1. What does this data protection policy cover?

Data protection is a matter of trust, and your trust is important to us. This is why we have published this data protection policy. Having regard to the new European data protection regulation (“GDPR”), this policy sets out what personal data we process, how we process it and for what purposes. Although the GDPR is a European Union regulation, it is important for us. Swiss data protection law (“FADP”) is heavily influenced by European law and the forthcoming revised FADP will incorporate many GDPR provisions. Additionally, businesses located outside the European Union are required to comply with the GDPR in certain circumstances. In any event, we wish to provide the high level of protection offered by the GDPR to all persons whose personal data is processed by us and we have therefore decided to align this data protection policy globally with the GDPR. You may view the GDPR here.

We aim to give you detailed information on how your personal data is processed. This data protection policy therefore provides you with information regarding the manner in which we collect, process and use your personal data and the reasons why we do so. It is important to us that you understand:

  • what personal data relating to you we collect and process;
  • when we collect your personal data;
  • for what purpose we use your personal data;
  • for how long we store your personal data;
  • who has access to your personal data; and
  • what your rights are in relation to your personal data.

You will find relevant observations and explanations below. Do not hesitate to contact us if you have any questions. You will find our details at Who are we?

2. Who are we?

When any data processing takes place, a defined business is the controller in relation to data protection. This is either the business which decides whether specific processing (e.g. processing in relation to the provision of services, during use of a website, etc.) needs to take place, for what purposes it takes place and what principles should apply to it (if such decisions are taken jointly by several businesses, they may also be joint controllers). For data processing under this data protection policy, the controller is, in principle, the business referred to below (“we” or entities derived from it):

Centre Balexert

27, av. Louis-Casaï CP 2845

CH-1211 Geneva 28

We have appointed a data protection officer; you can contact him/her as follows: protection.donnees@migrosgeneve.ch .

In certain circumstances, the controller is another business rather than us:

  • If you are in touch with another business in the Migros group, a retail outlet in the Balexert shopping centre, e.g. if you approach a customer care department, it is this business which is the data controller, unless this data protection policy provides otherwise in relation to the processing in question.
  • In certain circumstances, we send your personal data to another company in the Migros group or to third parties so that these recipients can process personal data for their own purposes (therefore not on our behalf). This may also involve authorities. In such circumstances, the recipient in question is deemed to be the controller. You will find information on such data controllers in the recipient’s corresponding data protection policy; this will generally be available on that recipient’s website.

3. What is “personal data” and what does “processing” mean?

The processing of personal data is governed by data protection law. Personal data (or “data of a personal nature”) means all data which can be associated with a given individual, i.e. a human being. It includes the following information in particular:

  • contact details, e.g. name, postal address, email address, telephone number;
  • other personal information, e.g. sex, date of birth and age, marital situation, nationality;
  • professional information, e.g. occupation, title, position, training, former employers, skills and experience, authorisations, approvals and memberships;
  • information on purchases, e.g. information concerning purchases, orders, purchase histories, preferred times and places of purchase, shopping baskets, preferences and affinity with certain types of products;
  • financial information, e.g. credit card number, account information, credit standing, assets and income;
  • data relating to health, e.g. information concerning physical and mental impairments, treatment and medication;
  • recordings of images, sounds and video;
  • records of websites you have visited and applications you have used.

In Switzerland, personal data is also deemed to include information on a given legal entity (e.g. information on a contract with a business).

Certain personal data is subject to special protection under the legislation. This relates in particular to “sensitive personal data” (also known as “special category data”). This involves, for example, data referring to race or ethnic origin, political views, religious or ideological beliefs or trade union membership, and genetic data, biometric data for unambiguous identification, data relating to health and data concerning one’s sex life or sexual orientation, and also includes data relating to criminal convictions and offences and, where applicable, data relating to welfare benefits.

In principle, we collect your personal data from you directly, e.g. when you behave in a certain way, particularly whenever you communicate with us, visit a website or take advantage of an offer online or via an app or make a purchase from us at an online store and/or by using a customer card. Data may, however, be collected indirectly, e.g. when goods are delivered to another person (e.g. as a gift), when other persons are mentioned during communications with us, or through the purchase of additional information from third-party data sources (e.g. from social media or resellers of addresses).

We do not necessarily process all the categories of personal data referred to under this point. You will find detailed information on your personal data processed by us under What personal data do we process and for what purposes? and in the table at the end of this data protection policy. Depending on the processing, we also inform you by way of a specific data protection policy or in a notice, particularly if the data processing is not self-evident.

Processing” therefore means any use of your personal data. This includes, for example, the following actions:

  • collection and storage;
  • organisation and management;
  • adaptation and modification;
  • listing and searches;
  • use and exploitation;
  • transfer and disclosure;
  • association;
  • limitation;
  • deletion and destruction

4. For whom is this data protection policy intended and why?

This data protection policy applies to the personal data processing we undertake in all our areas of activity. It is applicable to the processing of personal data already collected and to the processing of future personal data. Additionally, for the provision of certain services, additional data protection provisions may be applicable.

The data processing we undertake may relate in particular to the following persons (referred to as the “data subjects”):

  • persons who write to us or contact us in any other way;
  • customers in our shops;
  • visitors to our premises;
  • customers in online stores;
  • users of online offers and applications;
  • persons benefiting from services provided by us or who come into contact with our services;
  • persons visiting our website;
  • recipients of marketing information and correspondence;
  • persons taking part in competitions, promotional games and customer events;
  • persons taking part in market research studies and opinion polls;
  • representatives of our suppliers, customers and other commercial partners;
  • applicants

You will find further information on the processing of data associated with individual offers in the general terms of sale, terms of participation and other similar provisions.

5. What personal data do we process and for what purposes?

We process very different personal data depending on the circumstances and purpose. More detailed information on this point can be found in this paragraph and in the table at the end of this data protection policy and often also in the general terms of sale, terms of participation and additional data protection policies. We process personal data, and potentially special category data, in the following situations for the following purposes:

