Data protection notice for the use of the website

(As at 1 February 2021)

This information provides you with an overview of how your personal data is processed when you visit the website www.rewe-group.com. We will tell you what data we collect from you and how we use it. Furthermore, we will explain your rights under applicable data protection law and tell you who you can contact if you have any questions.

1. Who is responsible for data processing?

REWE Zentralfinanz eG (REWE Group) is responsible for processing your personal data when you visit the rewe-group.com website. Contact details:

REWE Zentralfinanz eG
Domstraße 20
50668 Cologne
Tel.: 0221 149-0
E-mail: [email protected]

The REWE Group would also like to provide you with information about your rights in this connection. This privacy policy applies only to the website www.rewe-group.com, including any subpages (such as www.rewe-group.com/[xy]) and subdomains (such as [xy].rewe-group.com).

2. Who can you contact if you have questions about data processing?

The REWE data protection officer can be reached via the following contact details:

REWE – Zentralfinanz eG
Data protection officer
Domstraße 20
50668 Cologne

E-mail: [email protected]

If you have questions about your rights as a data subject (such as the right of access, the right to erasure and the right to object to the use of personal data for marketing purposes) or if you have other questions related to data protection, please contact: [email protected].

3. What personal data do we process?

We process the personal data that you provide us with when you visit our website or when you contact us by e-mail, post or telephone. In particular, this may involve the following data:

  • Hosting service providers for the operation of our servers

  • Development service providers for programming, development, maintenance and support for software applications

  • Analysis service providers for evaluating data and analysing the use of electronic media (website)

We only process the aforementioned data if it is actually made available to us. We do not use your data for advertising purposes.

4. Is there an obligation to provide data?

You are not required by law to provide your data. However, some data is necessary in order to be able to make our services available to you securely and reliably. Providing other data is voluntary, but it may be required to enable you to use certain services. When you enter data we will inform you whether you are required to provide it for the relevant service or the relevant function. Such data is marked as mandatory. If mandatory data is not entered, the relevant service or the relevant function cannot be provided. If optional data is not entered, we may not be able to provide our services in the same form or to the same extent as usual.

5. For what purposes do we process your data and on what legal basis?

5.1 Contact

You can contact us by e-mail, post and telephone. We process your data in order to respond to your query and, where necessary, to send you any information you have requested. Your data may also be transmitted to the unit responsible for your query. The legal basis for the data processing described above is Art. 6(1)(b) and (f) of the General Data Protection Regulation (steps prior to entering into a contract, the performance of a contract or a weighing of interests, based on the interest of the REWE Group in answering questions from employees, customers and others).

5.2 Job applications

From our website www.rewe-group.com, you can access the website karriere.rewe-group.com if you are interested in a career at the REWE Group. On our website karriere.rewe-group.com, you can learn about employment opportunities and jobs at the REWE Group. You can create a watch list of jobs you are especially interested in. The list is stored locally in your browser and is available to you until you delete your browser settings. The watch list is your personal selection from the various job offerings at the REWE Group.

If you would like to apply for a job online, click on the job link and you will be redirected to karriere.rewe-group.de. There you will find an online application system, which also allows you to submit an unsolicited CV. You will find further information about the data processing that is carried out at our career website at karriere.rewe-group.com. The legal basis for the above-mentioned data processing is Art. 88 of the General Data Protection Regulation in conjunction with Sec. 26, para. 1, clause 1 of the Federal Data Protection Act (BDSG) (decision on the establishment of an employment relationship) and Art. 6(1)(f) of the General Data Protection Regulation (legitimate interest of the REWE Group in providing you with a user-friendly website and making it easier to search).

5.3 Cookies and other technologies (website analysis/tracking)

We use cookies in some areas of our website in order, for example, to recognise users and optimally configure the website to meet their needs. This makes the website easier to navigate and more user-friendly. Cookies also help us to identify particularly popular areas of our website.

Cookies are small text files that are stored on the hard drive of your device. They make it possible to store information for a certain amount of time and to identify your device. We use cookies to make it easier for you to navigate the website and to improve the way the website is displayed on your device. We also use session cookies, which are automatically deleted when you close your browser. You can change your browser settings to alert you when cookies are stored. This will make the use of cookies transparent for you. Important: If you completely disable cookies, you may be unable to use some of our website’s functions. If you do not allow the use of cookies, this may restrict the way some content is displayed. If necessary, you can change this setting under “Privacy settings”.

