Privacy policy for Salling Group A/S

Version 3, July 2023

Contents

1. General information about Salling Group's personal data processing

1.1 Privacy policy's scope

This privacy policy forms the basis for our processing of your personal data and informs you of how we process your personal data. This applies regardless of whether you are a customer, supplier or another type of business partner.

If you are an employee of Salling Group A/S, this privacy policy does not apply to our processing of your personal data pursuant to your employment. This processing is covered by our privacy policy for employees, which you can find here.

Section 1 of the privacy policy contains an overall description of Salling Group A/S' personal data processing.

The subsequent sections describe our personal data processing within a number of specific areas, formats or websites. Direct links to these sections are available from the respective websites etc.

In the last section of the privacy policy, you can read about your rights as a data subject and how you can exercise these rights.

In addition to this privacy policy, you can also read about our personal data processing in the privacy policies that further describe specific processing in relation to our webshops, apps, +-membership clubs, customer surveys, competitions and events, etc. You will also always be able to find a reference to the specific privacy policy in relation to the specific processing activity.

As far as our websites’ use of cookies is concerned, please also see the cookie policy on the individual sites.

Salling Group A/S operates, among others, the Bilka, føtex, Netto, BR, Starbucks, Salling Department Stores, Flowr, Skagenfood and Carl's Jr. formats, all of which are thereby covered by this privacy policy. In relation to the other companies in the Salling Group company, including foreign companies, please refer to the separate privacy policies for these companies.

1.2 We take your data protection seriously

We have adopted this privacy policy, and it forms the basis for our processing of your personal data and informs you about how we process your personal data.

We continuously consider the best possible ways to process your personal data, and we are particularly focussed on ensuring that your fundamental rights are not adversely affected. We are particular aware, therefore, of the risk of discrimination, ID theft, financial loss, loss of reputation and general confidentiality.

1.3 Data controller and contact information

The data controller for the processing of your personal data is:

Salling Group A/S
CRN no.: 3595 4716
Rosbjergvej 33-35
8220 Brabrand
Telephone no.: +45 8778 5000
Email: privacy@sallinggroup.com
Web: sallinggroup.com/en/contact

We encourage you to contact us via gdpr@sallinggroup.com if you have any questions or wish to exercise your rights.

Salling Group A/S is the data controller for the following websites and webshops:

bilka.dk

bilkaelev.dk

bilkajob.dk

bilkamadudafhuset.dk

bilkatogo.dk

br.dk

carlsjr.dk

flowr.dk

foetex.dk

foetexelev.dk

foetexmadudafhuset.dk

nettalk.dk

netto.dk

nettoelev.dk

salling.dk

sallinggroup.com

sallinggroupelev.dk

SCOcykler.dk

smagsalling.dk

This list is updated on a continual basis. We also link to the privacy policy from all the sites covered.

1.4 We inform you about the processing

When we collect personal data from you, the latest we will inform you about our processing of the data is at the time of your personal data collection.

When we collect your personal data from others, we will inform you about our processing of the data as soon as possible.

You will either receive the information by being forwarded to this privacy policy or a particular privacy policy that can better describe the specific processing.

We strive to ensure that you always receive all information as early as possible. In some cases, however – in order to make the information more easily accessible – you will receive the most essential information immediately and will then be forwarded to the full information about the processing by another means. This can, for example, be the case for competitions, physical order forms and the like.

1.5 The personal data we process about you

Our processing of your personal data takes place, fundamentally, to provide a better service to you and to ensure the quality of the products and services that we offer you.

We may collect and process your personal data in connection with the following contact with us:

Use of one of our websites and webshops without purchasing taking place, including through the issuing of cookies

Purchases via one of our webshops

The use of our mobile apps

Visiting our stores

The creation of a Salling Group Profile (see the privacy policy for Salling Group Profile: Salling Group Profile privacy policy)

Inquiries made to us via email, telephone, chat or ordinary mail

Inquiries to customer service via our online customer service portal

Participation in customer surveys, competitions, events and the like.

Claims, complaints, disputes, etc.

