Privacy policy

Introduction

We are pleased that you are interested in data protection at ALDI SÜD / HOFER.

The protection of your personal data is very important to us. We would therefore like to inform you transparently about how we process your data within the supplier portal of the ALDI SÜD / HOFER Group. In this data protection declaration, we explain which and how we collect your personal data, for which purposes we use this data, on which legal basis this is based, and which rights and claims result from this for you.

Personal data is all information that can be directly or indirectly associated with your person. The legal framework for processing is in particular the European Data Protection Regulation (GDPR). We process and transmit your data exclusively within the framework of the legal requirements for the legally permissible purposes described in more detail below.

Controller of the data

Responsible controller and first contact for you is:

ALDI International Services SE & Co. oHG
ALDI SOUTH Group
Mintarder Str. 36–40
45481 Mülheim an der Ruhr
E-Mail: dataprotection.international@aldi-sued.com

Data Protection Officer

You can reach out to our data protection officer at:

Kay-Torsten Schuy
E-Mail: Datenschutzbeauftragter@aldi-sued.de

Please note that the above e-mail address is a shared e-mail address (functional mailbox), so the e-mails can also be read by persons other than the DPO. If you wish to exchange confidential information, please use the above e-mail address to establish direct contact at first.

Further controllers

Since our supplier relationships are used and deployed worldwide, and all involved national companies of the ALDI SUED-HOFER Group have access to the supplier portal for this purpose, this portal is operated on behalf of all companies of the ALDI SUED-HOFER Group. The participating companies have agreed that the primary contact person is the office mentioned under 1.1. However, you are free to contact the other companies as well. The contact details are as follows:

• ALDI Inc., 1200 North Kirk Road, Batavia, IL 60510-1477, USA
• ALDI Magyarország Élelmiszer Élelmiszer Bt, Mészárosok útja 2, 2051 Biatorbágy, Hungary
• ALDI S.r.l., Via Cassa Di Risparmio 18 CAP 39100 Bolzano, Italy
• ALDI SUISSE AG, Niederstettenstr. 3, CH-9536 Schwarzenbach, Switzerland
• ALDI Stores (A Limited Partnership), 1 Sargents Road, Minchinbury NSW 2770, Australia
• ALDI Stores (Ireland) Limited, Holly Lane, Atherstone, Warwickshire CV9 2SQ, Ireland
• ALDI Stores Limited, Holly Lane, Atherstone, Warwickshire CV9 2SQ, United Kingdom
• ALDI SÜD Dienstleistungs-GmbH & Co. oHG, Burgstraße 37, 45476 Mülheim an der Ruhr, Germany
• Hofer KG, Hofer Str. 1, 4642 Sattledt, Austria
• Hofer trgovina na drobno d.o.o., Kranjska cesta 1, 1225 Lukovica (Ljubljana), Slovenia
• ADO Solutions Hong Kong Limited, 18/F, Millennium City 6, 392 Kwun Tong Road, Kwun Tong, Kowloon, Hong Kong SAR
• ALDI Services Asia Limited, 18/F, Millennium City 6, 392 Kwun Tong Road, Kwun Tong, Kowloon, Hong Kong SAR
• ALDI Sourcing Asia Limited, 18/F, Millennium City 6, 392 Kwun Tong Road, Kwun Tong, Kowloon, Hong Kong SAR

Website visit

Secure data transmission

We take all technical and organisational measures to protect your personal data from loss, unauthorized access and misuse. Accordingly, your data will only be transmitted in encrypted form. We use state-of-the-art encryption methods for this purpose. This protects the communication between you and us and helps to prevent misuse of the data by third parties.

Log files

Each time our website is accessed or attempted to be accessed, at least the following data is collected and stored in a log file:

• • Timestamp
  • IP Adress of user
  • Severity level of audit log
  • location
  • tenantID= Identifier of Platform Service provided by SAP
  • Identifier to link connected requests
  • state of the action
  • Action being logged
  • what type of account is being used
  • user ID
  • Category of audit log
  • how access was being granted
  • type of authentication
  • session date
  • origin of login, who authenticated the user
  • information with regard to further SAP BTP services being used

This data is stored for ninety days. The processing of the data serves our legitimate interest,

• • to monitor the data and operational security of the portal,
  • to protect the portal from attacks
  • to ensure system stability
  • to detect technical errors at an early stage,
  • to ensure the functionality of our websites and systems,
  • in the event of harmful incidents, to clarify and prosecute legal violations.

