Data protection notice for the use of the website

(As at 28 May 2024)

This information provides you with an overview of how your personal data is processed when you visit the website www.rewe-group.com. We will tell you what data we collect from you and how we use it. Furthermore, we will explain your rights under applicable data protection law and tell you who you can contact if you have any questions.

  1. 1. Who is responsible for data processing?

REWE Zentralfinanz eG (REWE Group) are responsible for processing your personal data when you visit the rewe-group.com website. Contact details:

REWE Zentralfinanz eG
Domstraße 20
50668 Cologne
Tel.: 0221 149-0
E-mail: [email protected]

The REWE Group would also like to provide you with information about your rights in this connection. This privacy policy applies only to the website www.rewe-group.com, including any subpages (such as www.rewe-group.com/[xy]) and subdomains (such as [xy].rewe-group.com).

  1. 2. Who can you contact if you have questions about data processing?

The REWE data protection officer can be reached via the following contact details:

REWE – Zentralfinanz eG
Data protection officer
Domstraße 20
50668 Cologne

E-mail: [email protected]

If you have questions about your rights as a data subject (such as the right of access, the right to erasure and the right to object to the use of personal data for marketing purposes) or if you have other questions related to data protection, please contact: [email protected].

  1. 3. What personal data do we process?

We process the personal data that you provide us with when you visit our website or when you contact us by e-mail, post or telephone. In particular, this may involve the following data:

  • Data that is generated when using our website rewe-group.com through the use of cookies and other technologies (pages viewed, links clicked, the date and time of the query, the duration of the visit, when you were last on our site, the identification data of the browser and operating system type used and the website from which you came to us, as well as your mouse movements when navigating)

  • Data that you communicate to us when you subscribe to the newsletter (email address, selection of topics and newsletter frequency)

  • Data that we need to prove your consent to receive the newsletter (IP address and time stamp of the newsletter subscription as well as when the link in the confirmation email is clicked, the personal data in the declaration of consent that is given)

  • Data that we receive when you read the newsletter (statistical evaluation of: opening the email, clicking on the links in the email, data about the device used, data about the location based on the IP address)

  • Data that you provide to us when you apply for a position or send us an unsolicited application (personal data, data on training, data on previous professional career, cover letter, curriculum vitae, portrait photo, certificates)

  • Data that you provide to us when you contact us by email, telephone or post

We only process the aforementioned data if it is actually made available to us. We do not use your data for advertising purposes.

4. Is there an obligation to provide data?

You are not required by law to provide your data. However, some data is necessary in order to be able to make our services available to you securely and reliably. Providing other data is voluntary, but it may be required to enable you to use certain services. When you enter data we will inform you whether you are required to provide it for the relevant service or the relevant function. Such data is marked as mandatory. If mandatory data is not entered, the relevant service or the relevant function cannot be provided. If optional data is not entered, we may not be able to provide our services in the same form or to the same extent as usual.

  1. 5. For what purposes do we process your data and on what legal basis?

5.1 Contact

You can contact us by e-mail, post and telephone. We process your data in order to respond to your query and, where necessary, to send you any information you have requested. Your data may also be transmitted to the unit responsible for your query. The legal basis for the data processing described above is Art. 6(1)(b) and (f) of the General Data Protection Regulation (steps prior to entering into a contract, the performance of a contract or a weighing of interests, based on the interest of the REWE Group in answering questions from employees, customers and others).

5.2 Job applications

From our website www.rewe-group.com, you can access the website karriere.rewe-group.com if you are interested in a career at the REWE Group. On our website karriere.rewe-group.com, you can learn about employment opportunities and jobs at the REWE Group. You can create a watch list of jobs you are especially interested in. The list is stored locally in your browser and is available to you until you delete your browser settings. The watch list is your personal selection from the various job offerings at the REWE Group.

If you would like to apply for a job online, click on the job link and you will be redirected to karriere.rewe-group.de. There you will find an online application system, which also allows you to submit an unsolicited CV. You will find further information about the data processing that is carried out at our career website at karriere.rewe-group.com. The legal basis for the above-mentioned data processing is Art. 88 of the General Data Protection Regulation in conjunction with Sec. 26, para. 1, clause 1 of the Federal Data Protection Act (BDSG) (decision on the establishment of an employment relationship) and Art. 6(1)(f) of the General Data Protection Regulation (legitimate interest of the REWE Group in providing you with a user-friendly website and making it easier to search).

