Café Royal uses cookies in order to ensure the best possible service for you. By continuing to use this website, you agree to the use of cookies.For more information, see our Privacy Policy.

Protection and confidentiality of your data are extremely important to us. 

Privacy Policy

  1. What Is this Privacy Policy about?
  2. Who Are We?
  3. What Is "Personal Data" and What Does "Processing" Mean?
  4. For Whom and for What Purpose Is this Privacy Policy Intended?
  5. Which Personal Data Do We Process and for What Purposes?
  6. To Whom Do We Disclose Personal Data?
  7. When Do We Transfer Your Personal Data Abroad?
  8. Do We Conduct Profiling and Use Automated Decision-Making?
  9. How Do We Protect Your Personal Data?
  10. For How Long Do We Store Your Personal Data?
  11. What Rights Do You Have in Connection with the Processing of Your Personal Data?
  12. What Else Do You Need to Bear in Mind?
  13. Changes to this Privacy Policy
  14. Table: Reasons for data collection; scope, purpose and obligation to provide data; legal basis for processing

 

as of may 25th

1. What Is this Privacy Policy about?

The protection of data is a matter of trust and your trust is important to us. It is for this reason that we have published this Privacy Policy. With a view to the new European General Data Protection Regulation ("GDPR"), it specifies which personal data we process, how we process this data, and for what purposes. Although the GDPR is a European Union Regulation, it is relevant to us. The Swiss Federal Act on Data Protection ("FADP") is heavily influenced by EU law and the future FADP, as amended, will incorporate many of the provisions of the GDPR. In addition, companies outside of the European Union are required to comply with the GDPR in certain circumstances. However, we want to ensure that the high level of protection established by the GDPR is afforded to all individuals whose personal data we process. For this reason, we have decided to align this Privacy Policy, in general, with the GDPR. You can view the GDPR here.

We are committed to providing comprehensive information on the processing of your personal data. This Privacy Policy therefore explains how and why we collect, process, and use your personal data. It is important to us that you understand:

  • what personal data about you we collect and process;
  • when we collect your personal data;
  • the purposes for which we use your personal data;
  • how long we store your personal data;
  • who has access to your personal data; and
  • what rights you have with respect to your personal data.

We provide information and guidance on all of these matters below. If you have any questions, please do not hesitate to contact us. Our contact details are included in Section 2.

2. Who Are We?

For each data processing activity, a particular company is responsible for ensuring compliance with data protection provisions. In each case, this is the company that defines whether a certain processing activity (e.g. processing in connection with a service or the use of a website) should take place, for what purposes it is performed, and the general principles that should apply (where such decisions are made jointly by more than one company, the companies may also be jointly responsible). The following company ("we" or "us") is generally responsible for the data processing activities covered by this Privacy Policy:

Delica AG
Hafenstrasse 120
CH-4127 Birsfelden
Switzerland

Tel: +41 800 506 506 (Switzerland)
Mail: info@cafe-royal.com

We have appointed a Data Protection Officer who may be contacted as follows:

Datenschutz Café Royal
datenschutz@cafe-royal.info
+ 41 61 315 77 88 Switzerland

We have also appointed the following company as a representative in the EU and/or the European Economic Area:

M-Industry Germany
Rudolf-Diesel-Strasse 24
D-64625 Bensheim
datenschutz@cafe-royal.info

In certain cases, responsibility does not lie with us, but rather with a different company:
If you contact another Migros Group company (e.g. in contacting Customer Services), this company will be responsible for the relevant data processing activity – unless this Privacy Policy states otherwise in relation to the processing activity concerned.

In certain circumstances, we may disclose your personal data to another Migros Group company or to an external party in order to enable these recipients to process personal data for their own purposes (i.e. not on our behalf). Such parties may also include the authorities. In such cases, the recipient concerned is deemed to be the data controller. Information on such data controllers is provided in the relevant privacy policy of the recipient, which will generally be available on its website.

3. What Is "Personal Data" and What Does "Processing" Mean?

The rules governing the processing of personal data are laid down in data protection legislation. Personal data (or "personal information") means any information relating to an identifiable natural person, i.e. an individual. This may, for example, include the following information:

  • Contact details, for example name, mailing address, email address, telephone number
  • Other personal details, for example gender, date of birth and age, marital status, nationality
  • Professional details, for example occupation, title, role, training, former employers, skills and experience, approvals and licenses, and memberships
  • Shopping information, for example purchase information, orders, shopping history, preferred shopping locations and -times, shopping baskets, preferences and preference for certain product categories
  • Financial details, for example credit card number, account details, credit rating, assets, and income
  • Image, sound, and video recordings
  • Records of your visits to websites and your use of apps.

Information relating to a particular legal entity (e.g. details about a contract with a company) also constitutes personal data.

Certain personal data are afforded special protection under the legislation, including "sensitive personal data" (also referred to as "special categories of personal data"). Such data may include information that discloses an individual's race or ethnic origin, political views, religious or philosophical beliefs, or trade union membership as well as genetic data, biometric data allowing the unique identification of an individual, health data and data concerning an individual's sex life or sexual orientation, as well as data concerning criminal convictions and offenses and, in certain circumstances, data relating to social security matters.

We generally collect your personal data directly from you, for example when you perform certain actions. This may include instances in which you communicate with us, visit a website, or avail yourself of an offer online or via an app or when you shop with us in an online shop. Personal data may, however, also be collected indirectly, for example when goods are delivered to a different person (e.g. as a gift), other people are mentioned in any communication with us, or through the procurement of additional data from third-party sources (e.g. from social media or mailing list brokers).

We do not necessarily process all the categories of personal data mentioned in this section. Specific information about the personal data processed by us can be found in section 5 and in the table at the end of this Privacy Policy. Depending on the type of processing involved, we will provide additional information by way of a separate privacy policy or notification, especially if a certain data processing activity is not self-explanatory.

Processing“ (or „use“) therefore refers to any use of your personal data. This may include the following actions:

  • Collection and storage
  • Organization and administration
  • Adaptation and alteration
  • Retrieval and storage
  • Disposal and usage
  • Transfer and disclosure
  • Combining
  • Restriction
  • Erasure and destruction.