Personal data that we collect and process typically includes one or more of the following types:

Contact information, e.g., name, address, telephone number and email

Order data and purchase history

Payment details

Contact information for employees of our suppliers and sub-suppliers

User behaviour, which is collected, for example, via cookies or via your clicking behaviour

Opinions and other expressions you make in connection with customer surveys

Image or video material in connection with CCTV surveillance in our physical stores

1.6 The purposes for processing your personal data

Your personal data is processed for specific purposes. The purposes will typically be elaborated in a specific privacy policy that describes the particular processing in more detail – for example, in relation to a specific competition, visit to a specific website, creation of a Salling Group Profile or participation in an event.

In general, however, we typically process personal data for the following purposes:

Processing of your purchase and delivery of our services

Fulfilment of an agreement based on your request

Administration of your membership in one of our customer clubs

Operation and optimisation of our websites and mobile apps

Fulfilment of requirements according to legislation

Customer service and other communications with us upon your request

Administration of supplier relationships

Sending of marketing, including newsletters

Targeting of marketing

Administration of your participation in competitions and events

1.7 Sole purposes of processing relevant and necessary personal data

Your personal data will be processed solely on the basis of the purposes stated at the time of collection, including any necessary forwarding to this privacy policy and the purposes listed herein. Only personal data that is necessary to fulfil these purposes will be relevant, and our processing will therefore be limited to such personal data.

Before collecting your personal data, we make a concrete assessment of whether it is possible to limit the amount and type of personal data to be collected and processed. We also carry out a concrete assessment of whether it is possible to process your personal data anonymised or pseudonymised.

We continuously focus on minimising the extent and types of personal data that we process.

1.8 Consent as a basis for processing

In some cases, we base our processing of your personal data on your consent, cf. the General Data Protection Regulation art. 6(1)(a).

In these cases, we inform you about the purpose of processing your personal data so you can choose to give your consent or refuse the processing on an informed basis. The information is provided with reference to this privacy policy or a specific privacy policy.

We always strive to provide you with complete information prior to the collection of your data. In order to create clarity and meet practical challenges, however, in some cases we will prioritise giving you the most important information first and then refer you to a privacy policy where you can read more about the processing activity in question.

For example, we obtain consent to the processing of personal data in the following instances:

Processing of personal data collected via cookies when you visit our websites

Processing of personal data via participation in competitions, events and the like

Processing of personal data for the purpose of sending direct marketing to you, including through the collection of your user and click behaviour in newsletters, on websites and in apps

Use of your images or statements from you for marketing

Your consent is voluntary, and you can withdraw it at any time by contacting us via gdpr@sallinggroup.com.

Please be aware that if you withdraw your consent, we will not process your data any further unless we are either obliged to do so or our continued processing is necessary for legal claims to be established, asserted or defended, cf. the General Data Protection Regulation art. 17(3)(b and e).

There will also be certain features or services that you may not be able to use without consent.

If you withdraw your consent, this does not affect the legality of our processing of your personal data up to the time of withdrawal.

1.9 Other bases for processing other than consent

In some instances, we base our processing of your personal data on grounds other than consent. In such cases, the processing will be proceed on a basis that follows from the General Data Protection Regulation, the Danish Data Protection Act or another law.

The following items do not constitute an exhaustive list of cases where we base our processing on grounds other than consent. We therefore also refer you to the specific sections here in the privacy policy, as well as to our other privacy policies.

1.9.1 Use of one of our websites, including webshops, without purchasing

When you visit our websites for the first time, you will be greeted by a cookie banner. You can always bring up the cookie banner by clicking on the small "cookie" icon in the bottom left corner of the web page.

The banner provides you with information about the cookies that the website places on your device.

Our websites always issue necessary cookies. These are placed without your consent, which is in accordance with the legislation on cookies.

You can choose to consent to other cookies. This applies to statistical, functional and marketing cookies. If you consent to cookies, the accepted cookies will collect certain personal data about you and your behaviour on our websites. The cookie banner also contains a link to this privacy policy, where you can read more about the processing of personal data collected via cookies in section 1.13.

1.9.2 Inquiries to us via email, telephone or regular mail

When you contact us, either through customer service or in another way, we will, in the vast majority of cases, have to process your personal data in order to be able to reply to you.

You will receive a reference to our privacy policy in connection with our reply to your inquiry.

If you call us, the processing of your personal data will be described here and in section 2.6 on customer service.

The basis for our processing of your data depends on your inquiry.

