METRO

METRO Companion App

General Data Protection Statement for the "METRO Companion" App

With the METRO Companion app (hereinafter also called "App"), METRO AG, Metro-Straße 1, 40235 Düsseldorf, (hereinafter called "METRO", "us" or "we") offers you helpful features surrounding the shopping experience and further services from METRO (hereinafter called "Service" or "Services"). This App constitutes a useful supplement to our website and to the physical shopping experience in our stores.

In the context of the App, this General Data Protection Statement informs you of how your data will always be processed every time you use the App, regardless of whether or not you are logged into your customer account. Once you have logged into the App with your customer details, the respective relevant country-specific data protection statement (for detailed information, see the subsection "Country-specific data protection statements and data processing activities") shall apply regarding the customer account that you have logged into.

Use of our App requires that personal data be provided to the extent described here. Data constitute personal data if they contain individual details concerning the personal or factual circumstances of a specific or identifiable natural person and can be linked to this person. We shall process your personal data in accordance with the statutory provisions of data protection law, i.e. the EU General Data Protection Regulation (GDPR) within the European Union, and any national data protection laws (in Germany, for example, the Bundesdatenschutzgesetz [German Federal Data Protection Act]).

The following provisions inform you of the nature, scope and purpose of the processing of personal data in the context of your use of the App.

Please note in this respect that the security of your data is very important to us, which is why we always take IT security precautions based on the current state of the art. Nevertheless, any Internet-based transfer of data can always be prone to hidden security vulnerabilities. Unfortunately, therefore, it is not technically possible to ensure complete protection against third-party access.

Who will be responsible for the processing of your data in cases where you use the App without logging in?

In terms of the GDPR, the controller responsible under data protection law in cases where you use the App without being logged into your customer account is

METRO AG

Address:
METRO AG
Metro-Straße 1
40235 Düsseldorf
Germany

Please note: The respective national METRO/MAKRO subsidiary shall be responsible for data processing in the context of your customer account. To ascertain which national subsidiary this is, please refer to the information provided in the App itself or to the data protection statement presented to you when you registered as a customer beforehand (for detailed information, see the subsection "Country-specific data protection statements and data processing activities").

How can I contact the relevant data protection officer for the App?

METRO AG
Data Protection Officer
Metro-Straße 1
40235 Düsseldorf
Germany

Email: datenschutz@metro.de

Please note: Regarding the data processing in the context of your customer account, the authority of the data protection officer responsible for you shall be determined on the basis of the country-specific data protection statement presented to you when you registered as a customer beforehand, or on the basis of the details provided in the App itself (for detailed information, see the subsection "Country-specific data protection statements and data processing activities").

What data will be transferred to the App Store when you download the App?

When you download the App, the information necessary for this shall be transferred to the respective App Store, i.e. in particular your user name, your email address, the customer details relating to your account, the time of the downloading, any payment information and the individual identifiers of your terminal device. However, we have no influence over this data processing and are not responsible for it. In this respect, only the data protection policy for use of the respective App Store, which you can access there, shall be applicable.

What data will be collected by METRO when you download the app?

No personal data shall be collected by METRO or be transmitted by the respective App Store to METRO merely as a result of downloading of the App from the respective App Store to your smartphone. No data shall be collected by METRO or transmitted to METRO before the App is first used.

What data from you will be processed when you use the App?

Regardless of whether you log into the country-specific features of the App with your customer details (for detailed information, see the subsection "Country-specific data protection statements and data processing activities"), certain data will need to be gathered when you use the App so that it is technically possible to provide the App service to you. This concerns the following data or data processing activities:

  • the language set on the device

These data are processed for the App language preselection and country selection in the App.

The processing of these data shall take place on the legal basis of Art. 6 (1), sentence 1, letter b GDPR in order to enable you to use the App.

What data will METRO process on the basis of your consent?

If you have declared your consent hereto by setting the METRO Companion App accordingly or by means of the system settings of your terminal device, the App shall access the following data in order to be able to display individual services of the App (e.g. the location-based store search, camera-based scanning of ID cards) or to optimise these services:

  • camera data (for scanning ID cards or barcodes and adding images to the shopping list)
  • images from your terminal device's picture gallery (for adding images to the shopping list)
  • location data, i.e. data concerning your location with the aid of GPS

However, location data shall be processed only as long as the App is being used, and only insofar as the respective feature requires the processing of location data. The location data shall, however, be processed locally on your smartphone rather than being transferred to METRO.