4. For Whom and for What Purpose Is this Privacy Policy Intended?

This Privacy Policy applies to our personal data processing activities in all of our business areas. This also includes the business activities of the brand beluga. It applies to the processing of personal data that has already been collected and personal data that will be collected in future. Additional data protection provisions may also apply to certain services.

Our data processing activities may affect, in particular, the following individuals (so-called "data subjects"):

  • Individuals who write to us or contact us in some other way
  • Customers in our shops
  • Customers in online shops
  • Users of online offers and apps
  • Nutzer von Online-Angeboten und Apps
  • Individuals who use our services or come into contact with our services
  • Visitors to our website
  • Recipients of information and marketing communications
  • Participants in competitions, prize draws and customer events
  • Participants in market research and opinion surveys
  • Contacts at our suppliers, outlets, and other business partnersƒWhich
  • Job applicants.

Further information on data processing activities relating to specific offers may be included in general terms and conditions, terms of participation, and similar provisions.

5. Which Personal Data Do We Process and for What Purposes?

We process a wide range of personal data for different reasons and purposes. Further information is provided in this section and in the table at the end of this Privacy Policy and, in many instances, in the applicable general terms and conditions, conditions of participation, and additional privacy policies. For example, we process personal data, which may include sensitive personal data, in the following situations for the following purposes:

  • Communications: We process personal data if you contact us or we contact you, for example when you contact Customer Services, if you write to us, or if you call us. As a general rule, information such as your name and contact details as well as the content and time of the messages in question will be sufficient for us. We use this data to ensure that we can provide you with information or notifications, deal with your concerns, and communicate with you, as well as for quality assurance and training purposes. We also forward information within the Migros Group to the relevant company officers, for example if your concern relates to another company.
  • Purchase of goods and use of services: We also process personal data in connection with products and services supplied by us, e.g. when you buy a product from us or use a service. We process your personal data, for instance, in the context of processing orders, the performance of contracts or for delivery and invoicing purposes. When you make purchases in online shops or use a bonus or loyalty card, we also collect and process personal data relating to your credit rating as well as shopping and payment patterns. For example, we use credit reports for the purpose of determining whether to allow you to buy on account and we also process information with respect to the purchases you make, when and how often you make them, and the stores or online shops where you purchase items. This information helps us understand your preferences for and interest in certain products or services, enabling us to provide targeted information regarding other offers and align our offerings more precisely with demand.
  • Visiting websites: When you visit our website, we will process personal data based on the offer and functionality involved. This includes technical data, e.g. information on the time you accessed our website, the duration of the visit, the pages accessed, and the device used (e.g. tablet, PC or smartphone; "end device"). We use such data for the purposes of providing the website, for reasons of IT security, and to improve the user-friendliness of the website. We also use "cookies", i.e. files that are stored on the end device when you visit our website. In many cases, cookies are required for the functionality of the website and are deleted automatically following the visit. Other cookies are used to personalize the offering and are saved for a set duration (e.g. two years). We also use analysis services such as Google Analytics. This involves the collection of detailed information regarding patterns of behavior on the relevant website. We may also integrate functions from providers such as Facebook, which may lead to the provider in question obtaining data about you. In most cases, however, we do not know the names of website visitors.
  • Online offers and apps: If you use online offers provided by us, we will also process your personal data (even if you do not purchase any goods or services). Depending on the type of offer, this information may include details of customer accounts and the use of such accounts as well as information on the installation and use of mobile applications ("apps").
  • Information and direct marketing: We process personal data in order to send information and advertising messages. For example, if you register for a newsletter or an SMS notification, we will process your contact data. In the case of emails, we will also process information regarding your use of the messages (e.g. whether you opened an email and downloaded any images embedded therein). We do so in order to get to know you better, to gear our offers more precisely towards your needs, and to improve such offers in general. If you do not agree to the processing of usage data, you may block such processing in your email program.
  • Competitions, prize draws, and similar events: We now and again organize competitions, prize draws, and similar events. In such cases, we will process your contact information and details about your participation for the purposes of conducting the competitions and prize draws. Where applicable, we will also process this data to enable us to communicate with you and for advertising purposes. Further information in this regard can be found in the relevant terms of participation.
  • Customer events: We will also process personal data in relation to any customer events held by us (e.g. advertising events, sponsorship events, cultural and sporting events). This includes the participants' or interested parties' names and mailing or email addresses as well as any further information that may be required, for example your date of birth. We will process this data for the purpose of holding customer events, but also to allow us to contact you directly and get to know you better. Further information in this regard can be found in the relevant terms of participation.
  • Business partners: We work with various companies and business partners, for example with suppliers, commercial purchasers of goods and services, cooperation partners, and service providers (e.g. IT service providers). For purposes relating to contract initiation and performance, planning, and accounting, as well as for other purposes associated with the respective contract, we may also process personal data pertaining to contacts at the relevant companies, for example their name, role, title and communications with us. Depending on the area of activity, we are also required to check the company in question and its employees in more detail, for example by performing a security check. In this case, we will collect and process additional information. We may also process personal data to improve our customer focus, levels of customer satisfaction, and customer retention (customer/supplier relationship management).
  • Administration: We process personal data for our own and intra-Group administration. For example, we may process personal data for the purposes of invoice management, address management, etc.We also process personal data for accounting and archiving purposes and, in general, with a view to reviewing and improving internal processes.
  • Corporate transactions: We may also process personal data for the purposes of undertaking preparatory work and undertaking corporate takeovers and -salesas well as purchases and sales of assets. The subject matter and scope of any data collected or transmitted will depend on the stage and object of the transaction.
  • Job applications: We will also process personal data if you apply for a position with us. Generally speaking, we will require the usual information and documents specified in the job advertisement.
  • Compliance with legal requirements: We process personal data in order to comply with legal requirements. This includes, for example, the acceptance and processing of complaints and other notifications, internal investigations, and the disclosure of documents to an authority if we have good reason or are legally obliged to do so.
  • Safeguarding of rights: We may process personal data in various forms in order to safeguard our rights, for example to enforce our rights both in or out of court and before national or foreign authorities or to defend against any claims. For example, we may seek clarification as to the prospects of success in relation to legal proceedings or submit documents to an authority. In doing so, we may process your personal data or disclose your data to third parties, either at home or abroad, to the extent required and permitted.