If you contact us with a view to entering into an agreement with us, we will process your personal data in order to be able to fulfil the agreement with you, cf. the General Data Protection Regulation art. 6(1)(b).

If you contact us to make a claim, we will typically process your personal data because we are legally obliged to do so, cf. the General Data Protection Regulation art. 6(1)(c).

If you contact us to assert your legal rights, for example, in relation to the General Data Protection Regulation, we will process your personal data because we are legally obliged to do so, cf. the General Data Protection Regulation art. 6(1)(c).

If you contact us with a question, complaint or other inquiries, we will process your personal data pursuant to the General Data Protection Regulation art. 6(1)(f), as we have a legitimate interest in responding to your inquiry or complaint. Since you have chosen to contact us yourself, we consider that our legitimate interest exceeds your interest in us not processing your personal data.

1.9.3 Purchases via webshops without creating a user profile

When purchasing via one of our webshops where you provide contact information and payment information without also creating a user profile, we will process your personal data in order to complete the purchase.

We therefore process your personal data in order to fulfil the agreement with you, cf. the General Data Protection Regulation art. 6(1)(b).

In addition, we also process your personal data in order to be able to fulfil our obligations under the law, including the Danish Bookkeeping Act, cf. the General Data Protection Regulation art. 6(1)(c).

1.9.4 Purchases via webshops where you create a user profile

When purchasing via one of our webshops where you are logged in with your Salling Group Profile, we will process your personal data in order to complete the purchase.

We therefore process your personal data in order to fulfil the agreement with you, cf. the General Data Protection Regulation art. 6(1)(b).

In addition, your personal data will also be processed in accordance with the privacy policy for Salling Group Profile: Privacy Policy for Salling Group Profile

1.9.5 Administration of supplier relationships

We process data about our suppliers and employees of suppliers where necessary.

We do this so we can manage our contractual relationship with the supplier, cf. the General Data Protection Regulation art. 6(1)(b), as well as in certain other cases, so we can pursue our legitimate interests in managing the cooperation, cf. the General Data Protection Regulation art. 6(1)(f).

1.9.6 Creation of a customer profile / Salling Group Profile

Please refer to the privacy policy for Salling Group Profile: Privacy Policy for Salling Group Profile

1.10 Your personal data will be updated on an ongoing basis

Personal data that we process about you will be updated on an ongoing basis so we can ensure that the data obtained is not incorrect or misleading.

In order to ensure the quality of your personal data, we have adopted internal rules and established procedures for the continuous control and updating of your personal data. 

We encourage you to inform us of relevant changes related to your personal data so we can ensure that they are correct. You can read more about your rights under section 4, including what to do if there are changes to your personal data.

1.11 Storage and erasure of personal data

When the purpose of the processing of your personal data has been fulfilled, the data will be erased if there is no other authority or demand for continued processing.

We have evaluated and determined the following data retention periods, which do not, however, constitute an exhaustive list. We therefore refer you to the specific details in section 2 of this privacy policy as well as in our other specific privacy policies.

1.11.1 When visiting one of our websites (cookies)

If you visit one of our websites, we may collect personal data about you via cookies. It is made clear in the specific website's cookie declaration how long the various cookies remain on your computer, phone or other device.

In terms of the personal data collected via cookies, we refer you to the section on cookies. Here you can read more about the specific storage periods for personal data collected via cookies.

1.11.2 Inquiries to us via email, telephone or regular mail

Inquiries to customer service are stored in accordance with the privacy policy for customer service, which you can find under section 2.6.

Contacts made in relation to insurance cases are stored in accordance with the privacy policy for insurance cases, which you can find under section 2.7.

Direct inquiries to one of our employees by email, or email forwarded by one of our business partners to one of our employees and which concerns us, are deleted when the purpose for the storage has ended. This is concretely assessed according to the individual email in relation to the purpose of the inquiry and the content of the email, including whether the email falls under one of the other categories listed in this section.

Inquiries made by email to one of our employees where the content does not relate to Salling Group will be deleted after notification to the sender, if the inquiry does not give the employee reason to take further action.

We have a general erasure policy, according to which employees must erase or anonymise personal data when there is no longer a purpose or basis for processing.

