(As of: June 2021)
REWE-ZENTRALFINANZ eG (hereinafter referred to as “REWE”) is the operator of the website www.rewe-group-geschaeftsbericht.de (hereinafter referred to as “website”) where the Annual Report of REWE Group is posted. In the following Data Privacy Statement, REWE will inform you about the amount of your personal data that is collected during your visit to and use of the website and the purpose for which this data is used.
Furthermore, REWE will explain the rights to which you are entitled in this regard.
1. RESPONSIBILITY FOR PROCESSING YOUR PERSONAL DATA
Details of the person responsible and data protection officer:
Phone: +49 (0) 221 149-0
The data protection officer of REWE-ZENTRALFINANZ eG can be reached at the following contact details:
Data protection officer
2. WHAT IS PERSONAL DATA?
The term “personal data” refers to specific information about the personal or material circumstances of an identified or identifiable natural person. This includes such information as your correct name, address, telephone number and date of birth (if provided). Statistical anonymous information that cannot be directly or indirectly connected to you – including the popularity of individual websites we offer or the number of visitors to a page – is not considered to be personal data.
On this website, personal data become relevant especially in the context of the contact form (see section 5).
3. GENERAL INFORMATION REGARDING THE PROCESSING AND USE OF PERSONAL DATA DURING VISITS TO THE WEBSITE
To ensure system security, when you visit our website the web servers store the connection data of the inquiring computer by default. The data processing is done in accordance with Section 6 (1) lit. b) and f) of the General Data Protection Regulation (GDPR) and with the purpose of ensuring system security and of analysing the availability of the website.
The collected data set consists of:
- the page that was visited,
- the date and time of the request,
- the volume of data transmitted,
- the IP address of the inquiring computer,
- the browser and the operating system from which the page was visited,
- the page from which the visit was started,
- the status code of the page visit
This data is stored for 18 months.
4. COOKIES/WEBSITE ANALYSIS/TRACKING:
Strictly necessary cookies: These services, technologies and cookies are required to secure the main functions of the portal and the contract performance toward customers and cooperation partners. The legal basis for the processing is provided in Section 6 (1) p.1 lit. b) (Entering into or performance of a contract), lit. c (in case of legal obligations) and/or lit. f) of the GDPR (overridden legitimate interests). The latter case refers particularly to the monitoring of the technical performance of the website and of our interest in the economic use of partner sales channels. Thus, they are unable to be deactivated by you as a website user in our Consent Management System. These are the following services:
a) Consent Management Platform (CMP): The processing steps in this category enable the user to individually manage his/her data transfer. The Consent Management Platform is used to query the user’s decision, to document it and transfer it to other systems. In the process, the following technologies and providers are used: e.g. Usercentrics (https://usercentrics.com/privacy-policy/)
Your consent or non-consent is stored until you delete your cookies.
b) Basic web analytics: The processing procedures within this category are used for the following purposes: for non-personal traffic analytics, incident monitoring and alerting, fraud detection, IT management, range measurement, product development and improvement and navigation tracking, e.g. Matomo.
Your personal data is stored for 30 minutes or 13 months.
5. CONTACT FORM
You can send an email to presse[at]rewe-group.com, write us a letter or get in touch with us via phone. We will process your data to answer your request and to send you some information, if requested. Your data can be transmitted to the unit responsible for your request. The legal basis for the above mentioned data processing is Section 6 (1) p.1 lit. b), f) of the GDPR (Entering into or performance of a contract, balancing of interests, based on REWE Group’s interest to answer requests by interested persons, stakeholders and other persons). You have the right to object to the processing of your data due to legitimate interests for reasons that evolve from your personal situation.
6. FACEBOOK, TWITTER, XING, LINKEDIN, INSTAGRAM, YOUTUBE
On our website, you will find links to the social media sites Facebook, Twitter, Xing, LinkedIn, Instagram and YouTube. The links are marked with the logos of the social media services. Clicking on one of these links will take you to REWE’s corporate page on the respective social media. And you will then be connected to the server of that site. This informs the server of the social media services that you have visited our website. Additional data is also transmitted to the provider of the social media services. The information includes:
- the address of the website on which the activated link is located
- the date and time when the website was called or the link was activated
- information about the browser and operating system being used
- IP address
If you were already logged into the social networking site when the link was activated, the transmitted data may enable the network to identify your user name and perhaps even your real name, and to connect that information to your personal account on the social networking site. You can prevent such assignment to your personal user account by logging out from your account beforehand.
