customer account in our customer database.

Business relationships. If you express an interest in doing business with us, enter into transactions, or if a contractual relationship is otherwise initiated or established, we store the information collected in this context in a customer account in our customer database.

The customer account contains your master data (name, address, account, etc.). All processes and documents related to the customer relationship (e.g. correspondence, orders, contracts, complaints, etc.) are linked to this customer account.

We store and process the aforementioned information partly to fulfil the contractual relationship with you in relation to the services you use (legal basis: Article 6(1)(b) GDPR), and partly to safeguard our legitimate interests. These include improving our services in line with your individual needs and interests, furthering the achievement of our corporate objectives, offering you additional services that may be relevant to you, and documenting contractual agreements and correspondence for the establishment, exercise, or defence of legal claims (legal basis: Article 6(1)(f) GDPR), as well as complying with statutory documentation and retention obligations (legal basis: Article 6(1)(c) GDPR).

The data may also be used to carry out screenings and comparisons for transparency purposes to prevent corruption, money laundering, terrorist financing, for export control and to carry out other legal compliance checks, including those required under our internal policies. This is done, on the one hand, to meet legal obligations (legal basis: Article 6(1)(c) GDPR), and, where our internal policies go beyond legal requirements, to protect our legitimate interest in avoiding business relationships that do not align with our ethical standards (legal basis: Article 6(1)(f) GDPR).

We retain customer data for the duration of the customer relationship. After this period, the data will be retained for as long as necessary to maintain the customer account and to enable the allocation of documents or data of the following types. Otherwise, they will be deleted after one year.

In accordance with statutory retention periods for commercial correspondence and tax documents, we retain correspondence for seven years, and accounting records and invoices for eleven years. We retain contract-related data and documents for eleven years following the end of the contractual relationship, in line with the statutory limitation periods for legal claims and mandatory retention obligations for accounting records.

Our Data Protection Officer has access to your personal data to the extent necessary to fulfil his legal obligations. The Data Protection Officer is subject to a statutory duty of confidentiality.

Our website and our databases may be hosted, operated, maintained, or further developed by external processors or other service providers, who may have access to your data in the course of providing such services.

We also engage third-party service providers for the archiving and destruction of files and data. These providers may likewise have access to your data.

Where we store and process data for the processing of contractual relationships, we may share such data with agents or subcontractors involved in contract performance (e.g. logistics providers).

If we use data to contact you, we may use additional processors or other contractors (such as mailing houses) to manage this correspondence, who may also have access to your data.

We work with external consultants such as management consultants, lawyers, and tax advisors, who may access your personal data in the course of providing their services.

With processors of the aforementioned type, we have concluded (or will conclude in the case of future engagements) data processing agreements to ensure that personal data is processed solely on our behalf and in accordance with our instructions. With service providers or consultants who do not act as processors, we have concluded (or will conclude) confidentiality agreements where no statutory obligation of confidentiality already exists, to ensure the secure handling of your data.

We will transfer your personal data to competent law enforcement, regulatory or other authorities or institutions where we are legally required to do so (legal basis: Article 6(1)(c) GDPR), or where we have a legitimate interest in preventing enforcement actions by such authorities or institutions within the scope of their legal responsibilities (legal basis: Article 6(1)(f) GDPR). Such legally required or necessary transfers are not the subject of this privacy policy.

We fully uphold your rights as a data subject. You may contact us in any form to exercise your rights, including the right to withdraw any consent you may have given. You are also welcome to contact our Data Protection Officer directly. In order to exercise your rights, it may be necessary for you to identify yourself to us as the data subject.

Below, we briefly explain your rights:

You may withdraw your consent at any time. Such withdrawal shall not affect the lawfulness of any processing carried out on the basis of your consent before its withdrawal. Processing based on other legal grounds remains unaffected by the withdrawal of consent. In this respect, however, you can also exercise the aforementioned statutory rights (e.g. the right to object).

In particular, you may withdraw any consent given for the use of your email address or telephone number for direct marketing purposes at any time. You may also object to the continued use of your email address or telephone number for such purposes at any time, without incurring any costs other than the basic transmission charges of your provider.

You can also withdraw any consent given via our cookie consent tool for cookies or analytics tools by adjusting your preferences within the tool. Alternatively, you can configure your browser to block the transmission of cookies or to automatically delete stored cookies, e.g. when closing the browser. If cookies are disabled for our website, it may no longer be possible to use all functions of the website to their full extent.

We will not make any decision that produces legal effects concerning you or similarly significantly affects you solely on the basis of automated decision-making.

We would like to inform you that, under the applicable data protection laws, you have the right to obtain information about all personal data processed about you, to request the correction of incorrect personal data and the completion of incomplete personal data, and to request the erasure or restriction of the processing of your personal data under the legal requirements (Articles 15 to 18 GDPR). You also have the right (Article 21 GDPR) to object at any time to certain types of processing on grounds relating to your particular situation. In addition, where the legal requirements are met, you have the right (Article 20 GDPR) to receive your personal data in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller where technically feasible.

You have the right to lodge a complaint with a supervisory authority. The data protection supervisory authority generally responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision).

Street address

Promenade 18

91522 Ansbach

Germany

Postal address

P.O. Box 1349

91504 Ansbach

Germany

Accessibility

Phone: +49 (0) 981 180093-0

Fax: +49 (0) 981 180093-800

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

The controller within the meaning of the GDPR is:

Naturland Zeichen GmbH

Kleinhaderner Weg 6

DE-82166 Gräfelfing

Phone: +49 (0)89 898082-700

This email address is being protected from spambots. You need JavaScript enabled to view it.

If you have any questions regarding data protection, please do not hesitate to contact our Data Protection Officer:

This email address is being protected from spambots. You need JavaScript enabled to view it.

We will process your enquiry without delay and inform you of any measures we have taken in response.

We reserve the right to amend this privacy policy at any time. New versions will be published here.