5.3 Cookies and other technologies (website analysis/tracking)

We use cookies in some areas of our website. This enables us, for example, to identify users’ preferences and optimally configure the website to meet their needs, making the website easier to navigate and more user-friendly. Cookies also help us to identify particularly popular areas of our website.

Cookies are small text files that are stored on your device’s hard drive. They make it possible to store information for a certain amount of time and to identify your device. We use persistent cookies for improved user navigation and personalised performance. We also use session cookies, which are automatically deleted when you close your browser. You can change your browser settings to alert you when cookies are placed and enable you to see clearly how cookies are being used. Important: if you completely disable cookies, you may be unable to use some functions of our website.

Depending on the purpose of the cookies and other technologies, we differentiate between necessary and statistical cookies.

5.3.1 Necessary technologies

These services, technologies and cookies are necessary to ensure that the portal can perform its key functions and contracts with customers and partners can be fulfilled. The legal basis for their use is Section 25 (2) No. 2 of the German Telecommunications Digital Services Data Protection Act (TDDDG), in conjunction with Article 6 (1) (b) (performance of a contract or prior to entering into a contract), (c) (for compliance with a legal obligation), and/or (f) (legitimate interests pursued by the controller or by a third party) of the General Data Protection Regulation (GDPR). Legitimate interests include, but are not limited to, monitoring the website’s technical performance and our interest in the cost-effective use of partner sales channels. These necessary technologies therefore cannot be deactivated via our consent management system or by you as a website user.

Details of all cookies and other technologies are given in the cookie banner under “Services”. You can view these at any time under “Privacy Settings” in the website footer, or by clicking here.

5.3.2 Statistical technologies

Statistical cookies and other technologies are required to understand how our visitors use our portal, identify errors and continuously improve the portal. The legal basis for their use is Section 25 (1) TDDDG (consent for the setting or reading of cookies), in conjunction with Article 6 (1) (a) GDPR (consent for subsequent data processing). Your data is not processed until after you opt in. You have the right to withdraw your consent at any time with future effect (see 10.8. of this data protection declaration and the privacy settings in the website footer). Withdrawal of consent does not affect the lawfulness of data processing carried out based on consent prior to its withdrawal.

Details of all cookies and other technologies are given in the cookie banner under “Services”. You can view these at any time under “Privacy Settings” in the website footer, or by clicking here.

You can also withdraw your consent at any time under “Privacy Settings”.

5.4. Integration of third-party media

Audio/video services are integrated in our website as iFrames (an HTML object). iFrames make it possible to integrate web content from an external website in the website being accessed.

e.g. JW Player – video player

 The plug-in developed by JW Player, LongTail Ad Solutions, Inc. d/b/a JW Player, 2 Park Avenue, 10th Floor New York, NY 10016, USA  is embedded in our website. Each time you access a page with one or more JW Player video clips, a direct connection will be established between your browser and a JW Player server in the USA.  Information about your visit and your IP address will only be transmitted to JW Player and saved there when you interact with the JW Player plug-ins (e.g. by clicking on the start button).

The privacy policy for JW Player, including detailed information about the collection and use of your data by JW Player can be found here.

In addition, JW Player uses an iFrame where the video is accessed to access Google Analytics. This involves tracking by JW Player over which we have no control. The legal basis for this is Art. 6(1)(1)(a) GDPR (your consent). Your data is only processed once you have opted in via the cookie banner.

5.5 Newsletter

On our website, you have the option of subscribing to the REWE Group newsletter with your email address. We use this email address to provide you with the latest news about the companies of the REWE Group. When you subscribe to the newsletter you consent to the inclusion of your clicking and opening behaviour in our general, non-personalised statistics in order to provide you with an optimal newsletter experience.
After you submit the subscription request, you will receive a confirmation email. Your subscription will only become effective if you click on the link in the confirmation email (known as a double opt-in process, or DOI). The legal basis for the above-mentioned data processing is Art. 6, para. 1(a) of the General Data Protection Regulation (consent).
You can unsubscribe from the newsletter at any time in the future. There is a link at the end of each email that allows you to unsubscribe.

