Privacy Policy

We take the protection of your personal data extremely seriously. The following Data Privacy Policy informs you about the type, scope, purpose, duration and lawfulness of the processing of personal data under the General Data Protection Regulation (GDPR). Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly (Art. 4 (1) GDPR). This information includes for example a person’s name, address, e-mail address or telephone number.

1. Controller

EHI Retail Institute GmbH
Spichernstr. 55
50672 Cologne
Germany
Telephone: +49 221 57993-0
Fax: +49 221 57993-45
e-mail: info@ehi.org

How to contact our data protection officer:
Spichernstr. 55
50672 Cologne
Germany
e-mail: datenschutz@ehi.org

2. Provision of the website

We process the data sent to us by your browser to enable you to visit and use the website; we also process information sent to us by cookies in order to perform statistical analyses of the way our website is used.

For technical reasons relating to the provision of the website, we have to process automatically some of the information you send us so that your browser can display our website and you can use it. This information is recorded automatically every time you visit our website and is then stored in server log files. This information concerns the computer system on the computer used to visit the website.

2.1 Information about cookies

We use so-called cookies on our website. Cookies are small text files that are stored on your respective device (PC, smartphone, tablet, etc.) and stored by your browser. Necessary cookies enable basic functions and are necessary for the proper functioning of the website. In addition, we use optional cookies, which provide us with additional information, for example for website analysis. The list of cookies can be found here:

Cookie banner
Service: Borlabs Cookie, Provider: EHI Retail Institute GmbH, Purpose: Saves the settings of visitors selected in the cookie box of Borlabs Cookie. Cookie name: borlabs-cookie, time: 1 year

Statistics
Service: Matomo On-Premise, Provider: EHI Retail Institute, Purpose: Cookie from Matomo for website analysis. Generates statistical data about how the visitor uses the website. Data protection information: #matomo Cookie name _pk_*.*, cookie duration: 13 months

External media
Service: Google Maps, Provider: Google, Purpose: Used to unlock Google Maps content. Data protection information: https://policies.google.com/privacy Host: google.com, Cookie name: NIDCookie, time: 6 months

Service: Vimeo, Provider: Vimeo, Purpose: Used to unlock Vimeo content. Data protection information: https://vimeo.com/privacy Host: player.vimeo.com, Cookie name: vuid, time: 2 years

Service: YouTube, Provider: YouTube, Purpose: Used to unlock YouTube content. Data protection information: https://policies.google.com/privacy Host: google.com, Cookie Name: NID, time: 6 months

2.1.1 Cookie banner

In order to meet our data protection obligations, we use a cookie consent banner from the provider Borlabs, Benjamin A. Bornschein, Georg-Wilhelm-Straße 17, 21107 Hamburg (“Borlabs”). When you visit our website, your cookie preferences are queried via a banner. Borlabs then sets a cookie in which data on granted or revoked consents, cookie durations and versions, domain and path of the website accessed and a randomly generated ID are stored.

The data processing takes place on the basis of our predominantly legitimate interest in data protection compliant data processing on our website in accordance with Art. 6 (1) (f) GDPR.

2.1.2 Cookie settings

You can revoke and / or change your consent to cookies and / or all of your cookie settings in the footer (the area at the bottom of every page) by clicking on the link „Data protection settings“.

You can also prevent or restrict future data processing using cookies by selecting the appropriate browser settings and deactivating the use of cookies there, for example. Cookies that have already been saved can be deleted in the browser settings.

2.2 Web analysis with Matomo

We are using Matomo On-Premise for a data protection-friendly web analysis. Matomo is an open source project that we use in the self-hosted Matomo On-Premise solution. We have also selected the setting so that your IP address is only recorded in abbreviated form. Cookies are set to improve website analysis. For this purpose, the usage information recorded in the cookie (including your abbreviated IP address) will be transmitted to our server with your consent and stored for usage analysis purposes. With Matomo, no data is transmitted to servers that are beyond our control. We are supported in this by our hosting service provider, with whom we have concluded a corresponding contract for order data processing. The information about your use of our websites will not be passed on to third parties and will not be processed outside the EU. We use the collected data for the statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the websites, adapting our content and improving our offers.

Lawfulness of data processing: Is your prior consent in accordance with Art. 6 Paragraph (1) (a) GDPR. You can revoke your consent at any time with future effect by changing your privacy settings in the footer (the area at the bottom of every page).

2.3 Use of Google Maps

We use the “Google Maps” service to provide you with an interactive map. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is responsible for data processing for Maps. It is possible that data processing takes place outside the EU or the EEA in the USA transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google is certified under the EU-US Data Privacy Framework and is therefore subject to the EU Commission’s adequacy decision for data transfers to the USA. Further information about the terms of use at: www.google.com/terms_maps

2.5 Integration of videos

To better transport content and make it easier to understand, we use the possibilities of videos. We used external video providers such as Vimeo or YouTube to optimally integrate the videos on the website.