1.11.3 Purchases via webshops

Personal data collected in connection with your purchases via our webshops is stored for the relevant financial year + 5 years in order to fulfil our obligations according to the Danish Bookkeeping Act. Please also see the terms and conditions for the specific webshop, which you can find on the webshop's website.

Please note that if you make a purchase through your Salling Group Profile, the retention period of your purchase history will follow the privacy policy for the Salling Group Profile: Salling Group Profile Privacy Policy.

1.11.4 The creation of user profiles on one of our websites, apps or webshops

Please see the privacy policy for the Salling Group Profile, as well as the privacy policy for the specific user profile on the specific website, app or webshop. 

1.11.5 Competitions, events and the like

We store your personal data collected in connection with competitions, events and the like, as long as there is a purpose for the storage.

For example, the storage period for a competition will typically be until the winner is announced, and for events until the event is completed.

You can find more information about the specific storage period in the privacy policy for the competition, event, etc.

1.11.6 Distribution of newsletters and other marketing

If you have consented to receive newsletters or other direct marketing, we will store your data until you unsubscribe from the newsletter or from receiving marketing.

In terms of any individual pieces of marketing material that you have consented to receive, we store your data until there is no longer a purpose for the storage or in accordance with the specific consent.

See also section 2.1 on the privacy policy for newsletters and other direct marketing.

1.11.7 Supplier relations and business partners

We erase personal data about suppliers/partners and any employees of suppliers/partners when the contractual relationship has ended or the cooperation has ended and all balances have been settled.

However, certain personal data is stored for the relevant financial year + 5 years in accordance with the Danish Bookkeeping Act.

1.12 Protection of personal data

Our processing of personal data takes place according to procedures and rules that we have drawn up and continually adapt to accommodate our processing of your personal data. The rules contain instructions and security measures with the aim of protecting your personal data in the best possible way.

With these measures, we will process your personal data in such a way that we prevent your personal data from being erased, changed or published without authorisation and ensure that unauthorised persons do not gain access to or knowledge of your personal data. 

We have therefore established procedures for granting access rights to those of our employees who process personal data. We control the access of employees through logging and monitoring, and we establish our workflows to minimise the risk of unauthorised access to the wrong data or too much data. This is one of our measures to protect the confidentiality of your personal data, which of course also means that we continuously develop and maintain our IT security.

To avoid the loss of personal data, we regularly back up our data, including the personal data we collect.

In the event of a security breach that results in a high risk to you, we will notify you of the incident and the details thereof as soon as possible. There will, for example, be a high risk if we assess that you may be exposed to discrimination, ID theft, financial loss, loss of reputation or other significant disadvantages.

We also report breaches of personal data security to the Danish Data Protection Agency in accordance with legislation.

1.13 Cookies

1.13.1 Data controller and contact information

Salling Group A/S is the data controller for the processing of your personal data via cookies. See our contact information under section 1.3.

We are also a joint data controller with Meta when you accept marketing cookies that include cookies from Meta. 

Their contact details are as follows:
 Meta Platforms Ireland Limited,
 Block J, Serpentine Avenue,
 Dublin 4, Ireland
 You can read more about Meta's personal data processing here:

Meta's Privacy Policy - How Meta Collects and Uses User Data | Privacy Center | Manage your privacy settings on Facebook, Instagram and Messenger | Privacy settings on Facebook .

You can read more about the joint data responsibility framework here.

We are also joint data controllers with TikTok when you accept marketing cookies and thus the TikTok Pixel on salling.dk.

Their contact details are as follows:

TikTok Information Technologies UK Limited,
6th Floor, One London Wall, London,
EC2Y 5EB, United Kingdom ("TikTok UK")

And

TikTok Technology Limited,
10 Earlsfort Terrace, Dublin,
D02 T380, Ireland ("TikTok Ireland")

You can read more about TikTok's personal data processing here: Privacy Policy | TikTok .

You can read more about the joint data responsibility framework here under section 3: Advertising on TikTok | TikTok Ads .

We are also joint data controllers with Pinterest when you accept marketing cookies on flowr.dk.

