1. Who is the controller for data processing?
The controller for the processing of your personal data is:
REWE digital GmbH
Domstraße 20
50668 Cologne, Germany
Tel.: +49 221 149-0
Email: info@rewe-group.com
2. Who should you contact with questions about data processing?
You can contact the controller’s data protection officer at:
REWE digital GmbH
Data Protection Officer
Domstraße 20
50668 Cologne, Germany
Email: dsb-digital@rewe-group.com
3. What data is processed for what purpose and on what legal basis?
3.1 Visiting the website
Every time you visit our website, your browser automatically transmits data, which is saved in the server logfiles. The following data is transmitted (“logfile data”):
information about the browser type and browser version used;
- the page that was accessed;
- the page from which the website was accessed;
- the volume of data transmitted;
- the user’s operating system;
- the internet service provider and IP address of the user;
- the date and time of access.
We have the logfile data analysed anonymously in order to improve the website continuously, adapt the website to the interests of our users and rectify errors more quickly.
Legal basis:
Our legitimate interest in data processing in accordance with Art. 6(1) point (f) GDPR is the basis for these purposes.
The logfile data is used in non-anonymised form only to identify faults and to ensure system security, including detecting and investigating attempts at prohibited access and attempted fraud and misuse.
Legal basis:
This data processing is also based on our legitimate interest in accordance with Art. 6(1) point (f) GDPR.
3.2 Information
This privacy policy applies exclusively to the site https://supplier.rewe-group.com, including any subpages. At https://supplier.rewe-group.com you have the option to access other REWE websites, including www.rewe-group.com. These sites, which do not begin supplier.rewe-group.com, have their own privacy policies, which can be found on the sites in question.
Legal basis:
The legal basis for the data processing described is Art. 6(1) point (b) GDPR, for the purpose of entering into or fulfilling a contract. This also includes the associated customer support. Art. 6(1) point (f) also applies (legitimate interest of REWE digital in providing you with a user-friendly website).
3.3 Areas with restricted access (customised area)
Registration is carried out on the basis of an invitation from REWE Group Buying. We use the data that you send to us in the course of registration to ensure access to the protected area and the applications provided for you on the REWE Group Supplier Portal.
You can change or delete your profile in the account at any time. The data is then automatically removed from our system.
The following data is collected from you for areas with restricted access:
- Obligatory fields:
username, first name, surname, email address, phone number (office), choice of language
- Optional information:
role designation, office hours, telephone number (outside office hours), mobile number, fax
Legal basis:
The legal basis for the data processing described is Art. 6(1) point (b) GDPR for the purpose of entering into or fulfilling a contract and Art 6(1) point (f) GDPR (legitimate interest in authentication for access to restricted areas).
3.4 Cookies and other technologies (website analysis/tracking)
In some areas of our website we use cookies, e.g. to identify the preferences of visitors and present the website accordingly. This facilitates navigation and makes the site extremely user-friendly. Cookies also help us to identify particularly popular areas of our website.
Cookies are small text files that are stored on the hard drive of your end device. They allow us to keep information for a specific period and to identify your end device. We use permanent cookies for better user navigation and presentation of certain services. We also use session cookies, which are automatically erased when you close your browser. You can set your browser to notify you when cookies are set.
This makes the use of cookies transparent to you.
Please note: If you prevent the use of cookies completely, you may not be able to use certain functions of our website.
3.4.1 Essential technologies
Session cookies work with a temporary session ID for each user. In the case of LPA tokens, the encrypted internal REWE user ID is used. These cookies are essential for you to move around the website and use its functions, such as accessing password-protected areas. Without these cookies, we are not able to provide certain services required by you. We always use necessary cookies to identify registered users clearly, so that they can be recognised during the session and when they visit the website again. Only use session cookies to manage your visit, and they are automatically erased when you close your browser. This means that no data is permanently stored on your device.
These services, technologies and cookies are required to provide central functions of the portal and to fulfil contracts with customers and cooperation partners.
Legal basis:
The use of cookies is on the basis of Section 25(2) no. 2 of the German Telecommunications-Telemedia Data Protection Act (TTDSG) in conjunction with Art. 6(1) sentence (1) point (b) GDPR (initiation or performance of a contract) and point (f) GDPR (overriding legitimate interest). The latter interests include, in particular, monitoring technical performance and ensuring the functionality of the website.
4. Is there an obligation to provide data?
The provision of data is not prescribed by law. However, some of the data described is necessary to allow (technical) use of our website.
5. Is automated processing for profiling used?
Your personal data is not used either for automated decision-making or profiling.
6. Who has access to your data and for what reason?
Within REWE digital, only those persons who require your data to complete the work assigned to them have access to it. Outside REWE digital, service providers who support us in completing our tasks have access to your data. They are service providers in the following categories:
- Hosting service providers for the operation of our servers
- Development service providers for programming, development, maintenance and support for software applications
- Analytical service providers for evaluation of data and analysis of the use of electronic media
Service providers used by us must meet special confidentiality requirements. They are given access to your data only to the extent and for the period necessary for them to complete their work.
In the case of suspicion of a criminal act, we may pass your data on to the criminal investigation authorities (police, state prosecutor).
7. Is the data processed outside the European Union?
We may use service providers located in third countries outside the European Union to process your data. Countries outside the European Union handle the protection of personal data differently from countries within the European Union. There is currently no decision from the EU Commission that these third countries offer an appropriate level of protection in general. We have, therefore, taken special measures to ensure that your data is processed as securely in the third countries as it is within the European Union. With service providers in third countries, we conclude the data protection contract (standard data protection clauses) provided by the Commission of the European Union for processing of personal data in third countries. This provides appropriate guarantees for the protection of your data with service providers in third countries. For further information, please approach the contact specified under 2.
8. For how long is my data stored?
We only ever store your data for as long as we need it for the respective processing purposes. When the data is no longer required for the processing purposes specified in this privacy policy, it is erased unless its retention is still necessary to meet retention obligations under commercial or tax law. We usually erase your data after the following periods or set the erasure period according to the criteria specified:
- We store your IP address for 7 days and then erase it. Logfile data retention, which is necessary for evidentiary purposes is excepted from erasure until the final clarification of the incident in question.
- We store your personal data as long as it is required for use of the customised area of the REWE Group Supplier Portal.
9. What rights do you have?
9.1 Access to information
You can request information about your personal data processed by us.
9.2 Rectification
You can request rectification of your data if the information is not/no longer accurate. If your data is incomplete, you can request completion.
9.3 Erasure
You have the right to request erasure of your data. Please note that the right to erasure depends on the existence of a legitimate reason. There must also be no regulations that require us to retain your data.
9.4 Restriction of processing
You have the right to request restriction of processing of your data. Please note that the right to restriction of processing depends on the existence of a legitimate reason.
9.5 Objection
You have the right to object to the processing of your data for reasons resulting from your particular situation. In the case of a legitimate objection, we will stop processing your data.
9.6 Right to lodge a complaint
You are entitled to lodge a complaint with a data protection supervisory authority if you do not agree to the processing of your data.
9.7 Data portability
You have the right to obtain the personal data that you have communicated to us in an electronic format.
9.8 Withdrawal of consent
You may withdraw your consent to data processing at any time with effect for the future. The withdrawal does not affect the lawfulness of the data processing carried out before the withdrawal.
|