5.3.1. Necessary technologies

These services, technologies and cookies are required in order to ensure the website’s key functions and the performance of contracts with customers and partners. The legal basis for their use is Art. 6(1)(1)(b) GDPR (entering into or performing a contract), (c) (legal requirement) and/or (f) (overriding legitimate interests). In particular, such interests include monitoring the technical performance of the website and our interest in the economic use of partner distribution channels. Therefore, they cannot be deactivated via our content management system or by you, as a user of the website. This involves the following services.

5.3.1.1 Content management platform (CMP)

The processing within this category enables users to individually control how their data is shared. The content management platform is used to ask users their preferences, to document these preferences and to share them with other systems. In this connection, the following technologies and service providers are used:

e.g. Usercentrics (https://usercentrics.com/privacy-policy/)

5.3.1.2 Content delivery network (CDN)

The processing within this category makes our website faster and more secure. The content delivery network makes copies of our website and stores it on its own servers. When users visit our website a load distribution system ensures that most areas of our website are provided by the server that can display our website the fastest. The CDN significantly shortens the distance that data is transmitted to the relevant browser. It also provides security services, DDoS protection and a web firewall. Threats are blocked and harmful bots and crawlers that waste our bandwidth and server resources are restricted. In general, the CDN only shares data that is controlled by website operators. Thus, content is not defined by the CDN itself, but rather by the website operator. In addition, the CDN may in some cases collect certain information regarding the use of our website and process data used by us or for which the CDN has received corresponding instructions. For example, log data helps to detect new threats. This ensures a higher level of protection for our website. Such data is processed in compliance with the applicable laws, including the General Data Protection Regulation (GDPR). For security reasons, the CDN also uses a cookie that identifies users of a shared IP address and applies security settings for each individual user. This cookie does not store any personal data, is absolutely necessary for the security features and cannot be deactivated.

In this connection, the following technologies and service providers are used:

e.g. Cloudflare (https://www.cloudflare.com/de-de/privacypolicy/)

5.3.2 Statistics technologies

These services, technologies and cookies are necessary in order to better understand how our website is used, to identify errors and to continuously improve the website. The legal basis for their use is Art. 6(1)(1)(a) GDPR (your consent). Your data is only processed once you have opted in. You have the right to withdraw your consent with future effect at any time (see Sec. 10.8 of this privacy policy and the privacy settings in the website footer). The withdrawal does not affect the lawfulness of the data processing carried out prior to the withdrawal.

5.3.2.1 Tag management system

The processing within this category controls the use of services, technologies and cookies without storing the data that is collected in the framework of these services. That is, the tag management system itself does not collect or store any data. The tool (that implements the tags) is a cookie-less domain and does not store any personal data. It is used for the technical implementation of your privacy setting selections.

In this connection, the following technologies and service providers are used:

e.g. Google Tag Manager (https://policies.google.com/privacy?hl=de and https://support.google.com/tagmanager/answer/6102821?hl=de)

5.3.2.2 Website statistics and analysis

The processing within this category is used to measure the reach of our website, to understand how visitors come to our website and to identify optimisation potential. To this end, permanent cookies are placed on your device and read by us. This enables us to recognise returning visitors and to count them as such.

In this connection, the following technologies and service providers are used:

e.g. Google Analytics (https://policies.google.com/privacy?hl=de)

5.3.2.3 Session and service monitoring

The processing within this category is used to understand the behaviour of the visitors to our website and to identify any problems encountered during use of the website. In this connection, the following technologies and service providers are used:

e.g. Mouseflow (https://mouseflow.com/de/privacy/)

5.3.2.4 Website testing and optimisation

The processing within this category is used to test different versions of website content with the aim of structuring the website optimally for customers. In this connection, the following technologies and service providers are used:

e.g. Optimizely (https://www.optimizely.com/de/privacy/)

5.4 Integration of third-party media

Audio/video services are integrated in our website as iFrames (an HTML object). iFrames make it possible to integrate web content from an external website in the website being accessed.

e.g. JW Player – video player

The plug-in developed by JW Player, LongTail Ad Solutions, Inc. d/b/a JW Player, 2 Park Avenue, 10th Floor New York, NY 10016, USA is embedded in our website. Each time you access a page with one or more JW Player video clips, a direct connection will be established between your browser and a JW Player server in the USA. Information about your visit and your IP address will only be transmitted to JW Player and saved there when you interact with the JW Player plug-ins (e.g. by clicking on the start button).

The privacy policy for JW Player, including detailed information about the collection and use of your data by JW Player can be found here.

In addition, JW Player uses an iFrame where the video is accessed to access Google Analytics. This involves tracking by JW Player over which we have no control. The legal basis for this is Art. 6(1)(1)(a) GDPR (your consent). Your data is only processed once you have opted in via the cookie banner.