The servers of the social media sites are located in the United States and other countries outside the European Union. As a result, the data may be handled by providers of social media services in countries outside the European Union. Please remember that data protection laws governing companies in these countries generally provide less protection for personal data than do the laws in force in the European Union’s member states.
7. EMBEDDING OF VIDEOS
Our website uses plug-ins from the video portal “Vimeo”, provided by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.
If you visit one of our web pages that is equipped with a Vimeo plug-in, a connection to Vimeo’s servers is created.
In the process, we use Vimeo’s Do-Not-Track version, so that only data required for playing the videos are processed.
The legal basis of processing your personal data is our legitimate interest complying with Section 6 (1) p.1 lit. f) of the GDPR for the purpose of presenting our company in an attractive way.
If you are logged on to your Vimeo account, you enable Vimeo to assign your surfing behaviour directly to your personal profile. You can prevent this by logging off your Vimeo account.
8. USE OF SERVICE PROVIDERS/PROCESSING OF DATA IN COUNTRIES OUTSIDE THE EUROPEAN ECONOMIC AREA
REWE uses service providers to perform services and to process your data (for example, hosting your data in a secure computer centre, delivering requested goods, sending letters or e-mails, and maintaining and analysing databases – that is, contract data processing). These service providers process the data only as instructed by REWE, and they are obliged to adhere to the applicable data protection regulations. All contract processors are carefully selected and gain access to your data only to the extent and for the period of time required to perform the relevant services or only to the extent that you have consented to the processing and use of your data.
The servers of some service providers used by REWE are located in the United States and other countries outside the European Union. The data protection laws governing companies in these countries generally provide less protection for personal data than do the laws in force in the European Union’s member states. If your data is handled in a country in which data is not afforded the same level of protection as in the European Union, REWE makes contractual arrangements or uses other approved instruments to ensure that your personal data is appropriately protected.
9. AUTOMATED DECISION MAKING; PROFILING
On our website, automated decision making and profiling concerning your personal data do not take place.
10. STORAGE AND DELETION PERIODS
Your personal data is stored for the period of time necessary to fulfil the above-mentioned purposes and as long as there are no obligations or periods of retention to the contrary. Please find the relevant deletion periods in the corresponding paragraphs in this data privacy statement.
11. REQUESTING INFORMATION, CORRECTING AND DELETING DATA
11.1 Requesting information
You can request information about your personal data processed by us.
11.2 Correcting data
If your data is not correct (any more), you have the right to request the correction of your data. If your data are incomplete, you have the right to request the completion of the data.
11.3 Deletion of data
You have the right to have your data deleted. Please note that the right to deletion depends on the existence of a legitimate reason. Moreover, regulations that oblige us to store your data must not exist.
11.4 Restriction of data processing
You have the right to request the restriction of the processing of your data. Please note that the right to restriction of processing depends on the existence of a legitimate reason.
You have the right to object to the processing of your data for reasons that arise from your particular situation with effect for the future. In case of a justified objection, we will no longer process your data. Until the effective objection the processing of your personal date will remain legitimate.
11.6 Right to complaint
You have the right to lodge a complaint with a data protection supervisory authority, if you do not agree to the processing of your data.
11.7 Data portability
You have the right to receive the personal data you have submitted to us in an electronic format.
11.8 Withdrawal of your consent
You have the right to withdraw at any time the consent to process your data that you have granted us. This also applies to the withdrawal of declarations of consent that you submitted to us before the General Data Protection Regulation went into effect, i.e. before 25 May 2018. The easiest way to withdraw consent that you have granted is to send an e-mail to the contact details specified above. The withdrawal of the consent does not affect the lawfulness of the data processing carried out prior to the withdrawal.