In the case of data processing via YouTube LLC, 901 Cherry Ave. San Bruno, CA 94066, USA (“YouTube”), it is possible that data processing takes place outside the EU or the EEA in the USA. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) is responsible for the data processing of persons within the EU or the EEA. Google is certified under the EU-US Data Privacy Framework and is therefore subject to the EU adequacy decision for the USA.
More information about data protection is available at: www.policies.google.com/privacy

Vimeo: By default, cookies are placed in the browser by Vimeo (Vimeo LLC, White Plains, New York). imeo.com, Inc. is certified as a provider of Vimeo in accordance with the EU-U.S. Data Privacy Framework. It is possible that data processing takes place outside the EU or the EEA in the USA transferred to Vimeo.

More about Vimeo’s privacy policy can be found here: https://vimeo.com/privacy

3. Active use of the website and conclusion of contract

Purposes and lawfulness of data processing

You can also actively use our website to order one of our products or services, register for an event, register for our newsletter, contact us and download our studies (as an EHI member), whitepapers etc.

3.1 Ordering and downloading publications

When you order a product from us, your data (title, name, company, address, e-mail address and, if applicable, telephone number) are stored in order to take and execute the order. The offer of our EHI publications is aimed exclusively at commercial customers. All prices plus VAT.

Our EHI members can request their personal download link after providing their company e-mail address as well as title, first name and surname and will receive the corresponding download link of the member study by e-mail.

Free products can be requested after providing your e-mail address, title, first name, surname and company and will also be sent by e-mail.

Legal basis for data processing: For the fulfilment of a contract or the implementation of pre-contractual measures pursuant to Art. 6 (1)(b) DSGVO or on the basis of consent pursuant to Art. 6 (1)(a) DSGVO.

3.2 Registration for events

We process your data in order to receive and deal with registrations made on our website for any free or ticket event. This involves us processing the following information: first name, family name, company name (for assignment to a member company), contact data, such as e-mail, telephone number and company address, function and department. At partner events, the registration data of the participants will be forwarded to the co-organizer in order to be able to carry out the planning and execution of the event together.

Photos and, if necessary, video recordings are made at our events. The recordings are used for public relations, documentation and publicizing the event. More information: www.datenschutz.ehi.de/fotos

In our EHI sessions, which take place purely online, we use the „Zoom“ tool, a service provided by Zoom Video Communications, Inc., which is based in the USA. More information at www.datenschutz.ehi.de/zoom-hinweise/

Lawfulness of data processing: For the performance of a contract or steps taken prior to entering into a contract, the legal basis is Article 6(1) (b) GDPR.

3.3 Payment processing

We use payment service providers and banks for payment processing purposes.
Lawfulness of data processing: For the performance of a contract or steps taken prior to entering into a contract, the legal basis is Article 6(1) (b) GDPR.

3.4 Contact inquiries

We process the personal data you provide us in this context to handle and answer inquiries sent to us, e.g. using the contact form or sent to our e-mail address. This information will always include your name and e-mail address – this allows us to respond to you in person. The information may also include the name of your company as stated in the contact form so that this can be identified as a member company and any other information which you send to us.

These services are only available to persons aged 18 years of age or older (Article 8 GDPR). By registering you agree that you meet these preconditions.Lawfulness of data processing: For the purposes of our legitimate interests, the legal basis is Article 6(1) (f) GDPR; we have a legitimate interest in responding appropriately to inquiries.

3.5 Newsletter

The EHI Retail Institute processes your data for your subscription in order to send you the EHI Newsletter (Article 6(1) (a) GDPR), to contact you in person (Article 6(1) (a) GDPR) and to identify a member company (Article 6(1) (a) GDPR). We process the double opt-in procedure data to demonstrate that you have given your consent (Article 6(1) (f) GDPR, Article 13(1) (d) GDPR). We are supported in this respect by our e-mail and other IT service providers as contracted processors.

We analyse the links in these e-mails in anonymous form for statistical purposes and to optimise our offer. However, it at no time becomes apparent who precisely has clicked the link.

We process your data for this purpose until you withdraw your consent to such processing. The newsletter can only be sent to you if we have your e-mail address. We only need your e-mail address for this purpose but further information does make communication easier. You have the right to receive information from us about the relevant personal data as well as the right to have such data rectified, erased (right to be forgotten), to have the processing of such data restricted, the right to data portability and, where data are processed under Article 6(1) (e) and (f) GDPR, the right to object to processing.

If you no longer wish to receive the newsletter, you may unsubscribe at any time using the link at the end of the newsletter.

These services are only available to persons aged 18 years of age or older (Article 8 GDPR). By registering you agree that you meet these preconditions.