The table at the end of this Privacy Policy provides a more detailed description of the kinds of personal data about you that we collect and process, how this data is used, for what purposes, and on what legal grounds. It also provides information on whether you are obliged to supply your personal data to us.

6. To Whom Do We Disclose Personal Data?

Our employees have access to your personal data to the extent required for the purposes defined and for the performance of the activities of the employees in question. Our employees act in accordance with our instructions and are bound by confidentiality and non-disclosure obligations in handling your personal data.

We may transfer your personal data to third parties if we wish to use their services ("contract data processors"). This primarily concerns services in the following areas:

  • Corporate management services, for example accounting or asset management
  • Advisory services, for example the services of tax advisors, lawyers, and management consultants, as well as the services of advisors in the fields of personnel recruitment and placement
  • IT services, for example in the areas of hosting, cloud services, the delivery of email newsletters, and data analysis and enhancement
  • Credit assessments, for example if you want to make a purchase on account
  • Services in the areas of haulage and logistics, for example for the delivery of ordered goods
  • Services in the field of digital payments

In selecting contract data processors and by entering into appropriate agreements, we ensure that privacy is safeguarded throughout the processing of your personal data, including when data are processed by third parties. Our contract data processors are under an obligation to process personal data solely on our behalf and in accordance with our instructions.

Furthermore, personal data may be transferred to other companies which may (also) use such data for their own purposes. In such cases, the data recipient is legally responsible as the controller of the data. This would apply in the following circumstances, for example:

  • If we are required to transfer personal data to another company in relation to transactions contemplated or carried out by us, including company mergers or the acquisition or sale of individual parts of a company or its assets. In such cases, we will inform you as early as possible and endeavor to process as little personal data as possible.
  • We may disclose your personal data to third parties (e.g. to the authorities within Switzerland and abroad) if this is required by law. We also reserve the right to process your personal data in order to satisfy a court order or for the purpose of enforcing or defending legal rights or claims or if we consider such processing to be necessary on any other legal grounds.
  • We may disclose personal data about you to former employers if you apply for a position with us (references) or to future employers if you wish to apply for a new job. However, we will not do so in the absence of any request to this effect from you or without your consent.
  • If we transfer claims against you to other companies, such as collection agencies.

7. When Do We Transfer Your Personal Data Abroad?

The recipients of your personal data data section 6 may be located abroad – including outside of the EU or EEA. The countries in question may not have laws in place that afford your personal data the same level of protection as provided in Switzerland or in the EU or the EEA. In transferring your personal data to such a country, we are required to ensure the protection of your personal data in a suitable manner (Articles 46 and 47 of the GDPR). One means of doing so is to conclude data transfer agreements with the recipients of your personal data in third countries that ensure the required level of data protection. These include agreements that have been approved, issued, or adopted by the European Commission and the Federal Data Protection and Information Commissioner, referred to as standard contractual clauses (legal basis set out in Article 46(2) of the GDPR). Data may also lawfully be transferred to recipients that are subject to the US Privacy Shield Program. Please conExamples of the types of agreement generally used can be found here. In exceptional circumstances, the transfer of personal data to countries without appropriate protection is also permitted in other cases, for example on the basis of explicit consent (Article 49(1)(a) of the GDPR), for the performance of a contract with the data subject or the handling of his or her contract application (Article 49(1)(b) of the GDPR), for the conclusion or performance of a contract with somebody else in the interests of the data subject (Article 49(1)(c) of the GDPR), or for the establishment, exercise, or defense of legal claims (Article 49(1)(e) of the GDPR).

8. Do We Conduct Profiling and Use Automated Decision-Making?

Profiling“ refers to a procedure during which personal data is processed on an automated basis in order to assess, analyze, or predict personal aspects, for example an individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. We often conduct profiling, for example in analyzing shopping behavior, selecting job applicants or evaluating contractual partners, etc.

Automated decision-making“ refers to any decision that is made on an automated basis, i.e. with no relevant human influences, and may have negative legal implications or other similar adverse consequences for you. We will provide separate information on any automated decision-making deployed by us in specific cases, insofar as such information is legally required.

9. How Do We Protect Your Personal Data?

We take appropriate technical measures (e.g. encryption, pseudonymization, record keeping, access restrictions, data backups) and organizational measures (e.g. instructions issued to employees, confidentiality agreements, audits) in order to safeguard your personal data, protect you against unauthorized or unlawful processing activities, and to address the risk of loss, unintentional changes, inadvertent disclosure, or unauthorized access. In general, however, security risks cannot be completely ruled out; certain residual risks are unavoidable in most cases.

10. For How Long Do We Store Your Personal Data?

We store your personal data in a personalized form for as long as it is required for the specific purpose for which it was collected. In the case of contracts, personal data is stored for at least the duration of the contractual relationship. We also store personal data if we have a legitimate interest in storing it. This may apply, for example, if we require personal data for the purpose of enforcing rights or defending against claims, for archiving purposes, to ensure IT security, or if limitation periods apply in respect of any contractual or non-contractual claims. In many case, a limitation period of ten years will apply, for example, while in other cases a five-year or one-year limitation period may apply. We also store your personal data if it is subject to a statutory retention requirement. For example, a ten-year retention period applies to certain data. Shorter retention periods apply for other data, for example for recordings from CCTV or for recordings of certain online processes (log data). In certain cases, we will also ask for your consent if we want to store your personal data for longer periods (e.g. for job applications that we wish to keep on file). At the end of the periods specified, we will erase or anonymize your personal data.

11. What Rights Do You Have in Connection with the Processing of Your Personal Data?

You may object to the processing of your personal data at any time and are generally free to withdraw your consent to any data processing activity. A right to object exists, in particular, with respect to data processing relating to direct advertising (e.g. advertising emails).