5.5 Sharing via social media services

On our website, you will find links to the social media services Facebook, Twitter, LinkedIn, YouTube, XING and Instagram. You can recognise the links to the websites for these social media services by the relevant company logos. Clicking on the links will take you to the REWE Group profile on the relevant social media service. Clicking on a link to a social media service will create a connection with the servers of that social media service. As a result, the servers of the social media service will be informed that you have visited our website. Other data will also be transmitted to the provider of the social media service. Such data includes, for example: address of the website where the link was clicked; date and time the website was accessed or the link was clicked; information about the browser and operating system used; IP address. If you are logged into the corresponding social media service when you click on the link, the provider of that social media service may be able to use the transmitted data to determine your user name and, in some cases, your real name and assign this information to your personal user account with the social media service. You can prevent any association with your personal user account by logging out of your user account before you click on the link. The servers of the social media services are located in the USA and other countries outside of the European Union. As a result, the data may also be processed by the providers of the social media services in countries outside of the European Union. Please note that companies in these countries are subject to data protection laws that generally do not provide the same level of protection of personal data that is available in the European Union. We have no influence over the scope, type and purpose of data processing by the provider of the social media service.
Further information about how your data is used by the social media services that are integrated in our website can be found in the privacy policy for the relevant social media service.

5.6 Web server logs

When you visit our website, the connection data of the computer used to access our website is processed by default to ensure the security of our IT systems. This data includes the

  • IP address

  • the pages of our website you visit

  • the date and the duration of the visit

  • the data identifying the browser and operating system used

  • the website you visited before visiting our website.

The legal basis for the aforementioned data processing is Art. 6(1)(f) GDPR (overriding legitimate interests, based on the interest of the REWE Group in safeguarding the security of its IT systems).

6. Automated decision-making; profiling

Our website does not use automated decision-making or profiling in relation to your personal data.

7. Who has access to your data and why?

Within the REWE Group, only those persons who need your data to carry out their duties have access to it. In addition, service providers who help us to carry out our tasks may also receive access to your data. These include service providers in the following categories:

  • Hosting service providers for the operation of our servers

  • Development service providers for programming, development, maintenance and support for software applications

  • Analysis service providers for evaluating data and analysing the use of electronic media (website)

The service providers we use must meet special confidentiality requirements. They only receive access to your data to the extent and for the period necessary for them to carry out their duties. If we suspect a criminal offence has been committed, we may forward your data to the law enforcement authorities (e.g. police, public prosecutor).

8. Is data processed outside of the European Union?

We also use service providers located in countries outside of the European Union to process your data. Countries outside of the European Union handle the protection of personal data differently to countries within the European Union. At present, there is no European Commission decision indicating that these third countries generally offer an adequate level of protection. We have therefore taken special measures to ensure that your data is processed just as securely in third countries as it is within the European Union. With service providers in third countries, we conclude the European Commission’s standard contractual clauses for data transfers between the EU and third countries. These clauses provide suitable guarantees to protect your data with service providers in the third country. You can request a copy of these clauses by writing to the address specified above.

9. How long will the data be stored?

In general, we only store your data for as long as is necessary for the relevant processing purposes. If the data is no longer needed to carry out the processing purposes specified in this data protection notice, it will be deleted, unless retention of the data is required in order to meet retention obligations arising from commercial or tax law. In general, we delete your data after these periods or define the deletion date based on these criteria:

  • Data collected in connection with Sec. 5.3 is stored for up to 8 years from the end of the session, depending on the cookie.

10. What rights do you have?

10.1 Access

You can request access to your personal data that we process.

10.2 Rectification

If your information is not (or is no longer) accurate, you can request rectification of your data. If your information is incomplete, you can request that your data be completed.

10.3 Erasure

You have the right to request the erasure of your data. Please note that a claim to erasure is dependent on the presentation of a legitimate reason. In addition, there must be no legal requirements obliging us to maintain your data.

10.4 Restriction of processing

You have the right to request the restriction of the processing of your data. Please note that a claim to the restriction of processing is dependent on the presentation of a legitimate reason.

10.5 Objection

You have the right, for reasons related to your personal situation, to lodge an objection to the processing of your data. If the objection is justified, we will no longer process your data.

10.6 Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority if you do not agree with the processing of your data.

10.7 Data portability

You have the right to receive in an electronic format the personal data you have communicated to us.

10.8 Withdrawal of your consent

You have the right to withdraw at any time the consent to process your data that you have granted us. This also applies to the withdrawal of declarations of consent that you submitted to us before the General Data Protection Regulation went into effect, i.e. before 25 May 2018. The easiest way to withdraw consent that you have granted is to send an e-mail to the contact details specified above. The withdrawal of the consent does not affect the lawfulness of the data processing carried out prior to the withdrawal.