The legal basis is Art. 6 para. 1 lit. f GDPR.

Cookies

So-called cookies are used on our website. Cookies are small text files that are saved by your browser and stored on your computer. The use of cookies serves to make the Internet offer more user-friendly. For example, it is possible to recognize the user for the duration of the session without having to constantly re-enter the username and password. The cookies do not cause any damage to your computer. The cookies we use are deleted immediately after you close your browser (so-called session cookies).

Data processing in connection with cookies, which serve solely to establish the functionality of our online offer, is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

If you do not wish cookies to be used, you can set your browser so that the storage of cookies is generally not accepted. Please note, however, that the use of our website may not function smoothly in this case.

Business partners

In the context of existing business relationships or in preparation of a business relationship, we process your personal data. The processing is justified by the business relationship or its initiation. The legal basis is Art. 6 para. 1 lit. b GDPR.

If we are subject to statutory retention obligations (e.g. in Germany commercial law retention obligations from § 257 HGB or financial law retention obligations from § 147 AO), we store your data in accordance with these legal requirements. The legal basis in this respect is Art. 6 para. 1 lit c GDPR.

It is the overriding legitimate interest of the ALDI-SUED/HOFER Group to make communication with business partners such as suppliers and auditing institutes as simple as possible and to continuously optimize internal processes. This includes the use of a central digital portal such as this one. The data is processed in a way that ensures that only authorized persons have access to the systems and that only those who need it get access. The purpose of properly carrying out and continuously optimizing business processes, e.g. in the area of quality assurance, represents our overriding legitimate interest in this regard within the meaning of Art. 6 (1) lit. f GDPR.

The user data provided is basically processed within the scope of the purpose known to the users. The purpose of use may only be changed or extended if this is permitted by law and the users have been informed of this or have given their consent. If the processing is based on consent, this can be revoked at any time using the contact details provided above.

In particular, the following categories of data are processed by contact persons of business partners such as suppliers, testing institutes, logistics providers or agencies:

• • Job title
  • First, middle and last name(s)
  • Business e-mail address(es)
  • Business phone number(s)
  • Business fax number(s)
  • Company name
  • Postal address of the company
  • Type of business partner
  • (System-generated) IDs
  • User and authorization/role information
  • Language
  • Timestamp of logon

Further events will be logged such as:

• • Project assignment
  • Task assignment
  • Request assignments and creator identification
  • Identification of author of comments

Business partner screening

To the extent necessary as part of our compliance requirements, we conduct a business partner check using various due diligence tools (sanctions and terror list screenings). Therefore, the data listed above may also be processed for this purpose if necessary. The legal basis for this is our overriding legitimate interest within the meaning of Art. 6 (1) lit. f GDPR in complying with legal requirements.

Contact

Personal data (e.g. your name, address data or contact data) that you provide to us voluntarily, e.g. as part of an inquiry or in any other way, or that is provided to us by your employer/organisation, will only be processed for correspondence with you and only for the purpose for which this data was provided to us. The processing of this data is based on our overriding legitimate interest in responding to your inquiry within the meaning of Art. 6 (1) lit. f GDPR. If there is a direct contractual relationship with you within which the inquiry is made, or if a future contractual relationship is the content of the communication, the legal basis for the processing is Art. 6 (1) lit. b GDPR. Deletion takes place as soon as the underlying purpose has ceased to exist and there are no further reasons for storage.

Other processing activities

Within this portal, various services are provided to facilitate collaboration with business partners at various interfaces. In principle, processing for these purposes is in our overriding legitimate interest, Art. 6 (1) lit. f DSGVO.

Insofar as deviations from the data protection information presented here arise in the downstream systems, you will find the additional information within the corresponding applications.

