Privacy policy

In this privacy policy, we explain how we collect, process and use personal data in the context of providing our website. Personal data is specific information about your personal identity. We process and use personal data that we collect about you, exclusively within the framework of the applicable legal provisions.

We undertake to comply with the statutory provisions on data protection and always endeavour to observe the principles of data avoidance and data minimization.

1. Name and address of the data controller and the data protection officer

The responsible party for the operation of this website is METRO AG, Metro-Straße 1, 40235 Düsseldorf, Germany (hereinafter referred to as "METRO", "we" or "us"). METRO attaches the highest importance to the protection of your personal data.

You can contact our data protection officer with questions about data protection at: METRO AG, Data Protection Officer, Metro-Straße 1, 40235 Düsseldorf, e-mail: datenschutz@metro.de.

2. Definitions of terms

We have designed our privacy policy in accordance with the principles of clarity and transparency. However, if there are any ambiguities regarding the use of various terms, the relevant definitions can be found here [https://dsgvo-gesetz.de/art-4-dsgvo/].

3. Legal basis for the processing of personal data

We only process your personal data, such as your last name and first name, your e-mail address and IP address, etc., if there is a legal basis for doing so. According to the General Data Protection Regulation, the following regulations, in particular, come into consideration:

• Section 6 para. 1 p. 1 lit. a GDPR: The data subject has given their consent to the processing of personal data relating to them for one or more specific purposes.
• Section 6 (1) p. 1 lit. b GDPR: Processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request.
• Section 6 para. 1 sentence 1 lit. c GDPR: Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Section 6 para. 1 p. 1 lit. d GDPR: Processing is necessary to protect the vital interests of the data subject or another natural person
• Section 6 (1) p. 1 lit. e GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Section 6 (1) p. 1 lit. f GDPR: Processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are superseded by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child

However, we will always state the legal basis on which the processing of your personal is based in the respective sections of this privacy policy.

4. Disclosure of personal data

The transfer of personal data is also processing within the sense of section 3. However, we would like to inform you separately about the transfer of data to third parties. The protection of your personal data is highly important to us. For this reason, we are particularly careful when it comes to passing on your data to third parties.

Therefore, we only pass on data to third parties if there is a legal basis for the processing. For example, we share personal data with persons or companies that act as processors on our behalf us in accordance with Section 28 GDPR. A processor is anyone who processes personal data on our behalf. This refers to, in particular, in a relationship of instruction and control with us

In accordance with the requirements of the GDPR, we conclude a contract with each of our processors to oblige them to comply with data protection regulations and, thus, provide comprehensive protection for your data.

5. Storage period and deletion

Your personal data will be deleted by us if it is no longer necessary for the purposes for which it was collected or otherwise processed, the processing is not necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

6. Hosting

This website is hosted by an external service provider. Personal data collected on this website is stored on the provider's servers. This data may include IP addresses, contact requests, metadata and communication data, contract data, contact data, names, website accesses and other data generated via a website.

The hosting service provider is used for the purpose of fulfilling contracts with our potential and existing customers (Section 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Section 6 para. 1 lit. f GDPR).

Our hosting service provider will only process your data to the extent necessary to fulfil its service obligations and follow our instructions regarding this data.

We use the following hosting service providers:

1. ALL-INKL.COM - Neue Medien Münnich
   Hauptstraße 68
   02742 Friedersdorf
   Germany
   
   
2. Hetzner Online GmbH
   25
   91710 Gunzenhausen
   Germany

7. SSL encryption

This website uses SSL encryption for security purposes and to protect the transmission of confidential content such as requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL encryption is activated, the data you transmit to us cannot be read by third parties.

8. Cookies

We use cookies on our website. Cookies are small data packets that your browser automatically creates and that are stored on your terminal device when you visit our website. These cookies are used to store information in connection with the respective terminal device used.

When cookies are used, a distinction is made between technically necessary cookies and "other" cookies. Technically necessary cookies are those that are absolutely necessary in order to provide an information society service that you have expressly requested.

1. Session cookies

In order to make the use of our website more convenient for you, we use session cookies (e.g. language and font selection, shopping cart, etc.). These session cookies fall under the category of technically necessary cookies and are automatically deleted after you leave our site. The legal basis for the cookies is derived from Section 6 para. 1 p. 1 lit. f) GDPR, our legitimate interest in the error-free operation of the website and the interest in providing you with our services in an optimized manner.

1. Other cookies

Other cookies include cookies for statistical and analysis purposes.