  • Communication: We process personal data whenever you contact us or we contact you, e.g. whenever you contact a customer service department and write to or phone us. Generally, information such as name and contact details and the content and timing of the notifications in question is all we need. We use this data so that we can reply to you or provide you with information, process your application and communicate with you, and for quality assurance and training purposes. We send notifications, even within the Migros group, to the competent departments of the business, e.g. when your application relates to another business.
  • Purchase of goods and use of services: We also process personal data whenever you use our services, e.g. whenever you purchase goods or services from us. We then process your personal data e.g. to fulfil orders and contracts or for delivery and invoicing. When purchases are made from online stores or where a bonus card or loyalty card is used, we also collect and process personal data relating to your credit standing and your purchasing and payment behaviour. For example, we use information on credit standing to decide whether to offer you a purchase against an invoice, and we process information to find out the type, timing and frequency of your purchases, and the subsidiaries or online stores in or from which you make your purchases so that we can deduce information on your preferences and affinities in relation to certain products or services. This information helps us to provide you with targeted information on other offers and to tailor our offer more precisely in accordance with demand.
  • Loyalty and bonus schemes: We process personal data within the framework of our “Cumulus” loyalty and bonus scheme. In addition to contact details, we also process personal data relating to your use of the scheme and other information, e.g. indications relating to your purchasing habits, preferences and affinities with certain products and services, which help us to provide you with targeted information on other offers and to tailor our offer more precisely to demand. You will find further information on this point in this data protection policy under “purchase of goods and use of services” and in the corresponding general sale terms or the terms of participation in the scheme.
  • Visiting websites: If you visit our websites, we process personal data in accordance with the offer and functionality. This includes technical data, e.g. details of the time when our website was accessed, the duration of the visit, the pages displayed and details of the equipment used (e.g. tablet, PC or smartphone; “device”). We use this data to make the website available, for IT security reasons and to make the website more user-friendly. We also use cookies, which are files stored on the device when you visit our website. In many cases, cookies are required to enable the website to function correctly and they are automatically deleted after the website has been visited. Other cookies are used to customise the offer or to enable us to show you targeted advertising from third-party businesses and are stored for a fixed period (e.g. two years). We also use analytical services, such as Google Analytics. Detailed information on behaviour on the website in question is therefore collected. We may also incorporate functions of service providers, such as Facebook, which enable the service provider in question to obtain data relating to you. In most cases, however, we do not know the names of visitors to the website.
  • Online offers and applications: If you take advantage of any of our online offers, we also process personal data (even if you do not purchase any goods or services). Depending on the type of offer, this includes details of a customer account and its use, and information on the installation and use of mobile applications (“apps”).
  • Information and direct marketing: We process personal data to send information messages and advertising messages. If, for example, you sign up to a newsletter or notification by text messaging service, we process your contact details and also, where email is used, information on your use of notifications (e.g. if you have opened an email and downloaded the images inserted in it) so that we can get to know you better, tailor our offers relating to you and enable us to improve them generally. You can block processing of your usage data in your email program if you are not in agreement with this.
  • Competitions, promotional games and similar events: From time to time we organise competitions, promotional games and similar events. In these circumstances we process your contact details and indications relating to your participation to create competitions and promotional games, where applicable to communicate with you about them and for advertising purposes. Further information on this point can be found in the corresponding terms of participation.
  • Entering our premises: When you enter our premises, we may, for security reasons and for evidential purposes, make video recordings in areas marked accordingly. Further, you have the option of taking advantage of an offer of Wi-Fi. In these circumstances we collect data specific to the device during registration and where applicable we invite you to register, giving your name and email address or mobile phone number.
  • Customer events: When we organise customer events (such as promotional events, sponsored events, cultural and sports events), we also process personal data. This includes the name and postal or email address of the participants or the persons involved and, where applicable, other data, e.g. your date of birth. We process this information to organise customer events but also so that we can make direct contact with you and get to know you better. Further information on this point can be found in the corresponding terms of participation.
  • Support programmes: In accordance with our articles of incorporation and our objectives, we support certain projects in the fields of education, society and culture. If you put forward an application for this type of support, we process the personal data required for that purpose relating to you and relating to other parties involved and your project, and we also use it to develop our educational and leisure offers and to tailor them to recipients.
  • Commercial partners: We collaborate with various businesses and commercial partners, e.g. with suppliers, commercial buyers of goods and services, cooperation partners and service providers (e.g. IT service providers). We also process personal data via representatives at these businesses, e.g. name, position, title and communication with us, for the preparation and performance of the contract, planning, accounting and other purposes relating to the contract. Depending on the area of activity, we are also required to examine the business in question and its staff more closely, e.g. by means of a security check. In these circumstances we collect and process other information. We may also process personal data to improve our customer orientation, customer satisfaction and customer loyalty (customer/supplier relationship management = CRM).
  • Administration: We process personal data for the purposes of our own administration and for administration within the group. We may for example process personal data when managing information technology or real estate. We also process personal data for accounting and archiving purposes and, generally, to control and improve internal processes.
  • Business transactions: We may also process personal data for the preparation and execution of business purchases and sales and asset purchases and sales. In these circumstances the purpose and scope of the data collected or transferred depend on the stage and purpose of the transaction.
  • Applications: We also process personal data if you make an application to us. For this purpose, as a general rule we require the usual information and documents and the information and documents referred to in a recruitment notice.
  • Compliance with legal requirements: We process personal data to comply with legal requirements. This includes, for example, receiving and processing complaints and other notifications, internal investigations or the disclosure of documents to an authority if we have good reason or are legally obliged to do so.
  • Safeguarding rights: We process personal data in different fields to preserve our rights, e.g. to impose requirements through the courts, at the pre-action stage or by extrajudicial means and before the authorities in Switzerland and abroad, or to defend ourselves against claims. We may, for example, have the prospects of success of a trial assessed or submit documents to an authority. In these circumstances we may process your personal data or transfer it to third parties in Switzerland and abroad insofar as this is necessary and authorised.

The table at the end of this data protection policy describes in greater detail what types of personal data relating to you we collect and process, how it is used, for what purposes and on what legal basis, and whether you are required to disclose the personal data to us.

6. To whom do we send your personal data?

Our staff have access to your personal data insofar as this is necessary for the purposes described and for the activity of the staff in question. In these circumstances they act in accordance with our instructions and are required to exercise confidentiality and discretion in managing your personal data.
We may also send your personal data to other Migros group companies for internal group management and for the various processing purposes. Accordingly, for the various purposes, your personal data may also be processed and linked together with personal data from other Migros group businesses.

We may transfer your personal data to third parties if we wish to benefit from their services (“data processing officer”). This relates to services in the following fields in particular:

  • business management services, e.g. accountancy or asset management;
  • advisory services, e.g. services of tax advisers, lawyers, business advisers, recruitment and staff placement advisers;
  • IT services, for example data storage (hosting), cloud services, despatch of newsletters by email, data analysis and optimisation, etc.;
  • checks on credit standing, e.g. if you wish to make a purchase against an invoice;
  • transport and logistics services, e.g. for the despatch of goods ordered;

Through the selection of the data processing officers and by virtue of appropriate contractual agreements, we guarantee that data protection is ensured throughout the processing of your personal data, even by third parties.  Our data processing officers are required to process personal data exclusively on our behalf and in accordance with our instructions.

Additionally, it is possible that personal data may be transferred to other businesses (likewise) for their own purposes. In these circumstances the data recipient is itself responsible with regard to data protection legislation. This relates, for example, to the following circumstances:

  • Whenever we verify or carry out transactions such as business groupings or the purchase or sale of certain aspects of a business or its assets, we are required to send personal data to another business for this purpose. In these circumstances we will inform you as soon as possible and try to process as little personal data as possible.
  • We may disclose your personal data to third parties (e.g. authorities in Switzerland and abroad) if this is authorised by the law. Additionally, we reserve the right to process your personal data to comply with a court decision or invoke rights or defend ourselves against claims, or if we believe that this is necessary for other legal reasons.
  • We may transfer personal data relating to you to former employers if you make an application to us (information on references) or to future employers if you apply for a new job.
  • Nevertheless, we will not do so unless you ask us to do so or give your consent.
  • Whenever we transfer debts owed by you to other businesses, e.g. to collection companies.

