Technical developments are constantly creating new possibilities for collecting and processing data. As a result, the importance of and requirements for reliable data protection are increasing. In 2018, the EU General Data Protection Regulation (EU GDPR) created a new framework for the processing of personal data. As an international company, REWE Group processes personal data in its daily activities. The protection of this data has the highest priority.
As a matter of principle, the companies of REWE Group handle personal data confidentially. REWE Group secures this data in accordance with current legal requirements. REWE Group has made this practice a high priority, particularly in light of the growing online offerings from its sales brands.
Every data protection enquiry that is submitted to the companies of REWE Group by customers or supervisory authorities is documented, reviewed and processed. Internal and external data protection officers (DPO) ensure legally compliant handling of personal data and the processing programmes used. In addition, they continue to develop company-specific data protection and data security measures and advise organisational units and departments. The data protection officers report directly to the top management level of the companies or to the Management Board of REWE Group. In the 2018 financial year, there were six data protection officers within REWE Group.
In addition to the data protection officers, two further roles were established in 2018 to ensure data protection compliance within the meaning of the EU GDPR. Since 2018, all organisational units have also had support from data protection coordinators (DSC). In addition, the Central Data Protection Management team was established. This team holds group-wide regulatory authority for data protection and is responsible for guidance of the REWE Group Data Protection Board, consolidation of reporting and controls and, in the course of this, reporting to the Management Board and Supervisory Board. Furthermore, it promotes synergies between the activities of the data protection coordinators and data protection officers, as well as information and training campaigns for REWE Group.
In the 2018 financial year, with the EU GDPR coming into effect, enquiries regarding the rights of data subjects increased group-wide from 25 May 2018 to September of that year. This number has been falling again since October.
All complaints and reports of potential data protection violations or breaches (120 cases in 2018) have been reviewed, processed and documented. Complaints received by the supervisory authorities or directly by REWE Group from 25 May 2018 onwards have turned out to be unfounded, with the exception of two cases. The two justified complaints concerned the processing of data subjects’ rights, which did not take place on time. Of the (potential) data protection violations or breaches identified internally at REWE Group, 13 cases had to be reported to the authority and, in part, to the data subjects. In most cases, these concerned human errors, such as the swapping of documents in envelopes.
In all cases, the allegations made are analysed, technical or organisational measures are changed where necessary, and the complaining party – either a data subject or a supervisory authority – is notified about the findings and any measures to be taken as a result.