Subject to your consent, we may additionally send you customised messages to the lock screen (push messages). In this respect, we shall use the device ID in order to be able to send the messages.

Furthermore, you may consent to send us so-called "debug logs" for remedying possible faults and malfunctions in the App. These are log files containing your last activities in the App. Such log files shall include the designation of your terminal device, the version of the operating system used by you and the version of the App used by you. Additionally, such log files shall contain details relating to the features used or enabled by you, e.g. whether you have collected GPS data or have scanned an image. However, the log files shall not contain any data arising from these features, i.e. individual GPS coordinates or photographed images. You shall be able to view the content of the log files in the App yourself at any time.

You shall not be obliged to give your consent. However, we shall not use these data if you do not give your consent. You may then be unable to use all features of our App.

The legal basis of this processing lies in Art. 6 (1), sentence 1, letter a GDPR insofar as you have given us your consent. You may revoke this consent at any time by means of the corresponding settings in the App or in the system settings of your terminal device.

Which of your data shall we process for analysis purposes?

In the App we use various analysis tools to review and improve our service:

We use the technology of Firebase of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google") with different functionalities. If you are habitually resident in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is the data controller. Google Ireland Limited is therefore the company affiliated with Google which is responsible for processing your data and ensuring compliance with the applicable data protection laws.

Firebase Analytics enables the analysis of how our services are used. This means that completely anonymous information about the use of our app is collected, transmitted to Google and stored there. Google uses the advertising ID of the end device for this purpose. Google will use this information to evaluate the use of our App in an anonymous form and to provide us with further services associated with the use of apps. You can restrict the use of the advertising ID in the device settings (iOS: Privacy/Advertising/No Ad Tracking; Android: Account/Google/Adverts).

Firebase Crash Reporting is used for stability and improvement of the App. It collects information about the device used and how our App is used (e.g. the timestamp, when the App was started and when the crash occurred), which enables us to diagnose and solve problems. Information about how Crashlytics works can be found here: firebase.google.com/products/crashlytics/

Firebase Cloud Messaging enables us to inform users with targeted and context-related messages about our services and to encourage them to use the App. Information on the subject, type of message and time of sending the message is processed, as well as data on whether and when a message was received and read. In some cases, this data is also used for analysis purposes. Cloud Messaging is only used if you have given your consent (Art. 6 (1), sentence 1, letter a GDPR).

Furthermore, we use Firebase Remote Config, which allows us to perform A/B tests and adapt the behaviour and appearance of the App without having to download a new version. Firebase Remote Config allows us to configure app settings so that we can change the App on the devices on which it is installed without having to completely reinstall it from the respective app store every time we make a change. Remote Config is used to process the data categories named in Firebase Analytics: Device information, information on the App in use, data on how the App is used, location data, user ID and information on individual requests within the App (events). Information about how Remote Config works can be found here: firebase.google.com/products/remote-config/

When we link Firebase to a Google Ads account, we are able to track the success of the advertising campaigns placed through that Google Ads account. For this purpose, installation and event data from the App are used and analysed anonymously. You can find further information about this here: support.google.com/google-ads/answer/93148

Subcontractors that Google may use can be found at the following link: firebase.google.com/terms/subprocessors

To improve our App and the service relating thereto, we shall, with the aid of the service provider "Yahoo" (company name: Oath (EMEA) Ltd., 5-7 Point Square, North Wall Quay, Dublin 1, Ireland) and its programme "Flurry Analytics" (hereinafter also called "Flurry"), aggregate and analyse the data referred to in this Data Protection Statement. Further information on data protection by this service provider and on data protection in the context of the analysis programme can be found at policies.oath.com/us/en/oath/privacy/products/developer/index.html or developer.yahoo.com/flurry/docs/analytics/gdpr/summary/.

The following data shall be gathered and processed in the context of the use of Flurry Analytics:

  • session data (e.g. commencement, end, duration)
  • App version
  • device data (e.g. model, model code)
  • country code
  • GPS data

Flurry shall not disclose to third parties any user data of any kind collected at METRO or otherwise processed in the context of the use of Flurry, unless it is legally obliged to do so. Neither METRO nor Flurry shall use the Flurry analysis to track the user's personal data or combine any personal data with other data. Nor shall METRO or Flurry allow third parties to carry out such actions.

