A. Data protection notice for the online marketplace

Thank you for visiting the data protection section for the Kaufland companies. The following Privacy Policy describes how we handle the collection, use and disclosure of personal data. The statutory basis for data protection is, in particular, the EU General Data Protection Regulation (GDPR).

I. Overview

Data processing by the Kaufland companies can essentially be divided into three categories:

For the purposes of carrying out the login process, all data required to log in or register a customer account will be processed by websites such as www.kaufland.de (hereinafter: Website of the Online Marketplace) and filiale.kaufland.de via each website’s national companies (hereinafter: Websites of the Brick-and-Mortar Business). The controller for this processing is Kaufland Dienstleistung GmbH & Co.KG, and/or the responsible party within the controller’s national company.

When you visit the Online Marketplace Websites or use the services offered there, various data is processed for specific purposes. This may also involve personal data. The controller responsible for processing is Kaufland Marketplace GmbH.

When you access the In-store Business Websites or use the services offered there, various data is processed for specific purposes. This may also involve personal data. The controller responsible for processing in Germany is Kaufland Dienstleistung GmbH & Co.KG and otherwise the respective national company.

II. General information on centralised functionalities

1.) Kaufland customer accounts

a) Registration on Kaufland websites

Purpose of the data processing/legal basis: The process of registering your customer accounts at www.kaufland.de and filiale.kaufland.de is arranged via a common, centralised login function of Kaufland Dienstleistung GmbH & Co.KG. The shared login allows you to use all services on the basis of one registration. The following data is processed as part of the registration process:

• E-mail address
• Name,
• Title,
• Phone number (if applicable)
• Information on consents (consents remain unaffected otherwise however)
• Password,
• Date of birth (if applicable)

The legal basis for processing your data is Art. 6 para. 1 (1) f) GDPR. The legitimate interest on the part of the Kaufland companies arises from our interest in being able to provide customers with the extended functions of the centralised customer accounts.

Your customer account data can also be used within the Schwarz Group by the responsible departments for the technical administration of the Kaufland customer accounts and for anonymous statistical analyses. Additional information concerning the data storage period as well as the right to objection can be found under further information on the use of the online marketplace at kaufland.de/rechtliches/datenschutz.

b) Registration via social login (Facebook, Google, Apple)

Purpose of the data processing/legal basis: We offer the opportunity of using your social media accounts (for example, Facebook, Google or Apple) to register and log in to the Kaufland websites or the Kaufland app (“social login”). In this case, an additional registration to one of the Kaufland customer accounts is not necessary. Rather, your social media user account (Apple, Google, Facebook account) will be linked to the Kaufland websites and apps, allowing you to authenticate yourself vis-à-vis the Kaufland customer account and log in to the Kaufland services with this user account. The advantage for you is that you don’t have to remember a new password for the Kaufland online services.

Categories of data that Kaufland receives from your social media account: By virtue of this linking and depending on the data protection settings you have chosen for your social media account, we automatically receive from the provider of your social media account (Apple lnc., Facebook lnc., or Google lnc.) at most the following information:

• Surname, first name
• Title (this may infer your gender)
• Phone number
• E-mail address
• Date of birth

For social logins via Google, we also receive, in line with the settings in your Google account, the following data:

• Billing address/shipping address

We store this data in the Kaufland customer accounts you have created via social login and use the data exclusively for the Kaufland services you have selected.

Categories of data that Kaufland transfers automatically to your social media account provider: The operator of the social media account you use to authenticate vis-à-vis the Kaufland services always receives the following data automatically by virtue of the linking and each login:

• Information that you have registered for a Kaufland service for the first time using your social media account and therefore have a Kaufland customer account.
• Information regarding when you log in to a Kaufland service using the social login (time and date).

This data transfer is automated and mandatory when using the social login of the social media provider. No additional information is transferred. In particular, the social media account operator does not receive any usage data or information regarding how long you are logged in to Kaufland services and what activities you carry out in Kaufland services (for example, purchases, K-App functions, etc.) or other data stored in your Kaufland customer account. Data synchronisation does not take place.

The legal basis for processing your data in connection with the use of the optional social login is your consent as described below in accordance with Art. 6 para. 1 (1) a) GDPR. By using the social login service, you consent to the collection, processing and use of your data as described in the following points 1) to 3):

1) I consent to the following data being transferred by my social media service provider (Apple, Facebook or Google) to Kaufland as part of the social login procedure:

• Surname, first name
• Title (this may infer your gender)
• Phone number
• E-mail address
• Date of birth

In line with the settings in my Google account, the following additional data may be shared:

• Billing address/shipping address

Kaufland may store this data in my personal Kaufland customer account and use it exclusively for registration purposes, to address me personally in my customer account and for Kaufland services as selected by me.

2) I also consent to the following data being automatically transmitted by the Kaufland servers to the provider of the social media account I use for social login within the scope of the voluntary optional use of the social login function:

• Information that you have registered for a Kaufland service for the first time using your social media account and therefore have a Kaufland customer account.
• Information regarding when you log in to a Kaufland service using the social login (time and date).

3) I am aware that the provider of my social media account may be based in a country outside the European Union (for example, in the USA) which has a lower legal level of data protection than the European Union and, as a result, certain entities there, for example, investigating authorities or companies may be able to access this data from my social media account provider. As such and within the scope of the voluntary use of the social login, I expressly consent to the transfer of the aforementioned data to the country in which the operator of my social media account is based in accordance with Art. 49 para. 1 (1) a) GDPR, knowing the lower level of data protection and the associated risks.

You can revoke this consent at any time and with effect for the future by sending an e-mail to [email protected] In this case, you can no longer use the social login function, but will have to register for a customer account in the conventional way. All data stored about you to date on the basis of this consent will also be deleted.

Your provider is legally responsible for processing the data transferred to the operator of your social media account. Therefore, the data protection notice of the country in which the provider is based applies. The relevant data protection information regarding the Apple, Facebook and/or Google login and the privacy settings of your social media account can be found in the data protection notices and the terms of use of

• Apple (https://www.apple.com/de/privacy/features/)
• Facebook (https://www.facebook.com/legal/terms)
• Google ((https://business.safety.google/privacy/

Recipients/categories of recipients: Your Kaufland customer account data can generally only be accessed by the departments within the Kaufland Group charged with managing the Kaufland online marketplace websites and the Kaufland customer accounts or which offer the specific Kaufland service used by you. With the exception of the data disclosed to your social media account provider, this data will not be passed on to third parties outside the Kaufland Group.

Storage period/criteria for determining the storage period: The social login data will be stored in your Kaufland customer account and processed as described until you revoke your consent.

c) Logging in via other services

(1) Klarna

Storage period/criteria for determining the storage period: We offer you the opportunity to register and log in to the Kaufland websites via Klarna. In this case, an additional registration to one of the Kaufland customer accounts is not necessary. Rather, the Klarna user account is linked to the Kaufland customer account so that you can authenticate yourself using the Klarna account and thereby log in to the Kaufland services. The advantage for you is that you don’t have to remember a new password for the Kaufland online services. Categories of data that Kaufland receives from Klarna: By virtue of this linking and depending on the data protection settings you have chosen for your Klarna account, we automatically receive at most the following information from Klarna:

Categories of data that Kaufland receives from Klarna: By virtue of this linking and depending on the data protection settings you have chosen for your Klarna account, we automatically receive at most the following information from Klarna:

• Surname, first name
• E-mail address
• Phone number
• Date of birth
• Billing address/shipping address

The date of birth is sent to us, but is not stored. We store the remaining data in the Kaufland customer accounts created via Klarna and use this data exclusively for the Kaufland services you have selected (for example, customer account log in, registration for Kaufland Card benefits programme, purchasing on the kaufland.de online marketplace).

Categories of data that Kaufland transfers automatically to Klarna: Klarna automatically receives the following data from Kaufland as part of the initial registration via Klarna through the initial linking of the accounts and with each subsequent login:

• Information that you have registered for a Kaufland service for the first time using your Klarna account and therefore have a Kaufland customer account.
• Information regarding when you log in to a Kaufland service using the Klarna account (time and date).

This data transfer is automated and mandatory when using your Klarna login. No additional information is transferred. In particular, Klarna does not receive any usage data or information regarding how long you are logged in to Kaufland services and what activities you carry out in Kaufland services (for example, purchases) or other data stored in your Kaufland customer account. Data synchronisation does not take place.

The legal basis for processing your data when using the optional login via Klarna is our legitimate interest in the data processing described in accordance with Art. 6 para. 1 (1) f) GDPR.

You can object to this data processing at any time by sending an e-mail to [email protected] In this case, you can no longer log in via Klarna, but will have to register for a customer account in the conventional way. All data stored to date will also be deleted.

Klarna is legally responsible for processing the data transferred to Klarna. Therefore, the data protection notice of the country in which the provider is based applies. The data protection information regarding the Klarna login and the Klarna privacy settings can be found in the Klarna data protection notices and terms of use.und Nutzungsbedingungen von Klarna.

Recipients/categories of recipients: Your Kaufland customer account data can generally only be accessed by the departments within the Kaufland Group charged with managing the Kaufland online marketplace websites and the Kaufland customer accounts or which offer the specific Kaufland service used by you. With the exception of Klarna, this data will not be passed on to third parties outside the Kaufland Group.

Storage period/criteria for determining the storage period: The login data will be stored in your Kaufland customer account and processed as described until you revoke your consent.

(2) Paypal

Purpose of the data processing/legal basis: We offer you the opportunity to register and log in to the Kaufland websites via PayPal. In this case, an additional registration to one of the Kaufland customer accounts is not necessary. Rather, the PayPal user account is linked to the Kaufland customer account so that you can authenticate yourself using the PayPal account and thereby log in to the Kaufland services. The advantage for you is that you don’t have to remember a new password for the Kaufland online services.

• Surname, first name
• E-mail address
• Phone number
• Date of birth
• Billing address/shipping address

The date of birth is sent to us, but is not stored. We store the data in the Kaufland customer accounts created via PayPal and use this data exclusively for the Kaufland services you have selected (for example, customer account log in, registration for Kaufland Card benefits programme, purchasing on the kaufland.de online marketplace).

Kaufland does not transmit any data to PayPal.

The legal basis for processing your data when using the optional login via PayPal is our legitimate interest in the data processing described in accordance with Art. 6 para. 1 (1) f) GDPR.