3.6 Advertising for own similar services

We process your e-mail address and information about your order in order to send you advertising by e-mail for similar services (Article 6(1) (f) GDPR). We have a legitimate interest in the direct marketing of our services. We are supported in this respect by our e-mail and other IT service providers as contracted processors.

We analyse the links in these e-mails in anonymous form for statistical purposes and to optimise our offer. However, it at no time becomes apparent who precisely has clicked the link.

We process your data for this purpose until you express your objection. It is only possible to advertise in this way using your e-mail address and the information about your order. You may withdraw any consent you have given to our processing of your personal data with effect for the future at any time. You may send us your objection by e-mail to datenschutz@ehi.org. You will also find an unsubscribe link at the end of each advertising e-mail.
Lawfulness of data processing: For the purposes of our legitimate interests, the legal basis is Article 6(1) (f) GDPR; we have a legitimate interest in the direct marketing of our products and services.

3.7 Downloads of the EHI session lectures

Our EHI sessions are made possible by the support of partners. In order to download the presentations of the partners after the online event, you can register with your contact details (first name, surname, company, email address). As soon as you have saved your data in the registration form, you can select the companies whose content interests you. By clicking on „Release data“ in the corresponding window, you confirm that your data will be sent to the respective partner for the purpose of advertising in connection with the product / service mentioned in the lecture. The title of the lecture, the partner, the advertised product / service, e-mail address for the revocation and a link to the partner’s data protection declaration are listed on the respective download page in the lower area. The revocation of the advertising consent is possible at any time, for example by e-mail at the e-mail address listed with the respective partner.

Lawfulness of data processing: Is your prior consent in accordance with Art. 6 Paragraph (1) (a) GDPR.

3.8 Information on social media

We maintain an online presence in social networks and on platforms were we communicate with and inform users who are active there. The data used in this context may be processed outside the European Union. The relevant social media providers usually process their data for market research and advertising purposes. They usually do this by means of cookies which collect and store information about your user behaviour and interest on your device. In addition, and particularly if you are registered on the relevant platform, data may be stored in your user profile separately from your device.

For more detail about the processing of your data please read the relevant providers’ privacy policies:

Facebook, Ireland, privacy policy: www.facebook.com/about/privacy/
YouTube, Ireland, privacy policy: www.policies.google.com/privacy
Twitter, Ireland, privacy policy: www.twitter.com/en/privacy
LinkedIn, Ireland, privacy policy: www.linkedin.com/legal/privacy-policy
Xing, Germany, privacy policy: www.privacy.xing.com/en
Instagram, Ireland, privacy policy: instagram.com/about/legal/privacy/

You can also make requests for information from and assert your user rights against the providers.
Lawfulness: Your personal data is processed on the basis of our legitimate interests in accordance with Article 6(1) f) GDPR. We have a legitimate interest in communicating with and providing information to users of social media. The legal basis of consent to the processing of your data to the relevant social media providers is Article 6 (1) (a) GDPR.

3.9. Using Fact Finder

In order to offer you the best results via our search function, we use the FACT-Finder service on our company website www.ehi.org (a product of Omikron Data Quality GmbH, Habermehlstr. 17, 75172 Pforzheim). The search terms entered from the website’s search function are transmitted to FACT-Finder and stored there. Only data that is absolutely necessary for functionality is stored. When using the FACT-Finder WebComponents, client IP addresses of search users are stored, since the search queries are transmitted directly from the browser to the search server. It is not possible for us to draw any conclusions about your person. You can find more information at www.fact-finder.de/dsgvo and at www.fact-finder.de/datenschutz.

Legal basis for data processing: To protect our legitimate interests in accordance with Art. 6 (1)(f) GDPR; We would like to offer our website visitors an optimal search function with the appropriate results.

4. Information about applicant’s data

You are welcome to send applications to us via our applicant portal. We use the personnel and applicant management software from HRworks GmbH for this purpose. HRworks processes personal data on behalf of your application. The data transmitted in connection with your application will be stored on a server within the European Union and encrypted during transmission. We alone are responsible within the meaning of Art. 4 No. 7 GDPR, as we carry out this application process. HRworks is only the operator of the applicant management software and the application form and acts in this relationship as a processor according to Art. 28 DSGVO. The basis for processing by HRworks is a contract for order processing. We process the data that you have sent us in connection with your application in order to check your suitability for the position (or any other open positions in our company) and to carry out the application process.

Necessary cookies
As part of the applicant management function in HRworks, three essential cookies are set on the job portal server when using the function, which are necessary for the use of the job advertisements and the application form. You can delete the cookies at any time in the security settings of your browser after submitting the application.

If your application for a job is successful, your data will be transferred from the application data system to our human resources information system. Your application data are inspected as soon as they have been received by the human resources department. Suitable applications are then passed on internally to those responsible in the departments for the relevant vacancies. Further action is then agreed. In the company itself your data are only accessible to persons who require them for your application procedure.

