Privacy Policy

We take the protection of your personal data extremely seriously. The following Data Privacy Policy informs you about the type, scope, purpose, duration and lawfulness of the processing of personal data under the General Data Protection Regulation (GDPR). Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly (Art. 4 (1) GDPR). This information includes for example a person’s name, address, e-mail address or telephone number.

1. Controller

EHI Retail Institute GmbH
Spichernstr. 55
50672 Cologne
Germany
Telephone: +49 221 57993-0
Fax: +49 221 57993-45
e-mail: info@ehi.org

How to contact our data protection officer:
Spichernstr. 55
50672 Cologne
Germany
e-mail: datenschutz@ehi.org

2. Provision of the website

We process the data sent to us by your browser to enable you to visit and use the website; we also process information sent to us by cookies in order to perform statistical analyses of the way our website is used.

For technical reasons relating to the provision of the website, we have to process automatically some of the information you send us so that your browser can display our website and you can use it. This information is recorded automatically every time you visit our website and is then stored in server log files. This information concerns the computer system on the computer used to visit the website.

2.1 Information about cookies

We use so-called cookies on our website. Cookies are small text files that are stored on your respective device (PC, smartphone, tablet, etc.) and stored by your browser. Necessary cookies enable basic functions and are necessary for the proper functioning of the website. In addition, we use optional cookies, which provide us with additional information, for example for website analysis. The list of cookies can be found here:

Cookie banner
Service: Borlabs Cookie, Provider: EHI Retail Institute GmbH, Purpose: Saves the settings of visitors selected in the cookie box of Borlabs Cookie. Cookie name: borlabs-cookie, time: 1 year

Statistics
Service: Matomo On-Premise, Provider: EHI Retail Institute, Purpose: Cookie from Matomo for website analysis. Generates statistical data about how the visitor uses the website. Data protection information: #matomo Cookie name _pk_*.*, cookie duration: 13 months

External media
Service: Google Maps, Provider: Google, Purpose: Used to unlock Google Maps content. Data protection information: https://policies.google.com/privacy Host: google.com, Cookie name: NIDCookie, time: 6 months

Service: Vimeo, Provider: Vimeo, Purpose: Used to unlock Vimeo content. Data protection information: https://vimeo.com/privacy Host: player.vimeo.com, Cookie name: vuid, time: 2 years

Service: YouTube, Provider: YouTube, Purpose: Used to unlock YouTube content. Data protection information: https://policies.google.com/privacy Host: google.com, Cookie Name: NID, time: 6 months

2.1.1 Cookie banner

In order to meet our data protection obligations, we use a cookie consent banner from the provider Borlabs, Benjamin A. Bornschein, Georg-Wilhelm-Straße 17, 21107 Hamburg (“Borlabs”). When you visit our website, your cookie preferences are queried via a banner. Borlabs then sets a cookie in which data on granted or revoked consents, cookie durations and versions, domain and path of the website accessed and a randomly generated ID are stored.

The data processing takes place on the basis of our predominantly legitimate interest in data protection compliant data processing on our website in accordance with Art. 6 (1) (f) GDPR.

2.1.2 Cookie settings

You can revoke and / or change your consent to cookies and / or all of your cookie settings in the footer (the area at the bottom of every page) by clicking on the link „Data protection settings“.

You can also prevent or restrict future data processing using cookies by selecting the appropriate browser settings and deactivating the use of cookies there, for example. Cookies that have already been saved can be deleted in the browser settings.

2.2 Web analysis with Matomo

We are using Matomo On-Premise for a data protection-friendly web analysis. Matomo is an open source project that we use in the self-hosted Matomo On-Premise solution. We have also selected the setting so that your IP address is only recorded in abbreviated form. Cookies are set to improve website analysis. For this purpose, the usage information recorded in the cookie (including your abbreviated IP address) will be transmitted to our server with your consent and stored for usage analysis purposes. With Matomo, no data is transmitted to servers that are beyond our control. We are supported in this by our hosting service provider, with whom we have concluded a corresponding contract for order data processing. The information about your use of our websites will not be passed on to third parties and will not be processed outside the EU. We use the collected data for the statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the websites, adapting our content and improving our offers.

Lawfulness of data processing: Is your prior consent in accordance with Art. 6 Paragraph (1) (a) GDPR. You can revoke your consent at any time with future effect by changing your data protection settings in the footer (the area at the bottom of every page).