You also have the following rights:

Right to information

SYou have the right to transparent, easy-to-understand, and comprehensive information with respect to how we process your personal data and what rights you have with regard to the processing of your personal data. We meet this obligation by providing this Privacy Policy. If you would like further information, please do not hesitate to contact us (section 2 ).

Right of access

You have the right to request access to any personal data stored and processed by us at any time free of charge. You therefore have the opportunity to check what personal data about you we process and that we use this data in accordance with the applicable data protection provisions. In certain cases, the right of access may be restricted or excluded, in particular:

  • if we have any doubts concerning your identity and are unable to identify you;
  • to protect other individuals (e.g. to comply with confidentiality obligations or safeguard the data protection rights of third parties);
  • in the event that the right of access is exercised excessively (alternatively, we may request payment in consideration of providing access in such instances);

or

if the providing full access would involve disproportionate effort.

Right to rectification

You have the right to have inaccurate or incomplete personal data rectified and to be informed about such rectification. In such cases, we will inform the recipients of the affected data about the changes, unless this is impracticable or involves disproportionate effort.

Right to erasure

You have the right to have your personal data erased. You can request the erasure of your personal data if:

  • the personal data is no longer required for the intended purposes;
  • you have effectively withdrawn your consent or have effectively objected to the processing of your data; or
  • the personal data is being processed unlawfully.

In such cases, we will inform the recipients of the affected data about the erasure, unless this is impracticable or involves disproportionate effort.

In certain cases, the right to have personal data erased may be excluded, especially if the processing activity is required:

  • to exercise the right of freedom of expression;
  • to comply with a legal obligation or is in the public interest; or
  • to enforce legal claims.

Right to restriction of processing

Under certain conditions, you have the right to request that the processing of your personal data is restricted. This may mean, for example, the personal data is (temporarily) no longer processed or that published personal data is (temporarily) removed from a website. In such cases, we will inform the recipients of the affected data about the changes, unless this is impracticable or involves disproportionate effort.

Right to data portability

You have the right to receive personal data that you have provided to us in a readable format, free of charge, if:

  • the specific data processing activity is based on your consent or is required for the performance of a contract; and
  • the processing is performed with the assistance of automated processes.

Depending on the circumstances, your personal data may be transferred to you personally or directly to the third-party provider.

Right to lodge a complaint

You have the right to lodge a complaint to a competent supervisory authority with respect to the manner in which your personal data is processed.

In principle, you have the right to withdraw consent previously given at any time. Data processing activities performed in the past on the basis of your consent will, however, not become unlawful due to you withdrawing consent.

12. What Else Do You Need to Bear in Mind?

The "GDPR" requires that the applicable legal basis for data processing activities is specified. The processing of personal data is allowed, in particular, if:

  • this is required for the performance of a contract with the data subjects or for pre-contractual measures requested by the data subjects (e.g. reviewing their application to enter into contract – legal basis set out in Article 6(1)(b) of the GDPR); or;
  • this is required for legitimate interests, provided that the interests or fundamental rights and freedoms of the data subject are not overriding (legal basis set out in Article 6(1)(f) of the GDPR). These legitimate interests include our own interests and third-party interests. These interests are very diverse and include, for example interests in connection with the supply of products and services to third parties (e.g. recipients); interests in connection with good customer support, maintaining contact and other communications with customers, including outside the framework of a contract; interests in performing advertising and marketing activities; our interest in getting to know our customers and other individuals better; our interest in improving existing products and services and developing new ones; our interest in facilitating intra-Group management and intra-Group communication, which is necessary with a Group that requires cooperation between parties; our interest in combating fraud, for example in online shops, and in the prevention and investigation of offenses; our interest in protecting customers, employees, and other individuals and data, as well as secrets and assets of the Migros Group; our interest in ensuring IT security, especially in connection with the use of websites, apps and other IT infrastructure; our interest in safeguarding and organizing business operations, including the running and further development of websites and other systems; our interest in ensuring corporate management and development; any interest in selling or purchasing companies, parts of companies, or other assets; any interest in the enforcement or defense of legal rights and claims; and our interest in complying with Swiss law and internal rules and regulations;
  • this is based on effective consent that has not been withdrawn (legal basis set out in Article 4(11) and Articles 7 and 8 of the GDPR); or
  • this is required for compliance with legal obligations (legal basis set out in Article 6(1)(c) of the GDPR).

The processing of sensitive personal data (see section 3) is subject to more stringent restrictions. Such processing is, for example, permitted:

  • on the basis of effective and explicit consent that has not been withdrawn (legal basis set out in Article 9(2)(a) of the GDPR);
  • if the processing activity relates to personal data that the data subject has manifestly made public (legal basis set out in Article 9(2)(e) of the GDPR);
  • if this is required for the safeguarding of rights (legal grounds stipulated by Article 9 (2)(f) of the GDPR); or
  • if this is required in order to ensure compliance with certain legal provisions (legal basis set out in Article 9(2)(a) of the GDPR).

The transfer of data abroad is also only permitted under certain conditions. Information in this regard can be found in section 7.

In the a table at the end of this Privacy Policy, you can find further information with respect to the legal basis typically applying to the relevant data processing activities. However, due to the complexity of many data processing activities, it cannot be ruled out that in certain circumstances other legal grounds may also apply.

The GDPR also requires that you are provided with information on whether you are obliged to supply personal data or whether this is necessary for the conclusion of a contract and what the consequences of not providing this data would be. Generally speaking, there is no obligation to disclose personal data to us unless you have entered into a contractual relationship with us that establishes such an obligation. We will, however, be required to collect and process any personal data that is necessary or legally prescribed for the purposes of commencing and performing a contractual relationship and meeting related obligations. Otherwise, it will not be possible for us to conclude or continue the contract in question. The processing of certain data is also mandatory in relation to the use of websites. Although you can prevent cookies from being saved (further information in this regard can be found in this Privacy Policy), the recording of certain data, although generally not of a personal nature, such as your IP address, cannot be prevented for technical reasons.

Under certain circumstances, you may wish or be required to transfer personal data of third parties to us. Please note that in such cases you are required to inform the data subjects about the transfer of this data and about this Privacy Policy and to ensure that the personal data in question is accurate.