7. When do we send your personal data abroad?

The recipients of your personal data may also be located abroad, including outside the EU or EEA. The countries in question may not have laws protecting your personal data in the same way as in Switzerland, the EU or the EEA. If we are required to send your personal data to such a country, we are obliged to ensure that appropriate safeguards are provided for your personal data (articles 46 and 47 GDPR). An effective way of doing so is to conclude data transfer contracts with the recipients of your personal data in third countries to ensure that the data has the necessary safeguards. This includes contracts which have been authorised, concluded or accepted by the European Commission and by the federal data protection and transparency officer, known as standard contractual clauses (article 46(2) GDPR constitutes the legal basis). Similarly, transfers to recipients covered by the US Privacy Shield programme are authorised. Please contact us if you wish to receive a copy of our data transfer contracts. You will find an example of the contracts generally used. In certain exceptional cases, transfer of data without appropriate safeguards is also possible in other circumstances, e.g. on the basis of explicit consent (article 49(1)(a) GDPR), for the performance of a contract with the data subject or to implement precontractual measures requested by him/her (point (b)), for the conclusion or performance of a contract with another person in the interests of the data subject (point (c)), for the establishment, exercise or defence of legal claims (point (e)).

8. Do we undertake any automated profiling and individual decisions?

Profiling” refers to a process in which personal data is processed in an automated manner to assess, analyse or predict personal matters, e.g. work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence or change of location. We frequently carry out profiling, e.g. during the analysis of purchaser behaviour, when applicants are selected, checks are made on contractual partners, etc. “Automated decision made case by case” refers to a decision taken automatically, i.e. without any particular human influence, which has negative legal effects on you or other similar negative effects. We will inform you separately if we use automated decisions made case by case in individual circumstances and insofar as this is authorised by law.

9. How do we protect your personal data?

We implement appropriate technical security measures (e.g. encryption, pseudonymisation, saving in a protocol, limiting access, safeguarding data, etc.) and organisational measures (e.g. instructions given to our staff, confidentiality agreements, checks, etc.), to preserve the security of your personal data, protect it against unjustified or unlawful processing and counter the risk of loss, unintentional amendment, involuntary disclosure or unauthorised access. Generally, security risks cannot be excluded entirely; certain residual risks are inevitable most of the time.

10. For how long do we store your personal data?

We store your personal data in a personalised form for as long as this is necessary for the material purpose for which we collected it; in the case of contracts, this generally represents at least the duration of the contractual relationship. We also store your personal data when we have a legitimate interest in storing it. This may be the case in particular when we require personal data to make claims or to defend ourselves against claims, for archiving purposes, to ensure IT security or when limitation periods are running for contractual or non-contractual claims. The limitation period is often ten years and, in certain cases, five years or one year. We also store your personal data for as long as it is subject to a legal storage obligation. For certain data, the storage period is ten years. For other data, short storage periods are applied, e.g. in the case of video surveillance recordings or for records of certain internet operations (log data). In certain cases we also ask for your consent when we wish to store your personal data for longer periods (e.g. for applications we wish to hold on file). After expiry of these periods, we delete or anonymise your personal data.

11. How do we process children’s personal data?

As a general rule, we do not process children’s personal data. In the event that it nevertheless becomes necessary to do so, we ensure that children are given special protection, and when we process children’s personal data on the basis of an authorisation, we ask for the consent of the parents or legal representatives. Where a parent or legal representative gives consent for a child, the adult is at liberty to revoke such consent at a later date.

12. What are your rights in relation to the processing of your personal data?

You may challenge data processing at any time and are generally at liberty to revoke any consent given in relation to data processing. A right to object exists in particular against the processing of data relating to direct mailing (for example against advertising emails).

Additionally, you have the following rights:

Right to be informed: You have the right to be informed in a transparent, clearly understandable and exhaustive manner regarding the way in which we process your personal data and regarding the rights you have in relation to the processing of your personal data. By virtue of this data protection policy, we comply with this obligation. Please contact us for any additional information.

Right to be informed: You have the right to request access to your personal data stored by us at any time when we are processing it. You therefore have the option of checking what personal data relating to you we are processing, and whether we are using it in accordance with the data protection provisions in force.

In certain cases the right to be informed may be restricted or excluded, notably:

  • if we have any doubts in relation to your identity and if you are unable to prove your identity;
  • for the protection of other persons (e.g. to comply with confidentiality obligations or third-party data protection rights);
  • in the event that the right of access is exercised to an excessive degree (in these circumstances we may also request payment for the information);
  • or if a disproportionate effort would be required to provide comprehensive information.

Right to rectification: You have the right to have any inaccurate or incomplete personal data rectified and to be informed of the correction. In these circumstances we inform the recipients of the data in question of the adjustments made, insofar as this is not impossible and does not require disproportionate effort.

Right to erasure: You have the right to have your personal data erased. You may ask for your personal data to be erased when:

  • the personal data is no longer required for the objectives pursued;
  • you validly withdraw your consent or have validly objected to the processing;
  • if the personal data is processed unlawfully.

In these circumstances we will inform the recipients of the data in question of the erasure, insofar as this is not impossible and does not require disproportionate effort.

In certain circumstances the right to erasure may be excluded, particularly if the processing is necessary:

  • for freedom of expression to be exercised;
  • for a statutory or public interest task to be performed;
  • for legal claims to be exercised.

Right to restriction of processing: Subject to certain conditions, you have the right to ask for the processing of your personal data to be limited. This may mean, for example, that processing of personal data is not continued (provisionally) or that personal data published is erased from a website (provisionally). In these circumstances we inform the recipients of the data in question of the adjustments made, insofar as this is not impossible and does not require disproportionate effort.

Right to data portability: You have the right to receive from us, free of charge and in a legible format, the personal data you have provided us with, insofar as:

  • the material processing of the data is based on your consent or is required for performance of the contract;
  • the processing is carried out using automated processes.

Depending on the circumstances, your personal data may be sent to you or directly to third-party service providers.

Right to a remedy: You have the right to lodge a complaint with a competent supervisory authority in relation to the way in which your personal data has been processed.

Right of withdrawal: Generally, you have the right to withdraw a consent given at any time. The withdrawal of your consent will not, however, affect the lawfulness of processing activities based on consent in the past.