We use these cookies either due to legitimate interest in accordance with Section 6 para. 1 p. 1 lit. f GDPR to improve and optimize our offers or for you based on your consent in accordance with Section 6 para. 1 p. 1 lit. a) GDPR.

In the case of the use of cookies due to legitimate interest, you may object to their further use in the future at any time.

You may revoke your consent to the use of cookies at any time.

We hereby inform you that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent up until the revocation.

For this purpose, you can deactivate the use of cookies in your browser settings (whereby this may also restrict the functionality of the online offer) or set an opt-out for the corresponding service in individual cases.

You may also declare your objection to the use of cookies for marketing purposes via the EU site http://www.youronlinechoices.com/ or generally at http://optout.aboutads.info.

We will inform you of the legal basis on which this data is processed for the respective services within the data protection declaration.

9. Collection and storage of personal data as well as their type and purpose of use 

1. When visiting the website

When you visit our website, information is automatically sent to our website server by the browser used on your terminal device. This information is stored temporarily in a log file. The following information is collected without your intervention and stored until automated deletion:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the accessed file
• Website from which the access was made (referrer URL)
• Browser used and, if applicable, the operating system of your computer as well as the name of your access provider.

The aforementioned data is processed by us for the following purposes:

• Ensuring that the connection to the website is established without problems
• Ensuring that our website can be used conveniently
• Evaluating system security and stability
• Error analysis
• Other administrative purposes

Data that can be traced back to you personally, such as the IP address, will be deleted after 7 days at the latest. If we store the data beyond this period, this data is pseudonymized so that it is no longer possible to link it to you.

The legal basis for the data processing is Section 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest is derived from the purposes for data collection listed above. In no case do we use the collected data for the purpose of drawing conclusions about your personal identity.

1. Registration, member area

During registration on the website, the username, the e-mail address, a password and the affiliation to roles/groups are processed in accordance with Section 6 para. 1 p. 1 lit. b GDPR. This information is used to provide the various content, if any, that is available on our website.

If you voluntarily provide additional information, this will only be processed on the basis of your consent pursuant to Section 6 (1) sentence 1 lit. a GDPR. We use this voluntary information to offer to constantly improve customer-friendly service.

1. Newsletter

Content of the newsletter and registration data

We will only send you a newsletter if you order it from us and have granted your consent in accordance with Section 6 (1) p. 1 lit. a GDPR. The contents of the newsletter will be specifically described when you register for the newsletter. To register for the newsletter, you need only provide your e-mail address. If you voluntarily provide additional information, such as your name and/or gender, this will be used exclusively to personalize the newsletter addressed to you.

Double opt-in and logging

For security reasons, we use the double opt-in procedure to register for our newsletter in order to ensure that no one can register another person's e-mail address. Therefore, after you have registered for our newsletter, you will first receive an e-mail asking you to confirm your registration. The registration only becomes effective after confirmation.

Furthermore, your registration for the newsletter will be documented. The documentation includes the storage of the registration and confirmation time, your specific data and your IP address. If you make changes to your data, these changes will also be recorded.

Revocation

If you no longer wish to receive our newsletter, you may revoke your consent at any time for the future. To do so, click on the unsubscribe link at the end of each newsletter or send an e-mail to the following email address: datenschutz@metro.de.

The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent up until the revocation.

Use of rapidmail

We use rapidmail (rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg i.Br. Germany) to send our newsletter, transactional e-mails during registration or information about the event. Therefore, your data will be transmitted to rapidmail GmbH. rapidmail GmbH is prohibited from using your data for purposes other than sending the newsletter. rapidmail GmbH is not permitted to distribute or sell your data. rapidmail is a certified German newsletter software provider, which was carefully selected in accordance with the requirements of the GDPR and the BDSG.

We have concluded an order processing contract with rapidmail.

You can find further information about rapidmail's data protection here. [https://www.rapidmail.de/datenschutz]

The use of the distribution service provider rapidmail GmbH is based on our legitimate interests pursuant to Section 6 (1) p. 1 lit. f GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter system that serves our business interests as well as the expectations of the users.

1. Contact form / e-mail contact

We provide a contact form on our website in order to enable you to contact us at any time. To use of the contact form, you must provide a name for a personal salutation and a valid e-mail address, so that we know from whom the request comes and can process it.

If you send us inquiries via the contact form, your information from the inquiry form, including the contact information that you provide there, as well as your IP address, will be processed pursuant to Section 6 (1) p. 1 lit. b and f GDPR for the purpose of carrying out pre-contractual measures that take place in response to your inquiry or to exercise our legitimate interest, namely to carry out our business activities.