13. Changes to this Privacy Policy

This Privacy Policy may be updated over time, especially if we change our data processing activities or if new legal provisions become applicable. We will actively inform individuals whose contact details are registered with us of any material changes, provided that we can do this without disproportionate effort. Generally speaking, however, the version of the Privacy Policy in effect at the time at which the data processing activity in question commences is applicable.

14. Reasons for data collection; scope, purpose and obligation to provide data; legal basis for processing

14.1 Communication
14.2 Purchase of goods and use of services
14.3 Visits to our website
14.4 Online offers and apps
14.5 Information and direct marketing
14.6 Participation in competitions, prize draws, and similar events
14.7 Participation in customer events
14.8 Contact with our company as a business partner
14.9 Administration
14.10 Corporate transactions
14.11 Job applications
14.12 Compliance with legal requirements
14.13 Exercising rights

In this table, you can find detailed information on the individual processing purposes, the personal data processed to this end, the applicable legal basis, and any obligation to disclose relevant personal data to us. Please note that in many cases it is not possible to provide an exhaustive list.

14.1 Reason for data collection: Communication

Processed personal data

We collect and process personal data if you contact us or we contact you in writing, electronically, or by phone, for example if you contact Customer Services and if you send us an email or letter or call us, but also e.g. if you leave a comment on our website. In such cases, we process contact and communication details. This includes, in particular, the following personal data:

  • Name
  • Contact data based on the form of communication, for example your mailing address, email address or telephone number
  • Details about third parties who are mentioned in the communication, as applicable
  • The content and time of the communication

The exact scope of the personal data is largely dependent on the content of the communication. If you transfer sensitive personal data to us, we will also process this. Telephone conversations with us may be recorded. In such cases, you will be informed accordingly in advance.

Processing purpose and obligation to provide personal data

In particular, we process personal data in this context for the following purposes:

  • Communication with you
  • Customer services and -care
  • Quality assurance and training
  • All other processing purposes, to the extent that they require communication (e.g. performance of contracts)

in this case, you are generally under no obligation to provide us with specific information. Often, however, we can only respond to you, handle your concerns, and communicate with you if we process certain information as a minimum. If you do not want us to record telephone conversations, you can cut off the telephone call at any time and correspond with our Customer Services in another way (e.g. via email).

Legal basis

If communication is initiated by you, we will deem this to constitute consent to the processing of your personal data (Article 6(1)(a) and, where applicable, Article 9(2)(a) of the GDPR). The processing performed by way of Customer Services and through communication is in many cases also in our legitimate interest (Article 6(1)(f) of the GDPR), as this allows us to communicate with customers and other individuals, improve the quality of our services, prevent errors in our processes, and achieve a high level of customer satisfaction

14.2 Reason for data collection: Purchase of goods and use of services

Processed personal data

If we make supplies to you, for example if you purchase goods or services from us, we will process personal data relating to your shopping and payment patterns. This includes, in particular, the following personal data, which may be sensitive:

  • Name, address, contact information, delivery address(es)
  • Credit rating and payment information
  • Information about what purchases you make as well as where you make the purchases, how often, and using which payment methods in which stores or online shops
  • Details about your behavior in an online shop (ordered and cancelled shopping baskets, wish lists, viewed articles, etc.).

However, the foregoing is subject to you shopping online, using a bonus or loyalty card, or identifying yourself in some other manner. In our stores, however, you can generally also shop without us knowing your name.

We may also evaluate information about in-store and online purchases and behavior and combine this with other personal data, for example with non-personalized statistical data and other personal data that we have collected about you. We may also check your credit rating in connection with the contract. To this end, we will normally consult information from specialist companies known as credit reference agencies. If you shop online, please also note the provisions of this Privacy Policy under "Use of online offers".

Processing purpose and obligation to provide personal data

In this case, we will process your data, in particular, for the following purposes:

  • Initiation and performance of the contract: We will process your personal data so that we can decide whether and how (e.g. with which payment options) we enter into a contract with you so that we can record products and services purchased, make deliveries in the event of orders, and for invoicing purposes, as well as generally for the purpose of entering into, performing, and, where necessary, enforcing the terms of the contract.
  • Information about your shopping behavior: We analyze the shopping behavior of our customers and to obtain information on your preference for and interest in specific products or services as well as additional information that we take into account when improving our services (product range, location selected, etc.) This allows us to tailor our offers to our customers' needs (as a group and individually) and to respond optimally to their demands.
  • Statistical purposes: We process your personal data for statistical purposes, for example to evaluate information on interactions with our customers on a non-individual basis. This also makes it easier for us to cater to our customers' needs. It also allows us to know which products are preferred and how we can improve our offering.

You are not obliged to disclose personal data to us when making purchases. However, it is not possible to place orders, purchase services or purchase certain goods without us processing personal data. We must also process the personal data required for the purposes of online shopping.

Legal basis

We process such data on the basis that we are permitted to process personal data for the purpose of dealing with contract requests and performing contracts (Article 6(1)(b) of the GDPR). The processing also serves legitimate interests (Article 6(2)(f) of the GDPR), for example when delivering goods to third parties (e.g. for gifts), and the evaluation of information about your shopping behavior allows us to gear our services towards your needs and interests in a more accurate and targeted manner and to expand and improve our offers. This is important to us, as it enables us to compete successfully in the market. Any processing activities involving sensitive data will generally be based on your explicit consent (Article 9(2)(a) of the GDPR).

14.3 Reason for data collection: Visits to our website

Processed personal data

Technical data: Each time our website is visited, certain data is automatically collected by us for technical reasons and stored in log files. This includes, for example, the following data:

  • IP address and device-specific details such as the MAC address and device operating system
  • The user's Internet service provider
  • Accessed contents and the date and time of the website visit

Cookies: We store cookies depending on the functionality. Cookies are small files that your browser creates automatically and that are saved on your end device (tablet, PC, smartphone, etc.) when you visit our website. Firstly, we use session cookies in which a unique identification number is stored, a so-called session ID, as well as information about the origin and storage period of the cookie. These cookies are deleted following any visit to our website. We use such cookies, for example, to enable shopping baskets to be saved. Secondly, we use permanent cookies that also remain stored once the browser session has been completed. Such cookies are used to recognize a visitor upon a later visit.

