Technological developments are creating more and more data collection and data processing possibilities. This development increases the importance of and the requirements for reliable data protection. The EU General Data Protection Regulation (GDPR) that took effect in 2018 created a new framework governing the processing of personal data. As an international company, the REWE Group processes personal data as part of its daily operations. Protecting this data is the company’s highest priority.
GRI 418: Customer privacy
The companies of the REWE Group confidentially handle personal data as a matter of course. The REWE Group protects this data in accordance with legal requirements. The company has made this practice a high priority – particularly in light of the growing online business that is being conducted by its sales brands.
Every data protection question sent to the companies of the REWE Group by customers or supervisory authorities is documented, reviewed and processed by the data protection organisation. Internal and external data protection officers ensure that the handling of personal data and the processing programmes used in this work comply with laws. They also assist in refining company-specific data protection and data storage measures and advise organisational units and specialist departments. Data protection coordinators throughout the combine assist and support them. The data protection officers report directly to the top management level of the companies or to the REWE Group’s central data protection management team. In turn, these managers report to the Management Board and Supervisory Board of the REWE Group. The REWE Group had 25 data protection officers in 2021.
The central data protection management organisation assumes responsibility for combine-wide governance on data protection, the leadership of the REWE Group Data Protection Board and the consolidation of reporting and controls. In addition, it is responsible for promoting synergies between the activities of the data protection coordinators and data protection officers and for providing information campaigns and training programmes for the REWE Group.
The REWE Group’s Data Protection Board ensures that the implementation requirements for court rulings on data protection during the year that are relevant to the Group are clarified and provided to controllers via the data-protection organisation.
Commitment to data protection
The Group Management Board of the REWE Group made the following commitment to data protection in 2018: “The objective of the REWE Group as a group of trade and tourism companies is to provide a comprehensive range of products and exceptional services to its customers. In this process, the extensive amount of data available to the company must be viewed as an opportunity and be used in a way that designs the range of services to meet customer needs and that makes processes more efficient as part of digitalisation. In using this customer data as well as the data of employees and business partners, the REWE Group understands the imperative need to observe legal regulations governing the processing of personal data. The company must take this approach to safeguard and bolster existing trust and thus secure the long-term success of the REWE Group.”
During the reporting period, the reporting system for audit plans and reports was optimised along with the existing combine-wide reporting system on data protection. The activity reports of the data protection officers were improved as well. The improvements helped to increase transparency about relevant areas of action for all key participants. In addition, the experience gained in the implementation of the EU GDPR and court rulings on various data protection issues during the year were evaluated. The results flowed into the optimisation of data-protection-relevant documentation and processes. Target-group-focused training courses offered as in-person classes or digital programmes – due to the Covid-19 pandemic – were expanded further.
During the financial year, new legal questions related to data protection arising from the coronavirus pandemic were addressed. Necessary measures were then developed and implemented. The data protection officers advised the respective specialist departments at the REWE Group and reviewed the permissibility or the impermissibility of measures – for instance, regarding the legally mandated recording of verification of compliance with a German pandemic-related regulation. Under this requirement, an individual had to have been vaccinated, recovered from a Covid-19 infection or tested for the coronavirus before he or she would be admitted to closed areas like shops. The basis of the decisions included guidelines issued by data protection supervisory authorities regarding the handling of personal data, including employee health data by employers. The REWE Group also provided its employees with in-depth information about the Covid-19 pandemic and data protection on a portal.
Substantiated complaints concerning breaches of customer privacy and losses of customer data
In 2021, the rights of data subjects for the customers of the REWE Group were successfully clarified and completed on time.
All complaints and reports about potential data protection infringements or violations (2021: 277 incidents; 2020: 189 incidents) were reviewed, processed and documented. Data protection supervisory authorities were involved in 28 cases. These cases addressed either internally determined and reportable data protection violations or issues that supervisory authorities reported to the REWE Group. The underlying facts were analysed, technical or organisational measures were changed where necessary and the complaining party – either a data subject or supervisory authority – was notified about the findings and potential measures to be taken as a result.