1) General Comments on the Website

Dear visitors to our internet portal,

We are pleased to welcome you as visitors to our website https://supplier.rewe-group.com. We want you to feel secure and at ease during your visit to our websites, so we have compiled below some information about how we treat your data. The privacy policy below is intended to explain to you how we collect, use and transfer your personal data.

Please note: this privacy statement applies solely and exclusively to the site https://supplier.rewe-group.com, including any sub-pages to the site. It is possible for you to change to other REWE websites (such as www.rewe-group.com and others) from https://supplier.rewe-group.com. Any such sites that do not begin with supplier.rewe-group.com are governed by their own privacy statements that can be viewed on the sites themselves.

2) Controller

REWE-Zentral-Aktiengesellschaft (see point 14 below for contact information) is responsible for the collection and processing of data. We collect on principle solely the data that are required for the conclusion of contracts.

3) Data Processing for Performance of Contracts

Pursuant to point (b) of Art. 6 (1) GDPR, we process the collected data for the purpose of performing the contract. Performance also includes the related customer care.

4) Data Processing for Safeguarding Legitimate Interests

We process your data solely for the purpose of enabling you to utilise the personalised section (authentication and access management) of our site at the Rewe Group Supplier Portal. Our legitimate interests include in particular the convenient and user-friendly use of the portal as well as the security of the functional capability of the services that are offered.

5) Categories of Processed Data

We process the following categories of personal data within the scope of this website:

• Required fields: User name, first name, surname, email address, phone number (office), preferred language
• Optional fields: Professional designation, office hours, phone number (outside of office hours), mobile phone number, fax

You will find further details in the following remarks.

6) Usage Data

When you visit our websites, so-called usage data are stored temporarily on our web server as log files for statistical purposes and to help us improve the quality of our websites. These data records include the following:

• The site from which the file was accessed
• The name of the file
• The date and time of the access
• The quantity of transmitted data
• The access status (file transferred, file not found)
• The description of the type of web browser used
• The IP address of the accessing computer; it is truncated in such a manner that the identification of the individual is not possible.

We use this information to make access to our website possible, to control and administrate our systems and to improve the design of the websites. The stored data are stored in anonymised form in accordance with legal provisions. [The continued application of the data protection sections of the Telemedia Act (TMG) since 25 May 2018 has not been finally clarified. The new E-Privacy Regulation, which may regulate specifically privacy in the online sector, is scheduled to enter into force at the beginning of 2019.] The creation of personal user profiles is therefore precluded. Data about individuals or their personal behaviour are not collected.

7) Web Site Analysis/Tracking

Cookies: We use so-called cookies in parts of our website, e.g. for recognition of the visitors and to be able to design the website for optimal use. They simplify the navigation of the site and ensure a high level of user friendliness of a website. Cookies also help us to identify the sections of our internet site that are especially popular. Cookies are small files that are placed on a visitor’s hard drive. They make it possible to retain information over a certain period of time and to identify the visitor’s computer. We use permanent cookies for more effective user guidance and individual presentation of services. Moreover, we use so-called session cookies that are automatically deleted when you close your browser. You can choose optional settings in your browser so that you are always notified about the placement of cookies. The use of cookies becomes transparent for you.

Important: If you completely preclude the use of cookies, you may possibly be unable to use some of the functions on our website.

We use the following categories of cookies on our website:

• Crucial cookies (session cookies and LTPA tokens)

Crucial cookies (session cookies and LTPA tokens): Session cookies involve working with a temporary session ID for each user. LTPA tokens relate to the use of the encrypted user ID within REWE. These cookies are necessary so that you can navigate within the website and utilise its functions such as access to password-protected sections. Without these cookies, we cannot provide to you the services you request. We use crucial cookies to definitively identify registered users so that they are recognised during their use of the website and when they return for later visits. We use solely so-called session cookies to manage your visit; they are automatically erased when you close your browser. In other words, no data are permanently stored on your computer.