Some cookies also originate from third-party companies. This will apply, for example, if we use functions on our website that are provided by third parties. This affects analysis services, which also work with cookies; information in this regard can be found in this table under "Visits to our website (analyses)".

TTechnical data and cookies often do not contain any personal data. It is often not possible for us to assign the information collected in this way to a particular person.

Analysis of user behavior: On our website, we use Google Analytics, an analysis service of Google, Inc. in the US. Google Analytics uses cookies that enable analysis of website usage. This means that information about your behavior on our website and the end device (tablet, PC, smartphone, etc.) used for this purpose will be saved. This includes, for example, the following usage data:

  • Browser type and version
  • The address (URL) of the website from which you accessed our website
  • Provider name
  • dIP address of end device
  • Date and time our website was accessed
  • Visited pages and length of stay

This information is saved on a Google server in the US. Provided you have activated the IP anonymization function, your IP address will, however, be abbreviated in the EU or EEA. The full IP address is only transmitted to the US in exceptional circumstances. In the US, Google is bound by theUS Privacy Shield Program. Google Analytics also makes it possible to assign dates, sessions and interactions across several end devices to a pseudonym user ID, allowing the activities of an unnamed user on different devices to be analyzed. Further information can be found under the Terms of Service or the Privacy Policy of Google.

We use similar services of other providers. Such providers often do not receive any personal data, but they may record the usage of the relevant website by the user, for example through the use of cookies and other technologies. These records may be combined with similar information from other websites. The behavior of a particular user can thus be recorded across several websites and several end devices. The provider concerned may also use this data for its own purposes, for instance for personalized promotions on its own website and other websites that it provides with advertisements. If a user is registered with the provider, the provider may be able to attribute usage data to the individual concerned. It will generally obtain the consent of the data subject for such purpose and allow him or her to withdraw such consent in accordance with its requirements. Such personal data is processed by the provider under its own responsibility and in accordance with its own data protection provisions.

Processing purpose and obligation to provide personal data

We process your personal data in this context for the following purposes:

  • Provision of the website: The recording of certain log files and cookies is essential for the provision of the website and its functions for technical reasons. Other cookies help us to provide and safeguard the various functions and offers available on our website.
  • Personalization of website: Some cookies are used to adjust our online offers in line with your needs (e.g. by saving your chosen language).
  • Website management: The saving and processing of log files and cookies helps us with maintenance and troubleshooting, in safeguarding the security of our website, and in combating fraud.
  • Third-party cookies allow the companies in question to provide services to us or to display advertisements to you that you may actually be interested in.

Collecting the data specified is not mandatory but is required in many cases for the purpose of using the website and certain functions. However, you can configure your end device to display a message before a new cookie is created. This means you can also reject cookies. Furthermore, you can delete cookies from your end device. You also have the option to prevent the recording of data created by the cookie (incl. your IP address) and the processing of this data by downloading and installing an appropriate browser add-on. The rejection or deactivation of cookies may, however, mean that you are unable to use all of the website's functions.

This information is used, in particular, in order to better understand the use of our website and to improve its content, functionality, and retrievability. For example, this data allows us to see the sites from which most of our users access our website, which pages are visited the most, and on which page most visitors leave our website.We may also evaluate this personal data and combine this with other personal data, for example to non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services.

You can prevent the use of Google Analytics by installing a browser add-on. SYou can also set an opt-out cookie by clicking here. An opt-out cookie prevents any future recording. However, it only applies for the browser in question. In order to prevent recording across several end devices, you need to implement the opt-out on all devices and browsers used. If you delete your cookies in a browser, the opt-out cookie will also be removed.

You also have the option to withdraw any consent issued to providers (information in this regard can be found in the left-hand column) or to object to their processing activities, for example those performed by Google via https://adssettings.google.com.

Legal basis

The processing of log files and cookies for the stated purposes is in our legitimate interest (Article 6(1)(f) of the GDPR). Some cookies are required, for example, in order to save individual settings or provide shopping baskets. Such customization is also in the interests of visitors to our websites. The analysis of the use of our websites also represents a legitimate interest.

The processing purposes specified are in our legitimate interest (Article 6(1)(f) of the GDPR). Our webpages are a very important tool for us in terms of customer communication and -acquisition. It is key for us that we keep our websites functional, attractive, and personal.

14.4 Reason for data collection: Online offers and apps

Processed personal data

Online offers: We will also process personal data when you use online offers provided by us – even if you do not purchase any goods or services in the process. For example, if you register with us, we will process contact details and data relating to the offer concerned. In particular, this may include the following personal data:

  • Your name
  • Your mailing address
  • Your email address and, where applicable your telephone number
  • Date and time of registration

If you register with us via Facebook Connect or another login of a third-party provider (e.g. Google or LinkedIn), we may obtain access to certain data saved by the provider in question, for example your user name, profile picture, date of birth, gender, and other information. Information in this regard can be found in the privacy policy of the relevant provider.

Apps: We may also make mobile applications (apps) available. In this case, we will collect and process personal data when you install an app, when you use the app and the available functions, and when you update the app. In particular, this data includes the following information:

  • Date, time, and duration of installation
  • Device-specific information, including the type of device and the current version of your operating system
  • Information regarding use of the app.

Depending on the type of offer, we may process additional data comprising the following personal data, which may also include sensitive personal data:

  • Information on the use of a customer account
  • Your age
  • Your shopping behavior
  • Your location

We may evaluate this personal data and combine this with other information, for example with non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services. Further information can be found in the terms and conditions of use, where applicable, and in this table under "Visits to our website". If you shop with us in an online shop, you can find additional information under "Purchase of goods and use of services".

Processing purpose and obligation to provide personal data

We process your personal data in connection with online offers and apps for the following purposes:

  • Provision of the respective offer: We process personal data in order to make the relevant offer available online or via an app and to implement the offer. This may include the opening and management of a customer account in your name.
  • Analysis and personalization: We process personal data in connection with online offers and apps in order to better understand behavior with respect to these offers and apps and, in general, the interests and preferences of our customers, to present personalized offers, and to further develop our offers and apps. To this end, we may record, for example, which apps you download, how you use them, how long you leave them installed, and which offers you take up using such apps.
  • The processing of personal data also helps us to combat fraud.