You can object to this data processing at any time by sending an e-mail to [email protected] In this case, you can no longer log in via PayPal, but will have to register for a customer account in the conventional way. All data stored to date will also be deleted.

PayPal’s data protection information privacy settings can be found in the Paypal data protection notices and terms of use.

Recipients/categories of recipients: our Kaufland customer account data can generally only be accessed by the departments within the Kaufland Group charged with managing the Kaufland online marketplace websites and the Kaufland customer accounts or which offer the specific Kaufland service used by you. With the exception of PayPal, this data will not be passed on to third parties outside the Kaufland Group.

Storage period/criteria for determining the storage period: The login data will be stored in your Kaufland customer account and processed as described until you revoke your consent.

III. Further information on using the Online Marketplace Websites

Under the heading "Controller", we provide you with initial information about the controller, the data protection officer and any contact options. Under "General information on using the Online Marketplace Websites/app area", we then provide you with generally applicable information. Under the headings "Further information for customers" and "Further information for sellers", we provide you with information specific to the respective user group.

1. Controller
2. General information on using the Online Marketplace Websites/app area
3. Further information for customers
4. Further information for sellers

Should you have any further questions about how your personal data is collected, processed and used or any specific processes, we or our data protection officer will be happy to respond to them via the contact options set out below.

In the event of any significant changes to the privacy policy, the marketplace operator will notify users via e-mail.

1. Controller

I. Name and address of the controller

In the interests of transparency, we would first like to point out that the entire marketplace business of real GmbH was transferred to Kaufland Marketplace GmbH with effect as of September 29, 2020 pursuant to a spin-off and contribution agreement.

The "controller" within the meaning of the GDPR and other national data protection laws of the member states and any other data protection law provisions is:

Kaufland Marketplace GmbH
registered office: Stiftsbergstraße 1,
74172 Neckarsulm
HRB no.: HR B 774318, Local Court (Amtsgericht) of Stuttgart

II. Contact details and address of our data protection department

Should you have any questions relating to the processing of your personal data, you can contact us at the following addresses:

Contact data

Via e-mail:

[email protected]

Via post:

Kaufland Marketplace GmbH
Data protection officer Marketplace postal address: Marktplatz , c/o Kaufland e-commerce Services GmbH & Co. KG Habsburgerring 2
50674 Cologne, Germany

III. Contact details and address of the data protection officer

datenschutz süd GmbH Dr. Christian Borchers Wörthstraße 15
97082 Würzburg, Germany 97082 Würzburg, Germany, [[email protected]](mailto: [email protected])

2. General information on using the Online Marketplace Websites/app area

We collect and use personal data of our users primarily for the specific purpose for which the data was provided to us, i.e., specifically for providing the contractual services, processing your order, sending newsletters or coupons subscribed/ordered by you, for notifications in connection with prize draws, or where this is necessary in order to provide functional websites as well as our content and services.

Information on the specific processes:

I. Provision of the Online Marketplace Websites/App area and creation of log files

(1) Description and scope of data processing

Each time you access our website, our system automatically collects data and information from the computer system of the requesting computer. The following data is collected in this process, insofar as it is transmitted due to your browser settings:

• information on the browser type and version used
• the user's operating system
• the user's IP address
• date and time of access
• the last web page from which the user's system accessed our website
• country and location of access

The data is stored in our system's log files for a short time. It is not stored together with other personal data of the user.

(2) Legal basis for the data processing

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 (1) lit. (f) GDPR.

(3) Purpose of the data processing

The temporary storage of the IP address by the system is necessary to allow for delivery of the website to the user's computer. For this purpose, the user's IP address must be stored for the duration of the session. Log files are stored in order to ensure the functionality of the Online Marketplace Websites. We also use the data to optimize the Online Marketplace Websites and ensure the security of our IT systems.These purposes constitute our legitimate interest in data processing in accordance with art. 6 para. 1 (1) f) GDPR.

(4) Recipients/categories of recipient

The data can generally only be accessed by the departments within the Kaufland Group charged with managing the Online Marketplace Websites. No data will be transferred to third parties outside the Kaufland Group.

(5) Duration of storage

The log files are stored in the active systems for 14 days and thereafter archived. Archive log files are stored for two years because they may be required for analytical purposes in order to effectively combat cyber crime.

(6) Right to object and removal

Collecting the data for the provision of the website and storing the data in log files is required in order to operate the website. Provided the requirements of Article 21 GDPR are met, you have the right to object to this data processing. However, in addition to objecting to the processing, you must demonstrate grounds relating to your particular situation, because the processing of the data is necessary for the site's operation.

II. Use of cookies in general

We, Kaufland Marketplace GmbH, are also the controller with respect to data processing in connection with the use of "cookies" and other similar technologies to process usage data on the Online Marketplace Websites.

Cookies are small text files that are created automatically by your browser and stored on your end device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any harm to your end device, nor do they contain any viruses, trojans or other malware. The cookie merely stores certain information that results in connection with the specific end device deployed. This does not, however, mean that we will immediately become aware of your identity.

Cookies and the other technologies used to process usage data are deployed for the following purposes, depending on the categories of cookie/other technologies:

Technically necessary: These are cookies and similar technologies that are necessary for you to use our services (for example to correctly display our website/the functions you request, to record you signing in or to fill your shopping cart when making online purchases, etc.).

Preferences: Using these methods, we can take into account your actual or perceived preferences to enhance the user experience. For example, we can use your settings to display the items most recently viewed on our websites.

Statistics: These methods enable us to tailor the design of our services by producing pseudonymized statistics about how they are used. For example, we can use them to determine how better to adapt our websites to user habits.

Marketing: These enable us to display relevant advertising content based on an analysis of your pseudonymized usage behavior. Your usage behavior can also be tracked over various websites, browsers or devices via a user ID (unique identifier). Your consent to the collection of the pseudonymized user profile and its disclosure for marketing purposes together with the pseudonymized user ID enables relevant advertising content to be displayed to you on other Kaufland websites and services and, where applicable, other** third-party channels, that corresponds to your presumed interests based on your user profile**. We also analyze your use of our Kaufland websites (e.g., advertising banners viewed or clicked), firstly to optimize our advertising and offers for you and other customers, and secondly to provide our advertising partners pseudonymized data for billing purposes and to optimize their marketing campaigns. Our advertising partners cannot use this information to identify you. If you do not give your consent or if you withdraw your consent with effect for the future, you will only be displayed random content on the respective web banners on our services and websites and those of third parties.

Advertising using the IAB TCF: For some advertising, we use a specific standard for obtaining and implementing consent in connection with i.e. personalised advertising, called the Transparency and Consent Framework ("TCF") of the Interactive Advertising Bureau Europe (“IAB”) (see below for more information).

Most browsers have functions which allow users to opt out of cookies generally or to delete cookies accepted by a website after the end of the session. The "help" function in the menu bar of most web browsers explains how to set your browser to reject new cookies, alert you when you receive a new cookie, or even how to delete all cookies you have already received and block your browser from receiving any more. On the other hand, under VII. Right to object and removal, you may withdraw your consent with respect to the use of technically unnecessary cookies on our website. This will delete all cookies that were set for the respective domain of the Online Marketplace Websites and are technically unnecessary.

III. Use of technically necessary cookies in connection with operating the Online Marketplace

(1) Description and scope of data processing

1a. Order processing and account services

We use technically necessary cookies to, for example, save your shopping carts or wish lists in order to make it easier for you to place an order next time. Once you have completed your order, and you visit our website the next time, you will be recognized as a customer with the help of a corresponding cookie, which will make it easier for you to place new orders.

For example, the following data is stored in and transmitted via cookies:

• language settings
• items in a shopping cart
• login details

1b. Performance metrics and A/B testing

We also use technically necessary cookies for performance metrics and A/B testing. We use the following technologies for this purpose:

Lux by Speedcurve

We use LUX technology by SpeedCurve to obtain anonymized metrics of the load times of our web pages. This is necessary to ensure proper performance.

For details, see https://support.speedcurve.com/en/articles/2044623-data-protection-gdpr-compliance-at-speedcurve.

Optimizely Full Stack

We also use Optimizely technology in two different ways:

On the one hand, we use the tool to quickly switch on and off or control essential functionalities of the websites ("feature flagging"), such as the display of product descriptions or the display of contact options. We classify the use of Optimizely in the context of the feature flagging as "technically necessary", because it controls essential functionalities of our websites and is the only way we can ensure their stable functionality.

We also use the tool to run and track A/B tests. A/B tests are tests in which certain page features are made visible to only a portion of our users. Certain performance metrics are then measured over the runtime of the A/B test by assigning a user to group A (has not seen feature) or group B (has seen feature). Usage behavior will only be measured by data transfer to Optimizely if a user has consented to "statistics" cookies. The information generated about your use of our website is transmitted to one of Optimizely's servers in the U.S. and stored there. Optimizely will use this information for the purpose of evaluating your use of our website in order to compile reports on website activity for us. To the extent prescribed by law or where third parties process such data on behalf of Optimizely, this information will also be disclosed to those third parties.

The data is used in anonymized form and only in the event that you have been randomly categorized into a tester group, in which case the following data will be stored in particular:

• browser information
• the accessed website (only where a test is being conducted there or target achievement is being measured)
• date, time and duration of the visit to our website

For details, see Optimizely.

(2) Legal basis for the data processing

The legal basis for the use of technically necessary cookies and similar technologies is section 25 para. 2 no. 1 Telecommunications Digital Services Data Protection Act (TDDDG) and Art. 6 para. 1 (1) b)) and f) General Data Protection Regulation (GDPR), i.e. we process your personal data in the course of contract initiation or contract processing if you place orders on the marketplace and in our legitimate interest to provide you with our website and services.

(3) Purpose of the data processing

The purpose of using technically necessary cookies is to make websites more user-friendly and consistently maintain their utility. Some functions of our website cannot be offered without the use of cookies because they require that the browser be recognized even after a page change.

These purposes also constitute our legitimate interest in processing the personal data under Article 6(1)(f) GDPR.

(4) Recipients/categories of recipient

Insofar as the above-listed service providers are given access to personal data for support purposes, data processing agreements in accordance with Article 28 GDPR have been entered into with them.

(5) Duration of storage, right to object and removal

The data will be deleted as soon as it is no longer required for our record-keeping purposes.

(6) Right to object and removal

The use of technically necessary cookies is required in order to operate the website. If the data processing is based on Art. 6 para. 1 (1) f) GDPR, the user has the right to object in accordance with Art. 21 GDPR. However, in addition to objecting to the processing, you must demonstrate grounds relating to your particular situation, because the processing of the data is necessary for the site's operation.

IV. Use of cookies to take into account your actual or perceived preferences (preferences)

1. Description and scope of data processing As described above, cookies are used at this point on our website to enable the convenient use of our websites based on your actual or perceived preferences. To do this, we use settings you choose or information about your interactions to customize the user interface (e.g., to show you your most recently viewed products or make suggestions based on your preferences as determined by us). This data is not linked to a permanent identifier.

2. Legal basis for the processing of personal data
   The legal basis for using cookies and similar technologies with respect to A/B tests as well as data processing is your consent as based on section 25 para. 1 TDDDG and Art. 6 para. 1 (1) a) GDPR.

3. Purpose of the data processing
   Processing users' personal data allows us to optimize our website and customize it so that you receive the offers that are relevant to you.

4. Recipients/categories of recipient The data can generally only be accessed by the departments within the Kaufland Group charged with managing the Online Marketplace Websites. Insofar as service providers are given access to personal data, data processing agreements in accordance with Article 28 GDPR have been entered into with them.

5. Duration of storage
   The data will be deleted as soon as it is no longer required for our record-keeping purposes.

6. Right to object and removal
   Please refer to the information under VII. Right to object and removal.

V. Use of cookies for statistical web analytics on the Online Marketplace

(1) Description and scope of the processing of personal data

We use various analytical tools on our website, which, among other things, provide information about the web browsing behaviour of our users.

Specifically:

1a. Google Marketing Platform/Analytics 360
Our website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which uses "cookies".

The following data is stored in particular whenever individual pages on our website are accessed:

• two bytes of the IP address of the user's accessing system
• information on the accessing system's operating system
• browser information
• the website accessed
• the website from which the user reached the website accessed (referrer URL)
• the sub-pages accessed from the website accessed
• the time spent on the website
• the date and time of your visit to our website

The information about your use of our website may be transmitted to one of Google's servers in the U.S. and stored there. Google will use this information for the purpose of evaluating your use of our website in order to compile reports on website activity for us and to provide other services relating to the use of the website and the Internet. We have entered into an agreement with Google in this regard to process data on our behalf pursuant to Article 28 GDPR.

To the extent prescribed by law or where third parties process such data on behalf of Google, Google will transfer it to those third parties as well. The data in this case will be used in anonymized or pseudonymized form. For details, see Google.

Cross Device Tracking

If you log in to a third party provider with your own user data, the respective recognition attributes of different browsers and terminal devices can be linked. So if, for example, the third party provider has created a separate attribute for each laptop, desktop PC, or smartphone or tablet you use, these individual attributes can be assigned to each other as soon as you use your login data to access a third party provider's service. This way, the third party provider can precisely manage our advertising campaigns even across multiple terminal devices.

Processing in a third country under data protection law

If the data is processed outside the EU or EEA in this context, please note that there is a risk that authorities may be able to access the data for security and monitoring purposes without you being informed of this or having any legal recourse. If we use providers in unsafe third countries and you consent, the transfer to a third country is based on Art. 49 para. 1 (1) a) GDPR.

You may withdraw your consent to the processing at any time (see information in section 5). The data processing will be lawful until such time as consent is withdrawn. If you do not want Google Analytics to have access to your usage behavior as just described, you can install an opt-out add-on for your browser. For details on this add-on and how to enable it, see: https://tools.google.com/dlpage/gaoptout/.

Google Consent Mode (Behavioral Modeling):

As your privacy is very important to us, you have the option to decline statistics cookies. In order to be able to determine the utilization of our website even in these cases, Google Consent Mode employs behavioral modeling estimates. These are used to estimate the behavior of users on our websites who decline cookies. For this purpose, information (the page the user is on, device type, browser, time) is collected so that a suitable behavioral modeling estimate can be used. The IP address is replaced entirely by a general IP address of a kaufland.de server. This way, the user's IP address is not visible for Google and the information cannot be used to directly identify and recognize the user.

1b. Google Optimize

We use Google Optimize to test different variants of our website using so-called A/B tests in order to determine which variant performs best. Google Optimize analyzes the usage of different website variants which allows us to adjust the user experience to match the behavior of the website users. Google Optimize is a tool integrated in Google Analytics and uses cookies.

1c. ContentSquare

Our website also uses ContentSquare, a web analytics service provided by Content Square S.A.S, which uses "cookies".

The following data is stored in particular whenever individual pages on our website are accessed:

• two bytes of the IP address of the user's accessing system
• information on the accessing system's operating system
• the website accessed
• the website from which the user reached the website accessed (referrer URL)
• the sub-pages accessed from the website accessed
• the time spent on the website
• the date and time of your visit to our website
• information on interactions with web page elements (clicks, mouse position, scroll, hover, blur, focus, anonymized HTML content)
• product-related transaction data

ContentSquare will use this information for the purpose of evaluating your use of our website in order to compile reports on website activity for the website operators and to provide other services relating to the use of the website and the Internet. The data in this case will be used in pseudonymized form.

If you do not want ContentSquare to have access to your usage behavior as just described, you can install an opt-out add-on for your browser. Otherwise please refer to the information on your right to object and removal provided below.

(2) Legal basis for the processing of personal data

The legal basis for using statistical cookies and similar technologies in cooperation with the various web analysis service providers, as well as data processing, is your consent as based on section 25 para. 1 TDDDG and Article 6 para. 1 (1) a) GDPR.

The legal basis for data processing with respect to Google Consent Mode is Article 6 para. 1 (1) f) GDPR.

(3) Purpose of the data processing

Processing users' personal data allows us to analyze the web browsing behavior of our users. By analyzing the data, we can compile information on the use of the individual website elements in aggregated form and ensure and continuously optimize the user-friendliness and utility of the website.

We use Google Consent Mode so that we can track how many users visit our website, which parts of our website they visit and how often. This allows us to avoid user-unfriendly experiences and optimize the use of our website.

(4) Recipients/categories of recipient

Insofar as the above-listed service providers are given access to personal data, data processing agreements in accordance with Article 28 GDPR have been entered into with them.

(5) Duration of storage

The data will be deleted as soon as it is no longer required for our record-keeping purposes.

(6) Right of withdrawal, right to object and removal

Please refer to the information under VII. Right to object and removal.

VI. Use of marketing cookies on the Online Marketplace

(1) Description and scope of the processing of personal data

We work with various targeting service providers for advertising and marketing purposes. For this purpose, we store cookies on our server which allow us to analyze the use of our website by you and others (see information above). These cookies are used to record information about the use of our website, which is then transmitted to one of the servers operated by our service providers and stored there.

1a. Google Remarketing

We also use the remarketing technology offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. With this technology, users who had previously visited our websites and online services and were interested in the services offered are re-targeted by interest-based ads on the pages of the Google Partner Network. Ads are displayed by deploying cookies. Specifically, they are used to analyze users' behavior when they visit the website and then place targeted product recommendations and interest-based ads.

You can opt out of Google’s interest-based advertising cookies by going to https://adssettings.google.de/ or users can opt out of third-party cookies by going to https://optout.networkadvertising.org/. By using our services, you consent to the processing of data about you collected by Google as described herein and for the purposes set out above. Please be advised that Google has its own data protection policies which are independent of ours. We assume no responsibility or liability for these policies and procedures. Before using our website, please read the information at https://business.safety.google/privacy/.

1b. Google Marketing Platform/Display & Video 360 und Campaign Manager

With the Google DoubleClick tool, we use a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, in order to display ads of relevance to you. Cookies are used for this purpose, which do not contain any personal data. The DoubleClick cookies use a pseudonymized ID number assigned to your browser, which is used to verify the display and viewing of ads. This allows Google and its partner sites to place ads based on previous visits to the Online Marketplace or other websites. The information that these DoubleClick cookies generate is transmitted by Google to a server in the U.S. and stored there. Data will only be transferred to third parties in accordance with statutory provisions or in the context of a commissioned data processing arrangement. By using the Online Marketplace Websites, you consent to Google using the aforementioned data and processing it as described above. You may configure your browser settings to disable cookies. However, please be advised that in such a case you may not be able to use all the functions of our website and pages may not be displayed properly. If you do not want to disable cookies generally but do not want DoubleClick cookies to be used, you can go to Google and download and install the browser plugin to opt out of Google’s DoubleClick service.

1c. Facebook Custom Audiences

As part of our interest-based online advertising, we also use communication tools offered by the social media network Facebook, in particular the product "Website Custom Audiences". Basically, a non-reversible and non-personal code (hash) is generated from your usage data, which can be transmitted to Facebook for analysis and marketing purposes. For Website Custom Audiences, the Facebook cookie is deployed for this process. Further information on the purpose and scope of data collection and further processing and use of the data by Meta Platforms Inc-and your options to protect your privacy is available in Facebook's privacy policy at https://www.facebook.com/policy.php. If you want to opt out of Facebook Website Custom Audiences, you can do so at https://www.facebook.com/.

1d. Google Ads

As an AdWords customer, we also use Google Conversion Tracking, an analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you are redirected to our websites via a Google ad, Google AdWords places a cookie on your computer. These cookies cannot be used to identify you and expire after 30 days. If you visit our site within the 30-day period and the cookie has not yet expired, we and Google can recognize that someone clicked on the ad and was redirected to our site. Each AdWords customer receives a different cookie. This means that cookies cannot be tracked via the websites of AdWords customers. The information obtained from the conversion cookie allows conversion statistics to be created for AdWords customers who have opted for conversion tracking. AdWords customers thereby receive information about the total number of users who clicked on their ad and were redirected to a page containing a conversion tracking tag. However, they do not receive any information that could personally identify users.

You may configure your browser settings to disable the automatic acceptance of cookies if you do not wish to participate in conversion tracking. You may also disable cookies for conversion tracking by configuring your browser so that cookies from the domain googleleadservices.com are blocked.

Google Consent Mode (Conversion Modeling):

As your privacy is very important to us, you have the option to decline marketing cookies. In order to be able to determine the impact of our marketing efforts even in these cases, Google Consent Mode employs behavioral modeling estimates. These are used to estimate the behavior of users on our websites who decline cookies. For this purpose, information (the page the user is on, device type, browser, time and an anonymized IP address) is collected so that a suitable behavioral modeling estimate can be used. The IP address is replaced entirely by a general IP address of an Online Marketplace server. This way, the user's IP address is not visible for Google and the information cannot be used to directly identify and recognize the user. We do not store any data of yours in the context of using Google Consent Mode. The recipient of the anonymized data is Google. No personal data of yours is disclosed in the process.

1e. Google AdSense

We also use Google AdSense, a web advertising service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to place ads (text ads, banners, etc.). As such, your browser may store a cookie sent by Google or third parties. The information stored in the cookie may be recorded, collected and analysed by Google or third parties. Google AdSense also uses “web beacons” (small invisible images) to gather information. Through the use of web beacons, simple actions such as visitor traffic to the website can be recorded, collected and analysed. The information generated by the cookie and/or web beacon will be transferred to a Google server in the U.S. and stored there. Google will use this information to evaluate your use of the site with respect to AdSense ads. Google may transfer this information to third parties if this is prescribed by law or if third parties are processing this data on Google’s behalf. Google will not associate your computer’s IP address with any other data stored by Google. Here, too, you can prevent cookies from being stored on your hard drive and the display of the web beacons. As already described for the other cookies, you must disable the acceptance of cookies in your browser settings. By using our services, you consent to the processing of data about you collected by Google as described herein and for the purposes set out above. Please be advised that Google has its own data protection policies which are independent of ours. We assume no responsibility or liability for these policies and procedures. Before using our website, please read the information at https://business.safety.google/privacy/.

1f. Microsoft Bing Ads

Finally, we use Microsoft Bing Ads. When you are redirected to our websites after clicking on a Microsoft Bing Ad, a cookie is placed on your computer. This allows Microsoft Bing and us to recognize that a user has clicked on an ad, was redirected to our websites and has reached a "conversion site". This only serves to provide us with information on the total number of users who have clicked on a Bing Ad and were then redirected to the conversion site. No personal information on the user's identity is communicated. If you do not wish to participate in tracking, you may also reject the cookie required for this, for example via browser settings that generally disable the automatic acceptance of cookies. For more information on data privacy and cookies used by Microsoft Bing, see: https://privacy.microsoft.com/de-de/privacystatement.

1g. Shopping24

The websites use recomAD, a tool for providing product recommendations offered by shopping24 Gesellschaft für multimediale Anwendungen mbH, Poßmoorweg 2, 22301 Hamburg, Germany. recomAD matches user search requests with suitable product recommendations and displays these to the user.

With each product click, recomAD places cookies which enable recomAD to detect natural clicks.

Whenever a product recommendation is clicked on, recomAD collects and stores data such as the IP address, browser type and the site visited. This data is collected and stored solely for billing-related purposes by detecting non-natural clicks. No data is stored in the cookie that would permit the user to be identified. For more information on data privacy and the cookies used, see Shopping24's website at: https://www.s24.com/datenschutzerklaerung/. (2) Legal basis for the processing of personal data

The legal basis for using self-promotional cookies and similar technologies in cooperation with the various web analysis service providers, as well as data processing, is your consent as based on section 25 para. 1 TDDDG and Art. 6 para. 1 (1) a) GDPR.

The legal basis for data processing with respect to Google Consent Mode is Article 6 para. 1 (1) f) GDPR.

(3) Purpose of the data processing

Processing users' personal data allows us to optimize our online marketing and customize it so that you receive the offers that are relevant to you. These services also help finance the website.

We use Google Consent Mode so that we can track the impact of our online marketing efforts and whether they were useful for us as well as for you as a customer.

(4) Recipients/categories of recipients

Insofar as the above-listed service providers are given access to personal data, data processing agreements in accordance with Article 28 GDPR have been entered into with them.

(5) Duration of storage

The data will be deleted as soon as it is no longer required for our record-keeping purposes.

(6) Right to object and removal

Please refer to the information under VIII. Right to object and removal.

VII. Use of cookies for advertising using the IAB TCF

(1) Description and scope of the processing of personal data

We cooperate with Virtual Minds GmbH (Ellen-Gottlieb-Straße 16, D-79106 Freiburg im Breisgau, Germany) for the display of personalised advertising outside Kaufland Online Marketplace (accessible via www.kaufland.de), as mutually responsible within the meaning of Art. 26 DSGVO. We use the so-called Transparency and Consent Framework ("TCF") of the Interactive Advertising Bureau Europe ("IAB"), a standard for obtaining and implementing consent declarations in connection with personalised advertising, for example.

With your consent, cookies will be stored on your end device (and read from it), by means of which the data specified in more detail below will be collected and then processed for the purposes stated below.

You can contact either us or Virtual Minds GmbH when exercising your data subject rights described below with regard to the data processing described in this paragraph. In the Virtual Minds GmbH Data Privacy Statement, you will also find further information on how you can exercise your data subject rights directly towards Virtual Minds GmbH.

Advertising using the IAB TCF includes the display of advertising on third-party digital media (i.e. outside the scope of our website), such as other websites, apps, smart TVs, etc. (“third-party media”). If you have consented to this, we may store cookies on your device that enable these third-party media to recognise your browser.

Depending on the specific scope of your consent, the following types of personal data may be processed (for details, please see the buttons of the specific purposes within the consent):

Data about your use of our website and third-party media, e.g.

• content from websites,
• click paths,
• display of and interactions with advertisements
• Your IP address
• The TC string generated for you (a coded string containing information about the granting and scope of your consent)
• Your location data
• Data about the end devices you use
• Products you placed in a shopping cart in our online marketplace and whether you purchased them
• If a member of your household has also given their consent to this, we will also link your data with that of the member of your household, particularly with data about the end devices they use
• Attributes derived from this (e.g. age group, product interest);

(2) Legal basis for the processing of personal data

The legal basis for the use of cookies and similar technologies for advertising and performance measurement using IAB TCF as well as the associated data processing is your consent in accordance with Section 25 (1) TDDDG and Art. 6 (1) a) GDPR.

(3) Purpose of the data processing

With your consent, we may, together with Virtual Minds GmbH, create an individual profile about you and/or target groups into which we categorise you (so-called ‘segments’) in order to enable third parties to play personalised advertising on third-party media via the end devices assigned to you and your household members.

Along with the display of the advertising and with your consent, processing is carried out for ad measurement (in particular to determine the performance and success of an advertisement), to gain knowledge about target groups (in particular to learn more about the target groups to which the advertising is displayed), for product development and for the technical safeguarding and optimisation of these advertising displays. If a member of your household has also provided their consent, we will also link your data to that of your household member and process it with their consent for the stated purposes or process your data for the purposes requested by the household member. The individual purposes and functions and the processing operations assigned to the data are specified in more detail in the consent

(4) Recipients/categories of recipients

As already described, we are jointly responsible with Virtual Minds GmbH for the data processing described here. We will be happy to provide you with the fundamental content of the underlying agreement upon request – use the options provided under “Contact details”.

We work together with other advertising partners to display the advertising. These partners are only involved in the processing in connection with the display of the advertisements on the third-party media and the related (technical) functions, not in the creation and analysis of your advertising profile as presented in the context of the consent. We only pass on to these advertising partners key figures that only we can assign to a specific usage behaviour – divided into specific customer or usage categories (segments). Information about your individual usage behaviour will not be passed on to advertising partners under any circumstances. Our advertising partners are as follows: The UK Trade Desk Ltd., c/o The Trade Desk, Inc., 42 N. Chestnut Street, Ventura, CA 93001, USA; regarding the Active Agent service: Virtual Minds GmbH, Ellen-Gottlieb-Straße 16, D-79106 Freiburg im Breisgau, Germany; Xandr Inc., 28W. 23rd Street 4th Floor, New York, NY, 10010, USA; Trakken GmbH, Zirkusweg 1, 20359 Hamburg, Germany and Adform A/S, Silkegade 3B, ST &1, 1113 Copenhagen, Denmark DK26434815.

In addition, other contract processors are also involved in the display of advertising, who support us in particular in the planning, control and processing of the respective advertising campaign.

Provided that these advertising partners or other processors receive access to personal data, processing contracts have been concluded with these service providers in accordance with Art. 28 DSGVO.

(5) Duration of the storage

The data will be deleted as soon as it is no longer required for the aforementioned purposes. More detailed information about the respective cookie is available below under the “Expiry” column. If “persistent” is entered in the “Expiry” column, the cookie is stored permanently until the corresponding consent is revoked.

(6) Possibility of revocation and removal

In this regard, reference is made to the statements under VIII. Right to object and removal.

VIII. Right to object and removal

You may withdraw your consent to the processing at any time. The data processing will be lawful until such time as consent is withdrawn.

If you wish to exercise your right of withdrawal, click on the following link to withdraw your consent to the use of cookies on our website. This will delete all cookies that were set for the domain www.kaufland.de and are technically unnecessary.

IX. Promotional newsletters by e-mail & direct advertising

(1) Description and scope of data processing

1.1 Standard newsletter

Our website offers an option to subscribe for a free newsletter. When you sign up for the newsletter, the data from the input screen is transmitted to us.

The following data is processed and constitutes required information:

• e-mail address
• Date and time of signing up for the newsletter
• Website through which you signed up
• Type of page through which you signed up

If you sign up for the newsletter, you consent to us sending regular you e-mails at the e-mail address you provided with information about current offers, products, special promotions, satisfaction surveys relating to products, services, events and prize draws of the Kaufland Group.

The process will be as follows: First of all, we will send an e-mail to the e-mail address provided containing a link for verifying your e-mail address (double opt-in process). If you do not confirm registration, your data will be deleted after seven days. If you click on the link to verify your e-mail address, we will store this confirmation of your e-mail address in a log file as evidence of your consent. Only then do we process your e-mail address for the purpose of sending the newsletter you signed up for until you withdraw your consent. If you open our e-mail newsletter, click on embedded links or send a website form after clicking on a link, this is recorded, but is not stored in a manner that allows you to be identified personally. This data is anonymous and can only be evaluated in the form of aggregated statistics. We therefore do not create a personal profile about your newsletter reading habits without your express additional consent.

1.2 Consent to newsletter customization

If you additionally consent to the customization of the newsletter you have subscribed for (optional), you consent to us:

• linking the newsletter to your existing Kaufland customer account in order to tailor the content of the newsletter to your presumed interests and shopping preferences based on both past and future transaction data and transaction-related data in your customer account (this includes products purchased, returns, support tickets, ratings, value of goods in shopping cart, purchase frequency, delivery address, name, gender, birthday); and
• provided you separately accept advertising cookies on our websites, also evaluating your click and browsing habits on websites of the Online Marketplace and in the app (this includes clicks on products, search terms, referrer sites (websites through which users are directed to the current site), viewed products, add to cart events, products added to wish list, group for A/B testing, information about the device used, device manufacturer, operating system, browser, IP address and localization data derived from that) so as to also use this information to tailor the content of the newsletter to your presumed interests and shopping preferences.

1.3 Direct advertising

If you have made a purchase through the Online Marketplace, we will also use the e-mail address you provide in connection with the purchase to send you service information such as customer satisfaction surveys and e-mails to advertise our own similar products or services. In such case, only direct advertising for similar products or services will be sent.

(2) Legal basis for the data processing

The legal basis for processing data after subscription to the newsletter by you is consent by subscribers in accordance with Art. 6 para. 1 (1) a) GDPR. Likewise, the legal basis for personalisation of the newsletter is Art. 6 para. 1 (1) a) GDPR.

The provision of data is voluntary. If you do not provide your data, you will not be able to receive the newsletter or a customized newsletter based on separate consent.

The legal basis for direct advertising for similar goods or services after a sale of goods and services is Art. 6 para. 1 1 f) GDPR in conjunction with Art. 7 para. 3 Unfair Competition Act (Unlauterer Wettbewerbsgesetz, UWG).

(3) Purpose of the data processing

Processing users' personal data allow us to keep users informed about current offers and to advertise them.

(4) Recipients/categories of recipient

The data is processed within the Kaufland Group by Kaufland Marketplace GmbH. We use the system of our processor (Mailjet GmbH, Alt-Moabit 2, 10557 Berlin, Germany), to send the newsletter. It receives and processes the data on our behalf on the basis of Article 28 DSGVO in order to send the e-mails. Furthermore, we use the system of our processor (Heureka Group a.s. Karolinská 706/3, Karlín, 186 00 Prague, Czech Republic), who we have commissioned on the basis of Art. 28 GDPR to receive and process data for sending evaluation requests, with the intention of handling the sending of these evaluation requests in Slovakia and the Czech Republic. Your data is not processed outside the EU/EEA.

(5) Duration of storage

The data is deleted as soon as it is no longer required for the purpose for which it was collected. The user's e-mail address is therefore stored at least as long as the newsletter subscription is active. After revocation by you or discontinuation of the service, the personal data will be deleted three years after revocation/discontinuation of the service for the purposes of accountability pursuant to Art. 5 (2) GDPR and to defend against any claims for damages (Art. 83 (8) GDPR in conjunction with § 41 BDSG and § 31 (2) No. 1 OWiG and legitimate interest pursuant to Art. 6 para. 1 (1) f) GDPR), unless there are legal retention obligations.

(6) Right of withdrawal, right to object and removal

You may withdraw your consent to receiving the newsletter at any time. You may also object to direct advertising at any time. Until consent is withdrawn, the processing of data based on this consent is lawful. Please note that for technical reasons, it may take 24 hours for the withdrawal of consent to be registered in the system. Please excuse us if you receive a newsletter during this period, however in certain cases this is unavoidable. You can notify us of your withdrawal in text form by sending an e-mail to: [email protected] (for newsletters) or [email protected] (for direct advertising), or use the link provided in every e-mail. This also allows you to withdraw your consent/object to direct advertising.

For processing based on Article 6 para. 1 (1) f) GDPR, you have a right to object under Article 21 GDPR.

Es erfolgt keine automatisierte Entscheidungsfindung gem. Art. 22 Abs. 1 und 4 DSGVO.

X. Misuse of the Online Marketplace

(1) Description and scope of data processing

Where the disclosure of personal data serves to identify any misuse of the Online Marketplace requiring the enforcement of rights or where there is a statutory disclosure obligation, such data will be disclosed to authorities (in particular law enforcement agencies and tax authorities), our legal defense counsel and, if necessary, to injured third parties. Data may also be disclosed if this is necessary for enforcing our standard terms and conditions or other agreements or is required based on a statutory, official or court order. We also use the device information specified in I) 1) no. 1, no. 3, and no. 6 to identify any potential misuse of a customer account. To protect your customer account, we will send you an e-mail if we detect any unusual login activity, such as login attempts from a different location than usual or via a different device.

(2) Legal basis for the data processing

The legal basis for processing your data is Art. 6 para. 1 (1) f) GDPR.

(3) Purpose of the data processing

The data processing is required in order to ensure the security of our IT systems and processes and to comply with statutory and official requirements. The processing also indirectly serves the interests of the data subjects and the integrity of their personal data. These purposes constitute our legitimate interest in data processing in accordance with art. 6 para. 1 (1) f) GDPR.

(4) Recipients/categories of recipient

Authorities (in particular law enforcement agencies and tax authorities), our legal defense counsel and, if necessary, injured third parties.

(5) Duration of storage

The data is deleted as soon as it is no longer required for the purpose for which it was collected.

(6) Right to object and removal

You have the right to object to this data processing. However, in addition to objecting to the processing of the data, you must demonstrate grounds relating to your particular situation, because in cases of misuse, the processing of the data is necessary in order to counteract the misuse of the services provided and prevent our rights and the rights of third parties from being infringed.

3. Further information for customers

We only store your personal data if you provide it to us. We require this data, in particular your name, address and e-mail address, for processing your order via the Online Marketplace or, for example, when you participate in a prize draw or subscribe to a newsletter. The data is collected when you enter your data in the respective input screen of the order or contact form. Information on the specific processes:

I. Registration

(1) Description and scope of data processing

In order to use all of our websites' services, you must register and provide your personal data. When you enter the data in the required fields, they will be transmitted to us and stored. We collect the following data during the registration process:

• first name
• last name
• gender
• e-mail address
• password (encrypted)
• acceptance of the standard terms and conditions and confirmation of acknowledgment of the Privacy Policy, incl. the date/time of consent
• optionally, whether a newsletter has been subscribed for, incl. date/time of consent

If you have created an Online Marketplace customer account, we specifically use the e-mail provided there so that we can send you important service information or notify you of changes to your customer account. Data will also be disclosed to third parties, including in the context described below. Otherwise, you can select the "stay logged in" box in your customer account and the next time you visit the website, depending on your selected account services, you will be able to access services more quickly without having to log in again first.

(2) Legal basis for the data processing

The legal basis for processing with respect to creating a customer account is Art. 6 para. 1 (1) b) GDPR.

The legal basis for data processing with respect to the “Stay logged in” function is Art. 6 para. 1 (1) a) GDPR.

(3) Purpose of the data processing

The registration of users is necessary in order to provide certain content and services, such as the processing of orders, on our websites. This is because, in an Online Marketplace like ours, in contrast to purely online shops, it is particularly important to be able to consolidate customer data in a customer account. Among other things, this allows you as a customer to purchase several products from different sellers in a single order via our Online Marketplace. The requirement of registering a customer account ensures that orders are properly assigned and processed in the event of a complaint. This is also in keeping with the data protection law principle of data minimization because the procedure allows us to reduce the transfer of data to the sellers to the minimum necessary for processing orders.

(4) Recipients/categories of recipient

Please refer to the information under II. Order processing.

(5) Duration of storage

Customer accounts are generally deleted once a request to delete is received, unless statutory retention obligations apply.

With regard to personal data associated with customer accounts, a distinction is made as to whether or not deletion is precluded by compliance with a legal obligation. If not, the data will be blocked for further processing.

(6) Right of withdrawal, right to object and removal

You have the option to cancel your registration as a user at any time. You may have the data stored about you changed at any time. Simply log in to your customer account or contact customer service with your request. If the data is required for the performance of a contract or to take steps prior to entering into a contract, it may only be deleted early to the extent that contractual or legal obligations do not preclude such deletion. As a user, you also have the option to withdraw your consent to the processing of personal data in the context of the "stay logged in" function at any time. Simply de-select the "stay logged in" box.

II. Order processing

(1) Description and scope of data processing

The marketplace operator provides an Online Marketplace at the various Online Marketplace Websites, which it itself uses as a direct distribution channel. Various natural persons, legal entities, and partnerships ("marketplace retailers" or "sellers") can post offers to sell products in this Online Marketplace. In addition to selecting the product, the customer can also choose between various sellers. In their capacity as legal sellers, they are designated as such in the product presentation under "seller" and will be listed in the context of order processing.

(2) Legal basis for the processing

The legal basis for processing data is Art. 6 para. 1 (1) b) GDPR.

(3) Purpose of the data processing

The data is processed for purposes of order processing and thus required for the performance of a contract with the user or to take steps prior to entering into a contract.

(4) Recipients/categories of recipient

Data will be disclosed to third parties, including in the context described below:

Marketplace retailers/sellers

In cases where marketplace sellers operate their own shop in the Online Marketplace or sell you their products via the Online Marketplace, they do so in their own name. We merely act as an intermediary between sellers and purchasers. Therefore, it is essential to include the sellers in the processes in order to be able to ensure prompt processing of your order and handling of complaints. For this reason, in addition to receiving the data required for fulfillment of the legal transaction in the context of order processing, sellers also have access to the complaints system and can view the correspondence regarding the tickets (for more information, see below).

Dropshipping suppliers

Where the seller of the goods is the marketplace operator itself, the marketplace operator will procure the goods either from its own warehouses or from warehouses of suppliers, so-called "dropshippers". In such cases, the suppliers need to be included in the processes for purposes of order processing. Therefore, the shipping data necessary for the fulfillment of the legal transaction will be provided to the supplier exclusively for order processing.

Other service providers

In some cases, it may also be necessary to disclose your data to service providers such as call centers, billing offices and carriers in order to process your inquiry. Particularly in the case of transaction-related e-mail correspondence, data may be transferred to a server in the U.S. and stored there.

However, in such cases, data will only be transferred to third parties in accordance with statutory provisions or in the context of a commissioned data processing arrangement.

(5) Duration of storage

The data is deleted as soon as it is no longer required for the purpose for which it was collected. Insofar as the data collected does not serve the purpose of entering into a contract with the user, the data collected during the registration process will be deleted if the registration on our websites is canceled or modified. With respect to data collected when orders are placed, in order to perform a contract or to take steps prior to entering into a contract, the data will be deleted once it is no longer required for the performance of the contract. Even after entering into a contract, it may be necessary to store the counterparty's personal data in order to comply with contractual or statutory obligations, such as those arising from the limitation periods for warranty claims or record-keeping obligations under tax law.

(6) Right to object and removal

You have the option to cancel your registration as a user at any time. You may have the data stored about you changed at any time. Simply log in to your customer account or contact customer service with your request.

If the data is required for the performance of a contract or to take steps prior to entering into a contract, it may only be deleted early provided that contractual or legal obligations do not preclude such deletion.

III. Payment services and payment methods, credit check

(1) Description and scope of data processing

For purposes of settling payments between customers and sellers, the marketplace operator has engaged cflox GmbH (the "Payment Service Provider"). The Payment Service Provider is entered in the commercial register of the Local Court of Hamburg under number HRB 127858. It is authorized to provide payment services and is authorized by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) as a payment institution within the meaning of section 1 (1) no. 5 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG). It is entered in the Register of Payment Institutions published on BaFin's website under ID no. 148789.

For more information on processing personal data with respect to the cooperation partner, we refer you to the data protection notice of the payment service provider in section “B. Data protection notice of cflox GmbH”.

The Payment Service Provider offers payment services for the settlement of contracts for the purchase and sale of products between the customer and the marketplace sellers which are entered into via the Online Marketplace. The Payment Service Provider receives payments from customers remitted using various payment methods on behalf of the marketplace sellers on its own account at a credit institution and pays out the funds from the sale of the products to the marketplace sellers.

Customers may select from the payment options available on the online marketplace or the payment methods offered by associated third party providers, such as the financing service of Klarna or Consors Finanz in Germany, to remit payment.

The data that you enter for the purpose of remitting payment at check-out will be processed primarily in the context of your order and the associated payment processing and in this context may be disclosed to third parties, in particular to payment product providers.

At the same time, however, in the context of the payment process, various internal business- and customer-related security measures will also be taken, where applicable with the involvement of third parties, to minimize and control the risks of money laundering and terrorist financing in accordance with the requirements of the German Money Laundering Act, fraud prevention measures will be taken on the part of the Payment Service Provider or one of the affiliated payment product providers, and a credit check for specific payment methods via the credit agencies SCHUFA and/or Bürgel may be performed in individual cases where there is a risk of non-payment or increased risk of fraud.

For example, if the payment methods "payment on Klarna invoice" and "payment by Klarna installments" are selected, Klarna will check and evaluate the information provided by the customer and exchange information with other companies and credit agencies if it has legitimate cause to do so. If the customer's creditworthiness is not guaranteed, the customer's selected payment method(s) may be declined by Klarna and it must be advised of alternative payment options.

If the payment method "Consors Finanz" is selected, Consors Finanz will check and evaluate the information provided by the customer and exchange information with other companies and credit agencies if it has legitimate cause to do so. If the customer's creditworthiness is not guaranteed, the customer's selected payment method(s) may also be declined by Consors Finanz and it must be advised of alternative payment options. Other processing operations worthy of note include, in particular, internal business- and customer-related security measures, such as transaction monitoring or implementing fraud prevention measures in the context of credit card payments in order to minimize the risks of money laundering and terrorist financing.

(2) Legal basis for the data processing

The legal basis for processing data is Art. 6 para. 1 (1) b) GDPR and Art. 6 para. 1 (1) c) GDPR in conjunction with Art. 6 GWG. Article 6 para 1) (1) f) GDPR serves as an additional legal basis for the processing of the user’s personal data.

(3) Purpose of the data processing

The processing of data in the context of payment processing is necessary particularly for the processing of orders on our website. Processing in this case serves the purpose of performing a contract with the user or taking steps prior to entering into a contract.

Implementing internal business- and customer-related security measures in order to minimize and control the risks of money laundering and terrorist financing serves the purpose of complying with the requirements of the German Money Laundering Act.

The SCHUFA and/or Bürgel credit checks performed in individual cases or fraud prevention measures in the case of credit card transactions also serve the purpose of minimizing the risk of non-payment and preventing credit card misuse. These purposes constitute our legitimate interest in the processing of data in accordance with art. 6 para. 1 (1) f) GDPR.

(4) Recipients/categories of recipient

Data collected in the context of payment processing will only be transferred to third parties in accordance with statutory provisions or in the context of a commissioned data processing arrangement.

(5) Duration of storage

The data is deleted as soon as it is no longer required for the purpose for which it was collected. With respect to data collected in order to perform a contract or to take steps prior to entering into a contract, the data will be deleted once it is no longer required for the performance of the contract. Even after entering into a contract, it may be necessary to store the counterparty's personal data in order to comply with contractual or statutory obligations, such as those arising from the limitation periods for warranty claims or record-keeping obligations under tax law.

(6) Right to object and removal

Until you submit your order, at which point the data will be definitively recorded, you may change the data yourself, delete it from the input screen or change the payment method as you wish. Thereafter, processing is required in order to process the order. Users will no longer have any option to object.

IV. Contact form, e-mail contact and use of the complaints system

(1) Description and scope of data processing

As a user of our websites, you have several ways of contacting us (e.g., by telephone, contact form, e-mail, fax, letter or in the context of using the complaints system). If you contact us, all data related to the communication will be collected. This specifically includes:

• name
• e-mail address
• invoice/delivery address
• transaction data
• date of birth and telephone number, if applicable
• IP address (contact via the contact form

The user's personal data transmitted during this process is stored and used to process the communication. Disclosure to third parties takes place, inter alia, within the framework described below: For example, it may be necessary to transfer your data to service providers such as call centres, billing offices, suppliers or carriers in order to process your enquiry. In addition, we forward enquiries we have received by mistake regarding Kaufland-branch business, the Kaufland Card and the other Kaufland programmes of Kaufland Dienstleistung, for which we are not responsible in terms of content and thus also as regards data protection, together with the personal data of the inquirer to Kaufland Dienstleistung GmbH & Co. KG, as the responsible contact person.

(2) Legal basis for the data processing

The legal basis for processing the data is art. 6 para. 1 (1) f) GDPR in order to be able to answer your request. If it is a contract-related question, data processing may be necessary for the fulfilment of a contract pursuant to Art. 6 para. 1 (1) b) GDPR or for the implementation of pre-contractual measures taken at the request of the data subject.

The legal basis for processing your data is Art. 6 para. 1 (1) f) GDPR. The legitimate interest in this (data) transfer lies in the interest of the Group to be able to correctly allocate customer enquiries and to be able to process the content in the interest of the customers.

(3) Purpose of the data processing

The personal data from the input screen is processed for the purpose of processing the contact inquiry.

(4) Recipients/categories of recipient

Marketplace retailers/sellers

In cases where marketplace sellers operate their own shop in the Online Marketplace or sell you their products via the Online Marketplace, they do so in their own name. We merely act as an intermediary between sellers and purchasers. Therefore, it is essential to include the sellers in the processes in order to be able to ensure prompt processing of your order and handling of complaints. For this reason, in addition to receiving the data required for fulfillment of the legal transaction in the context of order processing, sellers also have access to the complaints system and can view the correspondence regarding the tickets (for more information, see below).

Dropshipping suppliers

Where the seller of the goods is the marketplace operator itself, the marketplace operator will procure the goods either from its own warehouses or from warehouses of suppliers, so-called "dropshippers". In such cases, the suppliers need to be included in the processes for purposes of order processing. Therefore, the shipping data necessary for the fulfillment of the legal transaction will be provided to the supplier exclusively for order processing.

Other service providers

In some cases, it may also be necessary to disclose your data to service providers such as call centers, billing offices and carriers in order to process your inquiry. Particularly in the case of transaction-related e-mail correspondence, data may be transferred to a server in the U.S. and stored there.

However, in such cases, data will only be transferred to third parties in accordance with statutory provisions or in the context of a commissioned data processing arrangement.

(5) Duration of storage

The data is deleted as soon as it is no longer required for the purpose for which it was collected.

(6) Right to object and removal

Users have the option to object to the processing of their personal data at any time. In that case the communication may not be able to be continued. Contact customer service with your inquiry in this regard.

V. Age verification

(1) Description and scope of data processing

The marketplace operator confirms the age of the person ordering by way of various identity checks. This check happens automatically as soon as an age-restricted item is added to a user’s shopping cart.

Kaufland.de uses age verification with SCHUFA in the checkout process. In this context, there is no credit check carried out using the data stored with SCHUFA. Of the data transmitted to SCHUFA (name, date of birth, address), only the address will be stored in the SCHUFA database for verification purposes relating to the Premium identity check. More information on the activities of SCHUFA can be found on the SCHUFA information sheet in accordance with Art. 14 GDPR or online at www.schufa.de/datenschutz.

For age verification, the Cidaas ID Validator is also used on all top-level domains as an eIDAS-compliant automatic identification service. This European-cloud-based identity and access management system provided by Widas ID GmbH is regularly reviewed by the German Federal Network Agency.

As part of the automatic process of personal identification by the Cidaas ID Validator, the customer must first authenticate themselves and give their consent to the identification procedure. The purpose of the identity check, the type of data collected and the scope of storage are specified. Then the customer identification process is carried out. Depending on the method and identification document used, this document is scanned and a facial comparison is made. A signature is created and stored as proof of successful identification. The storage period is necessary for verification in the event of fraud and is limited to 6 months. More information is available at https://www.cidaas.com/privacy-policy/.

(2) Legal basis for data processing

The legal basis for processing data is Art. 6 para. 1 (1) b) GDPR.

Processing during the checkout process serves to fulfil contractual relationships or to carry out pre-contractual measures to which the user is a party.

(3) Purpose of the data processing

The exchange of data with SCHUFA and with the cloud identity and access management system Cidaas of Widas ID GmbH serves the purpose of performing identity checks if an item with age restrictions is in the shopping cart. The performance of identity checks is necessary to ensure that the requirements for sales of products with age restrictions can be met and therefore constitutes a pre-contractual measure.

(4) Recipients/categories of recipients

The marketplace operator will transfer personal data collected within the scope of this contractual relationship relating to the application, execution, and termination of this business relationship to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany.

Furthermore, the data for Cidaas ID Validator will be transferred to Widas ID GmbH, Maybachstraße 2, 71299 Wimsheim, Germany.

(5) Duration of the storage period

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected.

(6) Options for objection and removal

If the data is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible if there are no contractual or legal obligations that prevent deletion.