2.3 Use of Google Maps

We use the “Google Maps” service to provide you with an interactive map. When the map is shown data such as your IP address and your location are sent to Google servers in the USA and stored there.
Further information about the terms of use at: www.google.com/terms_maps

2.5 Integration of videos

To better transport content and make it easier to understand, we use the possibilities of videos. We used external video providers such as Vimeo or YouTube to optimally integrate the videos on the website.

YouTube: Our website integrates videos using the service provided by YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Your IP address is normally sent to YouTube and cookies installed on your computer as soon as you go to a website which contains embedded videos. However, we have integrated videos in enhanced data protection mode (in this case YouTube still makes contact with Google’s Double Click service but, according to Google’s data privacy policy, does not evaluate personal data). This means that YouTube does not store any data about users who do not watch the video. When you click the video your IP address is sent to YouTube and YouTube is informed that you have watched the video. If you are logged into YouTube, this information is assigned to your user account (you can prevent this by logging out of YouTube before watching the video). We have no knowledge of or any influence on whether YouTube stores and uses your data.
More information about data protection is available at: www.policies.google.com/privacy

Vimeo: By default, cookies are placed in the browser by Vimeo (Vimeo LLC, White Plains, New York). We have prevented the setting of cookies by Vimeo with an extended data protection mode as far as possible by integrating a „Do-No-Track“ designation in the embed code.

More about Vimeo’s privacy policy can be found here: https://vimeo.com/privacy

3. Active use of the website and conclusion of contract

Purposes and lawfulness of data processing

You can also actively use our website to order one of our products or services, register for an event, register for our newsletter, contact us and download our studies (as an EHI member), whitepapers etc.

3.1 Ordering and downloading publications

When you order a product from us, your data (title, name, company, address, e-mail address and, if applicable, telephone number) are stored in order to take and execute the order. The offer of our EHI publications is aimed exclusively at commercial customers. All prices plus VAT.

Our EHI members can request their personal download link after providing their company e-mail address as well as title, first name and surname and will receive the corresponding download link of the member study by e-mail.

Free products can be requested after providing your e-mail address, title, first name, surname and company and will also be sent by e-mail.

Legal basis for data processing: For the fulfilment of a contract or the implementation of pre-contractual measures pursuant to Art. 6 (1)(b) DSGVO or on the basis of consent pursuant to Art. 6 (1)(a) DSGVO.

3.2 Registration for events

We process your data in order to receive and deal with registrations made on our website for any free or ticket event. This involves us processing the following information: first name, family name, company name (for assignment to a member company), contact data, such as e-mail, telephone number and company address, function and department. At partner events, the registration data of the participants will be forwarded to the co-organizer in order to be able to carry out the planning and execution of the event together.

Photos and, if necessary, video recordings are made at our events. The recordings are used for public relations, documentation and publicizing the event. More information: www.datenschutz.ehi.de/fotos

In our EHI sessions, which take place purely online, we use the „Zoom“ tool, a service provided by Zoom Video Communications, Inc., which is based in the USA. More information at www.datenschutz.ehi.de/zoom-hinweise/

Lawfulness of data processing: For the performance of a contract or steps taken prior to entering into a contract, the legal basis is Article 6(1) (b) GDPR.

3.3 Payment processing

We use payment service providers and banks for payment processing purposes.
Lawfulness of data processing: For the performance of a contract or steps taken prior to entering into a contract, the legal basis is Article 6(1) (b) GDPR.

3.4 Contact inquiries

We process the personal data you provide us in this context to handle and answer inquiries sent to us, e.g. using the contact form or sent to our e-mail address. This information will always include your name and e-mail address – this allows us to respond to you in person. The information may also include the name of your company as stated in the contact form so that this can be identified as a member company and any other information which you send to us.

These services are only available to persons aged 18 years of age or older (Article 8 GDPR). By registering you agree that you meet these preconditions.Lawfulness of data processing: For the purposes of our legitimate interests, the legal basis is Article 6(1) (f) GDPR; we have a legitimate interest in responding appropriately to inquiries.

3.5 Newsletter

The EHI Retail Institute processes your data for your subscription in order to send you the EHI Newsletter (Article 6(1) (a) GDPR), to contact you in person (Article 6(1) (a) GDPR) and to identify a member company (Article 6(1) (a) GDPR). We process the double opt-in procedure data to demonstrate that you have given your consent (Article 6(1) (f) GDPR, Article 13(1) (d) GDPR). We are supported in this respect by our e-mail and other IT service providers as contracted processors.

We analyse the links in these e-mails in anonymous form for statistical purposes and to optimise our offer. However, it at no time becomes apparent who precisely has clicked the link.

We process your data for this purpose until you withdraw your consent to such processing. The newsletter can only be sent to you if we have your e-mail address. We only need your e-mail address for this purpose but further information does make communication easier. You have the right to receive information from us about the relevant personal data as well as the right to have such data rectified, erased (right to be forgotten), to have the processing of such data restricted, the right to data portability and, where data are processed under Article 6(1) (e) and (f) GDPR, the right to object to processing.

If you no longer wish to receive the newsletter, you may unsubscribe at any time using the link at the end of the newsletter.

These services are only available to persons aged 18 years of age or older (Article 8 GDPR). By registering you agree that you meet these preconditions.

3.6 Advertising for own similar services

We process your e-mail address and information about your order in order to send you advertising by e-mail for similar services (Article 6(1) (f) GDPR). We have a legitimate interest in the direct marketing of our services. We are supported in this respect by our e-mail and other IT service providers as contracted processors.

We analyse the links in these e-mails in anonymous form for statistical purposes and to optimise our offer. However, it at no time becomes apparent who precisely has clicked the link.

We process your data for this purpose until you express your objection. It is only possible to advertise in this way using your e-mail address and the information about your order. You may withdraw any consent you have given to our processing of your personal data with effect for the future at any time. You may send us your objection by e-mail to datenschutz@ehi.org. You will also find an unsubscribe link at the end of each advertising e-mail.
Lawfulness of data processing: For the purposes of our legitimate interests, the legal basis is Article 6(1) (f) GDPR; we have a legitimate interest in the direct marketing of our products and services.

3.7 Downloads of the EHI session lectures

Our EHI sessions are made possible by the support of partners. In order to download the presentations of the partners after the online event, you can register with your contact details (first name, surname, company, email address). As soon as you have saved your data in the registration form, you can select the companies whose content interests you. By clicking on „Release data“ in the corresponding window, you confirm that your data will be sent to the respective partner for the purpose of advertising in connection with the product / service mentioned in the lecture. The title of the lecture, the partner, the advertised product / service, e-mail address for the revocation and a link to the partner’s data protection declaration are listed on the respective download page in the lower area. The revocation of the advertising consent is possible at any time, for example by e-mail at the e-mail address listed with the respective partner.

Lawfulness of data processing: Is your prior consent in accordance with Art. 6 Paragraph (1) (a) GDPR.

3.8 Information on social media

We maintain an online presence in social networks and on platforms were we communicate with and inform users who are active there. The data used in this context may be processed outside the European Union. The relevant social media providers usually process their data for market research and advertising purposes. They usually do this by means of cookies which collect and store information about your user behaviour and interest on your device. In addition, and particularly if you are registered on the relevant platform, data may be stored in your user profile separately from your device.

For more detail about the processing of your data please read the relevant providers’ privacy policies:

Facebook, Ireland, privacy policy: www.facebook.com/about/privacy/
YouTube, Ireland, privacy policy: www.policies.google.com/privacy
Twitter, Ireland, privacy policy: www.twitter.com/en/privacy
LinkedIn, Ireland, privacy policy: www.linkedin.com/legal/privacy-policy
Xing, Germany, privacy policy: www.privacy.xing.com/en
Instagram, Ireland, privacy policy: instagram.com/about/legal/privacy/

You can also make requests for information from and assert your user rights against the providers.
Lawfulness: Your personal data is processed on the basis of our legitimate interests in accordance with Article 6(1) f) GDPR. We have a legitimate interest in communicating with and providing information to users of social media. The legal basis of consent to the processing of your data to the relevant social media providers is Article 6 (1) (a) GDPR.

3.9. Using Fact Finder

In order to offer you the best results via our search function, we use the FACT-Finder service on our company website www.ehi.org (a product of Omikron Data Quality GmbH, Habermehlstr. 17, 75172 Pforzheim). The search terms entered from the website’s search function are transmitted to FACT-Finder and stored there. Only data that is absolutely necessary for functionality is stored. When using the FACT-Finder WebComponents, client IP addresses of search users are stored, since the search queries are transmitted directly from the browser to the search server. It is not possible for us to draw any conclusions about your person. You can find more information at www.fact-finder.de/dsgvo and at www.fact-finder.de/datenschutz.

Legal basis for data processing: To protect our legitimate interests in accordance with Art. 6 (1)(f) GDPR; We would like to offer our website visitors an optimal search function with the appropriate results.