The legal grounds for all of the cookies described above are point (f) of Art. 6 (1) GDPR. Our legitimate interest is the assurance of the functionality of our website.

8) Restricted Access Sections (Personalised Section)

Invitations to register are issued by REWE Group Buying. We use any data you provide to us during registration (see information under point 5) to provide to you access to the restricted section and the applications on the REWE Group Supplier Portal that are available for your use.

The data are processed in accordance with the legal grounds of point (b) of Art. 6 (1) (performance or initiation of a contract) and/or point (f) of Art. 6 (1) GDPR (legitimate interests). Our legitimate interests arise from the aforementioned purpose.

You can modify or even erase your profile within the account at any time. The data are then automatically deleted from our system.

9) Engagement of Service Providers / Processing of Data in Countries outside of the European Economic Area (EEA)

Rewe Zentral Aktiengesellschaft engages REWE digital GmbH as a service provider (among other purposes, for the hosting of your data in a secure data centre, the delivery of ordered goods, the sending of letters or emails and the care and analysis of databases) for the performance of services and the processing of your data as part of contract processing. You will find more detailed information in the privacy policy at https://www.rewe-digital.com/.

We do not process your data in any countries outside the EEA.

10) Storage Term: Erasure Deadline

We store your personal data as long as they are necessary for the personalised section of the Rewe Group Supplier Portal. In addition, they are erased in so far as the processing of your data is no longer required and there are no statutory or contractual retention periods contrary to the erasure.

You will find additional details in the above sections.

11) Data Security

We implement technical and organisational security measures to protect your data as comprehensively as possible from unwanted access. The information you provide is transmitted in encrypted form using the SSL (Secure Socket Layer) protocol to ward against any misuse of the data by third parties. You can see that the protocol is in use because a lock symbol appears in the status bar of your browser and the address bar begins with “https”.

12) Automated Decision-Making

There is neither any automated decision-making nor any profiling on our website.

13) Your User Rights

The GDPR grants to you, the website user, certain rights when your personal data are processed:

a. Right of access (Art. 15 GDPR):

You have the right to obtain confirmation whether personal data relating to you are being processed; if this is the case, you have the right to obtain information about these personal data and the information specified in Art. 15 GDPR.

b. Right to rectification and erasure (Art. 16 and 17 GDPR):

You have the right to request rectification of any inaccurate personal data relating to you and the completion of any incomplete personal data.

You also have the right to request erasure without delay of personal data relating to you in so far as one of the grounds stated in Art. 17 GDPR applies, e.g. if the data are no longer required for the pursued purpose.

c. Right to restriction of processing (Art. 18 GDPR):

You have the right to request restriction of the processing in so far as one of the conditions specified in Art. 18 GDPR applies, e.g. for the period required for verification if you have objected to the processing.

d. Right to data portability (Art. 20 GDPR):

In certain cases (specified in detail in Art. 20 GDPR), you have the right to obtain the personal data relating to you in a structured, commonly used and machine-readable format or to request the transfer of these data to a third party. 

e. Right to object (Art. 21 GDPR):

If data are collected pursuant to point (f) of Art. 6 (1) (processing necessary for the pursuit of legitimate interests), you have the right, on grounds relating to your particular situation, to object at any time to the processing. We will then no longer process the personal data unless there are compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

f. Withdrawal of your consent

You have the right to withdraw your consent at any time, effective for the future. Until such time as you have exercised your right to withdraw consent, our processing of your data is lawful.

g. Right of complaint to a supervisory authority

You have the right pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority if you consider that the processing of the data concerning you infringes data protection law. In particular, the complaint may be lodged with a supervisory authority in the member state in which you have your habitual residence, your place of work or the place of the alleged infringement.

14) Questions About Privacy

You may send any questions you have about privacy related to https://supplier.rewe-group.com at any time to:

REWE-ZENTRALFINANZ eG
Data Protection Officer
Domstr. 20
50668 Cologne, Germany
Email: Datenschutz@rewe-group.com
Phone +49 (0) 221-149-0

Last revised: 20/08/2018