Privacy Notice
We are pleased that you are visiting our website. Protecting and securing your personal information when using our website is very important to us. Therefore, we would like to inform you here about which of your personal data we collect when you visit our website and for what purposes it is used. This privacy notice applies to the online services of ACT Nuts and Natural Foods GmbH, which are accessible under the domain and various subdomains (“our website”).
Controller
Responsible for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR):
ACT Nuts and Natural Foods GmbH
Hermannstr. 40
D-20095 Hamburg
Germany
+49 40 33 88 23
germany@act.de
Contact details of the Data Protection Officer
You can reach our Data Protection Officer at the following contact details:
bk systems Datenschutz GmbH
Rainer Cloos
Marie-Curie-Straße 1-3
24568 Kaltenkirchen
Email: datenschutz@act.de
General information on the legal bases of data processing
“Personal data” means all information relating to an identified or identifiable person. We process this data in accordance with applicable data protection laws, in particular the GDPR and the BDSG. We are only allowed to process personal data if there is a legal basis for doing so.
We process personal data only with your consent, to conclude a contract with you, to respond to your inquiries related to a potential business relationship, to fulfill legal obligations, or to protect our legitimate interests, provided that this does not override your interests or fundamental rights and freedoms that require the protection of personal data.
Retention period of personal data
We store your data only as long as necessary to achieve the purpose of processing or to fulfill our contractual or legal obligations unless otherwise specified in the following notices. Legal retention obligations may arise from commercial or tax regulations. After the end of the calendar year in which we collected the data, we will retain personal data contained in our accounting records for ten years and personal data contained in business correspondence and contracts for six years. Additionally, we will retain data related to consent that requires proof, as well as complaints and claims, for the duration of the statutory limitation periods. Data stored for marketing purposes will be deleted if you object to its processing for this purpose.
Recipients of personal data outside the organization
Article 4(9) of the GDPR defines “recipient” as “a natural or legal person, public authority, agency, or another body to whom personal data is disclosed, whether a third party or not.”
We only disclose your personal data processed on our website to third parties if this is necessary to fulfill the stated purposes and is covered by the legal basis (e.g., consent or legitimate interest). Additionally, we disclose personal data to third parties on a case-by-case basis when necessary for the assertion, exercise, or defense of legal claims. Possible recipients may include law enforcement authorities, lawyers, auditors, courts, etc.
If we use service providers for the operation of our website who process personal data on our behalf under Article 28 GDPR, these service providers may be recipients of your personal data. Further details about the use of data processors and web services can be found in the overview of individual processing activities.
General information on data transfers to third countries
As part of our data processing, certain personal data may be transferred to countries where the EU General Data Protection Regulation (EU GDPR) is not applicable law (so-called third countries). Such a transfer is only permitted if the European Commission has determined that the respective third country ensures an adequate level of data protection. If no such adequacy decision exists, personal data may only be transferred to a third country if appropriate safeguards under Article 46 GDPR exist or one of the conditions of Article 49 GDPR is met.
Unless otherwise stated below, we use the EU Standard Contractual Clauses as appropriate safeguards for the transfer of personal data to third countries. The data subject has the right to obtain a copy of these EU Standard Contractual Clauses or to review them. To do so, it is recommended to contact the contact details listed under “Controller.”
If the data subject explicitly consents to the transfer of personal data, the transfer will be based on Article 49(1)(a) GDPR.
Transfer of data to a third country or international organization
The transfer of personal data to an “international organization” (as defined in Article 4(26) GDPR) or to controllers, processors, or other recipients in a country outside the European Union (EU) and the European Economic Area (EEA) poses particular data protection risks for the data subject.
Adequacy decision by the EU Commission
The transfer of personal data to a country outside the European Union (EU) and the European Economic Area (EEA) or to an international organization is permitted if the European Commission has determined that the respective country, territory, or one or more specific sectors within that country or the respective international organization ensures an adequate level of protection.
Rights of the data subject
The General Data Protection Regulation (GDPR) grants each data subject certain rights regarding their personal data. As a data subject, you have the following rights:
Right of access: Pursuant to Article 15 GDPR, to obtain information about the personal data stored about you, including meaningful details on the processing and a copy of your data;
Right to rectification: Pursuant to Article 16 GDPR, to have incorrect or incomplete data stored by us corrected;
Right to erasure (“Right to be forgotten”): Pursuant to Article 17 GDPR, to have your data stored by us deleted, unless processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest, or to assert, exercise, or defend legal claims;
Right to restriction of processing: Pursuant to Article 18 GDPR, if the accuracy of the data is disputed, processing is unlawful, we no longer need the data, and you refuse its deletion because you need it for the assertion, exercise, or defense of legal claims, or you have objected to the processing under Article 21 GDPR.
Right to data portability: Pursuant to Article 20 GDPR, if you have provided us with personal data based on consent under Article 6(1)(a) GDPR or based on a contract under Article 6(1)(b) GDPR, and this data is processed by automated means. You will receive your data in a structured, commonly used, and machine-readable format or we will transmit the data directly to another controller, where technically feasible.
Right of Withdrawal Pursuant to Article 7 (3) GDPR, you have the right to revoke your consent at any time with effect for the future.
The data subject also has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates the GDPR.
The supervisory authority responsible for us is: The Hamburg Commissioner for Data Protection and Freedom of Information.