13. What else should be taken into consideration?

The GDPR requires the legal basis applicable to each instance of data processing to be mentioned. The processing of personal data is authorised in particular if:

  • it is required for performance of a contract of the data subject or to take steps he/she has requested before concluding a contract (e.g. verification of his/her request for a contract) (article 6(1)(b) GDPR constitutes the legal basis);
  • it is required for legitimate interests, insofar as such interests are not overridden by the interests or fundamental rights and freedoms of the data subject (article 6(1)(f) GDPR constitutes the legal basis). Our own and third-party interests fall within the scope of legitimate interests. They are very varied and include, for example, the interests associated with delivery of goods and services to third parties (e.g. persons benefiting from gifts); the interest in monitoring customers effectively, maintaining contact and any other communication with customers, even beyond the scope of a contract; the the interest in advertising and marketing activities; the interest in better getting to know our customers and other persons; the interest in improving goods and services and developing new goods and services; the interest in internal group management and communication required in the case of a group in which cooperation is based on the division of work; the interest in relation to fraud prevention, e.g. in the case of online stores, and the interest relating to prevention and analysis of offences; the interest in protecting customers, staff and other persons, and the data, secrets and assets of the Migros group; the interest in guaranteeing IT security, particularly as regards the use of websites, applications and other IT infrastructures; the interest in guaranteeing and organising commercial activity, including operation and development of websites and other systems; the interest in managing and developing the business; the interest in selling or purchasing businesses, parts of businesses and other assets; the interest in ensuring compliance with or defending rights and the interest in complying with Swiss law and internal rules;
  • it is founded on actual consent which has not been withdrawn (article 4 note 11, articles 7 and 8 GDPR constitute the legal basis);
  • it is required for compliance with legal obligations (article 6(1)(c) GDPR constitutes the legal basis).

The processing of sensitive personal data in this respect is more limited. It is permitted inter alia:

  • with actual and explicit consent which has not been withdrawn (article 9(2)(a) GDPR constitutes the legal basis);
  • if it relates to personal data which has manifestly been made public by the data subject (article 9(2)(e) GDPR constitutes the legal basis);
  • if it is required to safeguard a legal claim (article 9(2)(f) GDPR constitutes the legal basis).
  • if it is required for compliance with certain legal obligations (article 9(2)(a) GDPR constitutes the legal basis).

The transfer of data abroad is also only admissible subject to certain conditions. Information on this point can be found under When do we send your personal data abroad?

Further information setting out on what legal bases the processing of the data in question is typically founded is contained in the table at the end of this data protection policy. Due to the complexity of many instances of data processing, it is not impossible, however, that other legal bases may also apply in certain cases, depending on the circumstances.

The GDPR also requires us to inform you whether you are legally or contractually obliged to provide personal data, or whether this is necessary for a contract to be concluded, and what the consequences of failure to provide the data would be.  As a general rule, there is no obligation to provide us with personal data unless you enter into a contractual relationship with us, which is grounds for such an obligation. However, we will need to collect and process the personal data required or stipulated by law to set up and implement a contractual relationship and comply with the associated obligations. If we cannot do so, we will be unable to conclude or continue the contract in question. The processing of certain data is also mandatory in the event that websites are used. You may of course refuse cookies in this case (you will find further information on this point in this data protection policy). However, the saving in a protocol of certain data which is not generally personal data, such as your IP address, cannot for technical reasons be avoided. You may wish or be required to send us personal data of third parties. We draw your attention to the fact that, in certain circumstances, you are required to inform the data subjects of such data transfer and of this data protection policy, and to ensure that the personal data in question is accurate.

14. Amendments to this data protection policy

This data protection policy may be adapted over time, particularly if we change how we process data or if new legal provisions come into effect. Where the changes are significant, we actively inform the persons whose details are registered with us of such changes, insofar as this is possible without disproportionate effort having to be deployed.  Generally, for data processing, the version of the data protection policy valid at the start of the processing in question is nevertheless applied.

15. Table: Reason for data collection; scope, purpose and obligation to supply it; legal basis for processing

  • Communication
  • Purchase of goods and use of services:
  • Loyalty points or bonus points scheme
  • Visiting our website
  • Online offers and applications:
  • Information and direct marketing:
  • Taking part in competitions, promotional games and other similar events
  • Entering our premises
  • Taking part in customer events
  • Support programmes
  • Contact with our business as a commercial partner
  • Administration
  • Business transactions
  • Application
  • Compliance with legal requirements
  • Safeguarding a legal claim

 

In this table you will find detailed information on various processing purposes, the personal data processed for the purpose, the applicable legal basis and any obligation to disclose the personal data in question to us. Please note that it is impossible to give an exhaustive list in many cases.