In the context of the analysis tool, we shall process your data for the purpose of providing an appealing range of services and in order to be able to present our features in a user-friendly manner. The legal basis of this processing lies in Art. 6 (1), sentence 1, letter f GDPR. Our legitimate interest lies in the provision of an attractive, useful and user-friendly service.

You may at any time discontinue analysis by deactivating the corresponding option in the system settings.

METRO has concluded a data processing agreement with service providers in accordance with Art. 28 GDPR in order to also ensure a high level of data protection as regards the processing of your data by the service providers.

The data gathered from you shall also be processed by us for the following purposes:

Beyond the foregoing, we may, insofar as necessary, also possibly process your data for the following purposes:

  • for compliance with statutory obligations and
  • for enforcing legal claims and for clearing up and preventing criminal offences.

The legal basis for this processing lies in Art. 6 (1), sentence 1, letter c GDPR insofar as this is necessary for compliance with a legal obligation concerning us, and in Art. 6 (1), sentence 1, letter f GDPR in cases where we enforce legal claims; our legitimate interest lies in legally asserting our claims or defending ourselves in the event of legal disputes or clearing up or preventing criminal offence or breaches of our terms of use or in protecting us and our users.

To whom will data gathered from you be transmitted?

Beyond the transmission of data to service providers as outlined above, we shall transmit your data to third parties only if such transmission is necessary for legal reasons in order to meet the requirements of judicial or official proceedings or conform to the statutory provisions.

The legal basis of this transmission lies in Art. 6 (1), sentence 1, letter c GDPR for compliance with a legal obligation applicable to us.

Will your data also be processed outside of the European Union?

There shall be no transmission of data to data processing entities outside of the EU.

In the context of the analysis tool Flurry, the data outlined above in the description of the tool shall be transferred to the USA. As the USA are a third country within the meaning of the GDPR, METRO has, in addition to the data processing agreement with the service provider, also concluded with the service provider the EU standard contractual clauses to ensure compliance with the necessary safeguards under data protection law as defined by Art. 46 GDPR. We shall be happy to make a copy available to you free of charge, if you request so.

For how long will your data be stored?

Your device ID shall be used only as long as the App is being used. Your country selection shall be stored locally on your terminal device only as long as you have the App installed. The system language retrieved by us for the country preselection shall not be stored. The duration of storage of other data used in the context of the customer account shall be governed by the data protection statement presented to you when you registered as a customer beforehand (for detailed information, see the subsection "Country-specific data protection statements and data processing activities").

How can you monitor the use of your data?

You may revoke at any time with effect for the future any consent that you have given us (in particular consent to the use of location data). You can do so by contacting the contacts laid down in this Data Protection Statement or - insofar as your smartphone has this technical capability - by means of direct settings in your terminal device offering such capabilities.

What rights do you have regarding your personal data?

As a data subject under data protection law, you shall, subject to the statutory prerequisites, be entitled to the following rights exercisable already in the settings of the App or at datenschutz@metro.de:

Right to access information: Subject to the prerequisites under Art. 15 GDPR, you shall have the right to receive from us information on your personal data stored with us at any time.

Right to rectification: You shall be entitled under Art. 16 GDPR to obtain from us the rectification of any inapplicable or incorrect personal data stored concerning you.

Right to erasure: Subject to the prerequisites under Art. 17 GDPR, and except where other rights or statutory restrictions conflict herewith, you shall be entitled to obtain from us the erasure of personal data concerning you without delay.

Right to restriction of processing: Subject to the prerequisites under Art. 18 GDPR, you shall be entitled to obtain from us the restriction of processing of your personal data.

Right to data portability: Subject to the prerequisites under Art. 20 GDPR, you shall be entitled to obtain from us in a structured, commonly used and machine-readable format the personal data concerning you that you have provided to us.

Right to revoke: You shall have the right to revoke at any time with effect for the future any consent that you have given regarding the processing of personal data.

Right to object: Subject to the prerequisites under Art. 21 GDPR, you shall be entitled to lobject to the processing of your personal data, which shall obligate us to cease processing your personal data, except where other rights conflict herewith.

