Data Privacy Statement for the Annual Report of REWE Group

(As of: October 2018)

REWE-ZENTRALFINANZ eG (hereinafter referred to as “REWE”) is the operator of the website (hereinafter referred to as “website”) where the Annual Report of REWE Group is posted. In the following Data Privacy Statement, REWE will inform you about the amount of your personal data that is collected during your visit to and use of the website and the purpose for which this data is used.

Furthermore, REWE will explain the rights to which you are entitled in this regard.


REWE is responsible for complying with data protection regulations as it gathers and processes data. Our data privacy practices comply with the legal requirements concerning data protection. Our contact details:

REWE Zentralfinanz eG
Domstrasse 20
50668 Cologne
Phone: +49 (0) 221 149-0


The term “personal data” refers to specific information about the personal or material circumstances of an identified or identifiable natural person. This includes such information as your correct name, address, telephone number and date of birth (if provided). Statistical information that cannot be directly or indirectly connected to you – including the popularity of individual websites we offer or the number of visitors to a page – is not considered to be personal data.

On this website, personal data become relevant especially in the context of the contact form (see section 5).


To ensure system security, when you visit our website our web servers automatically and temporarily store the connection data of the inquiring computer, our websites that you are visiting, the date and duration of the visit, the identification data of the browser and the operating system you are using, and the website from which our site is accessed. The data processing is done in accordance with Section 6 (1) lit. f) of the General Data Protection Regulation (GDPR) and with the purpose of ensuring system security and of analysing the utilisation of the website. You have the right to object to this data processing. For more detailed information, please see Section 8 of this Data Privacy Statement.

The collected data set consists of:

  • the page from which the file was requested,
  • the name of the file,
  • the date and time of the request,
  • the volume of data transmitted,
  • access status (file transferred, file not found),
  • a description of the type of web browser used,
  • the IP address of the inquiring computer minus the last three digits.

This data is stored in anonymous form. It is not possible to create user profiles linked to specific individuals. This data will be deleted or rendered anonymous once the connection has ended.


a) Cookies: We use cookies in certain sections of our website for such purposes as determining the preferences of visitors and creating the most optimal design of the website. This facilitates navigation and a high degree of user friendliness on a website. Cookies also help us to identify particularly popular areas of our website. Cookies are small files that are downloaded onto the hard drive of a visitor’s computer. They enable us to make information available for a specified period of time and to identify the visitor’s computer. We use permanent cookies to improve user experience and individual performance. We also use session cookies that are deleted automatically when you close your browser. You can set your browser in such a way that it will inform you about the placement of cookies. This will make the use of cookies transparent to you. Remember: If you completely block the use of cookies, you may be unable to use individual functions of our website. We use the following categories of cookies on our website:

  • strictly necessary cookies 
  • performance cookies 
  • functional/personalising cookies

Strictly necessary cookies: These cookies enable you to navigate around the website and use its functions, including access to password-protected pages. Without these cookies, we are unable to make available certain services that you have requested. We use these strictly necessary cookies for the definitive identification of registered users so they can be recognised while they are on the site and when they make subsequent visits. 

The legal basis for the processing is provided in Section 6 (1) lit. f) of the GDPR. Our legitimate interests are the above mentioned purposes.

Performance cookies: These cookies collect information regarding how visitors use the website. This can include which pages they visit most frequently and whether they receive error messages from websites. These cookies gather no data that could be used to identify visitors. All information collected with the help of these cookies is anonymous and is used exclusively to improve the functionality and service of the website. We use performance cookies to compile statistics on how our website is used and to assess the effectiveness of our advertising campaigns.