You are also welcome to send us an e-mail instead using the e-mail address provided on our website. In this case, we store and process your e-mail address and the information that you provide in the e-mail in accordance with Section 6 (1) p. 1 lit. b and f GDPR to process your message.

The inquiries as well as the associated data will be deleted no later than 3 months after receipt unless they are required for a further contractual relationship.

1. com voting

We use the TEDME tool from aisys media GmbH (Ludwigstr. 8a, 97070 Würzburg, Germany) for our voting on our website. If you participate in a voting process, only the personal data you voluntarily provide will be processed by us, e.g. if you ask your own questions or provide answers that contain personal data. You can find more information about the tool at https://tedme.com/data_privacy.

1. SlideSync

We use the tool SlideSync from MediaEvent Service GmbH & Co. KG (Charlotte-Bamberg-Str. 6, 35578 Wetzlar, Germany) on our website. This is a web-based platform that enables live presentations for a large number of participants.

If you participate in a livestream, the following data will be collected and processed:

• Anonymous session ID
• External IP address
• Browser used
• Operating system
• Screen resolution
• Device
• Player technologies
• Participated (yes/no)
• Duration of use

This data is processed in order to provide the livestream on our website in accordance with Section 6 para. 1 p. 1 lit. a GDPR on the basis of the consent you have given. You may revoke your consent at any time by changing the cookie settings. The processing remains lawful until the revocation.

1. telbee

We use the telbee tool from Telbee Group Ltd. (20 Exhibition House Addison Bridge Place, London, England) on our website. This is a web-based platform that enables the recording of voice memos. When you send a voice memo via the tool, only the personal data you voluntarily provide will be processed by us, e.g. when you record a memo that contains personal data. You can find more information about the tool at https://www.telbee.io/privacy.

1. WOWZA

To display the video stream in a responsive online player, we use Wowza from Wowza® Media Systems, LLC (523 Park Point Drive, Suite 300, Golden, Colorado 80401 USA). You can find more information about Wowza here: https://www.wowza.com/legal/privacy

1. Zoom

We use the tool "Zoom" to conduct conference calls, online meetings, video conferences and/or webinars (hereinafter: "Online Meetings"). Zoom is a service provided by Zoom Video Communications, Inc. which is based in the USA.

When using Zoom, various data is processed. The scope of this data also depends on the information that you provide before or when participating in an online meeting.

The following personal data is subject to processing:

• User details: first name, last name, phone (optional), e-mail address, password (if "single sign-on" is not used), profile picture (optional), department (optional).
• Meeting metadata: Topic, description (optional), attendee IP addresses, device/hardware information.
• If recording (optional): MP4 file of all video audio and presentation recordings, M4A file of all audio recordings, text file of online meeting chat
• In case of dial-in with telephone: information about incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.
• Text, audio and video data: You may have the opportunity to use the chat, question or survey functions in an "online meeting". To this extent, the text input you make is processed in order to display it in the "online meeting" and, if necessary, to record the input. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the "Zoom" applications.

To participate in an online meeting or to enter the meeting room, you must at least provide information about your name.

This data is used to conduct the online meetings on our website in accordance with Section 6 para. 1 p. 1 lit. b) and f) GDPR, to provide contractual or pre-contractual services and for our legitimate interest. We have concluded an agreement with Zoom stating that only servers in the EU will be used for the processing of personal data. In addition, we have concluded an agreement with Zoom regarding the standard contractual clauses.

10. Analysis and tracking tools

1. Own analysis and tracking tools

We use analysis and tracking tools on our website. These are used to ensure the ongoing optimization of our website and to design it to meet your needs.

We use these tools on the basis of your consent pursuant to Section 6 para. 1 p. 1 lit. a GDPR. You may revoke your consent at any time by changing the cookie settings. The processing remains lawful until the revocation.

The respective data processing purposes and data categories can be found in the corresponding tools. We would like to state that we have no influence on whether and to what extent the service providers further process data.

• Name and version of the browser used
• Operating system of your computer
• Website from which access is made (referrer URL)
• Anonymized IP address of the requesting computer
• Time of the server request
• E-mail address
• Time of use of the website
• Time of the last login

As we have activated IP anonymization on our website, your IP address is rendered unrecognizable by the system, so that checks on this are impossible.

1. Google Analytics

We use Google Analytics on our website. This is a web analytics service provided by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter "Google").

Google Analytics uses cookies in this context (see section 7). The information generated by the cookie about your use of this website, such as

• Name and version of the browser used
• Operating system of your computer
• Website from which the access is made (referrer URL)
• IP address of the requesting computer
• Time of the server request

are usually transferred to a Google server in the USA and stored there.