We process the data which you send us with your application to assess your appropriateness for the position (or any other vacancies in our company) and to carry out the application procedure. If the data are still needed after the application procedure has been completed or for prosecution purposes, data may be processed on the legal basis provided by Article 6 GDPR, including for the purpose of our legitimate interests under Article 6(1)(f) GDPR. We then have an interest in asserting or defending against claims.

The data on candidates whose application has been turned down are kept for a maximum of 6 months and then erased. If you have agreed to allow your personal data to be stored for longer, we will add your data to our pool of candidates. The data will expire after a period of two years.

Lawfulness of data processing: The legal basis for this application procedure is primarily the 25 May 2018 version of section 26 of the German Data Protection Act (BDSG). The data may then be processed which are required in connection with the decision concerning the establishment of an employment relationship.

5. Categories of recipients

Initially only our employees are informed about your personal data. We also share your personal data, if this is permitted or required by law, with other recipients who provide services in connection with our website. We only pass on your personal data if this is absolutely necessary, in particular in order to process your order. Some of our service providers receive your personal data in their function as processors and must then comply precisely with our instructions on the use of your personal data. Some of these recipients use the data we send to them autonomously.

Your personal data are sent to the following categories of recipients:

Where applicable, payment service providers and banks for the processing of payments
IT service providers for the administration and hosting of our website
Collection companies and legal counsel for the assertion of our rights and claims
Letter shops for transfer to the post.

6. Transfers to third countries

As part of the Google tools (integrating Google Maps, YouTube videos) or Vimeo videos, data may be transferred to the USA. Google and Vimeo are certified under the EU-US Data Privacy Framework and are therefore subject to the EU Commission’s adequacy decision for data transfers to the USA.

Otherwise, we do not transfer your personal data to countries outside the EU or EEA or to international organizations.

7. Data storage

When you visit our website your IP address, the website you were visiting prior to our website, the data and time you accessed our website, the volume of data transferred, the type and version of browser you are using and data on the referring provider are all sent to the EHI server and stored in log files.

When you make active use of our website and when you send us inquiries or register with us, including outside the website, we initially store your personal data for as long as it takes to respond to your inquiry. If a business relationship is then entered into and/or a contract is entered into, we store your personal data for the duration of our business relationship or the length of the contractual relationship. This also includes taking steps prior to entering into a contract (pre-contractual relationship) and the settlement of a contract.

We also store your personal data as potential evidence until any legal claims arising from the relationship with you have become statute-barred. The limitation period is as a rule three years.

Upon expiry of the limitation period we erase your personal data unless there is a legal requirement or requirements to retain the data for longer, e.g. the sections 238, 257 (4) of the German Commercial Code (HGB) or section 147 (3, 4) of the Tax Code (AO). These retention periods may be as long as ten years.

8. Information about your rights

You have the right to receive information from us about the relevant personal data as well as the right to have such data rectified, erased (right to be forgotten), to have the processing of such data restricted, the right to data portability and, where data are processed under Article 6(1) (e) and (f) GDPR, the right to object to processing.

You may withdraw any consent you have given to our processing of your personal data with effect for the future at any time.

You have the right to lodge a complaint to a data protection authority.

Questions, including about your rights as a data subject, can be sent us per example to the following e-mail address: datenschutz@ehi.org

Your applications can also be sent by post to our address above.

9. Duties to provide data

You are not required in any way to disclose your personal data to us. If you do not disclose such data, however, we will not be able to make our website available to you, to respond to your inquiries or enter into a contract with you.

10. Automated decision-making

We do not engage in automated decision-making or profiling (an automated analysis of your personal circumstances).

11. Information about your right to object under Article 21 GDPR

You have the right to object at any time to the processing of your data on the legal basis of Article 6(1) (f) GDPR (data processing on the basis of a balance of interests) or Article 6(1) (e) GDPR (data processing in the public interest) on grounds relating to your particular situation.

If you lodge an objection, we will cease to process personal data concerning you unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if such processing is carried out to establish, exercise or defend legal claims.

In certain specific cases we process your personal data for direct marketing purposes. You may object at any time if you do not wish to receive any advertising. We will comply with such objection with effect for the future. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

Your right to object may be exercised informally and should be communicated as soon as possible to:

EHI Retail Institute GmbH Spichernstr. 55
50672 Cologne
Germany
e-mail: datenschutz@ehi.org

12. Scope of and changes to this privacy policy

This privacy policy applies exclusively to the use of the websites provided by us. The policy does not apply to the websites of other service providers to which we refer merely by means of a link. We disclaim all responsibility and liability for external declarations and guidelines which are not related to our website. We reserve the right to modify the above privacy policy from time to time in line with future changes in the collection and processing of personal data.

(July 2024)