Please note: Only the German original of this privacy statement is legally binding. The English translation is provided for information purposes only and has no legal force.
Data protection is a matter of trust, and your trust is important to us. Trust is based on transparency. This privacy statement is here to inform you how and why we collect, process and use your personal data. This privacy statement includes among other things:
- which of your personal data we collect and process;
- when we collect your personal data;
- the purpose for which we use your personal data;
- how long we keep your personal data;
- who has access to your personal data; and
- what rights you have in respect of your personal data.
This privacy statement is based on the General Data Protection Regulation (GDPR), which has established itself internationally as a benchmark for strong, effective data protection.
Galaxus Deutschland GmbH, Schützenstrasse 5, 22761 Hamburg (HRB 156008) is responsible for data processing in accordance with this privacy statement ("we" or "us").
If you have any questions about this privacy statement or the processing of your personal data, please feel free to contact us, see Contact us.
You are also welcome to contact our data protection officer:
Our data processing primarily affects our customers, but also other persons whose personal data we process. This privacy statement applies to all our business areas and regardless of which channel you use to contact us, e.g. in a physical store, by telephone, in an online shop, on a website, in an app, via a social network, at an event, etc. We do not accept any liability for the content, correctness, completeness or quality of the information provided. This privacy statement applies both to the processing of personal data that has already been collected and to the processing of future personal data. For certain offers and services (e.g. competitions), additional data protection provisions may apply on top of this privacy statement.
The data protection law regulates the processing of personal data. This also applies to this privacy statement. "Personal data" refers to all information that can be associated with a specific natural person, i.e. with a human being. "Processing" refers to any handling of your personal data.
Depending on the occasion and purpose, we process different personal data. More detailed information on this is given in this section and partly also in our general terms and conditions and additional privacy statements. As a general rule, we collect your personal data directly from you, e.g. when you send us data or communicate with us. In most cases, you are not obliged to disclose personal data to us unless necessary to fulfil a contractual obligation. However, we are often not in a position to provide an offer or service to you without you making the necessary information available to us. In addition to information provided by yourself, personal data may also be collected from other sources, e.g. from other companies of the Migros Group or from third parties such as credit agencies, providers of online services such as providers of Internet analysis services, financial service providers for payments, from public registers, the media, the Internet, etc.
Among other things, we process personal data – in some circumstances including particularly sensitive personal data – in the following situations for the following purposes:
- Purchasing goods and using services: We process personal data when you make purchases in our shops or use other services from us. For instance, we process your personal data in the context of handling orders and contracts or for delivery and invoicing as well as in connection with your customer account. We also collect and process personal data in connection with your creditworthiness; for example, we collect credit information from third parties to decide whether we offer them the possibility to pay by invoice. We also analyse the purchasing behaviour of our customers and obtain information about their preferences and affinities for certain product categories as well as other information which is used to improve our services. This makes it possible for us to provide you with offers that are tailored to your interests and affinities and to tailor our offers to the needs of our customers in general.
- Use of mobile applications: We may provide mobile applications (apps). In this case, we collect and process personal data such as information about the installation and usage of the apps in question as well as information about a customer account and its usage. We process this personal data in order to provide the corresponding app and process the corresponding offer. We also process personal data to personalise the offering and to derive information about your preferences and affinities to certain products or services.
- Information and direct marketing: We process personal data for the purpose of sending written or electronic information and promotional messages unless you have objected to this processing. For example, we process your contact data in order to send you the corresponding messages. In the case of e-mail newsletters, push messages and other electronic messages, we can also process information about your usage of these messages, which allows us to get to know you better, tailor our offers more precisely to you and generally improve our offers.
- Communication: We process personal data when you contact us or we contact you, e.g. when you contact the customer service, when you write to us or when you call us. As a general rule, the only information we need is your name and contact details, the time of the relevant communication and its content, which may also include personal data of third parties. We use this information to provide you with information or messages, to process your request and communicate with you as well as for quality assurance and training purposes.
- Competitions, raffles and similar activities:
Purpose of data processing and categories of data processed
This data processing is carried out for the purpose of prize draws. You take part in prize draws by posting comments on our website. This is why technical data is collected that is necessary for the provision of the website (IP address, protocol data, etc.).
Any comments you publish will be accompanied by your community name. If you win the competition, we have to contact you and process the contact data stored in your user account. This is based on the fulfilment of our obligations within the meaning of Art. 6 I lit. b GDPR.
Another purpose is to increase brand awareness and interaction with customers. This is based on our legitimate interest pursuant to Art. 6 I lit. f GDPR. The interests of the persons concerned (right to privacy for free development of personality) must not outweigh our interests (marketing measures for professional activities). Participants are aware that any comments they write are published. By doing so, participants demonstrate that protection of privacy is not equally important to them. The person concerned can only be identified to a limited extent through the use of community names. The interest of those affected does not predominate.
Transmission of your data
Since we are part of an enterprise group and are supported by the employees of our affiliated companies (Migros AG, Digitec Galaxus AG), your data will also be processed by these companies as part of the cooperation and depending on the specific assignment of tasks.
Based on the fact that part of our IT infrastructure is provided by external parties (hosting services, IT service providers), the data is also transmitted to these parties. In this context, part of the infrastructure is located in non-EU countries (Switzerland and the USA). Data processing to non-EU countries is carried out on the basis of an adequacy decision.
Statistical data is also collected (e.g. the number of participants). These will be transmitted to contract partners without any personal reference.
Personal data is not transmitted to external parties for marketing purposes.
We process and store your personal data as far as it is necessary for the fulfilment of the purpose. After one year, prize draws and corresponding comments are deleted.
If retention periods require longer storage, this is done according to the legal requirements.
You have the following rights: the right to information, the right to correction or deletion, the right to limit the processing, the right to object to the processing (by e-mail to firstname.lastname@example.org), the right to data portability and the right to appeal to the supervisory authority responsible for us.
Further information on data processing can be found here: https://www.galaxus.de/en/guide/22. Information on data processing on the Facebook page can be found here: https://www.facebook.com/privacy/explanation
- Entering our premises: When you enter our premises, we may make video recordings in appropriately marked areas for security and evidence purposes. In addition, a Wi-Fi network may be available. In this case, we will collect device-specific data when you register on the Wi-Fi network and may ask you to register by providing your name and e-mail address or mobile phone number. We may also process and evaluate data relating to the use of Wi-Fi services.
- Market research: We process personal data for market and opinion research. We may, in particular, use information from customer satisfaction surveys as well as information about your purchasing behaviour for this purpose.
- Contact with our company as a business partner: We cooperate with various companies and business partners, such as suppliers, commercial buyers of goods and services, cooperation partners and with service providers (e.g. IT service providers). We also process personal data about the contact persons in these companies for the purposes of contract initiation and execution, planning, accounting and other contract-related purposes. Depending on the field of work, we are also required to examine the company concerned and its employees more closely, e.g. by means of a security audit. In this case, we may also collect and process further information from third parties.
- Administration: We process personal data for administrative purposes. For example, we may process personal data for IT or real estate management purposes. We also process personal data for accounting and archiving purposes and generally for the purpose of reviewing and improving internal processes.
- Business transactions: We may also process personal data to prepare and process takeovers and sales of businesses and to process purchases or sales of assets.
- Job applications: We also process personal data when you apply for a job with us. For this purpose, we generally require the usual information and documents as well as those specified in the job advertisement, which may also contain personal data of third parties.
- Compliance with legal requirements: We process personal data to comply with legal requirements and to prevent and detect violations. This includes, for example, receiving and processing complaints and other reports, internal investigations or disclosing documents to an authority if we have a good reason to do so or are legally required to do so. In doing so, we may also process personal data of third parties.
- Protecting legal interests: We process personal data in various constellations in order to protect our rights, e.g. to assert claims in court, pre- or extrajudicially and before authorities at national and international level or to defend ourselves against claims. We may process your personal data and personal data of third parties or pass on personal data to third parties in Germany and abroad.
