Privacy Notice

as per may 2

  1. Name and adress of the controller
  2. The controller according to the GDPR and other national data protection laws of member countries as well as other data protection regulations is:
    HOSTA - Werk für Schokolade-Spezialitäten GmbH & Co. KG
    Greutstraße 9
    74597 Stimpfach-Randenweiler
    Germany
    +49 (0) 07967 / 153-0
    info@hosta-group.com
    www.hosta-group.de | www.hosta-group.com
  3. Name and address of the data protection officer
  4. The data protection officer is:

    DataCo GmbH
    Dr. Patrick Schweisthal
    Dachauer Straße 65
    80335 München
    Germany
    +49 89 740045840
    datenschutz@dataguard.de
    www.dataguard.de

  5. General information about data processing
  6. 1. Scope of data processing

    We process personal data of our users only if this is necessary for the provision of a functioning website and our contents and services. A user’s personal data are only processed with the user’s consent. An exception are cases, when a prior consent is not possible for factual reasons, and the processing of data is approved by legal regulations.

    2. Legal basis for data processing

    The data subject’s consent to the processing of personal data shall be subject to Art. 6 Para. 1 S. 1 lit. a EU General Data Protection Regulation (GDPR).

    Legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is party, shall be Art. 6 Para. 1 S. 1 lit. b GDPR. This shall also apply to necessary steps prior to entering in to a contract.

    If the processing of personal data is necessary for the compliance with a legal obligation to which our company is subject, Art. 6 Para. 1 S. 1 lit. c GDPR shall be the legal basis.

    Art. 6 Para. 1 S. 1 lit. d GDPR shall apply, if vital interests of the data subject or of another natural person require the processing of personal data.

    If data processing is necessary for the purposes of the legitimate interests pursued by our company or a third party, and if such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, Art. 6 Para. 1 S. 1 lit. f GDPR shall apply.

    3. Data erasure and maximum storage time

    The personal data of the data subject shall be erased or blocked, as soon as the purpose for the data storage ceases to apply. Data may be stored beyond that time, if required by European or national legislative authorities in union regulations, laws, or other provisions to which the data controller is subject. Data are also blocked or erased, if a period of data storage required by the standards mentioned has expired, unless further storage of data is necessary for the conclusion or performance of a contract.

  7. Rights of the data subject
  8. If your personal data are processed, you are a data subject acc. to the GDPR and you have the following rights:

    1. Right to information

    You shall have the right to obtain from the controller information as to whether personal data are processed.

    If such data are processed, you may request the controller to provide the following information:

    1. the purposes of the processing, the categories of personal data processed;
    2. the recipients or categories of recipient to whom the personal data have been or will be disclosed;
    3. the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
    4. the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject by the data controller or to object to such processing;
    5. the right to lodge a complaint with a supervisory authority;
    6. where the personal data are not collected from the data subject, any available information as to their source;
    7. the existence of automated decision-making, including profiling acc. to Art. 22 Para. 1 and 4 GDPR – and at least in those cases– meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

    The data subject shall have the right to be informed, if personal data are transferred to a third country or an international organisation. In this case, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR related to the transfer.

    This right to information may be restricted, if this right is likely to render impossible or seriously impair the realisation of reserach or statistical purposes, and if the restriction is necessary for achieving research and statistical purposes.

    2. Right of rectification

    The data subject shall have a right to rectification and/or completion of data, if the personal data processed are incorrect or incomplete. The controller has to correct the data without undue delay.

    The data subject’s right to rectification may be restricted, if this right is likely to render impossible or seriously impair the realisation of reserach or statistical purposes, and if the restriction is necessary for achieving research and statistical purposes.

    3. Right to restriction of processing

    The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

    • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    • or the data subject has objected to processing pursuant to Art. 21 Para. 1 GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

    Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

    If the restriction of processing was restricted according to the a.m. requirements, the data subject will be informed by the controller prior to the restriction’s cancellation.

    1.34. This right of restriction may be restricted, if it is likely to render impossible or seriously impair the realisation of reserach or statistical purposes, and if the restriction is necessary for achieving research and statistical purposes.