The use of online offers is voluntary. If you opt to make use of an online offer, this is generally not possible without processing relevant personal data (e.g. the provision of mandatory data in online forms).

Legal basis

As a general rule, it is only possible to take up online offers if you accept the applicable terms and conditions of use. This means that you enter into a contract with us. The processing of personal data is permitted for the performance of the contract (Article 6(1)(a) of the GDPR).

The processing also serves legitimate interests (Article 6(1)(f) of the GDPR). This allows us to gear our services to your needs and interests in a more precise and targeted manner and also expand and improve our offers. This is essential to allowing us to compete successfully in the market. Depending on the functions of the online offer, we may ask you for further consent (Article 6(1)(a) and Article 9(2)(a) of the GDPR).

14.5 Reason for data collection: Information and direct marketing

Processed personal data

If you register for an electronic newsletter and other electronic notifications, we will process, in particular, the following personal data:

  • Your name
  • Your email address and/or your cell phone number
  • Information as to whether you have consented to or objected to receiving such notifications

We can also process data about your use and response to such notifications. This includes, in particular, the following personal data:

  • Delivery of notification
  • Opening and possible forwarding of notification
  • Links clicked (objective, date, and time).

We may also evaluate your personal data and combine this with other personal data, for example to non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services.

Processing purpose and obligation to provide personal data

We process your personal data so that we can send you electronic notifications, including messages of a promotional nature. We process personal data with respect to your use of and response to the notifications in order to get to know you better and to enable us to gear our offers to your needs in a more targeted manner.

Such data processing is optional for you. However, if you do not provide us with your personal data and, in particular, your email address, we will not be able to offer you this service. You can withdraw your consent for electronic newsletters at any time by deregistering from this service. This is possible via a link in every electronic newsletter or by sending an email to info@cafe-royal.com.

Legal basis

We deem your registration for an electronic newsletter to represent consent to the processing of the named personal data for the specified purposes (Article 6(1)(a) of the GDPR). We also have a legitimate interest in advertising directly and analyzing your response to such advertisements. Both are important to us so that we can be successful on the market.

14.6 Reason for data collection: Participation in competitions, prize draws, and similar events

Processing purpose and obligation to provide personal data

We collect and process personal data if you participate in competitions, prize draws, and similar events (each referred to as an "event"). The scope of the processed personal data may vary from event to event. This information includes, in particular, the following personal data:

  • Your name
  • Your date of birth
  • Your contact details
  • The fact that you are participating
  • The outcome of your participation
  • Correspondence about the event, as applicable

Further information in this regard can be found in the relevant terms of participation.

We may also evaluate your personal data and combine this with other personal data, for example with non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services.

Processing purpose and obligation to provide personal data

We will process your personal data in connection with events in order to conduct the relevant event and to enable us to notify the winner. We may also use your name and contact details for advertising purposes. Participation in such events is voluntary but is not possible without the processing of personal data.

Legal basis

By taking part in an event, you provide consent to the processing of your personal data for this purpose (Article 6(1)(a) of the GDPR). The processing also serves legitimate interests (Article 6(1)(f) of the GDPR). This allows us to gear our services towards your needs and interests in a more precise and targeted manner and also expand and improve our offers. This is important to us, as it enables us to compete successfully in the market.

14.7 Reason for data collection: Participation in customer events

Processed personal data

We will process personal data if we invite you to customer events (e.g. promotional events, sponsorship events, cultural and sporting events). This includes, in particular, the following personal data, which may also constitute sensitive information:

  • Your name
  • Your contact details
  • Your participation or non-participation
  • Other data appropriate to the customer event, such as your date of birth

We may also evaluate your personal data and combine this with other personal data, for example with non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services.

Processing purpose and obligation to provide personal data

In particular, we process your personal data so that we can invite you to our events and also to find out which customer events may be of interest to you. This allows us to draw your attention to customer events that we hope may be of interest to you in a targeted manner. Participation in such events is voluntary but is not possible without the processing of personal data.

Legal basis

We process your personal data after you have provided us with your consent (Article 6(1)(a) of the GDPR) in order to inform you about relevant customer events or if you have registered for one of our customer events. The processing activities specified are in our legitimate interest (Article 6(1)(f) of the GDPR), as they allow us to contact you personally and get to know you better. This This allows us to gear our services towards your needs and interests in a more precise and targeted manner and also expand and improve our offers. This is important to us, as it enables us to compete successfully in the market.

14.8 Reason for data collection: Contact with our company as a business partner

Processed personal data

If you work for a company that supplies goods or services to us, purchases goods or services from us, or cooperates with us in some other way, we may, for example, process the following personal data about you:

  • Your name
  • Your title, position, area of activity, and relationship to the company concerned
  • Positions held during your career
  • Your interactions with us

We will process other personal data, which may include sensitive data, when reviewing whether we want or are able to work with your company (e.g. in the course of performing security checks). If you work at our premises, we will also process other contact details, e.g. the following information:

  • Your nationality and residency status
  • Copies of passport and identification documents
  • Previous convictions and any criminal enforcement measures
  • Data pertaining to user accounts and the use of such accounts
  • Badge number and -use
  • Your use of our IT infrastructure
  • Video recordings (if you access areas monitored by CCTV).

We will generally inform you separately about such processing activities or request your consent.

Processing purpose and obligation to provide personal data

In particular, the processing of personal data serves the following purposes:

  • To check whether we supply or purchase goods or services to or from your company or whether we want and are able to work with your company (e.g. as part of suitability checks, checks for conflicts of interest)
  • To check whether your company provides the required level of security, for example in the event that it processes personal data on our behalf
  • To communicate with you and your company, for example as part of the performance of a contract
  • To plan staff deployment and, where applicable, your deployment and the deployment of your company's employees
  • For training purposes
  • For monitoring and performance assessment purposes
  • To prepare and undertake corporate takeovers and sales as well as similar transactions
  • For customer and supplier relationship management in order to get to know you and your company better, improve our customer focus, and increase levels of customer satisfaction and retention (customer relationship management, "CRM")
  • For accounting purposes
  • For the administration and management of our IT and other resources
  • To exchange personal data within the Group. You are under no obligation to disclose the personal data specified to us. If you do not wish to provide the required personal data to us, we may be unable to work with you. In exceptional circumstances, we may even be legally required to process such personal data.