The following data is processed in the aforementioned applications and their downstream systems. A large part of the data listed below must be provided, otherwise it is not possible to use the systems. The data will be stored in personal form only for as long as is necessary for the purposes for which they are processed or until the expiry of any statutory retention periods.

We reserve the right to adapt our offer to the changing requirements of an efficient work organisation and may add, supplement or remove individual tools for this purpose. In particular, we have integrated the following services into this portal:

ALDI/HOFER Portal & Identity Management System (Empower-ID)

Within the ALDI/HOFER portal (supplier portal), personal data is only stored for the duration of the user session and otherwise transferred to other systems for which there are separate retention periods.

You can only access the ALDI/HOFER portal if you have previously authenticated yourself as a registered user in the identity management system (Empower-ID). Without this information, access to the contents of the portal is not possible. Empower-ID stores your login information in cookies so that it only has to be entered once per session. Your data will be processed for the following purposes:

• • Collection of user data and authorizations as a basis for authentication and authorization.
  • Authentication and authorization of users on the ALDI/HOFER portal (supplier portal), on the identity management system and on various downstream IT systems
  • Provision of user interfaces for access to business processes that are mapped in downstream systems

Within the scope of using the ALDI/HOFER portal (supplier portal), SAP Ariba as well as the identity management system, the following categories of data of contact persons of business partners, such as suppliers, testing institutes, logistics service providers or agencies are processed:

• • Job title
  • First, middle and last name(s)
  • Business email address(es)
  • Business telephone number(s)
  • Business fax number(s)
  • Company name
  • Postal company address
  • Business partner type
  • (System generated) identification numbers
  • User and authorization/role information
  • Language setting
  • Login timestamp

Personal data is provided by the company`s own identity management system. Data maintenance and deletion in this system is done independently by the business partner/user.

SAP Ariba

The SAP Ariba system processes data for the following purposes:

• • Support of purchasing in the area of tender management
  • Support of purchasing in the area of contract management
  • Support of purchasing in the area of supplier management as well as supplier master data management
  • Support of purchase order and invoice processing in the indirect area.

In the context of SAP Ariba, the following data categories are recorded as required:

• • First, middle and last name or company name.
  • Postal company address
  • Business mail addresses
  • Business phone numbers
  • Business fax number
  • Business bank details
  • Language setting
  • Business partner type

This data is stored during ongoing business relationships and is retained within the scope of legal retention obligations.

Recipients of the data

We have involved service providers who support us in providing the technical infrastructure and the cloud services involved and who may have access to personal data in the process. The service providers are contractually obligated to process data only as instructed by ALDI SÜD and to take all necessary measures for data protection and data security (data processing agreement pursuant to Art. 28 GDPR). If data is transferred to countries outside the European Union or the European Economic Area for this purpose, we use the instruments of the GDPR (e.g., by concluding standard contractual clauses that have been approved in advance by the European Commission as an adequate measure to ensure data protection) to ensure that an appropriate level of data protection that corresponds to the European area is also maintained in the other countries.

Your rights

Under the conditions of Art. 15 - 21 GDPR, the user has the right to information, correction, deletion, restriction and data portability of his stored data at any time. In this matter, the user may contact us at the contact details provided above. We may, in the event of unfounded or excessive requests by the user pursuant to Art. 12 para 5 GDPR, either demand an appropriate fee for the requests or refuse to process the request.

In addition, you have the right to lodge a complaint with the data protection authority. If you believe that the processing of your personal data violates legal provisions, you have the right to contact a competent supervisory authority. For this purpose, you can contact the data protection supervisory authority responsible for you or the authority of the federal state in which the responsible party has its registered office. With regard to our online presence, the competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information NRW in Düsseldorf, Germany.

Scope and amendment of this privacy policy

We reserve the right to adapt the information provided in this data protection declaration to any changes in legislation or jurisdiction without prior notice.

Please note that this data protection declaration only refers to the use of the ALDI SÜD / HOFER portal. If you are involved in further processes, you will find corresponding data protection information at the appropriate place. In particular, this information does not apply to your activities on websites that you can access via links on our websites. Please inform yourself separately about the data protection provisions on these websites.