For us as a company, data protection is not just an empty phrase. We take the protection of personal data very seriously, both for our employees and for our customers, suppliers and all other persons. We spend a great effort to ensure this protection. We take care that all data is only processed in accordance with the strict legal requirements.
Data Protection Organization
For us, the essential requirements result from the EU General Data Protection Regulation (GDPR), which is applicable as of 25 May 2018. Within the scope of two projects, all data protection processes of all METRO companies throughout the company group were reviewed in light of the new requirements of the GDPR. Where necessary, corporate solutions were adapted to these requirements (e.g. declarations of consent, data protection regulations, IT systems, privacy default settings).
In this context, we have implemented a new Data Protection Guideline. The Guideline at first creates a group-wide data protection organization. There is a binding organizational structure with defined roles that regulates responsibility for data protection issues at all levels. In addition to the Data Protection Officers of the individual companies, there are many other function owners in our company who are responsible for compliance with data protection requirements.
In addition, the directive contains a set of rules with minimum standards for our data processing activities. There are minimum standards within the EU that are based on the GDPR, but there are also minimum standards for our companies outside the EU. Further key points of the directive are specifications for deletion concepts, data protection by design and by default.
Regular training courses are held on the requirements of the guideline.
Accountability and lawful data processing
Every data processing activity is recorded by us. We document the processes with the help of an individually adapted software application. In this way, we can assess the legality of the processing before it begins. In addition, we regularly check if processes are compliant and up-to-date.
Data protection issues are also closely linked to our general risk and compliance management.
Transfer of data to third parties
In addition, there are exact specifications for transferring data to third parties. Data processors who receive our data are selected under strict criteria. They must have sufficient technical and organizational measures in place to ensure the security of the data. We put contracts in place that define the requirements for data processors in a binding manner. There is a high uniform standard for this.
Data will only be transferred abroad if the legal requirements are fulfilled. Special precautions are required for transfers to countries outside the EU/EEA. As a rule, this is the conclusion of EU standard contract clauses with the recipient.
We inform all persons concerned sufficiently and comprehensively about the processing of their data. Transparency is of paramount importance to us. We want everyone to be able to form their own opinion about a certain process. On this basis, everyone should be able to decide whether or not he/she wishes his/her data to be processed. As far as it is technically possible, we provide corresponding data protection information for each process, e.g. the customer information in our shops or the privacy policies on our websites.
Rights of data subjects and deletion
We ensure that data subjects can assert their rights to data protection. This includes in particular the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to data processing
We have taken extensive precautions so that all inquiries can be answered and implemented in sufficient time. In particular, there are detailed specifications for
deletion. This ensures that data is not stored longer than necessary.
To foster transparency and trust in our business, we publish the number of substantiated complaints from outside parties as well as the number of complaints from regulatory bodies regarding data breaches. In order to be published, any complaint regarding a data breach, irrespective of who lodged the complaint, must relate to an actual data breach in the sense of Art. 33 GDPR, meaning that the data breach must be likely to at least result in a risk to the rights and freedoms of natural persons. In addition, to be published any complaint must be substantiated, meaning that the complaint must be recognized as legitimate either by us or by any competent official or judicial authority. We will not publish information on the complainant, the subject of the complaint itself or the nature of the data breach as to not divulge any sensitive information.
Number of substantiated complaints group-wide in FY 2019/2020: 0
Data Protection Management System
For further information regarding data protection at METRO and our data protection standards please see the comprehensive description of our Data Protection Management System:
Concept audited and certified
The concept of the Data Protection Management System was audited by an external body in accordance with international auditing standard IDW PS 980. There were no objections. Further details can be found in the KPMG audit report: