Data Privacy Statement for ALDI Photos and MEDION
(Last Revised July 2020)

ALDI Photos is delighted at your visit to this website and at your interest in the products and services of ALDI Photos and at your interest in our service partner MEDION (ALDI Photos/ MEDION). We take the protection of your personal data very seriously and want you to feel secure when using our website and our products. The protection of your privacy when processing personal data is important to ALDI Photos/ MEDION and its centrality is evident in all our business practices. We are concerned for the protection of your data which we collect, process and use when you visit the ALDI Photos/ MEDION website. Please do not hesitate to contact us if you have any questions on the subject of data protection with reference to ALDI Photos/ MEDION and we will make every effort to deal with your inquiry promptly. We also welcome your suggestions. The privacy statement may be updated from time to time. We therefore ask you to read this page regularly. The last line of this statement below indicates when it was last updated.

1. Basic principles

Your personal data are collected, processed and used in strict compliance with the statutory provisions and according to the principles of good faith. As far as possible, we conduct our business processes in such a way that the data protection requirements are already taken into account during the development of the products and services and ensure that personal data are anonymised in such a way that the data subject cannot be identified or can no longer be identified if this does not jeopardise the agreed purpose. ALDI Photos/ MEDION will use your personal data for the technical administration and further development of this website, for customer management, user administration and marketing, to inform you about our services and products and for other precisely defined purposes.

Image data

Your image data will be automatically stored for 60 days for the purpose of providing photo products. The storage period of any given project will be extended by 30 days each time the data are edited. You can delete your image data (projects) in the project folder at any time.  ALDI Photos/ MEDION will also provide you with online storage space at your request which you can optionally use to save the configuration of selected products over a longer period of time. You have the option of deleting your design projects from the online storage space (online project folder) at any time using your online login and access password.  The data collected from you will be processed exclusively in Germany.

2. Sources and data

We process personal data which we have received directly from you in the context of our business relations. We also process personal data which we legitimately obtain from publicly accessible sources or which are rightfully transmitted to us by other third parties, insofar as these data are required for the provision of the relevant services and for the agreed purpose.
We save your data as required to process your purchase orders, to make photo products, to enable the use of our products or to provide services, such as repairs, and – if you so choose – to process payments. These are personal data, such as your address details, date of birth (for transactions requiring age verification), image data, and data required for certain payment methods. The relevant purchase order data (item, quantity, price, etc.) are filed with your address.

3. Purpose of processing and legal basis

Your personal data will be processed in accordance with the provisions of the European General Data Protection Regulation (GDPR).

For the fulfilment of contractual obligations (Art. 6 (1) b) GDPR):

Personal data are processed in connection with the trade in products and services in the field of consumer electronics. The purposes of data processing will depend primarily on the specific product (e.g. physical or digital) and its possible applications or they may also depend on the order placed with us (e.g. repair). Further details on data processing purposes can be found in the contractual documents, the operating instructions and the terms and conditions or the terms of use.

In connection with the balancing of interests (Art. 6 (1) f) GDPR):

If necessary, we will process your data beyond the actual performance of the contract to safeguard our legitimate interests or the legitimate interests of third parties. This will include the review and optimisation of procedures for the analysis of requirements for the purposes of approaching customers directly, advertising, market research and opinion polls (unless you have objected to the use of your data for these purposes), the assertion of legal claims and defence in legal disputes, the guarantee of IT security and IT operation of ALDI Photos/ MEDION, the prevention and investigation of criminal offences based on official orders, and the measures put in place for the business management and further development of ALDI Photos/ MEDION services and products.

On the basis of your consent (Art. 6 (1) a) GDPR):

If we have your consent to process personal data for specific purposes (e.g. forwarding of data within the group of companies, evaluation of data for marketing purposes), the legality of such processing is based on your consent. Once granted, consent may be revoked at any time. This also applies to the revocation of consent granted to us before the GDPR entered into force, i.e. before 25.05.2018. The revocation of the consent does not affect the legality of the data processed until the revocation.

For compliance with legal requirements (Art. 6 (1) c) GDPR) or in the public interest (Art. 6 (1) e) GDPR):

This might include identity and age checks, for example, or the fulfilment of inspection and reporting obligations under tax law. Unless specifically stated below, no personal data are processed during the use of this website, i.e. no personal data are saved, changed or passed on to third parti

4. Transmission of data to third countries or international organisations

Data are transmitted to bodies in countries outside the European Union (referred to as third countries) insofar as this is necessary to process your orders or if required by law or if you have given us your consent. ALDI Photos/ MEDION does not transfer any personal data to bodies in third countries or international organisations in any further respects. ALDI Photos/ MEDION does, however, use service providers for certain orders who in turn use service providers who may have their company headquarters, parent company or data processing centres in a third country. Under Art. 45 GDPR, data may be transmitted if the European Commission has decided that there is an adequate level of protection in a third country. If no such decision has been taken, ALDI Photos/ MEDION or the service provider may only transfer personal data to a third country or to an international organisation if appropriate safeguards are in place (e.g. standard data protection clauses adopted by the Commission or by the supervisory authority in a particular procedure) and if enforceable rights and effective legal remedies are available. ALDI Photos/ MEDION has agreed contracts with these service providers for order processing, as it is called, which stipulate that fundamental data protection standards are always agreed with their contractual partners in keeping with the European level of data protection.

5. Storage periods

ALDI Photos/ MEDION processes and stores your personal data for as long as is necessary for the fulfilment of our contractual and legal obligations. If the data are no longer required for the fulfilment of contractual or legal obligations, they are routinely deleted unless their further processing is necessary – for a limited period – for the purpose of preserving evidence under the statute of limitations. Under sections 195 ff. of the German Civil Code these statutory limitation periods can be up to 30 years although the regular limitation period is three years. This also includes the fulfilment of statutory retention obligations under commercial law and tax law, as set out in the German Commercial Code or the German Fiscal Code. The mandatory data and documentation storage periods specified in the aforementioned laws range from two to 10 years.

6. Your rights as the data subject

Any person whose personal data are processed has the following rights as the data subject:

7. Obligation to provide data

Within the context of our business relationship, you are required to provide such personal data as are necessary to establish and conduct business relations and to fulfil the contractual obligations associated therewith or such personal data as we are legally obliged to collect. Without these data we will generally not be able to conclude or execute the contract with you, or your statutory rights (e.g. guarantees and warranties) will be at risk.

8. Automated individual decision-making and profiling

As a general principle, we do not use fully automated decision-making processes, as defined in Art. 22 GDPR, to establish and conduct business relations. Should we use these procedures in individual cases, we will specifically inform you if required to do so by law. We process some of your data automatically with the aim of evaluating certain personal aspects (profiling). We use profiling for various purposes, such as to be able to provide you with targeted information on products and services or we use evaluation tools. These enable needs-based communication and advertising, including market research and opinion polls.

9. Collection of personal data during visits to our website

If you visit the website for information purposes only, as in merely browsing, i.e. if you do not register or otherwise provide us with information, we will only collect the personal data which your browser transmits to our server. If you view our website, we will therefore collect the following data which are technically necessary for us to display our website to you and to guarantee stability and security (legal basis is Art. 6 (1) section 1 f) GDPR):

In addition to the aforementioned data, cookies will also be stored on your computer when you use our website. Cookies are small text files which are stored on your hard drive and assigned to the browser you are using and through which certain information is sent to the body which places the cookie (us in this case). This is used in various ways, such as to analyse the performance of the website through cookies which help to improve our website by providing us with overall statistics on the number of visitors to a site, the sections of a site viewed most frequently, and the city or location of the users. These may be installed by external analysis service providers acting on our instructions. These cookies cannot identify you personally. Cookies cannot run programs or transmit viruses to your computer. They serve merely to make the website easier to use and more efficient overall. ALDI Photos/ MEDION uses the following types of cookies: transient cookies and persistent cookies.

Transient cookies are automatically deleted when you close the browser. These include in particular the session cookies which store a session ID with which various requests sent by your browser can be assigned to the common session. This will allow your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close the browser.

Persistent cookies are automatically deleted after a specified period which can vary depending on the cookie. You can delete cookies at any time in the security settings in your browser.

You can configure your browser settings as you wish and refuse the acceptance of third-party cookies or all cookies, for example. We would point out that you may not be able to use all the functions of this website in this case. Please note that most browsers offer different ways of protecting your privacy. You can allow first-party cookies, for example, but block third-party cookies or ask to be notified each time a website wants to install a cookie. Please note that disabling cookies in this way will mean that it is not possible to set new cookies but it will not prevent cookies previously set from continuing to function on your device until you have deleted all the cookies in your browser settings. You can usually find the instructions for managing cookies on your browser under the help function in the browser or in the operating instructions for your smartphone or for the stationary or mobile product with Internet access which you are using.

We also use cookies to be able to identify you on return visits if you have an account or separate individual access to our offers. Otherwise you would have to log in again on each visit. The Flash cookies used are not detected by your browser but by your Flash plug-in. We also use HTML5 storage objects which are stored on your end device. These objects store the required data independently of your browser and do not have an automatic expiry date. If you do not want the Flash cookies to be processed, you need to install an add-on like the one for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash killer cookie for Google Chrome. You can prevent the use of HTML5 storage objects by setting the private mode in your browser.

Overview and description of the cookies we use

On this website, various data is measured by our partner named below for the control of advertising (=measurement data) Amongst other things, for this purpose, the frequency of the use of different subject areas are stored on a website-basis and target groups for advertising are identified according to socio-demographic characteristics and product interests. Only the statistical patterns that result from the use of online advertising and editorial content are processed. The information about your internet usage may also be used across websites to provide a rough estimate of which advertising may interest you the most.

You have the right to, at any time, object to the recording of measurement data by our partners by using the revocation options listed below (opt-out).

Webtrekk

Based on our legitimate interests (i.e. interest in the analysis, optimization, and financial operation of our online offer in accordance with Art. 6. section 1 f) of the GDPR), we use the marketing service (“Webtrekk service”) of Webtrekk GmbH, Robert-Koch-Platz 4, 10115 Berlin (“Webtrekk”).

Webtrekk is located in Germany. The company is therefore subject to German and European data protection legislations. It has been privacy certified within the field of web controlling in Germany after the validation of its data processing in accordance with data protection conformity and data security.

Webtrekk creates pseudonymized usage records for the purpose of advertising, market research or to tailor offers to needs, insofar that you do not object. The usage records are created using so-called cookies. These cookies have different lifetimes. The most used cookies are so-called “session cookies”, but also cookies with longer expiration are used to recognise you anonymously as a visitor. Webtrekk uses the following cookies for web controlling:

Session cookie (for session recognition, expiration: one session)
Long-term cookie (for recognition of new/regular customer, expiration: 6 months)
Opt-out cookie (in case of objection to tracking, expiration: 60 months/5 years)
Opt-in cookie (to expand the lifetime of the long-term cookie, expiration: 12 months/1 year)

In accordance with our contract, this information is only used on our behalf to analyse the use of our online offer by the user, to compilate reports on the activities on our online offer and for further services that are related to this online offer and other internet services. Your IP address is not saved as part of the above cookie usage. IP addresses are pseudonymized, i.e. they are shortened for the sake of geo localization as part of the web analysis. The IP addresses themselves are immediately deleted so that it is no longer possible to identify the user based on the collected data. Geo localization works via a database in which the IP address contingents of different hosts are stored with their respective location. As such, the geo localization only locates the place of the internet service provider, not the specific address of the user. User data is strictly processed by the Webtrekk service in pseudonymized form. Webtrekk does not store or process the name or email address of the user, for example, but only processes the relevant cookie data within pseudonymous user profiles. Advertising is not managed or displayed for one specific identified person by Webtrekk, but only for the cookie holder, regardless of who this is. However, if the user consents to MEDION AG to having their data processed without this pseudonymization, and if the user identifies themselves through our website, we will combine this data with the master data created by us and send it to Webtrekk in an encrypted form (more precisely: hashed). Webtrekk will not be able to identify the user. However, this comparison of data enables us to define specific user groups (e.g. to establish a connection between age and interest in our products) and thus to address user groups with targeted advertising in line with their interests.

In order to disable the collection and analysis of data done by Webtrekk, and to opt out of any further user data collection so that your data will no longer be tracked on this website in the future, you must set a cookie (called ‘webtrekkOptOut’). You can set this here: Click here. This revocation will apply for as long as you do not delete the webtrekkOptOut cookie. Alternatively/additionally, in order to further protect your privacy, you can install a plugin in your browser which offers the possibility of hindering tracking – e.g. AdBlock, Ghostery or NoScript (please note the data protection information of the respective plugin provider).

Insofar that we only process anonymized data, it is no longer possible to identify a specific person or their specific characteristics.

11. Management of your data while processing payments

If you choose to pay by invoice, you will receive an invoice with the delivery of your photo order.  If the delivery address is different, you will receive the invoice in PDF format with the confirmation of dispatch by email.
For all the payment methods listed below, the entire payment process will be handled by the respective service provider. Therefore ALDI Photos/ MEDION will not have access to any personal data relating to customers in respect of specific payments.

Credit card
If you choose to pay by credit card, your payment will be forwarded and processed by Elavon Merchant Services, Postbus 20 000, Boîte Postale Brussel 1000 Bruxelles 1, Belgium. Therefore this name may also appear on your credit card statement. Elavon processes payment data on behalf of ALDI Photos/ MEDION in the course of providing payment management services and related services. In its role as order data processor, Elavon is particularly concerned with adhering to the principle of data economy and so collects and stores only such information as is absolutely essential. The entire payment process is managed by Elavon therefore ALDI Photos/ MEDION has no access to payment-related data of the customer.

PayPal
If you choose to pay by PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A.

22-24 Boulevard Royal, L-2449 Luxembourg), you will be redirected to PayPal at the end of the purchase order process. If you are already a PayPal customer, you can log in there with your user data and confirm the payment. If you are new to PayPal, you can open a PayPal account and then confirm the payment. It usually only takes a few minutes for us to receive confirmation of the payment from PayPal after the order has been placed and so your order is prepared for dispatch immediately. Please note, however, that in rare cases processing errors may occur on PayPal sites over which we have no control. If you return the goods, the refund will be credited to your PayPal account. For more information about PayPal, please visit

https://www.paypal.com/uk/webapps/mpp/personal

Direct debit
If you opt to pay by direct debit, you will be asked to enter your bank details in the payment form including the IBAN and BIC.

The data are sent in encrypted form. If you pay by direct debit, the relevant amount will be debited from your account after completion of your order.

12. Information about your right to object under Art. 21 of the General Data Protection Regulation (GDPR)

You may withdraw your consent from ALDI Photos/ MEDION at any time for the processing of personal data. This also applies to the withdrawal of any declarations of consent issued to us before the General Data Protection Regulation (GDPR) entered into force, i.e. before 25.05.2018. Please note that the revocation will only be effective for future processing. Any processing which took place before the revocation will not be affected by this.

Right to object in individual cases

You have the right, at any time for reasons arising from your particular situation, to object to the processing of personal data concerning you pursuant to Article 6 (1) e) GDPR (data processing in the public interest); this also applies to any profiling based on this provision as defined in Art. 4 (4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for their processing which override your interests, rights and freedoms or if the data are processed for the establishment, exercise or defence of legal claims.

If we base the processing of your personal data on the balancing of interests, you may object to the processing.  This will be the case if the processing in particular is not necessary to fulfil a contract with you which will be set out by us in each case in the following description of the functions. When any such objection is raised, we will ask you to explain the reasons why we should not process your personal data as we have done. Having received the reasons for your objection, we will investigate the situation and either stop processing the data and/or adapt our processing practices or explain the compelling legitimate reasons why we are required to continue processing the data.

Right to object to the processing of data for direct marketing purposes

In individual cases we will process your personal data for direct marketing purposes. You have the right to object to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling insofar as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes. The notice of objection need not take any official form and should preferably be addressed to MEDION AG, Datenschutz, Am Zehnthof 77, 45307 Essen.

13. Body responsible for ALDI Photos/ MEDION: MEDION AG, Am Zehnthof 77, 45307 Essen

You can also contact the company data protection office and the company data protection officer, Peter Staab, by email: datenschutz@medion.com

(MEDION AG Data Privacy Policy, Last Revised 07.2020, 1)