Depending on the purpose of the data processing, our processing of personal data is based on different legal bases. In particular, we may process personal data if this processing is either:
- necessary for the fulfilment of a contract with the person concerned or for pre-contractual measures at the person's request (e.g. the assessment of his or her contract application);
- necessary to safeguard legitimate interests;
- based on a valid consent which has not been withdrawn; or
- necessary to comply with legal requirements.
As a rule, we only process particularly sensitive personal data on the basis of a valid and explicit consent, unless the data in question has obviously been made public by the person concerned or the processing is necessary for legal compliance or compliance with legal requirements.
Data is only transmitted abroad under the conditions specified in point 7.
Your personal information will only be passed on to other companies to the extent described below. Under no circumstances will we sell your personal data to third parties. We do not trade with personal data.
We may pass on your personal information to other Migros Group companies. In addition to the Federation of Migros Cooperatives and the regional Migros Cooperatives, the Migros Group also includes its respective subsidiaries. Further information on the companies which belong to the Migros Group can be found in the annual report of the Federation of Migros Cooperatives (https://report.migros.ch/2017/en/). The transfer of personal data to other group companies often serves internal group administration purposes. In certain cases, individual companies of the Migros Group may also process your personal data in their own interest for the purposes specified in this privacy statement. For the respective purposes, your personal data may be linked and processed with personal data originating from other companies within the Migros Group.
We may disclose your personal information to companies (inside and outside the Migros Group) when we use their services. By selecting such data processors and entering into adequate contractual agreements, we ensure that data privacy is also ensured by contract during the entire handling of your personal data by data processors. Our data processors are obliged to handle personal data exclusively on our behalf and in accordance with our instructions and to take appropriate technical and organisational measures to ensure data security. This applies in particular to services related to credit checks, e.g. if you wish to pay by invoice, and to IT services, e.g. services in the fields of data storage (hosting), cloud services, sending newsletter e-mails, data analysis and refinement, etc.
In specific cases, we may pass on personal data to recipients outside the Migros Group for their own purposes, e.g. if we consider this to be legally necessary or necessary to protect our interests. In these cases, ensuring data privacy is the sole responsibility of the recipient. This applies in particular to the following cases:
- We may disclose your personal data to third parties (e.g. courts and authorities in Switzerland and abroad) if this is required by law or by the authorities. We also reserve the right to process your personal data in order to comply with a court order or to assert or defend legal claims or if we consider it necessary for other legal reasons. In doing so, we may also disclose personal data to other parties involved in the proceedings;
- when we transfer debt claims made against you to other companies such as collection agencies;
- when we examine or carry out transactions such as mergers or the acquisition or sale of individual parts of a company or its assets or become the subject of a transaction ourselves.
The recipients of your personal data (point 7) may be located abroad – even outside the EU or the EEA. The countries concerned may not have laws that protect your personal data to the same extent as in Switzerland, the EU or the EEA. If we transfer your personal data to a country where this applies, we will ensure that your personal data is appropriately protected. One way of doing this is to sign data transfer agreements with the recipients of your personal data in third countries, which ensure the necessary data protection is in place. This includes contracts that have been approved, issued or recognised by the European Commission and the Federal Data Protection and Information Commissioner, so-called standard contract clauses. It is also permitted to transfer the data to recipients who are subject to the US Privacy Shield Programme (https://www.privacyshield.gov/list). Please contact us if you would like more information on the data transfer agreements we have entered into or any other valid guarantees we use for international transfers. In exceptional cases, it may be permitted to transfer data to countries without adequate protection in other cases, for example on the basis of express consent or to assert, exercise or defend legal claims.
