REWE Group Sustainability Report 2018

Data protection

Technical developments are constantly creating new possibilities for collecting and processing data. As a result, the importance of and requirements for reliable data protection are increasing. In 2018, the EU General Data Protection Regulation (EU GDPR) created a new framework for the processing of personal data. As an international company, REWE Group processes personal data in its daily activities. The protection of this data has the highest priority.

GRI 418: Customer privacy

Management approach

As a matter of principle, the companies of REWE Group handle personal data confidentially. REWE Group secures this data in accordance with current legal requirements. REWE Group has made this practice a high priority, particularly in light of the growing online offerings from its sales brands.

Every data protection enquiry that is submitted to the companies of REWE Group by customers or supervisory authorities is documented, reviewed and processed. Internal and external data protection officers (DPO) ensure legally compliant handling of personal data and the processing programmes used. In addition, they continue to develop company-specific data protection and data security measures and advise organisational units and departments. The data protection officers report directly to the top management level of the companies or to the Management Board of REWE Group. In the 2018 financial year, there were six data protection officers within REWE Group.

In addition to the data protection officers, two further roles were established in 2018 to ensure data protection compliance within the meaning of the EU GDPR. Since 2018, all organisational units have also had support from data protection coordinators (DSC). In addition, the Central Data Protection Management team was established. This team is responsible for Group-wide regulatory authority regarding data protection, guidance of the REWE Group Data Protection Board, consolidation of reporting and controls and, in the course of this, reporting to the Management Board and Supervisory Board. Furthermore, it promotes synergies between the activities of the data protection coordinators and data protection officers, as well as information and training campaigns for REWE Group.

Commitment to data protection

The Group Management Board of REWE Group made the following commitment to data protection during the financial year: “The aim of REWE Group as a group of trade and tourism companies is to offer its customers comprehensive offers and outstanding services. To achieve this, it is necessary to realise that the multitude of data available is an opportunity and to use it in such a way that the range of services is tailored to suit needs and processes are completed more efficiently in the course of digitalisation.


When using this customer data, but also the data of employees or business partners, it is crucially important that REWE Group complies with legal requirements for the processing of personal data. This is important in order to secure and deepen existing trust and thus ensure the long-term success of the companies of REWE Group.”

In addition to expanding the data protection organisation, REWE Group worked on many other data protection issues and carried out actions during the reporting period as part of implementing the EU GDPR: from introducing a new privacy policy and revising data protection-relevant documentation to adapting processes relating, for example, to the rights of data subjects. Further training opportunities for the handling of personal data were also created, which include information regarding any changes and updates to the EU GDPR. This should further increase employee awareness in this area. The offerings include an eLearning module aimed at achieving a more sensitive handling of personal data, as well as classroom training sessions that demonstrate the practical implementation of this topic at REWE Group for the respective target group. The eLearning campaign is mandatory across all employee levels, including the management team and the Management Board.

GRI 418-1: Substantiated complaints concerning breaches of customer privacy and losses of customer data

In the 2018 financial year, with the EU GDPR coming into effect, enquiries regarding the rights of data subjects increased Group-wide from 25 May 2018 to September of that year. This number has been falling again since October.

All complaints and reports of potential data protection violations or breaches (120 cases in 2018) have been reviewed, processed and documented. Complaints received by the supervisory authorities or directly by REWE Group from 25 May 2018 onwards have turned out to be unfounded, with the exception of two cases. The two justified complaints concerned the processing of data subjects’ rights, which did not take place on time. Of the (potential) data protection violations or breaches identified internally at REWE Group, 13 cases had to be reported to the authority and, in part, to the data subjects. In most cases, these concerned human errors, such as the swapping of documents in envelopes.

Allegations made in all cases are analysed, technical or organisational measures are changed where necessary and the complaining party – either a data subject or supervisory authority – is notified about the findings and potential measures to be taken as a result.