Reason for data collectionPersonal data processedPurpose of processing and obligation to provide dataLegal basis
CommunicationWe collect and process personal data if you enter into contact with us or we enter into contact with you in writing, by electronic methods or by phone, e.g. when you contact a customer service department or you send us an email or postal letter or phone us, but also for example when you leave a comment on our website. In these circumstances we process contact details and communication information including the following personal data in particular:
• name;
• depending on the type of communication, the contact details such as postal address, email address and phone number;
• where applicable, information on third parties referred to in the communication;
• content and timing of the communication.
Accordingly the precise volume of personal data depends to a great extent on the content of the communication. If you send us sensitive personal data, we also process this. Telephone conversations with us may be recorded; you will be notified in advance if this is the case.
Accordingly we process personal data for the following purposes in particular:
• communication with you;
• customer service and customer monitoring;
• quality assurance and training;
• all other processing purposes, insofar as communication is required (e.g. performance of the contract).
In principle, you are not obliged to provide us with certain information. However, we are sometimes unable to reply to you, process your request and communicate with you without processing certain minimal information. If you do not wish us to make recordings of telephone conversations, you have the option of stopping the conversation at any time and corresponding with our customer service department in another way (e.g. by email).
If the communication takes place at your initiative, we will deem this to be consent on your part to process your personal data (article 6(1)(a) and, where applicable, article 9(2)(a) GDPR). In many cases the processing by the customer service department and the communication are in our legitimate interest (article 6(1)(f) GDPR) because it enables us to communicate with customers and with other persons, improve the quality of our services, avoid errors in our procedures and achieve greater customer satisfaction.
Purchase of goods and use of servicesIf you use certain services we provide, e.g. if you purchase goods or services, we process the personal data relating to your purchasing and payment behaviour. This includes the following personal data in particular, which may be particularly sensitive data where applicable:
• name, address, contact details, delivery address(es);
• information on credit standing and payment;
• information on the timing and frequency of your purchases and on the payment methods used, and on the subsidiaries or online stores in which these purchases are made;
• details of your behaviour in an online store (shopping basket ordered and emptied, lists of tagged items, items viewed, etc.).
This assumes, however, that you make purchases online, that you use a bonus card or loyalty card or that you identify yourself in any other way. As a general rule, you may also make purchases from our subsidiaries without our knowing your name.
We may also exploit information on purchases and behaviour in relation to subsidiaries and online stores and link it with other personal data, e.g. non-personal statistical information and other personal data which we have collected about you. With regard to the contract, we may also check your credit standing. To do this, we generally obtain information from specialist businesses, known as credit reference agencies.
When you make an online purchase, you should also be aware of the provisions of this data protection policy under “Use of online offers”.
In these circumstances we process your personal data for the following purposes in particular:
• Procuring and performing a contract: We process your personal data to decide if and how (e.g. using what payment methods) we are going to conclude a contract with you, to enable us to record purchases and services, despatch items and issue invoices if an order is made and, generally, to conclude, perform and, where applicable, ensure compliance with the contract;
• Information on your purchasing behaviour: We analyse our customers’ purchasing behaviour and accordingly obtain information on your preferences and affinities with certain goods or services, and other information which we take into consideration when improving our services (range, choice of location, etc.). This enables us to tailor our offers to our customers’ needs (globally and individually) and to react to demand in the best way possible.
• Statistical purposes: We process your personal data for statistical purposes, e.g. to exploit, on a non-individual basis, information on interactions between us and our customers. Moreover, it is thus easier for us to improve our response to our customers’ needs. Further, we can therefore find out which products are preferred and how we can improve our offer.
You are not obliged to disclose personal data to us when you make a purchase. However, orders cannot be placed and services and certain goods cannot be purchased without our processing personal data. Purchasing from online stores also presupposes that we will process the personal data required for this purpose.
We base this processing on the fact that we can process personal data to implement your contractual requests and perform contracts (article 6(1)(b) GDPR). Processing also serves legitimate interests (article 6(1)(f) GDPR), e.g. where we deliver goods to third parties (e.g. in the case of gifts), and, as a result of the exploitation of information on your purchasing behaviour, we are able to tailor our services more effectively and in a way which targets your needs and interests more closely, and we are able to expand and improve our offers. We believe this is important if we are to maintain our position in the market.
Insofar as we process sensitive personal data, we generally rely on your explicit consent (article 9(2)(a) GDPR).
Loyalty points or bonus points schemeIf you sign up to our “Cumulus” scheme, we collect and process contact details and other personal data, in particular as follows:
• name;
• postal address;
• email address;
• phone number;
• date of birth;
• size of household;
• purchases of goods;
• visits to our sales outlets;
• visits to our leisure areas.
When you use your loyalty card or membership card to make purchases, we also process transaction data, which may include the following personal data in particular, and may also be particularly sensitive data:
• information on purchases of goods and services;
• purpose, time and place of your purchases;
• value of your purchases.
We may exploit your personal data and also link it to other personal data, e.g. to non-personal statistical information which we have collected about you, to enable us to infer information on your preferences and affinities with certain goods or services.
You will find further information in this data protection policy under “purchase of goods and use of services” and in the general sale terms or the terms of participation in the scheme.
Additionally, we collect personal data when you take advantage of the benefits under the scheme. This includes the following personal data:
• points earned and used;
• bonuses earned, e.g. purchases at a reduced price, visits to events, use of leisure offers.
Additionally, we collect and process personal data when you contact the separate customer services department for the scheme; this involves the following personal data in particular:
• frequency of calls and number they are made from;
• content of conversations.
Additionally, these conversations may also be recorded; you will be informed of this at the start of the conversation.
All this personal data may relate not only to you but also to other participants in the scheme, e.g. members of your family.
Within the framework of the scheme, we process your personal data for the following purposes in particular:
• Managing the scheme: We use your personal data to issue you with your personal customer card with the coupons, etc., and send it to you. Additionally, we require personal data so that we can inform you quickly and easily of any changes or additional offers by electronic means or by post.
• Optimising our offer: We analyse the personal data which we receive when the card is used so that we can understand the purchasing behaviour of our customers and infer information which we can use when managing our services (creating the range, choosing the location, etc.).
• Tailoring our offers to your needs: Through your participation in the scheme and use of the benefits and offers associated with it (further information on this point can be found in the general terms of the scheme), we learn how to understand your behaviour better (particularly when you make your purchases, where and how frequently). This allows us to tailor our offers to our customers’ needs more effectively both on a global scale and individually. We are therefore able to tailor our offers and initiatives to demand.
• Marketing: We process your personal data to provide you with targeted information, based on your interests, regarding offers of goods and services, special offers, promotional games or other specific offers.
• Statistics: We also process your personal data on a non-personal basis for statistical purposes.
Participation in the scheme is optional; it presupposes, however, that we will be able to process certain personal data. Use is also optional. If you do not wish us to process personal data relating, for example, to your purchasing habits, you may stop using the scheme. This will mean that you may miss out on the specific benefits relating to the scheme (e.g. loyalty bonuses).
Participation in the scheme assumes that we will accept a request made by you. A contract is then concluded between you and us. Processing of personal data to implement the request and execute the scheme, e.g. the acquisition and conversion of points, is permitted (article 6(1)(a) GDPR). Additionally, processing for the above purposes is necessary for legitimate interests (article 6(1)(f) GDPR). Thus we have the option of performing the contract and rewarding customers for their loyalty to enhance their loyalty and, through the personal data collected in the scheme, we are able to tailor our services more effectively in a way which targets your needs and interests more closely, and we can expand and improve our offers.
When we process sensitive personal data, we generally rely on your explicit consent (article 9(2)(a) GDPR).
Visiting our websiteTechnical data: For technical reasons, every time our website is visited, certain data is collected automatically for us and stored in log files. Included, for example, is the following information:
• the IP address and information specific to the device, for example the MAC address and the device’s operating system;
• the user’s internet service provider;
• the content viewed and the date and time when the website is visited.

Cookies: Depending on the function, we may place cookies on your device. Cookies are small files created automatically by your browser and stored on your device (tablet, PC, smartphone, etc.) whenever you visit our website. First, we use session cookies, in which a unique identification number, known as the session ID, is assigned, together with details of the origin and retention period of the cookies. These cookies are deleted after our website has been visited. We use these cookies to store a shopping basket, for example. Second, we use persistent cookies which are retained after the end of the browsing session. These cookies enable a visitor to be recognised during a subsequent visit.
Certain cookies also come from third-party businesses. This occurs when we use functions on our website which are provided by third parties. This relates to analytical services which also use cookies; information about this is found in the table under “Visiting our website (analytics)”. This also relates to some of our partners who display advertisements for you to see on our website on behalf of third-party businesses.
Accordingly we process your personal data for the following purposes:
• Making the website available: For technical reasons, it is obligatory for certain log files and cookies to be saved for the website to be made available and to function correctly. Other cookies help us to provide and safeguard our website’s various functions and offers.
• Customisation of the website: Certain cookies are used to tailor our online offers to your needs (e.g. by saving your choice of language).
• Management of the website: The storage and processing of log files and cookies help us whenever we undertake maintenance and repairs, and helps us to ensure that our website is secure and to prevent fraud.
• Third-party cookies enable the businesses concerned to provide services for us or to show you advertisements which could be of actual interest to you.
It is not obligatory for the above data to be collected, but this is necessary in many cases for use of the website and for certain functions. You may, however, configure your device in such a way that a message is displayed when a new cookie is created. You can also refuse cookies in this way. Additionally, you may delete cookies from your device. You also have the option of preventing the data generated by the cookie (including your IP address) being saved and processed by downloading and installing a suitable browser add-on. If you refuse or deactivate cookies this may, however, result in your being unable to use all the functions of the website.
The processing of log files and cookies for the above purposes is in our legitimate interest (article 6(1)(f) GDPR). Certain cookies are necessary, for example, to save individual settings or create shopping baskets. This customisation is also in the interest of visitors to our websites. Analysis of the use of our websites also represents a legitimate interest.
 Often, technical data and cookies do not contain personal data. We are often unable to attribute the information collected in this way to any given person.
Analysis of user behaviour: On our website we use Google Analytics, an analytics service provided by Google Inc. in the United States. Google Analytics uses cookies allowing use of the website to be analysed. This enables information to be saved relating to your behaviour on our website and on the device (tablet, PC, smartphone, etc.) used for this purpose. It includes, for example, the following user data:
• browser type and version;
• address of the website (URL) from which you arrived at our website;
• name of your internet service provider;
• IP address of the device;
• date and time when our website was accessed;
• pages visited and duration of the visit.
This information is used in particular to increase our understanding of how our website is used and to improve its content, functionality and accessibility. This enables us to see, for example, which websites our greatest number of visitors come from, which are the most visited pages and from which page the greatest number of visitors leave our website.
We may also exploit this personal data and link it to other personal data, e.g. to non-personal statistical information and other personal data which we have collected about you, to enable us to infer information on your preferences and affinities with certain goods or services.
You can prevent Google Analytics being used by installing an add-on to your browser, known as a browser extension. You may also install an opt-out cookie by clicking here. An opt-out cookie prevents future records being made. However, it is valid only for the browser in question. To prevent information being saved across different devices, you must therefore set up the opt-out on all devices and browsers used. If you delete your cookies in a browser, the opt-out cookie will also be deleted.
You also have the option of withdrawing any authorisations given to service providers (you will find information about this in the left-hand column) or of objecting to them being processed, on Google for example through https://adssettings.google.com.
The processing purposes referred to are in our legitimate interest (article 6(1)(f) GDPR). Our websites constitute a very important resource for us in relation to customer communication and customer acquisition. It is crucial to us that our websites are functional, attractive and customised at all times.
 This information is stored on a Google server in the United States. However, your IP address is shortened in the EU or the EEA beforehand, insofar as you have activated the IP anonymisation function. The entire IP address is sent to the United States only in exceptional circumstances. In the United States, Google is subject to the US Privacy Shield programme. Additionally, Google Analytics allows data, sessions and interactions from more than one terminal to be attributed to a pseudonymised user name and therefore enables the activities of a user whose name is unknown to be analysed on all devices. More detailed information can be found in the Google Terms of Use or data protection policy.
We use similar services from other providers. Often, providers do not receive personal data in these circumstances; nevertheless, they may record the use of the website in question by the user, e.g. by using cookies and other technology. These records may be linked to similar information coming from other websites. The behaviour of a specific user may therefore be recorded across more than one website and more than one device. The provider in question may also use this data for its own purposes, e.g. for customised advertisements on its own website and on other websites to which it supplies advertisements. If a user is registered with the provider, the provider may attribute the usage data to this person. To do so, it will generally ask the data subject for his/her permission and allow him/her to withdraw this authorisation in accordance with its requirements. Personal data is in this case processed by the service provider under its own responsibility and in accordance with its own data protection provisions.
Social media plugins: Our websites use social media plugins, e.g. Facebook, YouTube, Twitter, Instagram or Google+. Buttons for the corresponding providers are therefore displayed, e.g. the “Like” button for Facebook, or content from the provider in question may be incorporated into the website. When you display a website which uses this type of social media plugin, your browser makes a connection with the providers in question. The content of the social media plugin is sent from the provider in question to your browser, and is then incorporated by the browser into the website in question. Through this process, the provider in question receives the following data in particular:
• the information on the basis of which your browser has displayed the website in question;
• the IP address of the device used, even if you do not have an account with the service provider.
If you are connected to the provider in question at the same time, the provider can then attribute the visit to your personal profile. When you interact with a social media plugin, e.g. if you use a “Like” button or make a comment, the corresponding information is sent from your browser to the provider in question, who stores it. It may also be published on your profile with the provider in question and shown to your contacts.
We use social media plugins in particular to make our website more attractive and to facilitate your interaction with the offer in question, for example the fact of “liking” a page. This also helps us to broaden the reach of our website. Further information on the processing of the data in question can be found in the data protection statements of the various providers.
If you do not wish the provider in question to collect data about you through our website, you must sign out from the provider in question before visiting our website. Even if you are signed out, providers collect data in an anonymised format using social media plugins. This data may be attributed to your profile, insofar as you log in with the provider in question at a later stage, in which case the service provider in question processes the personal data under its own responsibility and in accordance with its own data protection provisions. If you wish to prevent the provider attributing the data to your profile, you should delete the corresponding cookies. You can also fully prevent the loading of social media plugins by using add-ons to your browser, e.g. with “NoScript”.
The processing purposes referred to are in our legitimate interest (article 6(1)(f) GDPR). It is important to us that our website has an attractive appearance and that we are able to increase interaction with our visitors. Use of social media plugins is an important resource in achieving this.
Online offers and applicationsOnline offers: If you take advantage of our online offers, we also process personal data, even if you do not purchase any goods or services. If, for example, you register with us, we process the contact details and data relating to the offer in question; this includes the following personal data in particular:
• your name;
• your postal address;
• your email address and, where applicable, your phone number;
• date and time of registration.
If you log in with us using Facebook Connect or using another login of a third-party provider (e.g. Google, LinkedIn), we will then have access to certain data stored with the provider in question, e.g. your user name, profile photo, date of birth, sex and other information. Information on this point can be found in the data protection policy of the provider in question.
Applications: We may also provide mobile applications (apps), in which case we collect and process personal data when you install an application, use the application and the functions it provides and update the application. This data includes the following information in particular:
• date, time and duration of installation;
• information specific to the device, e.g. the type of device or current version of your operating system;
