Data Protection

Since 2018, the EU General Data Protection Regulation (EU GDPR) has been the framework for the processing of personal data. As virtually every business process is affected by this, it is of utmost importance for the REWE Group to comply with the legal requirements for the processing of such data and the company's internal guidelines on this topic.

Effect

Technological developments are constantly creating new options for data collection and processing. As a result, the importance of and requirements for reliable data protection are increasing. The REWE Group is aware that its business activities also require appropriate data protection. For instance, when users visit the Group's website or use a contact form, the web servers store their data. Applicants also leave their data on the careers page. The same applies to the websites of the sales lines, where, in addition, online services are used, whether for ordering food or booking a trip. This personal data must be protected – whether from internal errors or external attacks. In addition to appropriate security measures, it must always be ensured that all personal data that is collected and processed has a purpose and a legal basis. These statutory stipulations as well as many other requirements pursuant to the EU GDPR and other country-specific regulations can result in great damage to the company's image and also to high fines in the event of a violation.

Principles

The companies of the REWE Group associate the topic of data protection with the responsible processing of personal data.

Compliance with the principles of data protection is therefore a high priority for the REWE Group, from the lawful processing of personal data to data processing appropriate to the purpose and ensuring adequate data security. The REWE Group attaches major importance to this – also in view of the increasing online offerings of its sales lines.

In 2018, the Board of Managing Directors of the REWE Group has made the following commitment on the topic of data protection: "The objective of the REWE Group as a group of trade and tourism companies is to offer its customers comprehensive products and outstanding services. To achieve this, it is necessary to see the large amount of available data as an opportunity and to use it in such a way that the range of services is designed to meet demand and processes become more efficient in the course of digitalisation. When using customer data, but also the data of employees or business partners, it is vital for the REWE Group to comply with the statutory stipulations for the processing of personal data. This is important to secure and deepen the existing trust and thus ensure the long-term success of the companies of the REWE Group."

In order to achieve its objective, so-called "Lessons Learned Workshops" are regularly held on selected elements of the Compliance Management System (CMS) for data protection, such as data protection-relevant roles, processes and tools or aids in the form of templates and checklists.

Responsibility and Resources

The REWE Group's data protection organisation, which was expanded in 2018, covers all responsibilities required pursuant to the EU GDPR, such as those relating to accountability, data protection governance, implementation, advice, monitoring or coordination. The existing roles of the "persons responsible", i.e. the management bodies, specialist departments and the data protection officer, have been supplemented by the roles of the data protection governance function, the data protection business segment officer and the data protection coordinator.

Combine-wide data protection governance, the management of the REWE Group's data protection board as well as the consolidation of reporting and controls are the responsibility of the central data protection management. It is also responsible for promoting synergies between the activities of the data protection coordinators and data protection officers and for providing information and training campaigns for the REWE Group.

The REWE Group's data protection board ensures that the combine-relevant implementation requirements for data protection rulings during the year are clarified and made available to those responsible via the data protection organisation. Regulatory requirements for more than one year are provided via the Combine Guideline.

The data protection business segment officers are also responsible for ensuring that sufficient resources are available to implement data protection. As part of this, they appoint the data protection coordinators for their business segment. These are the central contact persons in their business units and support the respective departments both through coordination and advice during implementation. Further to the supplementary data protection advice and monitoring by the data protection officers, the data protection coordinators are one of the key success factors for the implementation of the data protection requirements.

The data protection officers report directly to the management of the companies or to the central data protection management of the REWE Group. This in turn reports regularly to the Executive Board and the Supervisory Board of the Group. In 2022, there were 15 (2021: 25) data protection officers within the REWE Group. The reduction vs the previous year is mainly due to social changes and the associated reassignment of data protection officers.

Implementation

The REWE Group pursues its objective by establishing and implementing a combine-wide Compliance Management System (CMS) on the topic of data protection and, simultaneously the combine-wide data protection governance function, which

• ensures that the compliance system is in place throughout the REWE Group, and
• in the course of which, translates relevant external laws and court rulings into combine-wide internal regulations and makes them available within the company, e.g. in the form of a Combine Guideline.

All established components of the combine-wide CMS on the topic of data protection are aligned with the associated auditing standard (PS) 980 of the Institute of Public Auditors in Germany (IDW). They include all required basic elements, such as organisation, risk management and the constant monitoring and improvement of the CMS. To this end, all elements of the CMS are continuously reviewed for the REWE Group data protection in accordance with the so-called PDCA cycle (plan–do–check–act).