By "profiling" we mean a procedure in which personal data is processed automatically in order to analyse or predict personal aspects. We often perform profiling. For example, we analyse shopping behaviour, usage of our websites and apps as well as other transactional and behavioural data and make assumptions about your personal interests, preferences, affinities, and habits based on this information. Profiling helps us to tailor our offer to your individual needs more effectively and to only show you advertising and offers that are actually relevant to you. In order to improve the quality of our analyses, we may link personal data from various sources, such as data collected offline and online, data collected through our services or data obtained from other companies belonging to the Migros Group. If such profiling is related to direct e-mailing, you have the right to object to it as described in point 13.
As a general rule, we do not carry out automated individual decision-making. We will inform you separately if we decide to use automated individual decision-making in specific cases. "Automated individual decision-making" refers to decisions which are fully automated, i.e. without any relevant human influence, and which have negative legal effects or other similar negative effects on you.
We have technical (e.g. encryption, pseudonymisation, logging, access restrictions, data security, etc.) and organisational (e.g. instructions to our employees, confidentiality agreements, checks, etc.) security procedures to maintain the security of your personal data and protect your personal data against unauthorised or illegal processing as well as against unintentional loss, modification, disclosure or access. However, security risks cannot be completely ruled out; a certain residual risk is usually unavoidable.
We keep your personal data for as long as this is necessary for the purposes for which they were collected – in the case of contracts, as a rule at least for the duration of the contractual relationship. We also store personal data if we have a legitimate interest in the retention. This may in particular be the case if we need personal data in order to assert or defend claims, for archiving purposes and to guarantee IT security. In addition, we store your personal data as long as they are subject to a retention period prescribed by law. For example, certain data is subject to a ten-year retention period by law. For other data, short retention periods apply, e.g. for recordings from video surveillance or for recordings of certain processes on the Internet (log files). In certain cases, we ask for your consent if we want to store personal data for a longer period of time (e.g. for job applications that we would like to keep pending). We will delete or anonymise your personal data after the expiry of the retention period.
You have the right to object to the processing of your personal data if we process your personal data on the basis of a legitimate interest. You have the right to object to data processing in connection with direct advertising (e.g. advertising e-mails) at any time. This also applies to profiling if it is connected with such direct advertising.
If the applicable requirements are met and no legal exceptions apply, you also have the right to obtain information about your stored personal data, to rectify, delete or restrict or object to our data processing and to receive the personal data provided by you in a standard format. You also have the right to withdraw any consent you may have given us. However, this does not affect the legality of the data processing carried out before the withdrawal.
If you wish to exercise any of the above rights, or if you have any concerns about our processing of your personal data, please contact us at the address listed in point 2 above. You also have the right to file a complaint with a responsible controlling authority about the way in which your personal data is processed if you believe the processing of your data violates applicable law.
The responsible controlling authority is:
The State Commissioner for Data Protection and Freedom of Information Hamburg
When you visit our websites, which personal data do we process?
Technical data (log files)
When you visit our websites, we process personal data depending on the offer and functionality. For technical reasons, this includes automatically collected data stored in log files. These include, for example, the IP address and device-specific information, such as the MAC address and the operating system of the terminal device (tablet, PC, smartphone, etc.), information about the user's Internet service provider, information about the content accessed and the date and time of the visit to the website or information about logins.
Cookies and comparable technologies
Depending on the functionality, we store cookies or use similar technologies such as pixel tags (collectively referred to as "cookies"). Cookies are small files which are automatically created by our website in your browser and stored on your end device. Cookies contain a unique number (ID), which we can assign to a specific Internet user, but usually without knowing his or her name, and, depending on the intended use, other information, e.g. about the pages called up and the duration of a visit to a page.
- On the one hand, we use session cookies which contain, among other things, the information about the origin and storage period of the cookie. These cookies are deleted after each visit to our website. We use such cookies, for example, to save the content of a shopping cart over the course of several page views carried out by the user.
- On the other hand, we use permanent cookies, which remain stored for a certain period even after the end of a browser session. Such cookies are used to recognise a visitor at a later visit, e.g. to save language settings over the course of several browser sessions or to display content on the website tailored to a visitor's interests. We thereby collect, for example, information about your visits, the pages viewed, items viewed and your shopping cart. After the pre-programmed duration has expired (usually between one month and two years), such cookies are automatically deactivated.
Data on user behaviour
Our websites use social plugins, e.g. from Facebook, YouTube, Twitter or Instagram. By doing so, buttons of the respective providers are displayed on our website, e.g. Facebook's "Like" button, or content of the respective provider is integrated on our website. If you access a website that uses such a social plugin, your browser will establish a connection with the respective provider. The content of the social plugin is transmitted by the provider to your browser and integrated into the website. Through this process, the provider receives the information that your browser has called up the respective website and the IP address of the device used, even if you do not have an account with the provider.
If you are logged in to the provider's service at the same time, the provider can assign the visit to your personal profile. If you interact with a social plugin – for example, by clicking a "Like" button or posting a comment – the corresponding information is transmitted from your browser to the respective provider and stored there. It may also be published on your profile from the respective provider and displayed to your contacts. If you visit our social media pages (e.g. Facebook fan pages), personal data may be transferred directly to the respective provider or collected and stored by the latter. The provider of the respective social network is primarily responsible for processing this data. Insofar as we are jointly responsible with the provider of the social network in question, we will enter into a corresponding agreement with this provider – for details on this agreement, please contact the provider. Further information on data processing by social network providers can be found in the privacy statements of the respective social networks (e.g. Facebook, YouTube, Twitter, Instagram).
For what purposes do we process this personal data?
- Hosting of the website: For technical reasons, recording certain log files and cookies is mandatory in order to host the website and its functions. Other cookies help us to guarantee and secure the range of functions and offers on our website and to make our website more attractive;
- Maintenance of the website: Storing and processing log files and cookies helps us maintain and troubleshoot our site, ensure its security, and fight fraud;
- Personalising of the website: Some cookies serve to tailor our website to your needs and interests, e.g. by storing your choice of language or personalised display of content;
- User behaviour analysis: We use data from web analysis services to gain greater understanding of how our websites are used and to improve their content, functionality and accessibility;
- Advertising: Some cookies enable us to display interest-related advertisements on our web pages or on third-party web pages or to display our advertisements after your visit to our website when you continue to use the Internet;
- Third-party cookies enable these third-party companies to carry out services for us or to contact you with advertisements that may be of particular interest to you.
If you are logged in to our site, we may analyse the collected personal information and link it to other information, such as non-personal statistical information and other information we have collected about you, in order to understand your preferences and affinities with certain products or services. If you are logged in to our site or log in to our site at a later point in time, usage data may be assigned to your profile and may help us to derive information about your preferences and affinities to certain products or services.
How can you prevent this data processing?
You can configure your device so that a message appears before a new cookie is created. This also allows you to reject cookies. You can also delete cookies from your device and you have the option of preventing the data generated by the cookie (including your IP address) from being collected and processed by downloading and installing a respective browser add-on. However, if you refuse or deactivate cookies, you may not be able to use all of the website's features.
You can prevent the use of Google Analytics by installing a browser add-on (https://tools.google.com/dlpage/gaoptout). You also have the right to withdraw any consent you may have given to the respective providers or to object to their processing. For Google, this is done via https://adssettings.google.com.
If you do not want a social network provider to collect information about you through our website, you need to log out of this provider's service before you visit our website. Even if you are logged out, the providers collect anonymous data via the social plugins. If you log into the provider at a later time, these data may be assigned to your profile. In these cases, the provider in question processes personal data at the provider's own responsibility and in accordance with the provider's own data security regulations. If you want to prevent the provider from assigning data to your profile, you need to delete the respective cookies. Browser add-ons, e.g. NoScript (https://noscript.net), can prevent loading social plugins entirely.
This privacy statement may change in the future, especially if we make changes to the ways we process data or if new legal regulations apply. In the event of significant changes, we actively inform persons whose contact details are registered with us about such changes, if this is possible without disproportionately large effort. In general, the privacy statement that applies to data processing is the version that was valid at the start of the respective processing.