However, as we have activated IP anonymization on our website, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there.

Google will use this information on our behalf for the purpose of evaluating your use of our website, compiling reports on website activity and providing other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.

Please click here for an overview of Google's privacy policy. [https://support.google.com/analytics/answer/6004245]

11. Video integration

1. YouTube

We embed videos from YouTube, which is operated by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), into our website as part of iFrame. As part of the embedding of the videos, we have activated YouTube's extended data protection mode.

If you play a YouTube video during your visit, a connection is established to YouTube's servers and the YouTube server is informed about which of our pages you have visited. This allows YouTube to link your surfing behaviour directly to your personal profile. You can prevent this by logging out of your member account before visiting our website. In addition, YouTube sets various cookies when starting the service in order, according to its own information, to improve their offered services and to prevent misuse.

For more information on the handling of user data and the cookies set, please refer to YouTube's privacy policy at: https://www.google.de/intl/de/policies/privacy

The legal basis is derived from your consent granted in accordance with Section 6 para. 1 p. 1 lit. a GDPR. You may revoke your consent at any time by changing the cookie setting on our website.

12. Rights of the person concerned

You have the following rights:

1. Information

In accordance with Section 15 GDPR, you have the right to request information about your personal data processed by us. This right to information includes information about

• the purposes of processing
• the categories of personal data
• the recipients or categories of recipients to whom your data has been or will be disclosed
• the planned storage period or at least the criteria for determining the storage period
• the existence of a right to rectification, erasure, restriction of processing or objection
• the existence of a right of appeal to a supervisory authority
• the origin of your personal data if it was not collected by us
• the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details

1. Correction

In accordance with Section 16 GDPR, you are entitled to the immediate correction of incorrect or incomplete personal data stored by us.

1. Deletion

Pursuant to Section 17 GDPR, you have the right to request that we delete your personal data without delay, unless further processing is necessary for one of the following reasons:

the personal data is still necessary for the purposes for which it was collected or otherwise processed

• to exercise the right to freedom of expression and information
• for compliance with a legal obligation which requires processing under the law of the European Union or the Member States to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• for reasons of public interest in the area of public health pursuant to Section 9(2)(h) and (i) and Section 9(3) of the GDPR
• for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Section 89(1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing
• for the assertion, exercise or defence of legal claims

1. Restriction of processing

In accordance with Section 18 GDPR, you may request the restriction of the processing of your personal data for one of the following reasons:

• You dispute the accuracy of your personal data.
• The processing is unlawful and you object to the erasure of the personal data.
• We no longer require the personal data for the purposes of processing but you require it to assert, exercise or defend legal claims.
• You object to the processing pursuant to Article 21 (1) GDPR.

1. Notification

If you have requested the rectification or erasure of your personal data or a restriction of processing in accordance with Section 16, Section 17(1) and Section 18 GDPR, we will inform all recipients to whom your personal data has been disclosed, unless this proves impossible or involves a disproportionate effort. You may request that we inform you of these recipients.

1. Transmission

You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format.

You also have the right to request the transfer of this data to a third party, provided that the processing was carried out with the help of automated procedures and is based on consent pursuant to Section 6 para. 1 sentence 1 lit. a or Section 9 para. 2 lit. a or on a contract pursuant to Section 6 para. 1 sentence 1 lit. b GDPR.

1. Revocation

In accordance with Section 7 (3) GDPR, you have the right to revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent up until the revocation. In the future, we may no longer continue the data processing that was based on your revoked consent.

1. Complaint

Pursuant to Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

1. Objection

If your personal data is processed on the basis of legitimate interests pursuant to Section 6 (1) p. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Section 21 GDPR, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right of objection, which will be implemented by us without specifying the particular situation. If you would like to exercise your right of revocation or objection, it is sufficient to send an e-mail to datenschutz@metro.de.

1. Automated decision in individual cases including profiling.

You have the right not to be subject to a decision based solely on automated processing - including profiling - which results in legal effects that concern or significantly affect you in a similar manner. This does not apply if the decision

1. is necessary for the conclusion or performance of a contract between you and us
2. is permitted by legislation of the European Union or the Member States to which we are subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests

• is made with your explicit consent.

However, these decisions must not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

With regard to the cases mentioned in i) and iii), we take reasonable steps to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person from our side, to express your point of view and to contest the decision.

13. Changes to the privacy policy

If we make changes to the privacy policy, this will be stated on the website.

Version dated: 29.11.2021