4. Data processing outside the website

Purposes and lawfulness of data processing

If you make contact with us, enter into a contract with us or register for a free or ticket event via channels (e.g. e-mail, telephone, in person) other than our website, we process the personal data you send us for the purposes of entering into a contract or registering with us and which are needed in order to make a contract and to provide our products or services, to establish, perform and, where applicable, terminate our contracts/events as follows.

4.1 Contact inquiries

We process the personal data you provide us in this context to handle and answer inquiries sent to us, e.g. by telephone, post or to our e-mail address. In all cases this information includes your name and your address, such as your e-mail address, postal address or a fax number to which a response can be sent as well as any other information which you send us.

Lawfulness of data processing: For the purposes of our legitimate interests, the legal basis is Article 6(1) (f) GDPR; we have a legitimate interest in responding to inquiries.

4.2 Entering into a contract

If you order any of our free or other products and services by telephone, e-mail or in person, we process your personal data in order to receive and process your order and to be able to provide you with the products or services you have ordered. We do this by processing the information you enter in our forms.

Lawfulness of data processing: performance of a contract or steps taken prior to entering into a contract under Article 6(1) (b) GDPR.

4.3 Registration for events

We process your data in order to receive and deal with registrations made by telephone, by e-mail, post or in person for any free or ticket event. This involves us processing the following information: first name, family name, company name (for assignment to a member company), contact data, such as e-mail, telephone number and company address, function and department.

Lawfulness of data processing: For the performance of a contract or steps taken prior to entering into a contract, the legal basis is Article 6(1) (b) GDPR.

4.4 Payment

We use payment service providers and banks for payment processing purposes. Lawfulness of data processing: For the performance of a contract or steps taken prior to entering into a contract, the legal basis is Article 6(1) (b) GDPR.

4.5 Compliance with legal requirements

We process your personal data in order to comply with other statutory requirements relating to the performance of the contract. Such requirements include but are not limited to retention periods under business, commercial or tax law.

Lawfulness of data processing: for compliance with a legal obligation to which we are subject under Article 6(1)(c) GDPR in connection in particular with business, commercial or tax law.

4.6 Enforcement of law

We also process your personal data to enable us to assert our legal rights and to defend ourselves against legal claims brought against us. Finally, we process your personal data as necessary for the purpose of defending against or for the prosecution of criminal offences.

Lawfulness of data processing: For the purposes of our legitimate interests, the legal basis for the assertion of legal claims or the mounting of a defence in legal disputes or the prevention or investigation of crimes is Article 6(1) (f) GDPR.

5. Information about applicant’s data

You are welcome to send applications to us via our applicant portal. We use the personnel and applicant management software from HRworks GmbH for this purpose. HRworks processes personal data on behalf of your application. The data transmitted in connection with your application will be stored on a server within the European Union and encrypted during transmission. We alone are responsible within the meaning of Art. 4 No. 7 GDPR, as we carry out this application process. HRworks is only the operator of the applicant management software and the application form and acts in this relationship as a processor according to Art. 28 DSGVO. The basis for processing by HRworks is a contract for order processing. We process the data that you have sent us in connection with your application in order to check your suitability for the position (or any other open positions in our company) and to carry out the application process.

Necessary cookies
As part of the applicant management function in HRworks, three essential cookies are set on the job portal server when using the function, which are necessary for the use of the job advertisements and the application form. You can delete the cookies at any time in the security settings of your browser after submitting the application.

If your application for a job is successful, your data will be transferred from the application data system to our human resources information system. Your application data are inspected as soon as they have been received by the human resources department. Suitable applications are then passed on internally to those responsible in the departments for the relevant vacancies. Further action is then agreed. In the company itself your data are only accessible to persons who require them for your application procedure.

We process the data which you send us with your application to assess your appropriateness for the position (or any other vacancies in our company) and to carry out the application procedure. If the data are still needed after the application procedure has been completed or for prosecution purposes, data may be processed on the legal basis provided by Article 6 GDPR, including for the purpose of our legitimate interests under Article 6(1)(f) GDPR. We then have an interest in asserting or defending against claims.

The data on candidates whose application has been turned down are kept for a maximum of 6 months and then erased. If you have agreed to allow your personal data to be stored for longer, we will add your data to our pool of candidates. The data will expire after a period of two years.

Lawfulness of data processing: The legal basis for this application procedure is primarily the 25 May 2018 version of section 26 of the German Data Protection Act (BDSG). The data may then be processed which are required in connection with the decision concerning the establishment of an employment relationship.