VI. Other services

(1) Special benefits from userwerk GmbH

We have integrated an advertising service from userwerk GmbH, Ehinger Str. 19, 89077 Ulm, Germany, e-mail: [email protected], into our website. userwerk provides benefits to suppliers of a range of products, e.g. trial subscriptions for various media. The offer is aimed exclusively at adults. After the order process, as a thank you for ordering, you will be able to choose from the product providers’ benefits. In order to display these to you, information comprising country, postcode, your order ID as well as the hash of the e-mail address are sent to userwerk in pseudonymised form. The hash of the e-mail address is evaluated in pseudonymous form to detect whether you previously objected to advertising in connection with the e-mail address submitted. The transmission of the order ID serves exclusively to correctly process the settlement with userwerk by not billing multiple times in the event of multiple loading. The data is only saved in the browser and expires when the browser is closed. After the customer selects their chosen offer, an order form operated by userwerk appears. This is pre-filled with the customer’s personal data that was saved by us during their purchase in the shop system (first name, surname and address). This is also pre-filled in the customer’s browser. The data (first name, surname, address, selected offer) is only sent to userwerk when the order has been initiated. From there, it is sent to the product provider. The legal basis for temporarily saving the data for the display of the benefits and subsequent display of your order details is section 25 para. 2 no. 2 Telecommunications Digital Services Data Protection Act (TDDDG) and Art. 6 para. 1 (1) f) GDPR (legitimate interest in displaying the benefits to you as a thank you and facilitating the order process). Under no circumstances will userwerk use the data collected from the advertisement of benefits to draw conclusions about your person. Furthermore, analysis of the hash of the e-mail address is used to exclude a possible advertising objection in a legally compliant manner; the legal basis for this data processing is Art. 6 para. 1 (1) f) GDPR.

The data (first name, surname, address, selected offer) is only sent to userwerk when the order is initiated. Then is it sent to the product provider. This data processing serves the fulfilment of the contract between you and the product provider according to Art. 6 para. 1 (1) b) GDPR.

If you do not wish to receive any offers of benefits, you can declare your objection by contacting us via e-mail at [email protected]. Alternatively, you can reach us via post at the following address:

Kaufland Marketplace GmbH, Data Protection Officer, Marketplace postal address:

Marketplace, c/o. Kaufland e-commerce Services GmbH & Co. KG Habsburgerring 2 50674 Cologne Germany

These parties are responsible for when the personal data which is sent to userwerk and the product provider is deleted. You can find out more about the details in the respective provider’s privacy policy.

There is no third-country processing and no automated decision making.

You can find further information on how userwerk collects and processes personal data here: https://www.userwerk.com/datenschutzerklaerung/ (German language version)

(2) Insurance

Finally, we offer you as a customer the opportunity to use various services of cooperation partners via our website. In the context of these collaborative arrangements, the products and services offered by the cooperation partners are included on the Online Marketplace using so-called iFrames. iFrame technology is used to embed content from another source into the website. Therefore, we are happy to inform you about the relevant products and services and the cooperation partner responsible for providing them. However, any personal data will be processed solely by our cooperation partners. For details please contact the partners specified in the given case.

(3) YouTube

From time to time, video files can be made available for playback in a YouTube frame on some subpages or partially on the main page of the online marketplace. Playing the video means that you access the website www.youtube.com, from Google Inc., via the frame itself. We have no influence on the scope of the data and the handling of your data by Google Inc. that results from accessing the YouTube website. Google Inc. itself is legally responsible for this. However, you can find details on how Google handles your data at the following link: https://policies.google.com/privacy?hl=en&gl=en

4. Further information for sellers

I. Registration on and use of the online marketplace

(1) Description and scope of data processing

On our online marketplace, we offer sellers the opportunity to register by providing personal data. The data is entered into an input screen, transmitted to us, and stored. The processing of this data then allows sellers to list products on the online marketplace, sell them to private customers via the online marketplace, receive marketing services and participate in payment processing.

As part of the registration process, it is also necessary to conclude a payment service framework agreement with the cooperation partner, cflox GmbH (“cflox”). cflox provides payment services for the processing of contracts for the purchase and sale of products between end customers and sellers that are concluded via the online marketplace. This includes, in particular, the fiduciary acceptance of payments from end customers and the forwarding of the money to the seller. Through the involvement of the cooperation partner, the sellers conclude a contract with the operator of the online marketplace and cflox. During the registration process, all data required for the use of the online marketplace and the payment services is requested. The necessary data relating to the payment services is requested by cflox on behalf of the operator of the online marketplace.

(2) Personal data/data categories

2.1 Master and contact data
In the context of initiating and executing contractual relationships, the master data and contact details of sellers are collected, in particular:

• First and last name,
• Address,
• Phone number,
• E-mail address.

This data is always collected directly from the sellers.

2.2 Billing data
Within the scope of the Marketplace’s management of the Seller’s billing accounts, we receive payment data from cflox in order to pay out the funds from the Underlying Transaction to the Seller (“Payment Files”). The Payment Files include:

• Amounts from the individual transactions of the Underlying Transaction
• Recipient data such as Seller IBAN, Seller account number, bank details and other information required depending on the means of payment

This will comprise personal data relating to you if you as a natural person become a contractual partner of cflox as a Seller (e.g. retail salesperson). If, on the other hand, the Seller is a legal entity (e.g. GmbH, AG), the Payment File will only include company-related information. No personal data relating to you personally will be collected.

2.3 Agreement and communication data
The following data in particular is collected within the scope of contract implementation and communication with sellers:

• Agreement data (e.g. contract number, contract content, contract term),
• Communication data (e.g. content of e-mails, phone calls, letters).

This data is always collected directly from the sellers.

(3) Legal basis for data processing

The legal basis for processing data is Art. 6 para. 1 (1) b) GDPR.

Both the processing during registration and the scope of the seller’s use of the marketplace serve to fulfil the contractual relationships or to carry out pre-contractual measures for which the user is a party.

(4) Purpose of the data processing

The registration of the user is necessary for the establishment, implementation and execution of the contractual relationships with the user or for the implementation of pre-contractual measures, in particular for the provision of the services owed under the contractual relationships, for billing and for communication with the user in connection with the contractual relationships.

(5) Recipients/categories of recipients

Data may be passed on to third parties in the following cases, among others: In general, the operator is supported by various service providers in the provision of the online marketplace. For example, various call centres are involved in processing your enquiries. In addition, it may be necessary to pass on your data to service providers such as payment service providers, other payment providers or the bank involved in securing the funds in order to process payments. The data may also be disclosed to the end customer during the ordering process or to other companies within the Schwarz Group. Such transfer of data to third parties only takes place within the framework of the statutory provisions or order data processing.

(6) Duration of the storage period

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected.

With regard to data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures, this is the case when the data is no longer required for the implementation of the contract. Even after the contract is concluded, it may be necessary to store personal data of the contractual partner in order to fulfil contractual or legal obligations.

(7) Options for objection and removal

As a user, you have the option of cancelling your registration at any time. You can have the data stored about you amended at any time. Simply log in to your customer account or contact Marketplace Support with your enquiry.

If the data is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible if there are no contractual or legal obligations that prevent deletion.

II. Identification of business partners/internal security measures

(1) Description and scope of data processing

As part of the registration process, you will find a link to the online identification procedure of our partners, such as ID-Now, to ensure the identification of the business partner. In addition, business- and customer-related security measures are taken to manage and minimise the risks of money laundering and terrorist financing. The processing of your data is necessary in this context, as the connected payment service provider is obligated under the provisions of the Money Laundering Act to identify its contractual partners and to create appropriate security measures to prevent money laundering and terrorist financing.

(2) Personal data/data categories

Certain identification data about the seller will be collected to the extent necessary to comply with money laundering regulations under the German Money Laundering Act (GwG). This includes, in particular:

• Place of birth,
• Date of birth,
• Nationality,
• First name and surname
• Residential or postal address,
• Copies of ID and other legitimation documents,
• If applicable, information on the nature and scope of your business interest,
• Audio and/or video recordings.

This data is always collected directly from the sellers.

(3) Legal basis for data processing

The legal basis is Art. 6 para. 1 (1) c) GDPR in conjunction with. § 11 ff. GwG.

(4) Purpose of the data processing

The purpose of processing personal data is to fulfil a legal obligation to which the marketplace operator or a connected service provider is subject.

(5) Recipients/categories of recipients

Such exchange of data with third parties only takes place within the framework of the statutory provisions or order data processing.

(6) Duration of the storage period

The data shall be deleted as soon as it is no longer required in order to achieve the purposes for which saving it is required and there is no longer a legal obligation to save it.

(7) Options for objection and removal

Premature deletion of the data is only possible if there are no contractual or legal obligations to the contrary.

III. Use of further services

(1) Description and scope of data processing

As a seller, you have the option of using various functionalities when using the online marketplace. These include services that can contribute to increasing the attractiveness of your products (e.g. Sponsored Product Ads), that can increase the visibility of your products through marketing and advertising measures (e.g. Promotion Service), that can support product presentation (e.g. Performance Coach) or that can also facilitate returns management.

(2) Basis of the data processing

The legal basis for processing data is Art. 6 para. 1 (1) b) GDPR.

Processing during the checkout process serves to fulfil contractual relationships or to carry out pre-contractual measures to which the seller is a party.

(3) Recipients/categories of recipients

Such exchange of data with third parties only takes place within the framework of the statutory provisions or order data processing.

(4) Duration of the storage period

The data shall be deleted as soon as it is no longer required in order to achieve the purposes for which saving it is required and there is no longer a legal obligation to save it.

(5) Options for objection and removal

Premature deletion of the data is only possible if there are no contractual or legal obligations to the contrary.

IV. Fraud prevention and prosecution of potential infringements

(1) Description and scope of data processing

As part of our fraud prevention measures, we collect personal data in order to recognise and prevent potential activities at an early stage. In addition, we collect personal data to process potential legal infringements by sellers in order to clarify the concerns of customers or other third parties and offer solutions. In the course of disputes with third parties, this concerns the information relating to the dispute and necessary for the defence, which is made available to us by the seller during the review process.

(2) Basis of the data processing

The legal basis for processing data is Art. 6 para. 1 (1) f) GDPR.

(3) Purpose of the data processing

In this context, the processing of your data is necessary to maintain the integrity of our services, to ensure the security of our customers and other third parties and to assert the legitimate interests of customers and other third parties.

(4) Recipients/categories of recipients

Such exchange of data with third parties only takes place within the framework of the statutory provisions or order data processing. As part of fraud prevention, there is an exchange with credit agencies in particular. In the event of an examination of potential infringements of the law, your data may be transferred to authorities or other third parties tasked with investigating the infringement.

