As a matter of principle, the companies of REWE Group handle personal data confidentially. REWE Group secures these data in accordance with current legal requirements. REWE Group has made this practise a high priority, particularly in light of the growing online offerings from its sales brands.
Every data protection inquiry that is submitted to the companies of REWE Group by customers or supervisory authorities is documented, reviewed and processed. Internal and external data protection officers (DPO) (ten DPOs for 611 companies in 2017) ensure legally compliant handling of personal data and the processing programmes used. In addition, they continue to develop company-specific data protection and data security measures and advise organisational units and departments. The data protection officers report directly to the top management level of the companies or to the Management Board of REWE Group.
During the reporting period, important topics, due to the associated expenditure, were the deployment of external IT service providers within the scope of order data processing, video surveillance in stores that is subject to prior control by the DPO, and activities in connection with the EU General Data Protection Regulation (EU GDPR).
Due to the commencement of the GDPR in 2016 and its implementation by 25 May 2018, REWE Group was faced with certain requirements, such as adapting existing guidelines, operational and organisational structures, training material and document templates. In this context, there will also be extended documentation and information requirements, privacy impact assessments and the rights of data subjects to access, rectification, erasure and portability of data. REWE Group prepared itself for the GDPR with external support and has started its implementation activities.
1All non-Austrian country companies for PENNY and BILLA are listed together.
In the 2017 reporting year, there was one complaint in REWE Group companies regarding a breach of customer privacy that the organisation accepted as substantiated. This related to the incorrect naming of a service provider. There were no data leaks, data theft or data losses. No complaints were filed during the same period at REWE Group in Austria.
Allegations made in complaints are analysed, technical or organisational processes are changed where necessary and the complaining party – either a data subject or supervisory authority – is notified about the findings and potential measures to be taken as a result.