5.6 Sharing via social media services

On our website, you will find links to the social media services Facebook, Twitter, LinkedIn, YouTube, XING and Instagram. You can recognise the links to the websites for these social media services by the relevant company logos. Clicking on the links will take you to the REWE Group profile on the relevant social media service. Clicking on a link to a social media service will create a connection with the servers of that social media service. As a result, the servers of the social media service will be informed that you have visited our website. Other data will also be transmitted to the provider of the social media service. Such data includes, for example: Address of the website where the link was clicked; data and time the website was accessed or the link was clicked; information about the browser and operating system used; IP address. If you are logged into the corresponding social media service when you click on the link, the provider of that social media service may be able to use the transmitted data to determine your user name and, in some cases, your real name and assign this information to your personal user account with the social media service. You can prevent any association with your personal user account by logging out of your user account before you click on the link. The servers of the social media services are located in the USA and other countries outside of the European Union. As a result, the data may also be processed by the providers of the social media services in countries outside of the European Union. Please note that companies in these countries are subject to data protection laws that generally do not provide the same level of protection of personal data that is available in the European Union. We have no influence over the scope, type and purpose of data processing by the provider of the social media service. Further information about how your data is used by the social media services that are integrated in our website can be found in the privacy policy for the relevant social media service.

 5.7 Web server logs

When you visit our website, the connection data of the computer used to access our website is processed by default to ensure the security of our IT systems. This data includes the

IP address
the pages of our website you visit
the date and
the duration of the visit
the data identifying the browser and operating system used
the website you visited before visiting our website.

The legal basis for the aforementioned data processing is Art. 6(1)(f) GDPR (overriding legitimate interests, based on the interest of the REWE Group in safeguarding the security of its IT systems).

  1. 6. Automated decision-making; profiling

Our website does not use automated decision-making or profiling in relation to your personal data.

7. Who has access to your data and why?

Within the REWE Group, only those persons who need your data to carry out their duties have access to it. In addition, service providers who help us to carry out our tasks may also receive access to your data. These include service providers in the following categories:

  • Hosting service providers for the operation of our servers

  • Development service providers for programming, development, maintenance and support for software applications

  • Email service provider to send newsletters

  • Analysis service providers for evaluating data and analysing the use of electronic media (website)

The service providers we use must meet special confidentiality requirements. They only receive access to your data to the extent and for the period necessary for them to carry out their duties. If we suspect a criminal offence has been committed, we may forward your data to the law enforcement authorities (e.g. police, public prosecutor).

8. Is data processed outside of the European Union?

We also use service providers located in countries outside of the European Union to process your data. Countries outside of the European Union handle the protection of personal data differently to countries within the European Union. At present, there is no European Commission decision indicating that these third countries generally offer an adequate level of protection. We have therefore taken special measures to ensure that your data is processed just as securely in third countries as it is within the European Union. With service providers in third countries, we conclude the European Commission’s standard contractual clauses for data transfers between the EU and third countries. These clauses provide suitable guarantees to protect your data with service providers in the third country. You can request a copy of these clauses by writing to the address specified above.

 9. How long will the data be stored?

In general, we only store your data for as long as is necessary for the relevant processing purposes. If the data is no longer needed to carry out the processing purposes specified in this data protection notice, it will be deleted, unless retention of the data is required in order to meet retention obligations arising from commercial or tax law. In general, we delete your data after these periods or define the deletion date based on these criteria:

  • Data collected in connection with Sec. 5.3 is stored for up to 8 years from the end of the session, depending on the cookie.

  • Data collected during the newsletter subscription process is deleted as follows:
    The name is deleted within one week after unsubscribing. Data about pages opened and links clicked on will be deleted after one month. Unconfirmed email addresses will be deleted after one month.

  1. 10. What rights do you have?

10.1 Access

You can request access to your personal data that we process.

10.2 Rectification

If your information is not (or is no longer) accurate, you can request rectification of your data. If your information is incomplete, you can request that your data be completed.

10.3 Erasure

You have the right to request the erasure of your data. Please note that a claim to erasure is dependent on the presentation of a legitimate reason. In addition, there must be no legal requirements obliging us to maintain your data.

10.4 Restriction of processing

You have the right to request the restriction of the processing of your data. Please note that a claim to the restriction of processing is dependent on the presentation of a legitimate reason.

10.5 Objection

You have the right, for reasons related to your personal situation, to lodge an objection to the processing of your data. If the objection is justified, we will no longer process your data.

10.6 Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority if you do not agree with the processing of your data.

10.7 Data portability

You have the right to receive in an electronic format the personal data you have communicated to us.

10.8 Withdrawal of your consent

You have the right to withdraw at any time the consent to process your data that you have granted us. This also applies to the withdrawal of declarations of consent that you submitted to us before the General Data Protection Regulation went into effect, i.e. before 25 May 2018. The easiest way to withdraw consent that you have granted is to send an e-mail to the contact details specified above. The withdrawal of the consent does not affect the lawfulness of the data processing carried out prior to the withdrawal.