• details of use of the application.
Depending on the type of offer, we process other personal data. This may include the following personal data, which may also involve particularly sensitive personal data:
• details of use of a customer account;
• your age;
• your purchasing behaviour;
• your location;
• information on health.
We may exploit this personal data and link it to other information, e.g. to non-personal statistical information and other personal data which we have collected about you, to enable us to infer information on your preferences and affinities with certain goods or services. Where applicable, further information can be found in the terms of use and the table under “Visiting our website”. If you make a purchase from us in an online store, you will find additional information under “Purchase of goods and use of services”.
We process your personal data in relation to online offers and applications for the following purposes:
• Making the offer available: We process the personal data to make the offer in question available online or through an application and to enable us to process the offer. Where applicable, this also includes opening and managing a customer account in your name.
• Exploitation and customisation: We process the personal data in relation to online offers and applications to gain a better understanding of behaviour regarding these offers and applications and, generally, regarding the interests and affinities of our customers, so that we can make customised offers and improve our offers and applications. To do this, we record, for example, which applications you download, how you use them, how long you keep them installed and what offers you use in this way.
• The processing of personal data also helps us in fraud prevention.
Taking up online offers is optional. If you decide to take up an offer, this is not generally possible without the corresponding processing of personal data (e.g. in the case of mandatory details in online forms).
As a general rule, you can take up online offers only if you accept the relevant terms of use. A contract is then concluded between you and us. The processing of personal data for performance of the contract is authorised (article 6(1)(a) GDPR).
The processing also serves legitimate interests (article 6(1)(f) GDPR). This enables us to tailor our services more effectively in a way which targets your needs and interests more closely, and allows us to expand and improve our offers. We believe this is important if we are to maintain our position in the market. Depending on the functions of the online offer, we may ask you for additional consents (articles 6(1)(a) and 9(2)(a) GDPR).
Information et direct marketingWhen you sign up for an electronic newsletter and other electronic notifications, we process the following personal data in particular:
• your name;
• your email address and/or phone number;
• information on whether you have agreed or refused to receive such notifications.
We may also process information on your use of such notifications and your reaction to them, in particular the following personal data:
• despatch of the notification;
• opening and, where applicable, forwarding;
• links followed (destination, date and time).
We may also exploit your personal data and link it to other personal data, e.g. to non-personal statistical information and other personal data which we have collected about you, to enable us to infer information on your preferences and affinities with certain goods or services.
We process your personal data to enable us to send you electronic notifications, particularly advertising notifications. We process personal data relating to your use of the notifications and your reaction to them so that we can get to know you better and tailor our offers relating to you in a more targeted manner.
This data processing is optional for you. However, if you do not provide us with your personal data, particularly your email address, we will be unable to offer you this service. You may withdraw your consent to receive electronic newsletters at any time, by signing out of this service. This can be done through a link in each electronic newsletter.
We deem your registration for an electronic newsletter to be consent to the personal data referred to above being processed for the stated purposes (article 6(1)(a) GDPR). We also have a legitimate interest in direct mailing and in the analysis of your reaction to such advertisements. We believe that both these matters are important to us if we are to maintain our position in the market.
Taking part in competitions, promotional games and other similar eventsWe collect and process personal data if you take part in competitions, promotional games and other similar events (in each case an “event”). The volume of personal data processed may differ depending on the event. This includes the following personal data in particular:
• your name;
• your date of birth;
• your contact details;
• the fact that you are taking part;
• the result of your participation;
• where applicable, the correspondence relating to the event.
Further information on this point can be found in the corresponding terms of participation.
We may also exploit your personal data and link it to other personal data, e.g. to non-personal statistical information and other personal data which we have collected about you, to enable us to infer information on your preferences and affinities with certain goods or services.
We process your personal data in relation to events to enable us to operate the event in question and inform the winner. We may also process your name and contact details for advertising purposes.
Taking part in such events is optional; however, you will be unable to take part without personal data being processed.
When you take part in an event, you give us your consent to process your personal data for this purpose (article 6(1)(a) GDPR). The processing also serves legitimate interests (article 6(1)(f) GDPR). This enables us to tailor our services more effectively in a way which targets your needs and interests more closely, and allows us to expand and improve our offers. We believe that this is important if we are to maintain our position in the market.
Entering our premisesAreas under video surveillance: We make video recordings in the areas marked accordingly. Thus we may obtain information on your behaviour in the corresponding areas. The use of video surveillance cameras is limited to certain areas and is clearly identified. Additionally, the data collected in this way can be accessed only by certain selected members of staff.This processing is carried out for your own safety, for the safety of our staff and for evidential purposes. Where criminal acts are suspected, we may make the recordings available to the authorities responsible for criminal proceedings. If you do not wish to appear in video recordings, we would ask you not to enter the areas under video surveillance.It is in our legitimate interest (article 6(1)(f) GDPR) to ensure the safety of our customers and staff in the relevant areas and to prevent any criminal acts against our staff and against our customers, or to help to clear up such criminal acts. Additionally, if you voluntarily enter a marked surveillance area, we deem you to have given consent (article 6(1)(a) GDPR).
 Use of Wi-Fi: We collect and process data specific to your device (tablet, PC, smartphone, etc.) as soon as you register and log in using our Wi-Fi infrastructure. This includes the following information in particular:
• the MAC address of the terminal (unique identification of the device);
• date, time and duration of the connection.
In most cases we cannot attribute this information to a specific person. It may, however, be necessary for you to register before using the Wi-Fi network; you will then receive a code via your email address or a text message which you need to use our services. In these circumstances we collect and process the following personal data in particular:
• your name;
• your email address;
• where applicable, your mobile phone number;
• date and time of registration.
Additionally, there is an option of registering through social media or any other service (e.g. Facebook Connect). We therefore obtain access to certain data stored with the provider in question, e.g. your user name, profile photo, date of birth, sex and other information. Information on this point can be found in the data protection policy of the provider in question.
Where the Wi-Fi network is used, we process the following information in particular:
• duration of the connection;
• location of the offer of Wi-Fi;
• volume of data used.
We process this information so that we can make the Wi-Fi available to you and for IT security purposes. The use of an offer of Wi-Fi is optional. In principle, there is also no obligation for you to disclose personal data to us. However, it may not be possible for you to use the offer of Wi-Fi without your personal data being processed accordingly.When you take advantage of our offer of Wi-Fi, you give us your consent to process your personal data for this purpose (article 6(1)(a) GDPR).
Taking part in customer eventsWe process personal data whenever we invite you to customer events (such as promotional events, sponsored events, cultural and sports events). This includes the following personal data in particular, which may be particularly sensitive data where applicable:
• your name;
• your contact details;
We may also exploit your personal data and link it to other personal data, e.g. to non-personal statistical information and other personal data which we have collected about you, to enable us to infer information on your preferences and affinities with certain goods or services.
We process your personal data in particular to enable us to invite you to our events and to find out which customer events you are interested in. We may therefore draw your attention in a targeted manner to customer events which we hope will be of interest to you. Taking part in customer events is optional; however, you will be unable to take part without personal data being processedWe process your personal data once you have given consent (article 6(1)(a) GDPR) to our informing you about the corresponding customer events, or if you have registered for any of our customer events.
The processing referred to is also in our legitimate interest (article 6(1)(f) GDPR) because it enables us to enter into contact with you personally and get to know you better. This enables us to tailor our services more effectively in a way which targets your needs and interests more closely, and allows us to expand and improve our offers. We believe that this is important if we are to maintain our position in the market.
We process your personal data once you have given consent (article 6(1)(a) GDPR) to our informing you about the corresponding customer events, or if you have registered for any of our customer events.