Legal basis

The processing specified is in our legitimate interest (Article 6(1)(f) of the GDPR), as it allows us to use and sell goods and services. We also have a legitimate interest in preventing abuse and ensuring an adequate level of security. The provision of customer care is also in our legitimate interest. If we have a contract directly with you or you wish to conclude a contract directly with us, we will process your personal data for the purpose of concluding and performing the contract concerned (Article 6(1)(b) of the GDPR). To the extent that we process sensitive personal data for the specified purposes, we will generally do so for the purposes of enforcing, exercising or defending legal rights or on the basis of your explicit consent (Article 9(1)(a) and 9(1)(f) of the GDPR).

14.9 Reason for data collection: Administration

Processed personal data

In the course of performing internal administrative and management operations, we will process personal data, which may include sensitive personal data, about our customers, business partners, and third parties, for example for IT management purposes.

Processing purpose and obligation to provide personal data

We will process such personal data, in particular, for the following purposes:

  • Reviewing and improving our internal processes
  • Accounting
  • Archiving
  • Training
  • Other administrative purposes

These purposes may relate to us or companies affiliated to us. Data will be processed, in particular, for the purpose of assessing and, where applicable, executing the relevant transactions. It may also be necessary to file reports with the authorities both at home and abroad.

Legal basis

Processing for the specified purposes may be required for the performance of contracts (Article 6(1)(b) of the GDPR). This is in our legitimate interest (Article 6(1)(f) of the GDPR). To the extent that we process sensitive personal data, such processing activities will normally be based on your explicit consent (Article 9(2)(a) of the GDPR).

14.10 Reason for data collection: Corporate transactions

Processed personal data

In certain circumstances, we may review transactions or execute transactions involving the sale or purchase of companies, parts of companies, or other assets, or the creation of encumbrances. In this context, the scope of personal data processing will depend on the purpose and stage of the transaction, and may also include sensitive personal data. In certain circumstances, such information may be disclosed to, or collected by, potential contracting partners, to the extent permitted by law. In the event that we sell receivables, we will, for example, transfer information to the purchaser regarding the reason for and amount of the receivable and, where applicable, regarding the credit rating and behavior of the debtor.

Processing purpose and obligation to provide personal data

Data will be processed, in particular, for the purpose of assessing and, where applicable, executing the relevant transactions. It may also be necessary to file reports with the authorities both at home and abroad.

Legal basis

Processing for the specified purposes may be required for the performance of contracts (Article 6(1)(b) of the GDPR). This is in our legitimate interest (Article 6(1)(f) of the GDPR).

To the extent that we process sensitive personal data, such processing activities will normally be based on your explicit consent (Article 9(2)(a) of the GDPR).

14.11 Reason for data collection: Job applications

Processed personal data

If you apply for a position with us, we will process your contact details and the information transmitted to us (e.g. the application, family status, résumé, knowledge and skills, interests, references, qualifications, certificates). Such information may include sensitive personal data, such as dates of birth or details of trade union membership. During the job application process, other personal data may also be required depending on the position and job profile.

Processing purpose and obligation to provide personal data

We will process your personal data in order to assess your suitability for the position concerned and talk to you about potential employment, and, where applicable, for the purposes of preparing and concluding a contract. Subject to your consent, we will also, where applicable, keep your application on file if we decide not to recruit you, or you decide not to take a job, in the event that another position becomes vacant at a later date. Although providing the personal data specified is optional we are unable to process an application without the personal data required for this purpose.

Legal basis

If you apply for a position with us, we will process your personal data with a view to a possible contract (Article 6(1)(a) of the GDPR). In submitting your application, you will also be deemed to have consented to such processing activities (Article 6(1)(a) and Article 9(2)(a) of the GDPR).

14.12 Reason for data collection: Compliance with legal requirements

Processed personal data

In certain circumstances, we may be required or wish to process personal data in order to comply with legal obligations. We may, for example, receive and process complaints and reported irregularities, or the authorities may request documents containing your name and contact details or conduct an investigation in relation to us. We may also conduct internal investigations during which your personal data may also be processed.

Processing purpose and obligation to provide personal data

We process this personal data for the following purposes:

  • To ensure compliance with legal obligations, including orders issued by the courts or the authorities
  • Preventive measures to ensure compliance
  • Measures to detect and investigate abuses

Legal basis

Processing for the specified purposes is required for compliance with legal obligations and is in our legitimate interests (Article 6(1)(c) and (f) of the GDPR).

14.13 Reason for data collection: Safeguarding rights

Processed personal data

We will process personal data for the purpose of safeguarding our rights, for example to enforce our rights both in or out of court and before national or foreign authorities or to defend against any claims. For example, we may seek clarification as to the prospects of success in relation to legal proceedings or submit documents to an authority. The authorities may also require us to disclose documents that contain personal data. In addition to the contact details of data subjects, we may process other personal data, depending on the circumstances, such as information on events that led to or could give rise to a dispute. Such information may include sensitive personal data.

Processing purpose and obligation to provide personal data

We will process this personal data for the following purposes:

  • Investigating claims and enforcing rights, which may also include the rights and claims of affiliated companies and other contracting and business partners
  • The defense of claims against us, our employees, any affiliated companies, and any contracting or business partners
  • Seeking clarification as to the prospects of success in relation to legal proceedings and with respect to any other legal, commercial or other matters
  • Involvement in proceedings before the courts and authorities at home or abroad

Legal basis

Processing for the specified purposes may be required for the performance of contracts (Article 6(1)(b) of the GDPR). Such processing is in our legitimate interest and, where applicable, in the legitimate interests of third parties (Article 6(1)(f) and Article 9(2)(f) of the GDPR).