Right to lodge a complaint with a supervisory authority: Subject to the prerequisites under Art. 77 GDPR, you shall be entitled to lodge a complaint with a supervisory authority.

You can address complaints to our data protection officer. If possible, your requests to exercise your rights should be addressed in writing to the above address or directly to our data protection officer. This right to lodge a complaint shall apply without prejudice to other remedies under administrative law or to judicial remedies.

Our relevant supervisory authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit NRW [State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia]
Postfach 200444
40102 Düsseldorf
Germany

Are you obliged to provide personal data?

In principle, you shall not be obliged to provide information or personal data. If you refuse to do so, however, we may be unable to offer the App or its features or carry out certain services.

Does automated individual decision-making take place (so-called profiling)?

No.

Information on your right to object under 21 GDPR

You shall have the right to object at any time, on grounds relating to your particular situation, to any processing of your data that takes place on the basis of Art. 6 (1) f GDPR (data processing on the basis of a balancing of interests). This shall also apply to any profiling, as defined by Art. 4, no. 4 GDPR, based on this provision.

If you lodge an objection, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

Such objection may be lodged informally and should, if possible, be addressed to

METRO AG

Address:
METRO AG
Data Protection Officer
Metro-Straße 1
40235 Düsseldorf
Germany

Email: datenschutz@metro.de

Country-specific data protection statements and data processing activities

You shall only be able to log into a customer account if you have registered with METRO or a national METRO/MAKRO subsidiary as a customer and have, in the course of this registration, read and accepted the data protection policy and General Terms and Conditions of Business applicable to the respective national subsidiary.

Once you log into your customer account within the App, the App features available in the context of the customer account as well as the data processing activities in connection therewith shall be governed by the aforementioned stipulations of the national METRO/MAKRO subsidiaries. The App will recognise, by means of your device setting, the country in which you are registered as a customer (e.g. Germany, Netherlands or Spain) and will then automatically set the corresponding language and the country-specific App features. To be able to display in the App the services associated with your customer account and to create the functionalities, we shall combine your device ID with the corresponding customer account as long as you are logged in.

The processing of the data described in the above subsection shall take place on the legal basis of Art. 6 (1), sentence 1, letter b GDPR for the implementation of the contract concluded with us concerning use of the App and of the respective customer account.

Insofar as you have consented to push messages (see above under the subsection "What data will METRO process on the basis of your consent?"), the customer number available when logging in shall be linked to the device ID to also enable the sending of push messages with content relating to the customer account.

The legal basis of this processing lies in Art. 6 (1), sentence 1, letter a GDPR insofar as you have given us your consent. You may revoke this consent at any time by setting the App accordingly or by means of the system settings of your terminal device.

Once you have logged into the App as a customer, the data processing activities taking place in the context of the customer account shall be governed by the explanations set out in the country-specific data protection statement relevant to you, which you already received when you registered as a customer (cf. above), but which you can also access within the App if you are logged in there.


As of: 29/03/2019

Обща декларация за защита на данните за Приложението „Companion“
PDF 205 KB

Allgemeine Datenschutzerklärung für die „METRO Companion“ App
PDF 144 KB

General Data Protection Statement for the "METRO Companion" App
PDF 142 KB

Declaración general de protección de datos para la aplicación «METRO Companion»
PDF 131 KB

Déclaration générale relative à la protection des données pour l’application « METRO Companion »
PDF 172 KB

Opća obavijest o zaštiti osobnih podataka za aplikaciju „Companion“
PDF 157 KB

A „Companion” appra vonatkozó adatvédelmi nyilatkozat
PDF 129 KB

Dichiarazione Generale sulla Protezione dei Dati Personali per l’App "METRO Companion"
PDF 192 KB

Privacyverklaring voor de 'METRO Companion' app
PDF 145 KB

General Data Protection Statement for the "METRO Companion" App
PDF 142 KB

Oświadczenie o ochronie danych dla aplikacji "METRO Companion"
PDF 199 KB

Declaração Geral de Protecção de Dados para a Aplicação “METRO Companion”
PDF 197 KB

Declarația generală privind protecția datelor pentru aplicația "METRO Companion"
PDF 169 KB

Obaveštenje o zaštiti podataka za aplikaciju „Companion“
PDF 214 KB

Загальна політика конфіденційності для додатку "METRO Companion"
PDF 239 KB