(5) Duration of the storage period

The data shall be deleted as soon as it is no longer required in order to achieve the purposes for which saving it is required and there is no longer a legal obligation to save it.

(6) Options for objection and removal

Premature deletion of the data is only possible if there are no contractual or legal obligations to the contrary.

IV. Further information on using the In-store Business Websites

The respective national companies are the operators of the In-store Business Websites such as https://filiale.kaufland.de/ and provide the services listed on those sites. In Germany, for example, this is Kaufland Dienstleistung GmbH & Co. KG. The respective policies and information provided on the In-store Business Websites, for example, for Germany at https://filiale.kaufland.de/datenschutz.html, shall apply.

V. Rights of data subjects

Pursuant to Article 15(1) of the GDPR, you have the right to request information, free of charge, on the personal data stored about you at Kaufland. If the statutory requirements are met, you also have a right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR) of your personal data.

If the data processing is based on Art. 6 para. 1 (1) e) or f) GDPR, you have the right to object in accordance with Art. 21 GDPRIf you object to processing, your data will no longer be processed thereafter, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests of the data subject in the objection. If you have provided the processed data yourself, you have a right to data portability under Article 20 GDPR.

If the data processing is based on consent in accordance with Art. 6 para. 1 (1) (a)) or Art. 9 (2) (a) GDPR, you can withdraw your consent at any time with effect for the future without affecting the lawfulness of the previous processing.

In the above-mentioned cases, or if you have questions or complaints, please write to or e-mail the data protection officer. You also have a right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority located in the state in which you live or where the controller is domiciled has jurisdiction.

B. Data protection notices for cflox GmbH

cflox GmbH (hereinafter “cflox” or “we”) takes the protection of personal data very seriously and processes it in accordance with the applicable data protection laws, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

cflox provides payment services for the processing of contracts for the purchase and sale of products between end customers and sellers that are concluded via the e-commerce platforms of Kaufland Marketplace GmbH (“Marketplace”). This includes, in particular, the fiduciary acceptance of payments from end customers and the forwarding of the money to the seller.

This data protection notice for end customers (“Data Protection Notice”) applies to the processing of personal data of end customers by cflox in the context of processing payments that end customers make to sellers (whether a third-party provider or the marketplace itself as a seller) when purchasing products on the marketplace’s e-commerce platform. This data protection notice is aimed at end customers, provided they are natural persons (“you”).

In the following, we explain which personal data we collect about you, how we process it and what rights you have with regard to the processing of your data. The sole purpose of this Data Protection Notice is to fulfil our information obligations pursuant to Art. 13 and 14 GDPR. This data protection notice does not create any contractual obligations for cflox.

I. Who is responsible for processing my data? How do I contact the responsible party?

Responsible party: cflox GmbH, Gaußstraße 190c, 22765 Hamburg, Germany, Phone: +49 40 22 86 97 85; E-mail: [email protected]

Data protection officer: cflox GmbH, René Hoffmann, Gaußstraße 190c, 22765 Hamburg, Germany, Phone: +49 40 22 86 97 85; E-mail: [email protected]

When contacting the data protection officer, please state the company to which your enquiry relates. Please refrain from including sensitive information, such as a copy of your ID, with your enquiry.

II. Which kind of personal data is processed? From which sources is the data taken?

In connection with the processing of payments made by you on the marketplace and in the event of refunds to you, we may collect the following personal data,0 as explained in more detail below in this section:

• First name and surname;
• Address (billing and shipping);
• E-mail address;
• Telephone number, if applicable (if you provided this when purchasing)
• Content/price of the e-commerce purchase
• IBAN;
• If applicable, credit card information (card number, CVC, expiry date, name of the cardholder);
• Transaction details (amount, date, payment status, transaction IDs);
• IP address;
• Payment method, if applicable (only in the case of repayments);
• Purchase history.

The above-mentioned data is collected by the end customer payment service providers contractually linked to cflox and the marketplace via the respective payment interface or by the marketplace. This data is processed by the payment service providers - generally in the role of an independent and separate controller within the meaning of Art. 4 (7) GDPR - for the provision of payment services (Adyen NV, Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands; BNP Paribas S.A., Schwanthalerstraße 31, 80336 Munich, Germany; PayPal, Inc., 2211 North First Street, San Jose, CA 95131; PayPal Pte. Ltd, 5 Temasek Boulevard #09-01, Suntec Tower Five, Singapore 038985; Ivy GmbH, Sandstraße 33, 80335 Munich, Germany; Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden).

The end customer payment service providers share the data with us, and we process it or the service providers process it on our behalf as processors in accordance with our instructions, to the extent necessary for the processing purposes specified in section0 . In exceptional cases, e.g. in the case of repayments (e.g. in the case of advance payment) or FIU notifications (see section 3 below), we receive the data directly from the marketplace.

III. For what purposes and on what legal basis is my personal data processed?

1.) Processing of payments

We process your data insofar as this is necessary for the processing of payments that you make as an end customer when purchasing products on the e-commerce platform of the marketplace to merchants (be it a third-party provider or the marketplace itself as a seller), the forwarding of the funds to the seller and, if necessary, for the execution of refunds to you. We base this on the necessity of processing your data to safeguard our legitimate interests in the proper provision of payment services in accordance with our contractual obligations to the seller and marketplace and the applicable legal requirements, in particular under the Payment Services Supervision Act (Art. 6 para. 1 sentence 1 f) GDPR).

2.) Money laundering and other legal requirements

We process your data insofar as this is necessary to carry out legally prescribed money laundering processes relating to merchants, in particular customer due diligence obligations and sanctions list checks. In this respect, we rely on the necessity of the processing to ensure and document compliance with our legal obligations under the Money Laundering Act (Art. 6 para. 1 (1) c) GDPR).

We also process your data to ensure and document compliance with other legal obligations, in particular retention obligations under commercial and tax law in accordance with section 257 of the German Commercial Code (HGB) and section 146 of the German Fiscal Code (AO). We base the processing on the necessity to fulfil our legal obligations or on our legitimate interest in the fulfilment of these obligations (Art. 6 para. 1 (1) c) and f) GDPR).

Furthermore, we may process your data insofar as this is necessary to protect our legitimate interests in the assertion, exercise and defence of legal claims (Art. 6 para. 1 (1) f) GDPR).

3.) Fraud prevention, systems security and product improvement

We process your data in order to

• detect, track and prevent fraudulent behaviour;
• prevent chargebacks;
• protect our IT infrastructure and recognise, track and prevent cyber-attacks.

We base this processing on our legitimate interests as well as the legitimate interests of our customers and contractual partners to prevent and detect fraudulent activities and chargebacks as well as ensure the security of our services and IT infrastructure (Art. 6 para. 1 (1) f) GDPR).

IV. Who will my personal data be shared with?

We will only pass on your data to other organisations if this is necessary to achieve the processing purposes listed above in point 0 of this Annex. In particular, we pass on your data to the following recipients in accordance with this provision:

• Marketplace;
• Bank of the seller;
• Credit card organisations (e.g. VISA, MasterCard) and payment providers;
• Authorities (in particular investigating authorities) in the event of justified requests for information;
• Central Financial Transaction Investigation Unit (FIU) in the event of necessary suspicious activity reports to the FIU.

In addition, we may pass on your data to service providers who act on our behalf and in accordance with our instructions (Processors). They support us in areas such as the provision and operation of our corporate IT and the implementation of money laundering prevention processes, among other things.

V. Will my personal data be processed outside the EU and the EEA?

Some of the recipients of your personal data listed above in point 0. of this Annex may be located in countries outside the European Union (EU) or the European Economic Area (EEA), i.e. third countries. Should cflox transfer your personal data to recipients in third countries which do not guarantee a level of data protection deemed adequate by the European Commission in an adequacy decision pursuant to Art. 45 GDPR, cflox has taken appropriate protective measures to ensure that your data is always adequately protected in accordance with any imminent risks. This is done in particular by agreeing to the standard contractual clauses approved by the EU Commission (pursuant to Art. 46 para. 2 c) GDPR) and, where necessary, by implementing supplementary measures such as additional technical, organisational and contractual protective measures. If appropriate protective measures cannot be concluded due to special conditions, a transfer to third countries without an adequacy decision will only take place on the basis of a legal exception within the meaning of Art. 49 GDPR. You can obtain a copy of the measures we have taken and further information on the recipients and third countries on request using the contact details provided in point 0. of this Annex.

VI. How long will my personal data be stored?

Your data will only be stored for as long as is necessary to fulfil the purposes listed in point 0. of this Annex. As a rule, your data will be stored for a period of up to 10 years following its termination in compliance with retention obligations under commercial and tax law. Your data will be deleted thereafter, unless deletion conflicts with statutory retention obligations in individual cases or longer storage is necessary in a specific case so as to fulfil other legal obligations or protect the legitimate interests of cflox (assertion, exercise or defence of legal claims).

VII. Do any automated decision-making processes take place? How is my personal data protected?

No decision-making takes place based solely on automated processing. We take technical and organisational measures pursuant with the requirements outlined in Art. 32 GDPR to protect your personal data.

VIII. What rights do I have in relation to the processing of my personal data and how can I exercise them?

In accordance with statutory provisions, you have the right vis-à-vis cflox as the controller responsible for the processing of your personal data to:

• request information about the processed personal data as well as a copy of this data (right to information);
• request the rectification of inaccurate data and, taking into account the purposes of the processing, the completion of incomplete data (right to rectification);
• request the erasure of your data where there are legitimate grounds (right to erasure; “right to be forgotten”);
• demand the restriction of the processing of your data, provided that the legal requirements are met (right to restriction of processing);
• if the legal requirements are met, receive the data provided by you in a structured, commonly used and machine-readable format and to transmit this data to another controller or, if technically feasible, to have it transmitted by cflox (right to data portability).

You also have the right to object to the processing of your data for reasons arising from your particular situation in accordance with the statutory provisions (right to object). If personal data is processed for the purpose of direct marketing – which is not the case here – you have the right to object to this processing at any time without the need for special reasons.

To exercise your rights, please use the contact details listed in point 0. of this Annex. In addition, without prejudice to any other legal remedies, you have the right to lodge a complaint with a supervisory authority at any time. This can be exercised, for example, with the supervisory authority responsible for cflox: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany.