Domstrasse 20
50668 Cologne
Phone: +49 (0)221 149-0

Management Board
Lionel Souque (CEO)
Jan Kunath (Deputy CEO)
Sören Hartmann
Dr Christian Mielsch

Chairman of the Supervisory Board
Erich Stockhausen

Co-operative society register
Amtsgericht Köln (GnR 631)

VAT identification number
DE 122 789 630

Auditing Association: DGRV - Deutscher Genossenschafts- und Raiffeisenverband e.V., Berlin

All rights reserved.

Consumer arbitration:
REWE-ZENTRALFINANZ eG and REWE - Zentral AG do not participate in the dispute resolution proceedings of a consumer arbitration board and are not obliged to do so.

Data protection

Data Privacy Statement for the CI Net of REWE Group
(Last update: January 2021)

REWE-ZENTRALFINANZ eG (hereinafter referred to as “REWE”) is the operator of the Corporate Identity Net (CI Net) of REWE Group: (hereinafter referred to as "website"). In the following data privacy statement, REWE will inform you about the extent to which data related to the visit and use of our website is collected and about the purposes for which this data is used.
Furthermore, REWE will explain the rights to which you are entitled in this regard.

1. Details of the responsible company and data protection officer

Responsible company:
Domstrasse 20
50668 Cologne
Phone: +49 (0) 221 149-0

The data protection officer of REWE-ZENTRALFINANZ eG can be contacted at:

Data protection officer
Domstr. 20
50668 Cologne



2. What is personal data?
Personal data denotes individual details concerning the personal or material circumstances of an identified or identifiable natural person. That includes information such as your real name, address, telephone number and date of birth (if stated). Statistical anonymous information that cannot be directly or indirectly connected to you – including the popularity of individual websites we offer or the number of visitors to a page – is not considered to be personal data.


3. General information about the processing and use of personal data when visiting the website.
When you visit our website, the web server will store the connection data by default for system security purposes. Data is processed in accordance with Section 6 Paragraph 1 Letter b and f of the General Data Protection Regulation (GDPR) and with the purpose of ensuring system security and of analysing the availability of the website.
This recorded data set consists of:

· the page that was accessed
· the date and time of the request
· the amount of transmitted data,
· the IP address of the requesting computer
· the browser and the operating system from which the page was accessed,
· the page from which the visit was started,
· the status code of the page visit

This data is stored for 30 days.

4. Cookies / Website analysis / Tracking:

Cookies: We use cookies in certain sections of our website for such purposes as determining the preferences of visitors and creating an optimal design of the website. This facilitates navigation and a high degree of user friendliness on a website. Cookies also help us to identify particularly popular areas of our website. Cookies are small files that are downloaded onto the hard drive of a visitor’s computer. They enable us to make information available for a specified period of time and to identify the visitor’s computer. We use permanent cookies to improve user experience and individual performance. We also use session cookies that are deleted automatically when you close your browser. You can set your browser in such a way that it will inform you about the placement of cookies. This will make the use of cookies transparent to you. Remember: If you completely block the use of cookies, you may be unable to use individual functions of our website. We use the following categories of cookies on our website:

Strictly necessary cookies: These services, technologies and cookies are required to secure the main functions of the portal and the contract performance toward customers and cooperation partners. The legal basis for the use is Section 25 Paragraph 2 No. 2 of the Telecommunications and Telemedia Data Protection Act (TTDSG) in conjunction with Article 6 Paragraph 1 Sentence 1 Letter b (Entering into or performance of a contract), Letter c (in case of legal obligation) and/ or Letter f GDPR (legitimate interest). The latter case refers particularly to the monitoring of the technical performance of the website and of our interest in the economic use of partner sales channels. Thus, they are unable to be deactivated by you as a website user in our Consent Management System. These are the following services:

a) Consent Management Platform (CMP)
The processing steps in this category enable the user to individually manage his/her data transfer. The Consent Management Platform is used to query the user’s decision, to document it and transfer it to other systems. In the process, the following technologies and providers are used: e.g. Usercentrics ( and TYPO3.

Your personal data is stored for a period of time as long as the browser session. 

b) Basic web analytics: The processing procedures within this category are used for the following purposes: for non-personal traffic analytics, incident monitoring and alerting, fraud detection, IT management, range measurement, product development and improvement and navigation tracking, e.g. Matomo.

5. Collection and handling of personal data as part of the user profile
You have to get registered once before the first use. We require the following data from you, if you are registering as an external service provider/user:

· e-mail address,
· password,
· form of address,
· first name, surname,
· company or institution

If you are registering as an employee of a REWE Group company, we require the following data from you: 

· e-mail address,
· password,
· form of address,
· first name, surname,
· company
· department.

In both registration options, you can voluntarily submit us your telephone number.
We will use the data provided during the registration process for the following purposes:

· To provide your user profile with access to our website,
· to verify the registration,
· to conduct analyses for statistical purposes.

We use your data to answer your request. The data processing is carried out on the basis of our legitimate interest (Section 6 Paragraph 1 Letter f GDPR, based on the interest of being able to provide our employees with the CI Net service). The data you enter will be transmitted via a secure https/SSL connection.

Your data will be deleted within a period of 90 days after processing unless it must be stored for a longer period of time for reasons of verifiability, customer support or legally required retention periods.

6. Use of service providers / Data processing in countries outside the European Economic Area

REWE is employing service providers that provide certain services and process your data. They host your data in a secure computer center and they maintain and analyse databases (so-called contract data processing). These providers process data exclusively under the instruction of REWE and have been obliged to comply with the applicable data protection regulations. Contract processors have been carefully selected. They gain access to your personal data only to the extent and for the period of time that is required and only to the extent to which you have agreed to data processing and use.

The servers of some of the providers employed by REWE are located in the United States and other countries outside the European Union. Data protection laws governing companies in these countries generally provide less protection for personal data than do the laws in force in the European Union’s member states. If your data is handled in a country in which data is not afforded the same level of protection as in the European Union, REWE makes contractual arrangements or uses other approved instruments to ensure that your personal data is appropriately protected.


7. Automated decision making, profiling
On our website, no automated decision making or profiling in connection with your personal data is conducted.

8. Storage and deletion periods
Your personal data is stored for the period of time necessary to fulfil the above mentioned purposes and as long as there are no obligations or periods of retention to the contrary. Please find the relevant deletion periods in the corresponding paragraphs in this data privacy statement.

In case of user inactivity your user account is automatically anonymised after 365 days. Afterwards, it is deleted unless there are any legal or contractual periods of retention. Further details can be found in the sections above.


9. Requesting information, correcting and deleting data


9.1 Requesting information
You can request information about your personal data processed by us.

9.2 Correcting data
If your data is not correct (any more), you have the right to request the correction of your data. If your data are incomplete, you have the right to request the completion of the data.


9.3 Deleting data
You have the right to have your data deleted. Please note that the right to deletion depends on the existence of a legitimate reason. Moreover, regulations that oblige us to store your data must not exist.


9.4 Restriction of data processing
You have the right to request the restriction of the processing of your data. Please note that the right to restriction of processing depends on the existence of a legitimate reason.


9.5 Objection
You have the right to object to the processing of your data for reasons that arise from your particular situation with effect for the future. In case of a justified objection, we will no longer process your data. The processing of your personal date will remain legitimate until the effective objection.


9.6 Right to complaint
You have the right to lodge a complaint with a data protection supervisory authority, if you do not agree to the processing of your data.


9.7 Data portability
You have the right to receive the personal data you have submitted to us in an electronic format.