Functional/personalising cookies: These cookies enable websites to remember user information (e.g. user name, language or selected store) in order to offer optimised features customised for the user. By storing your current location in a cookie, for example, a website can provide the latest information about your store. These cookies also make it possible to keep your chosen settings on the website (e.g. font type or size, or other options that can be adjusted by the user). In addition, they allow us to provide services requested by you, such as watching a video. These cookies cannot track your browser activities on other websites. They do not collect any information about you that could be used for advertising purposes and cannot identify where you were on the Internet beyond our website. We use functional/personalising cookies to recognise you when you revisit our website, to personalise content and to store your settings (including your preferred store).The legal basis for the processing is provided in Section 6 (1) lit. f) of the GDPR. Our legitimate interests are the above mentioned purposes.

b) Matomo: This website uses Matomo, a web analysis tool. Matomo also uses cookies. Cookies are text files that are stored on your computer and enable us to analyse the use of the website. 

To ensure an appropriate design of our website, we create user profiles under a pseudonym using the web analysis tool, provided that you have given your explicit consent (opt in according to Section 6 (1) p. 1 lit. a) of the GDPR. 

For this purpose, the usage information gathered by the cookie (including your shortened IP address) will be transmitted to our server and stored for usage analysis purposes. We can then use this information to optimise the website. In the process, your IP address is immediately pseudonymised. The information generated by the cookie regarding your use of this website will not be shared with a third party. 

If you do not agree to storage and analysis of this data from your visit, you can revoke your consent at any time with effect for the future (see Section 8). The processing of your personal data remains a legal activity until you have revoked your consent. 

With Matomo, you can also object to the storage and use at any time with a mouse click. 

In this case, an opt-out cookie will be placed on your browser. As a result, Matomo will not collect any session data. 

You may object to the creation of a pseudonymous user profile at any time. This can be done in several ways:

1.) One way to prevent web analysis by Matomo is to accept an opt-out cookie that will tell Matomo not to store or use your data for web analysis purposes. Please remember the following about this solution: Web analysis will not be done as long as the opt-out cookie is placed in the browser.

2.) You can block the storage of profile-creating cookies by using the corresponding setting in your browser software.


You can use the contact form to get in touch with us. To use the contact form, you need to provide us with the following information:

  • form of address,
  • given name,
  • surname,
  • e-mail address,
  • subject,
  • message

You can also provide such information as your company name, address and telephone and fax numbers. But it is not obligatory. We will use your personal data to respond to your enquiry and, as appropriate, to send you requested information. If necessary, we will forward your submitted information to the department that handles the particular area addressed in your contact form. The data you enter will be transmitted via a secure https/SSL connection. The legal basis for the processing is provided in Section 6 (1) p. 1 lit. b) of the GDPR. Your data is only processed for responding to your request and is deleted afterwards. You have the right of objection according to Section 21 of the GDPR. 

Your data will be deleted within a period of 90 days after processing unless it must be stored for a longer period of time for reasons of verifiability, customer support or legally required retention periods.


On our website, you will find links to the social networking sites Facebook, Twitter, Xing, LinkedIn, Google+, Instagram and YouTube. The links are marked with the logos of the social media services. Clicking on one of these links will take you to REWE’s corporate page on the respective social media. And you will then be connected to the server of that site. This informs the server of the social media services that you have visited our website. Additional data is also transmitted to the provider of the social media services. The information includes:

  • the address of the website on which the activated link is located
  • the date and time when the website was called or the link was activated
  • information about the browser and operating system being used
  • IP address

If you were already logged into the social networking site when the link was activated, the transmitted data may enable the network to identify your user name and perhaps even your real name, and to connect that information to your personal account on the social networking site. You can prevent such assignment to your personal user account by logging out from your account beforehand. 

The servers of the social media sites are located in the United States and other countries outside the European Union. As a result, the data may be handled by providers of social media services in countries outside the European Union. Please remember that data protection laws governing companies in these countries generally provide less protection for personal data than do the laws in force in the European Union’s member states. 

Note also that REWE has no influence over the scope, type or purpose of the data processing conducted by providers of social media services. More detailed information about the use of your data by the social media service providers that are linked to our website can be found in the privacy policy of each respective social media service.


Our website uses plug-ins from the video portal “Vimeo”, provided by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. 

