The data controller responsible for processing your personal data on this websites is Barry Callebaut AG, headquartered at Hardturmstrasse 181, 8005 Zurich, Switzerland. Barry Callebaut AG (together with its affiliates) determines the purposes and means of processing your personal data collected via this site. 

If you have any questions or requests regarding your personal data, you can contact us at the above address or through our websites’s contact page. We have appointed a Data Protection Officer (DPO) to oversee our data protection compliance. You may reach our DPO by emailing [email protected] or by writing to the postal address above (Attn: Data Protection Officer).

We collect several types of personal data through our websites, including:

• Contact information: For example, your name, email address, telephone number, job title, company name, and country/region. These details are typically collected when you fill out forms on our site (such as a “Contact Us” or download form).
• Preferences and interests: Information you share about your product preferences, areas of interest, or communication preferences. For instance, you might let us know what products or solutions you are interested in, or whether you want to subscribe to our newsletters.
• Business details: If you provide information related to your company or role (such as industry, company size, or purchasing needs) as part of an inquiry or lead form, we will collect that data to better qualify and understand your needs.
• Website usage data: When you visit our site, we automatically collect certain data about your device and how you use the websites. This includes technical information like your Internet Protocol (IP) address, browser type and language, device identifiers, and the dates/times of access, as well as behavioral information such as the pages you view, links you click, and the path you take through our site . This usage data may be collected via cookies and similar tracking technologies (described in the Cookies section below).
• Communications: If you correspond with us (for example, via email or chat from the websites), we may keep records of that correspondence, which could include personal contact details and the content of your communications.

We do not intentionally collect sensitive personal data (such as information about health, race, religion, or political opinions) through the marketing sections of our websites. We ask that you refrain from providing such sensitive information in any website forms. All personal data that you do choose to provide to us or that we collect about your website's activity will be handled in accordance with this Policy.

Our processing of personal data for the above purposes is justified under applicable data protection laws. Depending on the context, one or more of the following legal bases (as defined in GDPR and similar laws) will apply:

Legitimate interests: In many cases, we process your data because it is in our legitimate interests to do so as a commercial business.

These legitimate interests include responding to your inquiries, promoting and developing our products, and improving our websites and services. For example, if you drop your business card at a trade show or fill out a contact form, we have a legitimate interest in following up with you about our products. We only rely on this basis after considering your rights and ensuring that our data use is proportionate and would not be unexpected or intrusive. Direct marketing to our business contacts may be considered a legitimate interest (Recital 47 GDPR notes that processing personal data for direct marketing purposes may be regarded as carried out for a legitimate interest). You always have the right to object to marketing (see 09. What are your rights as a Data subject?), and we will honor any opt-out requests.

Consent: We rely on your consent in situations where consent is required or the most appropriate basis. For instance, if you are a new subscriber to our newsletter or if local law requires opt-in for email marketing, we will only send you promotional emails if you have given explicit consent (e.g., by ticking a sign-up box). Similarly, our use of non-essential cookies or similar tracking technologies is based on your consent, where required. You have the right to withdraw your consent at any time (with effect for the future), which will stop the relevant processing (see 11. Cookies and Tracking Technologies and 09. What are your rights as a Data subject? sections for how to adjust your preferences).

Contractual necessity: When you request something from us that requires processing of personal data as part of a contract or pre-contractual step, we process your data on the basis that it is necessary to fulfill that request or contract. For example, if you ask for a product sample, register for a webinar, or become a customer of Barry Callebaut, we will need to use your contact details and any relevant information to perform our agreement with you (providing the sample, the webinar access, or the products/services you purchased). If you refuse to provide necessary data in these cases, we may not be able to fulfill your request or enter into the contract with you.

Legal obligation: In some situations, we may need to process or retain your data to comply with a legal obligation. For example, if you become a customer, we may need to keep certain records for accounting and tax law purposes, or to comply with export regulations. We typically will cite this basis when a law requires us to collect or keep information (e.g., record-keeping for transactions, honoring opt-out lists to comply with anti-spam laws, etc.). While this is not a primary basis for our marketing activities, we mention it for completeness.

We always ensure that we have a valid legal basis to process your personal data. If multiple bases apply, we may rely on different ones for different aspects of the processing. If you have questions about the specific legal basis for a particular processing activity, feel free to contact us for more information.

Barry Callebaut does not sell your personal information. However, we do share personal data with certain third parties and transfer data to other jurisdictions in the course of our business. We take care to do this in a secure manner and in compliance with data protection laws. Below we explain who may receive your data and how we protect your data when it travels globally.

1. With whom do we share your data?

- Within the Barry Callebaut Group: We may share your personal data with other companies in the Barry Callebaut corporate group (such as our affiliates, subsidiaries, and parent company) if necessary for the purposes described in this Policy . For example, if you are located in a different country, your inquiry may be forwarded to the Barry Callebaut sales team or distributor in your region to better serve you. All our group companies are required to handle your data in accordance with this Privacy Policy and our internal data protection standards.

- Service Providers (Processors): We use trusted third-party service providers to support our websites and marketing operations. These include services like websites hosting, customer relationship management (CRM) platforms, email marketing tools, analytics providers, and event management services. When these providers process personal data on our behalf (and not for their own purposes), they act as “data processors” under the law. We only share the data that is necessary for them to perform their services, and we ensure there is a contract in place that obligates them to protect your data. For example, if we use an email broadcasting service to send out newsletters, that provider will have access to your email address for the purpose of sending our emails, but they are not allowed to use your information for anything else. They must also keep it confidential and secure.

- Business partners and distributors: In some cases, we might share your information with our official distributors, agents, or business partners. For instance, if you inquire about a product that we sell through a local distributor in your country, we may pass along your details to that distributor so they can contact you to fulfill your request. Similarly, if we co-sponsor an event or initiative with another organization (such as a chocolate industry conference), and you sign up, we might share attendee information with the co-organizer for logistical and networking purposes. We will only do this with partners that are bound to use your data solely for the intended purpose and to treat it with confidentiality .

- Legal and safety disclosures: We may disclose personal data to third parties if we believe in good faith that such disclosure is necessary to (a) comply with a legal obligation or request (for example, a court order, subpoena, or government inquiry), (b) enforce our websites terms of use or other agreements, or (c) protect the rights, property, or safety of Barry Callebaut, our employees, our users, or others. This could include sharing information with law enforcement or regulators, or with external advisors (like attorneys or auditors) as required. We will ensure any request is valid and only provide the minimum data necessary.

- Corporate transactions: Although not common, if Barry Callebaut undergoes a business transaction such as a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the acquiring or merging entity as part of the transaction. If this happens, we will ensure your data remains protected by this Privacy Policy (unless, and until, it is superseded by a new privacy policy following the transaction, at which point you would be informed of the changes).

A list of our providers and third parties can be requested by sending an email to [email protected] 

2. Do we transfer your data internationally?

Barry Callebaut is a global company headquartered in Switzerland and operating in many countries. As a result, the personal data we collect may be transferred and stored across international borders. For example, data collected from the EU or UK may be transferred to our servers or offices in Switzerland or other countries, and vice versa. When transferring personal data internationally, we take extra precautions to ensure that your data remains protected to the standard required by the GDPR and relevant laws, regardless of where it is processed.

• Adequacy decisions: We will, where possible, transfer personal data only to countries that have been officially deemed to have an “adequate” level of data protection by the European Commission or other relevant authorities. An adequacy decision means the country’s laws are considered essentially equivalent to EU data protection standards, so data can flow freely. For instance, the EU has recognized countries like Switzerland, Canada (commercial organizations), Japan, and others as providing adequate protection. If your data is transferred to one of these jurisdictions, it enjoys a level of protection deemed comparable to EU law.
• Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (for example, a transfer from the EU to the United States or to an Asian country that hasn’t been declared adequate), we put in place European Commission-approved Standard Contractual Clauses as part of our contract with the data importer . SCCs are legal clauses that bind the recipient of the data to protect it according to EU privacy standards, even in a country that lacks such laws. They provide a mechanism to safeguard personal data internationally. Practically, this means if your data is handled by, say, a U.S.-based service provider, we will have an agreement in place with them with these clauses obligating them to protect your data.
• Binding Corporate Rules (BCRs): In cases of transfers within the Barry Callebaut group, we either use SCCs or, if available in the future, Binding Corporate Rules. BCRs are internal policies adhered to by all members of a corporate group which have been approved by EU data protection authorities, allowing intra-group transfers of personal data at a high protection level. As of now, Barry Callebaut ensures intra-group data transfers are protected via agreements; we will update this Policy if we implement BCRs or similar group-wide measures officially.
• Other safeguards: In specific cases, we may rely on additional safeguards or derogations permitted by law. For example, if you explicitly consent to an international transfer after being informed of possible risks, or if a transfer is necessary for the performance of a contract with you (such as booking a training session in another country at your request), we will ensure any such transfer is lawful. These cases are limited and we will always prioritize structured mechanisms like SCCs or adequacy when possible.

No matter where your personal data is processed, we enforce privacy protections as described in this Policy. All third parties handling personal data on our behalf must adhere to comparable privacy and security standards, either through contract or through certifications/frameworks (such as Privacy Shield’s successors or other government-approved frameworks, where applicable). We also continuously monitor the legal landscape for international transfers (for example, evolving requirements post-Schrems II decision) and will adjust our practices to remain compliant. If you have questions about a specific transfer or the safeguards in place, you can contact our DPO for more information.

3. How do we ensure the security and confidentiality of your personal information?

We take the security of your personal data very seriously. Barry Callebaut has implemented a variety of technical and organizational measures to prevent unauthorized access, loss, misuse, or alteration of your data. These measures are continuously reviewed and updated to match industry best practices and emerging threats. Key security practices include:

• Encryption: We use encryption technology to protect personal data. For example, our websites are secured with SSL/TLS encryption (you’ll notice the padlock in your browser address bar when visiting our site), which protects data during transmission by scrambling it so that it cannot be read by eavesdroppers . Sensitive information is also encrypted at rest in our databases or systems whenever feasible, adding an extra layer of protection in case of any unauthorized access.
• Access control and confidentiality: We restrict access to personal data strictly on a need-to-know basis . This means only authorized Barry Callebaut personnel (or authorized personnel of our processors) who require your information to perform their job (for example, responding to an inquiry or sending a newsletter) are able to access it. We have defined user roles and permissions in our systems (role-based access control) to ensure that people only see the data necessary for their duties. All employees receive training on data protection and are bound by confidentiality obligations, so they understand the importance of safeguarding personal data.
• Security procedures and policies: We maintain comprehensive security policies governing how personal data must be handled and protected. This covers everything from using strong passwords and multi-factor authentication, to secure configurations of our IT infrastructure, to rules about using and sharing data. We regularly review these policies and update them as needed. We also have incident response plans in place so that if a security issue or breach were to occur, we can react swiftly to contain and remediate it.
• Network and system security: Our IT environment employs modern security tools such as firewalls, intrusion detection/prevention systems, anti-virus/anti-malware software, and monitoring systems to guard against external attacks . We keep our software and systems up-to-date with security patches (patch management) to reduce vulnerabilities. Our data centers and cloud services utilize robust security measures and are often certified to standards like ISO 27001 or SOC 2 (which are frameworks for information security management), ensuring a high level of data protection.
• Audits and assessments: We conduct regular audits, tests, and assessments of our security measures and compliance procedures. This can include internal audits, external security assessments, and penetration testing of our websites. We also review our vendors’ security practices (through questionnaires or compliance certifications) to ensure they meet our standards. Compliance with data protection and security requirements is monitored on an ongoing basis, and we actively address any areas for improvement that are identified.
• Data minimization and pseudonymization: Wherever possible, we follow the principle of data minimization — collecting and retaining only the personal data that is relevant and necessary for the stated purposes. In some cases, we may pseudonymize data (replace identifying fields with artificial identifiers) or anonymize it if full details are not needed, especially when using data for analytics. This reduces the risk to your privacy in the event of any issue.
• Physical security: In our offices and data centers, we also employ physical security controls. Personal data on paper (if any) is stored securely, and our facilities have access controls (like keycards or biometric access, surveillance cameras, etc.) to prevent unauthorized entry.

While we strive to protect your information, no system can be 100% secure. However, we have invested in and continue to upgrade our protections to keep pace with security best practices. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the appropriate authorities as required by law. We also encourage you to play a part in security: for example, if you create an account on our websites, choose a strong password and keep it confidential. If you suspect any unauthorized access or have questions about our data security, please contact us immediately.

You can exercise any of your rights by contacting us through the contact information provided in this Policy. The easiest way is to email our Data Protection Officer at [email protected] with your request, or you may use the contact form on our websites (and mention it is a privacy request). To ensure we are dealing with the correct person, we may need to verify your identity before fulfilling your request (this is to protect your privacy by making sure someone else isn’t impersonating you). 

Verification might involve answering a few questions or providing a form of identification. We will respond to your request as soon as possible and at the latest within the timeframes set by law (under GDPR, typically within one month). If for some reason we cannot fulfill your request (for example, if an exemption applies or we need to retain data for legal reasons), we will explain the reason to you.

Exercising your rights is free of charge. However, if a request is manifestly unfounded or excessive (for instance, repetitive requests without good reason), we may either charge a reasonable fee or refuse to act on it – but we will provide you with an explanation in such cases. We want to assure you that your rights are important to us, and we have processes in place to make sure we handle requests properly. If you have any questions about your rights or how to exercise them, please do not hesitate to contact us for assistance.

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, to keep up with new legal requirements, or for other operational reasons. Barry Callebaut reserves the right to amend this Policy at any time, and any changes will be effective when we post the revised Policy on our websites . If we make significant changes, we will provide a prominent notice on our websites or notify you via email or other means, where appropriate, so that you are aware of the updates. However, we encourage you to review this Policy periodically to stay informed about how we are protecting your information. The “last updated” date at the end of this Policy will indicate when the latest changes were made.

Your continued use of our websites after any modifications to the Privacy Policy have been posted will signify your acceptance of those changes, to the extent permitted by law. If you do not agree with any aspect of an updated Policy, you have the right to stop using the websites or object as permitted by law, and of course, you may also exercise any of your data subject rights (as described above). We will not reduce your rights under this Privacy Policy without your explicit consent. Any changes we make will comply with applicable privacy laws.

For historical reference or your convenience, we may keep prior versions of this Policy accessible (or you can request them from us) so you can see how the Policy has evolved. If you have any questions or concerns about the Privacy Policy changes, please contact us via the contact information provided in the relevant sections above.

Previous Privacy policy can be found here:

• Privacy Policy of Barry Callebaut effective from September 23, 2024 until May 26, 2025
• Privacy Policy of Barry Callebaut effective from January 15, 2019 until September 23, 2024