    4. Right to erasure

    a) Obligation to erasure

    The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
    2. The data subject withdraws consent on which the processing is based according to Art. 6 Para. 1 S. 1 lit. a or Art. 9 Para. 2 lit. a GDPR, and where there is no other legal ground for the processing.
    3. The data subject objects to the processing pursuant to Art. 21 Para. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 Para. 2 GDPR.
    4. The personal data have been unlawfully processed.
    5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
    6. The personal data have been collected in relation to the offer of information society services referred to Art. 8 Para. 1 GDPR.

    b) Information to a third party

    Where the controller has made the personal data public and is obliged pursuant to Art. 17 Para. 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

    c) Exceptions

    The right to erasure shall not apply to the extent that processing is necessary

    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interest in the area of public health in accordance with Art. 9 Para. 2 lit. h and i as well as Art. 9 Para. 3 GDPR;
    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 Para. 1 GDPR in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing
    5. or for the establishment, exercise or defence of legal claims.

    5. Notification obligation

    The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

    The controller shall inform the data subject about those recipients if the data subject requests it.

    6. Right to data portability

    The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided

    1. where the processing is based on consent pursuant to Art. 6 Para. 1 S. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 S. 1 lit. b GDPR
    2. and the processing is carried out by automated means.

    In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.

    The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

    7. Right to object

    The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 Para. 1 S. 1 lit. e or f GDPR, including profiling based on those provisions.

    The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

    Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

    Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

    In the context of the use of information society services, and notwithstanding Directive 2002/58/EG, the data subject may exercise his or her right to object by automated means using technical specifications.

    Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 Para. 1 GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary to the extent that the realisation of research or statistical purposes would be seriously impaired or rendered impossible, and the restriction is necessary for the achievement of research and statistical purposes.

    8. Right to withdrawal of consent

    The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

    9. Automated individual decision-making, including profiling

    The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply if the decision

    1. is necessary for entering into, or performance of, a contract between the data subject and the data controller,
    2. if it is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests
    3. or is based on the data subject’s explicit consent.

    These decisions, however, shall not be based on special categories of personal data referred to in Art. 9 Para. 1 GDPR, unless Art. 9 Para. 2 lit. a or g GDPR applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

    In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

    10. Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

    The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

  9. Provision of website and storage in log files
  10. 1. Description and scope of data processing

    When accessing our website our system automatically collects data and information of the accessing computer’s data processing system.

    The following data are collected:

    • Information about the browser type and its used version
    • The user's operating system
    • The user's internet service provider
    • The user’s IP address
    • Date and time of access
    • Websites from which the user’s system has accessed our website
    • Personal data of contact enquiries

    Data are also stored in the log files of our system. These data will not be stored together with other personal data of the user.

    2. Legal basis for data processing

    Legal basis for the temporary storage of data and log files is Art. 6 Para. 1 S. 1 lit. f GDPR.

    3. Purpose of data processing

    The temporary storage of the IP address by the system is necessary to deliver the website to the user’s computer. The user’s IP address must be stored for the period of access.

    Data are stored in log files to ensure the website’s functional capability. In addition to that the data help us to optimise our website and to ensure the security of our information technology systems. The evaluation of data for marketing purposes does not take place in this context.

    These purposes also serve our legitimate interests in data processing according to Art. 6 Para. 1 S. 1 lit. f GDPR.

    4. Maximum storage time

    Data are erased as soon as they are no longer necessary for achieving the purpose of their collection. Where data are collected for the provision of the website, these data are erased when the access is terminated.

    If data are stored in log files, data will be erased after seven days at the latest. Longer storage is possible. In this case the users’ IP addresses are deleted or distorted to prevent the assignment of the accessing client.

    5. Possibility to object and erase

    The collection of data for the provision of the website and the storage of data in log files is compulsory for the operation of a website. Therefore the user cannot object.

  11. Contact form and e-mail contact
  12. 1. Description and scope of data processing

    Our website provides a contact form which may be used for electronic contacts. If a user uses this form, the data entered into the entry mask will be transferred to us and stored.

    At the time of sending the message the following additional data will be stored:

    • E-mail address
    • Name
    • First name
    • Address
    • Phone / mobile phone number
    • Company, message

    For the processing of data your consent will be requested when the message is sent, and you will be referred to this privacy notice.

    As an alternative you may also contact us via the e-mail address provided. In this case the user’s personal data which are sent with the e-mail will be stored.

    Data are not transferred to a third party. The data are only used for processing the conversation.

    2. Legal basis for data processing

    Legal basis for data processing with the user’s consent shall be Art. 6 Para. 1 S. 1 lit. a GDPR.

    Legal basis for the processing of data which have been transferred by sending an e-mail, shall be Art. 6 Para. 1 S. 1 lit. f GDPR. If the e-mail contact is aimed at the conclusion of a contract, Art. 6 Para. 1 S. 1 lit. b GDPR shall apply, too.

    3. Purpose of data processing

    The processing of personal data from the entry mask is only required for processing your message. If we are contacted by e-mail, this includes the required legitimate interest in processing the data.

    The processing of other personal data resulting from sending an e-mail is used only by us to prevent any misuse of our contact form and to ensure the safety of our IT systems.

    4. Maximum storage time

    The data will be deleted as soon as they are no longer required for achieving the purpose of their collection. For personal data from the contact form’s entry mask und data which have been sent by e-mail, this is the case as soon as the conversation with the user is finished. The conversation is finished, when we can reasonably assume that the issue has been resolved.

    The additional data resulting from sending an e-mail will be erased after not more than seven days.

    5. Possibility to object and erase

    At any time the user may withdraw his or her consent to the processing of his or her personal data. If the user contacts us by e-mail, he or she may object to the storage of his or her personal data at any time. In this case the conversation cannot be continued.

    I have read the privacy statement. I consent to the electronic collection and storage of my information and data required for answering my enquiry. Note: You may withdraw your consent at any time for the future by e-mail to info@hosta-group.com.

    All personal data which have been stored when contacting us will be erased.

  13. Application e-mail contact
  14. 1. Scope of processing of personal data

    You may send us your application by e-mail. We collect your e-mail address and the data provided by you in your e-mail.

    After sending your application you will get an acknowledgement of receipt by e-mail.

    Your data will not be transferred to a third party. The data are used only for processing your application.

    2. Legal basis for data processing

    Data processing is subject to Art. 6 Para. 1 S.1 lit. a GDPR and §26 Federal Data Protection Act (BDSG).

    3. Purpose of data processing

    Personal data from your application e-mail will only be used for processing your application.

    4. Maximum storage time

    After the application procedure is finished data will be stored for up to 6 months. Your data will be erased at the end of 6 months. If required due to a legal obligation data are stored pursuant to applicable provisions.

    Additional personal data collected when sending an e-mail will be erased after a maximum of seven days.

    5. Possibility to object and erase

    The candidate may withdraw his or her consent to the processing of his or her personal data at any time. In this case his or her application cannot be considered any more.

    Any later change or erasure of data sent is only possible with another e-mail by the candidate.

    All personal data which have been stored in connection with eletronic applications will be erased in this case.

  15. Plugins used
  16. Use of YouTube-PlugIn

    1. Scope of processing of personal data

    On our website we use the Google plugin of YouTube, by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, UNITED STATES. When visiting our website your browser will start a connection with the servers of YouTube. Information about your visit to our website will be transferred to YouTube. The contents of the plugin is beyond our control. If you are logged into your YouTube account during your visit, YouTube can assign your visit to the website to your account. By interacting with this plugin this information will be transferred directly to YouTube and stored there. If you do not want this data transfer, you have to log out of your YouTube account before visiting our website.

    1. Legal basis for processing personal data

    Art. 6 Para. 1 S.1 lit. f GDPR shall apply for processing personal data of users.

    1. Purpose of data processing

    The provision of the YouTube plugin makes our site more user-friendly.

    1. Maximum storage time

    We have no information about the maximum storage time.

    1. Possibility to object and erase

    For more information about the purpose and scope of data collection by YouTube please look at: https://www.google.com/intl/en/policies/privacy/

This privacy notice has been created with the support of DataGuard.

Matomo (formerly Piwik)

Matomo (formerly Piwik). This website uses the open source web analytics application Matomo. Matomo uses so-called „cookies“. These are text files which are stored on your computer and enable us to analyse your visit to our website. The information provided by the cookie about the use of our website will be stored on our server. Before storage the IP address will be anonymised.

Matomo cookies remain on your end device until they are erased by you.

The storage of Matomo cookies and the use of this analytics tool is pursuant to Art. 6 Para. 1 lit. f GDPR. The website owner has a legitimate interest in the anonymised analysis of user behaviour in order to optimise their website and advertising.

The information created by the cookie about the website’s use will not be transferred to a third party. You can prevent the storage of cookies by changing your browser settings; we have to inform you, however, that in this case you may not be able to use all functions of this website to their full extent.

If you do not consent to the storage and use of your data, you may deactivate the storage and use here. In this case an opt-out-cookie is deposited on your browser which prevents Matomo from storing usage data. When you erase your cookies, the Matomo opt-out-cookie will be erased, too. The opt-out must be reactivated when you visit our website again.

Home