If you visit one of our web pages that is equipped with a Vimeo plug-in, a connection to Vimeo’s servers is created. In the process, the Vimeo server receives information about which of our pages you have visited. Vimeo also obtains your IP address. This applies even if you have not logged on to Vimeo and do not have a Vimeo account. The information collected by Vimeo is sent to a Vimeo server in the USA. 

The legal basis for processing your personal data is our legitimate interest within the meaning of Art. 6 (1) (f) GDPR in presenting our company in an attractive form. 

If you are logged on to your Vimeo account, you enable Vimeo to assign your surfing behaviour directly to your personal profile. 

You can prevent this by logging off your Vimeo account. You have the right at any time to object to this on grounds relating to your particular situation.

Please note that Vimeo can use Google Analytics; we refer in this context to Google’s privacy policy as well as to opt-out options for Google Analytics and Google’s settings for the use of data for marketing purposes

You will find further information on the handling of user data in Vimeo’s privacy policy: Vimeo Inc. is also certified according to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (see


REWE uses service providers to perform services and to process your data (for example, hosting your data in a secure computer centre, delivering requested goods, sending letters or e-mails, and maintaining and analysing databases – that is, contract data processing). These service providers process the data only as instructed by REWE, and they are obliged to adhere to the applicable data protection regulations. All contract processors are carefully selected and gain access to your data only to the extent and for the period of time required to perform the relevant services or only to the extent that you have consented to the processing and use of your data. 

The servers of some service providers used by REWE are located in the United States and other countries outside the European Union. The data protection laws governing companies in these countries generally provide less protection for personal data than do the laws in force in the European Union’s member states. If your data is handled in a country in which data is not afforded the same level of protection as in the European Union, REWE makes contractual arrangements or uses other approved instruments to ensure that your personal data is appropriately protected.


On our website, automated decision making and profiling concerning your personal data do not take place.


We will store your data only as long as necessary for the specific processing purpose. If data are no longer needed for fulfilling the specific processing purposes mentioned in this data privacy statement, they are deleted unless their storage is necessary due to legal obligations to retain data. 

Further details can be found in the previous sections.


We put in place technological and organisational security measures to protect your data as fully as possible against unauthorised access. Besides taking security steps in the operating environment, we employ encryption processes in some areas (including online applications, customer accounts and the contact form). The information submitted by you is transmitted in encrypted form via the SSL protocol (secure socket layer) to prevent misuse of the data by a third party. You can recognise this process in two ways: a closed lock will appear in the status bar of your browser, and the address line will begin with the letters “https”.


12.1 Requesting information

You can request information about your personal data processed by us.

12.2 Correcting data

If your data is not correct (any more), you have the right to request the correction of your data. If your data are incomplete, you have the right to request the completion of the data.

12.3 Deletion of data

You have the right to have your data deleted. Please note that the right to deletion depends on the existence of a legitimate reason. Moreover, regulations that oblige us to store your data must not exist.

12.4 Restriction of data processing

You have the right to request the restriction of the processing of your data. Please note that the right to restriction of processing depends on the existence of a legitimate reason.

12.5 Objection

You have the right to object to the processing of your data for reasons that arise from your particular situation. In case of a justified objection, we will no longer process your data.

12.6 Objection to the processing of your data for direct advertising purposes

You have the right to object to the processing of your data for direct advertising purposes at any time. This also applies to profiling related to a direct advertising. You can send your objection informally to the above contact details under the title of “Objection to the processing of my personal data for advertising purposes”.

12.7 Right to complaint

You have the right to lodge a complaint with a data protection supervisory authority, if you do not agree to the processing of your data.

12.8 Data portability

You have the right to receive the personal data you have submitted to us in an electronic format.

12.9 Revoking your consent

You have the right to revoke your consent for processing your data at any time. This also applies to revoking declarations of consent that you have given us before the GDPR has become applicable, i.e. before 25 May 2018. The easiest way to revoke your consent is to send your revocation to the contact address listed above. The revocation of the consent does not affect the legality of data processing carried out before the revocation.


If you have questions regarding data protection on the website, please contact:

Data protection officer
Domstrasse 20
50668 Cologne


Phone: +49 (0) 221-149-0