6. Categories of recipients

Initially only our employees are informed about your personal data. We also share your personal data, if this is permitted or required by law, with other recipients who provide services in connection with our website. We only pass on your personal data if this is absolutely necessary, in particular in order to process your order. Some of our service providers receive your personal data in their function as processors and must then comply precisely with our instructions on the use of your personal data. Some of these recipients use the data we send to them autonomously.

Your personal data are sent to the following categories of recipients:

Where applicable, payment service providers and banks for the processing of payments
IT service providers for the administration and hosting of our website
Collection companies and legal counsel for the assertion of our rights and claims
Letter shops for transfer to the post.

7. Transfers to third countries

As part of the Google tools (integrating Google Maps, YouTube videos) or Vimeo videos, data may be transferred to the USA. If service providers are used outside the EU/EEA third country and there is no so-called „adequacy decision“ by the EU Commission for this country, these service providers are obliged to comply with the data protection level in Europe in addition to written instructions through the agreement of the EU standard contractual clauses. Unfortunately, due to the laws of non-EU countries (e.g. within the framework of the so-called Cloud Act in the USA), there is also the possibility that government agencies in particular can access your personal data without that we or you can learn about or prevent, stop or control this. For these reasons, your consent includes e.g. B. on the use of cookies (e.g. for YouTube or Vimeo videos) also the purpose of data transmission to countries outside the EU.

Otherwise, we do not transfer your personal data to countries outside the EU or EEA or to international organizations.

8. Data storage

When you visit our website your IP address, the website you were visiting prior to our website, the data and time you accessed our website, the volume of data transferred, the type and version of browser you are using and data on the referring provider are all sent to the EHI server and stored in log files.

When you make active use of our website and when you send us inquiries or register with us, including outside the website, we initially store your personal data for as long as it takes to respond to your inquiry. If a business relationship is then entered into and/or a contract is entered into, we store your personal data for the duration of our business relationship or the length of the contractual relationship. This also includes taking steps prior to entering into a contract (pre-contractual relationship) and the settlement of a contract.

We also store your personal data as potential evidence until any legal claims arising from the relationship with you have become statute-barred. The limitation period is as a rule three years.

Upon expiry of the limitation period we erase your personal data unless there is a legal requirement or requirements to retain the data for longer, e.g. the sections 238, 257 (4) of the German Commercial Code (HGB) or section 147 (3, 4) of the Tax Code (AO). These retention periods may be as long as ten years.

9. Information about your rights

You have the right to receive information from us about the relevant personal data as well as the right to have such data rectified, erased (right to be forgotten), to have the processing of such data restricted, the right to data portability and, where data are processed under Article 6(1) (e) and (f) GDPR, the right to object to processing.

You may withdraw any consent you have given to our processing of your personal data with effect for the future at any time.

You have the right to lodge a complaint to a data protection authority.

Questions, including about your rights as a data subject, can be sent to our data protection officer at the following e-mail address: datenschutz@ehi.org

Your applications can also be sent by post to our data protection officer directly at the address given.

10. Duties to provide data

You are not required in any way to disclose your personal data to us. If you do not disclose such data, however, we will not be able to make our website available to you, to respond to your inquiries or enter into a contract with you.

11. Automated decision-making

We do not engage in automated decision-making or profiling (an automated analysis of your personal circumstances).

12. Information about your right to object under Article 21 GDPR

You have the right to object at any time to the processing of your data on the legal basis of Article 6(1) (f) GDPR (data processing on the basis of a balance of interests) or Article 6(1) (e) GDPR (data processing in the public interest) on grounds relating to your particular situation.

If you lodge an objection, we will cease to process personal data concerning you unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if such processing is carried out to establish, exercise or defend legal claims.

In certain specific cases we process your personal data for direct marketing purposes. You may object at any time if you do not wish to receive any advertising. We will comply with such objection with effect for the future. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

Your right to object may be exercised informally and should be communicated as soon as possible to:

EHI Retail Institute GmbH Spichernstr. 55
50672 Cologne
Germany
e-mail: datenschutz@ehi.org

13. Scope of and changes to this privacy policy

This privacy policy applies exclusively to the use of the websites provided by us. The policy does not apply to the websites of other service providers to which we refer merely by means of a link. We disclaim all responsibility and liability for external declarations and guidelines which are not related to our website. We reserve the right to modify the above privacy policy from time to time in line with future changes in the collection and processing of personal data.

(November 2023)