Privacy statement

Your cookies settings

Change cookies settings

(in fulfilment of the information obligations under Art. 13 General Data Protection Regulation – (GDPR))

Your personal data receive special protection in our hands, which is why it is particularly important that we comply in full with data protection regulations. The General Data Protection Regulation became effective on 25 May 2018. The introduction of the GDPR, and specifically Art. 13, has seen the obligation of the controller to inform the data subject precisely when personal data are collected.

As the operator of this website and the controller within the meaning of the GDPR, and in compliance with our legal obligations, we want to inform you as follows of the personal data that we process when you visit our website as a data subjectwithin the meaning of the GDPR.

Information according to Art. 13 GDPR

In fulfilment of our obligation under Art. 13 GDPR, we are providing you with the following information:

1. Identity and contact details of the controller and, where applicable, of the controller’s representative

Morello Food GmbH – Mr Davide Morello and Mr Ignazio Morello – Waldmatten 8a,79224 Umkirch, Germany,
Tel.: +49 (0) 7665 – 972921, Fax: +49 (0) 7665 – 972922, Email: info@morello-food.com

2. The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing:

a) We process the following personal data:

During order placement:

  • Contact and billing information of companies and employees, such as, if applicable, the company Commercial Register number (Section A) and the relevant district court, branches, surnames and first names of employees, business contact details (address, email address(es), telephone/fax number, address, extension), Value Added Tax Identification Number (VAT ID),
  • Payment information, such as information required to process payment transactions or fraud prevention, including credit card information and card verification values (CVVs); account details – Article 6 (1) point (b) GDPR,
  • Data on exchanged services, periods of performance, invoice dates, invoice amounts, invoice numbers, information on VAT input tax deductions – Article 6 (1) point (b) GDPR,
  • If necessary, further information obtained in the context of the contractual relationship, such as areas of activity, opening hours (on site, by phone) – Article 6 (1) point (b) GDPR,

When you visit our website, the following data is automatically processed:

  • Cookies: Our website uses cookies, i.e. text files that are stored on your computer. In principle, a cookie is nothing more than a small text file with information that enables a web server to recognise a user and save settings. The possible uses range from purchase lists in online shops to personalised websites. Cookies are data that are saved on your computer by a website that you visit. In some browsers, each cookiehas its own folder, e.g. Firefox, however, all cookies are stored in a single folder that is stored under the user profile.The purpose of cookies is therefore to facilitate or ensure the practical usability of a website. Cookies are used, for example, so that when shopping online, you can add to your shopping cart without having to identify yourself as the same customer on every subpage of a retailer’s website. The same applies to online banking: In this case, the user is also ‘recognised’ with the help of cookies. Cookies can also save the font size or language in which a website should appear. Persistent cookies recognise that your PC has already accessed a specific website, session cookies save recently viewed offers. Third parties, in particular, our partner companies, are not permitted to use cookies to obtain, process or use personal data via our website. Session cookies are deleted after the browser is closed.There are no disadvantages to using cookies of the type that we have chosen. You can set the cookies to be accepted or blocked through a setting in your browser.

b) We collect, process and use your personal data for the following purposes:

  • Establishment and implementation of contractual relationships,
  • Customer service and support, communication,
  • Compliance with legal requirements (e.g. tax and commercial retention requirements).

c) Personal data may be processed on the following legal bases:

  • Art. 6 (1) point (a) GDPR serves as the legal basis for processing operations whereby we obtain your consent for a specific processing purpose.
  • Art. 6 (1) point (b) GDPR, insofar as the processing of personal data is necessary for the performance of a contract, e.g. when making an order or reservation. The same applies to processing that is necessary prior to entering into a contract, such as inquiries about our products or services.
  • Art. 6 (1) point (c) GDPR, insofar as the processing of personal data is necessary for compliance with a legal obligation, such as for the fulfilment of tax obligations.
  • Art. 6 (1) point (d) GDPR in the event that processing is necessary in order to protect the vital interests of the data subject or another natural person.
  • Art. 6 (1) point (f) GDPR applies on the basis of legitimate interests, e.g. when using service providers in the context of order processing, or when carrying out statistical surveys and analyses or when using cookies. Our interest is to be able to offer you a user-friendly and secure website and to work continuously to achieve this.

4. Recipients or categories of recipients of the personal data

We only transfer personal data to third parties if this is necessary as part of the processing of contracts or to enforce our legitimate interests. Furthermore, your data will be passed on to third parties or government agencies within the framework of data protection regulations if there is a legal, official or judicial obligation to do so. There is no further transmission of the data, other than in the case where you have expressly consented to the transmission.

Recipients of personal data may also be:

  • employees of the controller or his/her authorised representative,
  • employees of companies that process data on behalf of the controller,
  • revenue authorities,
  • courts, bailiffs and lawyers, where outstanding claims are not paid despite multiple reminders.

5. Transfer of personal data to a third country

There is no transfer to a third country

6. Duration of storage of personal data or, if not available, criteria for determining the duration

In general, personal data is erased at the latest 10 years after the purpose of the data processing no longer applies.

Here, the commercial and tax law retention requirements of up to 10 years, or the interest in securing evidence, a timeframe which corresponds to the statutory limitation period (usually 3 years which period is triggered by the necessary awareness or 10 years in absolute terms in accordance with Section 195 et seqq. BGB (Bürgerliches Gesetzbuch, German Civil Code)) are to be noted. In exceptional cases, e.g. according to Section 197,199 BGB, a longer statutory limitation period of 30 years is also possible.

7. Whether the provision of personal data is required by law or contract or is required for the conclusion of a contract, whether the data subject is obliged to provide their personal data and any possible consequences non-provision would incur

The data collected is necessary for the conclusion and implementation of the contractual relationship. Failure to provide this means that such a contractual relationship could not be established or implemented.

8. The existence of automated individual decision-making including profiling in accordance with Art. 22 (1,4) GDPR as well as statements about which logic was used and the scope and intended effects of such processing for the data subject.

There is no automated decision making.

9. As the data subject, you also have the following rights vis-à-vis the controller with regard to your personal data:

a) Right of access by the data subject according to Art. 15 GDPR,
b) Right to rectification according to Art. 16 GDPR,
c) Right to erasure (‘right to be forgotten’) according to Art. 17 GDPR,
d) Right to restriction of processing according to Art. 18 GDPR,
e) Right to data portability according to Art. 20 GDPR
f) Right to object according to Art. 21 GDPR
g) Right to withdraw his or her consent given at any time with future effect if the processing is based on Art. 6 (1) point (a) or Art. 9 (2) point (a) GDPR. This shall not affect the lawfulness of processing based on consent before its withdrawal.

To assert the aforementioned rights, please contact the controller using the contact details provided.

h) Right to lodge a complaint with a regulatory authority in accordance with Art. 13 (2) point (d) GDPR. If you have a complaint, you may contact the responsible federal commissioner for data protection and freedom of information in Baden-Württemberg at any time.

Art. 4 GDPR Definitions

For the purposes of this regulation, the terms are defined as follows:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting processing in the future;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. 1‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
16. ‘main establishment’

1. as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
2. as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
18. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
19. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
20. ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
21. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

1. the controller or processor is established on the territory of the Member State of that supervisory authority;
2. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
3. a complaint has been lodged with that supervisory authority;

23. ‘cross-border processing’ means either:

1. processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
2. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
25. ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (¹);
26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.