Irrespective of the audits conducted by Auditing, the following formats are currently established for controls and continuous improvement:

• Monitoring by the respective data protection officers according to the EU General Data Protection Regulation (GDPR), including audits of selected REWE Group areas and external order processors
• Data protection as a component of combine-wide risk management (RM) and the internal control system (ICS)
• Combine-wide key figure reporting, including data protection-relevant documentation

Twice a month, the data protection organisation holds a regular meeting to exchange information and experiences, create synergies and identify potential for optimisation. Specific measures are derived and implemented, if required.

If customers, employees, business partners or supervisory authorities make data protection-related enquiries to the REWE Group companies, these are documented, checked and processed within the scope of the company's data protection organisation. The internally and externally appointed data protection officers work to ensure that personal data and the processing programmes used for this purpose are in compliance with the law. They also accompany the further development of company-specific data protection and data security measures and advise the organisational units and departments and are supported by the data protection coordinators throughout the Combine.

In the reporting period, the tool support for mapping the lists of processing activities was checked for any need for improvement and measures were derived from this. Their implementation has started and will be continued in the next reporting period.

Furthermore, the existing aids in the form of templates and checklists were reviewed for selected data protection topics and revised, updated and supplemented with new aids, where necessary.

Moreover, a major focus in the reporting period was on promoting awareness: In 2022, the REWE Group has conceived a combine-wide campaign to raise awareness of both data protection and information security. The campaign is planned for the long term beyond 2022. Synergies in content are to be used in individual topic modules and both topics are to be communicated holistically, each with a different focus. The data security of both personal and non-personal data is an example for this. The focus is on topic- and target group-oriented training offers as well as awareness-raising measures such as a concerted phishing simulation. Various formats and media channels are used for the entire campaign.

The campaign was launched in the reporting period with the first topic module "Security@Home", which goes far beyond statutory obligations: Employees receive an introduction as well as related recommendations and tips on security aspects for the private – and not work-related – set-up and use of their private computers.

Involvement of Stakeholders

The responsible processing of personal data as part of all business processes was assessed by the stakeholders of the REWE Group as a relevant topic for the company in the Materiality Analysis. They are informed annually about the effectiveness of measures taken via the Sustainability Report and in various dialogue formats (see Stakeholder Dialogue). This exchange allows stakeholders to provide important input on the issue.

Internally, there are various coordination, reporting and exchange formats for the members of the data protection organisation to use among themselves and with their respective line organisations as well as with areas relevant to the topic interface, such as information security or IT. In addition to needs-based status reports to the Executive Board and Supervisory Board, including coordination of further action, the central data protection management provides the respective stakeholders with the combine-wide key figures as part of various REWE Group reporting formats.

Externally, the REWE Group actively contributes its knowledge and practical experience on the topic of data protection in cross-company committees and associations in order to share existing knowledge and promote data protection and related practical solutions across company and industry boundaries. The REWE Group also engages in dialogue with politicians as part of its public affairs activities on the topic of data protection.

Customers, suppliers and partners, as well as other stakeholders, can submit their grievances or comments. For this purpose, the REWE Group has established reporting and grievance mechanisms. For more information, please refer to the Compliance section.

A crisis hotline is available to the REWE Group employees throughout the combine to report data protection incidents. It can be called around the clock, every day ("24/7 availability"). Furthermore, data protection-specific mailboxes are available for employees to clarify questions and comments.

Reports or grievances can also be submitted in the context of data protection via the various media channels of the REWE Group companies, such as their websites or apps, and data subject rights can also be asserted. The possible entry channels and contact persons are noted in each case under the data protection information.

All grievances and notifications of potential data protection violations or breaches (2022: 241 cases; 2021: 277 cases) were reviewed, processed and documented with regard to data protection relevance and situation. In 13 cases (2021: 28) data protection supervisory authorities were involved. These were either data protection violations that had been identified internally and were subject to mandatory reporting or incidents that were reported to the REWE Group by supervisory authorities. The facts were analysed, technical or organisational measures were adapted where necessary and the requesting body – person affected or supervisory authority – was informed of the results and any measures taken. The REWE Group strives to reduce the risk to a minimum, particularly with regard to data theft and loss of data protection in connection with customer data.