The processing referred to is also in our legitimate interest (article 6(1)(f) GDPR) because it enables us to enter into contact with you personally and get to know you better. This enables us to tailor our services more effectively in a way which targets your needs and interests more closely, and allows us to expand and improve our offers. We believe that this is important if we are to maintain our position in the market.
Support programmesIf you are interested in our support programmes, you may apply for assistance with your project. In these circumstances we process personal data such as:
• your name;
• your contact details;
• where applicable, relevant information on other parties concerned;
• information on your project;
• where applicable, other information on you (e.g. your occupation, activity, employer and language skills).
We process your personal data for the following purposes in particular:
• to consider your project application and, where applicable, to process it;
• to assess how we can help you to carry out your project;
• to tell you about our cultural offers and tell you about new projects and events;
• to develop our educational and leisure offers and tailor them to the requirements and interests of recipients.
Reference to personal data is optional. However, your application cannot be processed if the personal data is not disclosed to us.If you wish to benefit from our support programme, you must send us an appropriate application. We deem this to be consent to process your personal data (article 6(1)(a) GDPR). Additionally, we consider processing for the above purposes to be a legitimate interest (article 6(1)(f) GDPR) because this processing is based on the principles set out in our articles of incorporation to adopt a responsible attitude towards society and offer the population wide access to culture and education.
If you wish to benefit from our support programme, you must send us an appropriate application. We deem this to be consent to process your personal data (article 6(1)(a) GDPR). Additionally, we consider processing for the above purposes to be a legitimate interest (article 6(1)(f) GDPR) because this processing is based on the principles set out in our articles of incorporation to adopt a responsible attitude towards society and offer the population wide access to culture and education.
Contact with our business as a commercial partnerIf you work for a business which provides us with goods or services or purchases them from us, or with which we cooperate in any other way, we process personal data relating to you, such as:
• your name;
• your title, position, field of activity and relationship with the business in question;
• the stages in your professional career;
• your interaction with us.
We process other personal data and also, where applicable, particularly sensitive personal data, when we consider whether we can cooperate with your business or wish to do so (e.g. during security checks). If you carry out work at our premises, we also process contact information, such as information on:
• nationality and residence status;
• copies of the passport and identity card;
• criminal record and convictions;
• data relating to user accounts and use of the accounts;
• badge number and use;
• your use of our IT infrastructure;
• video recording (insofar as you are in a zone under video surveillance).
As a general rule, we will notify you separately of this processing or ask for your consent.
We process the personal data for the following purposes in particular:
• to check whether we receive services from your business or whether we supply services to your business, or whether we want to cooperate with your business and are able to do so (e.g. in relation to aptitude tests, checks on conflicts of interest, etc.);
• to check whether your business offers the necessary security, e.g. in the event that it is required to process personal data on our behalf;
• to communicate with you and with your business, e.g. in relation to performance of a contract;
• to plan for work to be undertaken by our staff and, where applicable, by you or by staff of your business;
• for training purposes;
• for supervision and performance appraisals;
• to prepare for and execute purchases and sales of businesses and similar transactions;
• to manage the customer/supplier relationship to get to know you and your business better, to improve our customer orientation and to increase customer satisfaction and loyalty (customer relationship management, “CRM”);
• for accounting purposes;
• for managing and operating our IT and other resources;
• for exchanging personal data within the group.
You are not obliged to disclose the above personal data to us. If you do not wish to provide us with the necessary personal data, we will not be able to cooperate with you. In exceptional circumstances we are legally required to process such personal data.
The above processing is in our legitimate interest (article 6(1)(f) GDPR) because it enables us to access goods and services and to sell them. Further, we have a legitimate interest in preventing abuse and guaranteeing an appropriate level of security. Customer monitoring is also in our legitimate interest. If we have a contract with you directly or if you wish to conclude a contract directly with us, we process your personal data for the purposes of concluding and performing the contract (article 6(1)(b) GDPR).
Insofar as we process particularly sensitive personal data for the above purposes, we generally do so for the establishment, exercise or defence of legal claims.
AdministrationFor our internal administration and management, we process personal data, which may be particularly sensitive data where necessary, relating to our customers, our commercial partners and third parties, e.g. within the framework of our IT management.We process this personal data for the following purposes in particular:
• monitoring and improving our internal processes;
• accounting;
• archiving;
• training;
• other administrative purposes.
These administrative purposes may relate to us or to businesses connected with us.
Processing for the purposes mentioned may be necessary for the performance of contracts (article 6(1)(b) GDPR). It is also necessary for the legitimate interest of the internal management of the business and of the group (article 6(1)(f) GDPR).
Business transactionsIn certain circumstances we verify or carry out transactions in which we sell, divide up or purchase businesses, parts of businesses or other assets. For these purposes, we process personal data, the volume of which depends on the purpose and stage of the transaction and which may also comprise particularly sensitive personal data. In certain circumstances such information is disclosed to or collected from a potential contractual partner, insofar as this is permitted. When we sell debts, we send the purchaser information relating, for example, to the reason for and amount of the debt and, where applicable, to the credit standing and behaviour of the debtor.The purpose of this data processing is, in particular, to check the corresponding transactions and execute them where applicable. Notifications may accordingly need to be sent to the authorities in Switzerland and abroad.Processing for the purposes mentioned may be necessary for the performance of contracts (article 6(1)(b) GDPR). It is also in our legitimate interest (article 6(1)(f) GDPR).
When we process sensitive personal data, we generally rely on your explicit consent (article 9(2)(a) GDPR).
ApplicationWhen you make an application for a position with us, we process your contact details and the information sent to us (e.g. application, family situation, CV, knowledge and skills, interests, references, qualifications, certificates, etc.). This may also include particularly sensitive personal data, e.g. data relating to health or information on trade union membership. During the application procedure, other personal data may also be required, depending on the position and profile.We process your personal data to check whether you are suitable for the position in question, to discuss a potential appointment with you and, where applicable, to prepare and conclude a contract. With your consent, we hold your application on file where applicable, even if we (or you) do not go ahead with an appointment, with a view to a potential future appointment. Providing the personal data referred to is optional; however, we cannot process an application without the personal data required for these purposes.When you make an application for a position with us, we process your personal data with a view to a potential contract (article 6(1)(a) GDPR). In addition, we consider that your application constitutes consent (articles 6(1)(a) and 9(2)(a) GDPR.
Compliance with legal requirementsTo enable us to comply with legal requirements, we are required to process personal data or will wish to do so, as the case may be. This is the case, for example, whenever we collect and process complaints and reports of malfunctions, or whenever an authority requires documents containing your name and contact details, or carries out an investigation at our premises. It is also possible that we may carry out internal investigations in which your personal data may also be processed.We process this personal data for the following purposes:
• to ensure compliance with legal obligations, including orders made by a court or by an authority;
• preventive measures to guarantee compliance;
measures for the disclosure and examination of abuse.
Processing for the above purposes is required to ensure compliance with legal obligations and for legitimate interests (article 6(1)(c) and (f) GDPR).
Safeguarding a legal claimWe process personal data to preserve our rights, e.g. to impose requirements through the courts, at the pre-action stage or by extrajudicial means and before the authorities in Switzerland and abroad, or to defend ourselves against claims. We may, for example, have the prospects of success of a trial assessed or submit documents to an authority. It may also be the case that authorities ask us to disclose documents containing personal data. In this regard, in addition to the contact details of the data subjects, we process other personal data depending on the scenario, e.g. information on processes which have given rise to or could give rise to a dispute. This data may also be particularly sensitive personal data.We process this personal data for the following purposes:
• to assess and implement our requirements, which may also include requirements of businesses connected with us and requirements of our contractual and commercial partners;
• to defend ourselves against claims made against us, and against our staff, businesses connected with us and our contractual and commercial partners;
• to clarify the prospects of success at trial and to clarify other legal, economic and other questions;
• to take part in legal proceedings and proceedings before the public authorities in Switzerland and abroad.
Processing for the purposes mentioned may be necessary for the performance of contracts (article 6(1)(b) GDPR). Further, it is in our legitimate interest and, where applicable, in the legitimate interest of third parties (articles 6(1)(f) and 9(2)(f) GDPR).