Data Privacy Statement for the CI Net of REWE Group
(Last update: April 2023)

REWE-ZENTRALFINANZ eG (hereinafter referred to as “REWE”) is the operator of the Corporate Identity Net (CI Net) of REWE Group: www.ci-net.rewe-group.com (hereinafter referred to as "website"). In the following data privacy statement, REWE will inform you about the extent to which data related to the visit and use of our website is collected and about the purposes for which this data is used.
Furthermore, REWE will explain the rights to which you are entitled in this regard.
 

1. Details of the responsible company and data protection officer

Responsible company:
REWE-ZENTRALFINANZ eG
Domstrasse 20
50668 Cologne
Phone: +49 (0) 221 149-0

The data protection officer of REWE-ZENTRALFINANZ eG can be contacted at:

REWE-ZENTRALFINANZ eG
Data protection officer
Domstr. 20
50668 Cologne

E-mail: datenschutz@rewe-group.com

 

2. What is personal data?
Personal data denotes individual details concerning the personal or material circumstances of an identified or identifiable natural person. That includes information such as your real name, address, telephone number and date of birth (if stated). Statistical anonymous information that cannot be directly or indirectly connected to you – including the popularity of individual websites we offer or the number of visitors to a page – is not considered to be personal data.

 

3. General information about the processing and use of personal data when visiting the website.
When you visit our website, the web server will store the connection data by default for system security purposes. Data is processed in accordance with Section 6 Paragraph 1 Letter b and f of the General Data Protection Regulation (GDPR) and with the purpose of ensuring system security and of analysing the availability of the website.
 
This recorded data set consists of:

· the page that was accessed
· the date and time of the request
· the amount of transmitted data,
· the IP address of the requesting computer
· the browser and the operating system from which the page was accessed,
· the page from which the visit was started,
· the status code of the page visit

This data is stored for 7 days and then automatically deleted.


4. Legal basis and purposes of data processing

Necessary technologies

These services, technologies and cookies are necessary to guarantee central functions of the website. They are used on the legal basis of § 25 para. 2 no. 2 TTDSG in conjunction with. Art. 6 para. 1 sentence 1 lit. b) (contract initiation or fulfilment), and/ or lit. f) DSGVO (overriding legitimate interests). The latter interests are monitoring the technical performance of the website. The following services are involved.

a) Strictly necessary cookies

Cookie key	Expiration	Domain	Description
fe_typo_user	Session	ci-net.rewe-group.com	Used to identify a session ID when logged-in to the TYPO3 Frontend

 

b) Performance Cookies / Basic Web Analytics

Cookie key	Expiration	Domain	Description
_pk_id.13.9992	13 months	stats.rewe-group-nachhaltigkeit.de/piwik	Used to store a few details about the user such as the unique visitor ID
_pk_ref.13.9992	6 months	stats.rewe-group-nachhaltigkeit.de/piwik	Used to store the attribution  information, the referrer initially used to visit the website
_pk_ses.13.9992	30 minutes	stats.rewe-group-nachhaltigkeit.de/piwik	Short lived cookies used to temporarily store data for the visit

 

The user data collected through technically necessary cookies are not used to create user profiles.

5. Collection and handling of personal data as part of the user profile
You have to get registered once before the first use. We require the following data from you, if you are registering as an external service provider/user:

· e-mail address,
· password,
· first name, surname,
· company or institution

If you are registering as an employee of a REWE Group company, we require the following data from you: 

· e-mail address,
· password,
· first name, surname,
· company
· department

In both registration options, you can voluntarily submit us your telephone number.
We will use the data provided during the registration process for the following purposes:

· to provide your user profile with access to our website,
· to verify the registration,
· to conduct analyses for statistical purposes

We use your data to answer your request. The data processing is carried out on the basis of our legitimate interest (Section 6 Paragraph 1 Letter f GDPR, based on the interest of being able to provide our employees with the CI Net service). The data you enter will be transmitted via a secure https/SSL connection.

Your data will be deleted within a period of 90 days after processing unless it must be stored for a longer period of time for reasons of verifiability, customer support or legally required retention periods.

6. Use of service providers / Data processing in countries outside the European Economic Area

REWE is employing service providers that provide certain services and process your data. They host your data in a secure computer center and they maintain and analyse databases (so-called contract data processing). These providers process data exclusively under the instruction of REWE and have been obliged to comply with the applicable data protection regulations. Contract processors have been carefully selected. They gain access to your personal data only to the extent and for the period of time that is required and only to the extent to which you have agreed to data processing and use.

The servers of some of the providers employed by REWE are located in the United States and other countries outside the European Union. Data protection laws governing companies in these countries generally provide less protection for personal data than do the laws in force in the European Union’s member states. If your data is handled in a country in which data is not afforded the same level of protection as in the European Union, REWE makes contractual arrangements or uses other approved instruments to ensure that your personal data is appropriately protected.

 

7. Automated decision making, profiling
On our website, no automated decision making or profiling in connection with your personal data is conducted.

8. Storage and deletion periods
Your personal data is stored for the period of time necessary to fulfil the above mentioned purposes and as long as there are no obligations or periods of retention to the contrary. Please find the relevant deletion periods in the corresponding paragraphs in this data privacy statement.

In case of user inactivity your user account is automatically anonymised after 365 days. Afterwards, it is deleted unless there are any legal or contractual periods of retention. Further details can be found in the sections above.

 

9. Requesting information, correcting and deleting data

 

9.1 Requesting information
You can request information about your personal data processed by us.
 

9.2 Correcting data
If your data is not correct (any more), you have the right to request the correction of your data. If your data are incomplete, you have the right to request the completion of the data.

 

9.3 Deleting data
You have the right to have your data deleted. Please note that the right to deletion depends on the existence of a legitimate reason. Moreover, regulations that oblige us to store your data must not exist.

 

9.4 Restriction of data processing
You have the right to request the restriction of the processing of your data. Please note that the right to restriction of processing depends on the existence of a legitimate reason.

 

9.5 Objection
You have the right to object to the processing of your data for reasons that arise from your particular situation with effect for the future. In case of a justified objection, we will no longer process your data. The processing of your personal date will remain legitimate until the effective objection.

 

9.6 Right to complaint
You have the right to lodge a complaint with a data protection supervisory authority, if you do not agree to the processing of your data.

 

9.7 Data portability
You have the right to receive the personal data you have submitted to us in an electronic format.