Processing When Exercising Your Rights
If you wish to exercise your rights under Articles 15 to 22 of the GDPR, we will process the personal data you provide in order to implement these rights and to provide proof thereof. We will process the data stored for providing information and preparation purposes exclusively for this purpose and for data protection control purposes and otherwise restrict processing in accordance with Article 18 of the GDPR.
These processing activities are based on the legal basis of Article 6 (1) (c) of the GDPR in conjunction with Articles 15 to 22 of the GDPR and Section 34 (2) of the BDSG.
Server Log Files
The provider of the website automatically collects and stores information in server log files that your browser automatically transmits. These data include information such as the browser type and version, the operating system used, the referrer URL, the hostname of the accessing computer, the time of the server request, and the IP address. This information is not merged with other data sources.
This data processing serves the purpose of technically error-free presentation and security of the website. The stored information is deleted after seven days unless there is a legitimate suspicion of unlawful use, which would require further examination. We are unable to identify you based on the stored information. Therefore, Articles 15 to 22 of the GDPR do not apply in accordance with Article 11 (2) GDPR unless you provide additional information that enables identification.
General Cookie Notice
Cookies are small text files that are sent to your browser by us during your visit to our website and stored there on your device. Alternatively, information can be stored in your browser’s local storage. Some functions of our website cannot be provided without the use of cookies or local storage (technically necessary cookies). Other cookies allow us to perform various analyses, enabling us to recognize your browser on a subsequent visit and transmit various information to us (non-essential cookies). With cookies, we can make our online offering more user-friendly and effective by understanding how you use our website and identifying your preferred settings (e.g., country and language settings). If third parties process information through cookies, they collect this information directly via your browser. Cookies do not damage your device, execute programs, or contain viruses.
We provide information about the respective services for which we use cookies in the individual processing operations. Detailed information on the cookies used can be found in the cookie settings or the consent manager of this website.
CookieYes
Type and Scope of Processing
We have integrated CookieYes on our website. CookieYes is a consent solution by CookieYes Limited, 3 Warren Yard, Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom, which enables obtaining and documenting consent for cookie storage. CookieYes uses cookies or other web technologies to recognize users and store the consent given or withdrawn.
Purpose and Legal Basis
The use of this service is based on obtaining the legally required consent for the use of cookies in accordance with Article 6 (1) (c) GDPR and Section 25 (2) No. 2 TDDDG.
Storage Duration
The specific storage duration of the processed data is beyond our control and is determined by CookieYes Ltd. Further information can be found in the CookieYes Privacy Policy: https://www.cookieyes.com/privacy-policy/.
Cloudflare Insights
Type and Scope of Processing
We have integrated Cloudflare Insights on our website. Cloudflare Insights is a service provided by Cloudflare, Inc., which develops cloud-based software that enables website and application owners to monitor the performance of their services.
Cloudflare Insights allows statistical evaluations of the technical performance of our services (e.g., the duration of a specific database query, the stability and availability of our servers, or the response time of our servers). To achieve this, application and browser data are collected and stored using cookies.
The data is transferred to the operator of Cloudflare Insights, Cloudflare, Inc.
Purpose and Legal Basis
The use of Cloudflare Insights is based on your consent pursuant to Article 6 (1) (a) GDPR and Section 25 (1) TDDDG.
Storage Duration The specific storage duration of the processed data is beyond our control and is determined by Cloudflare, Inc. Further information can be found in the Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/.
Google APIs
Type and Scope of Processing
We use Google APIs from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to access additional services and data from Google Ireland Limited. This involves the transmission of your IP address to Google Ireland Limited. Please note that a separate section of this Privacy Notice applies to each additional service we use from Google Ireland Limited.
Purpose and Legal Basis
The use of Google APIs is based on our legitimate interests, namely the optimization of our online offering, pursuant to Article 6 (1) (f) GDPR.
Storage Duration
The specific storage duration of the processed data is beyond our control and is determined by Google Ireland Limited. Further information can be found in the Google APIs Privacy Policy: https://policies.google.com/privacy.
Google Fonts
Type and Scope of Processing
We use Google Fonts from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as a service for providing fonts for our online offering. To retrieve these fonts, a connection is established with the servers of Google Ireland Limited, transmitting your IP address.
Purpose and Legal Basis
The use of Google Fonts is based on your consent pursuant to Article 6 (1) (a) GDPR and Section 25 (1) TDDDG.
We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. Data transfers to the USA are carried out under Article 45 (1) GDPR based on the adequacy decision of the European Commission. The participating US companies and/or their US subcontractors are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).
If there is no adequacy decision from the European Commission (including for US companies that are not certified under the EU-U.S. DPF), we have agreed with the recipients of the data on other appropriate safeguards in accordance with Articles 44 et seq. GDPR. These are—unless otherwise stated—the EU Commission’s Standard Contractual Clauses under Implementing Decision (EU) 2021/914 of June 4, 2021. You can view a copy of these Standard Contractual Clauses at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=DE.
Additionally, before any such third-country transfer, we obtain your consent under Article 49 (1) (a) GDPR, which you provide via the consent manager or other forms/registrations. We inform you that third-country transfers may involve unknown risks (e.g., data processing by security authorities in the third country, the scope of which we do not know, cannot influence, and of which you may not be aware).
Storage Duration
The specific storage duration of the processed data is beyond our control and is determined by Google Ireland Limited. Further information can be found in the Google Fonts Privacy Policy: https://policies.google.com/privacy.