Their contact details are as follows:

Pinterest Europe Ltd.,
Palmerston House, 2nd Floor,
Fenian Street, Dublin 2, Ireland

You can read about Pinterest's personal data processing here: Privacy policy | Pinterest Policy

You can read more about the joint data responsibility framework here: Pinterest Business

1.13.2 What are cookies?

A cookie is a small text file that is stored on your computer, phone or other device that you use to visit a website.

Cookies are either placed on your device by us (1st party cookies) or one of our business partners (3rd party cookies).

We divide cookies into the following categories:

Necessary

Functional

Statistical

Marketing

1.13.3 For what purposes do we use cookies?

We use the necessary (technical) cookies to make our websites work. For example, necessary cookies ensure that you remain logged in while using the website, and they help us remember what you have put into your digital shopping basket.

The functional (personalised) cookies help us to get an overview of your visits and your preferred settings and choices on the website so we can continuously optimise and target the websites and our services for you. This allows us to provide you with a better user experience with more relevant content. 

We use statistical cookies to track your behaviour on our websites so we can optimise the design, user-friendliness and efficiency of the website.

We use marketing cookies to track your behaviour on our websites so we can target marketing and advertisements on our websites or our partners' websites, or via email if you have signed up for newsletters or other direct marketing from us.

Under section 2.1. of this privacy policy, you can read more about our personal data processing in relation to direct marketing.

You can always read more about our use of cookies, precisely which cookies are placed and how you can reject or delete cookies in the cookie policies of the specific websites.

1.13.4 Personal data we process about you on the basis of cookies

The types of cookies we place, if you give your consent, are stated on the cookie banners and the cookie declarations on the specific websites you visit. You can also access the full list of cookies on the website by clicking on ‘show details’ in the cookie banner.

You can always find the cookie banner by clicking on the cookie icon in the bottom lefthand corner of the website.

Our cookies can collect the following types of data about you, which may, depending on the circumstances, constitute personal data:

a unique ID

technical information about your computer, tablet or mobile phone

page settings and preferences, e.g., for language

the IP address of your terminal equipment

your geographical location

which pages you click on (interests and search history) 

information about transactions

1.13.5 The legal basis for our processing of your personal data based on cookies

The legal basis for our processing of your personal data proceeds from the following:

Necessary cookies collect personal data, which we process pursuant to the provisions of the Danish Data Protection Act art. 6(1)(f), as the processing is necessary for our legitimate interest in making the website usable and functional by enabling basic functions. This legitimate interest exceeds that of the data subject as the website cannot function properly without these cookies.

You cannot, therefore, opt out of the placement of necessary cookies, but you can read more about how to delete these cookies in the cookie policy on the specific websites.

Functional cookies, Statistical cookies and Marketing cookies collect personal data that we process on the basis of the General Data Protection Regulation 6(1)(a) as the collection takes place on the basis of your consent to the cookies in question.

You can read more about how to delete these cookies and how to adjust your consent in the cookie policies on the specific websites, which you can find via the small ‘cookie’ icon in the bottom left corner of the website.

1.13.6 Deletion of personal data collected via cookies

The cookie policy on the specific website contains instructions on how to delete your cookies.

Please note that even if you delete your cookies, the personal data that the cookie has already collected will still be processed.

We delete your personal data when the purpose of collecting and processing your personal data has been fulfilled.

In addition, you always have the option to request us to delete your personal data.

Where it is stated that we pass on personal data collected via cookies on our websites to third parties, please see the deletion policy in the privacy policy or equivalent policy of the receiving third party. You can find the third party's privacy policy via links in the cookie declaration in the cookie banner.

1.13.7 Distribution of personal data collected via cookies and transfers to third countries

In relation to the transfer of personal data that we process on the basis of cookies to recipients of personal data in third countries, please see section 1.16.1 of this privacy policy.

1.14 Tracking pixels

1.14.1 Data controller and contact information

Salling Group A/S is the data controller for the processing of your personal data via cookies. See our contact information under section 1.3.

We are also a joint data controller with Meta when you accept tracking pixels from Meta. 

Their contact details are as follows: 
Meta Platforms Ireland Limited,
Block J, Serpentine Avenue,
Dublin 4, Ireland
You can read more about Meta's personal data processing here: Meta's Privacy Policy - How Meta Collects and Uses User Data | Privacy Center | Manage your privacy settings on Facebook, Instagram and Messenger | Privacy settings on Facebook.

You can read about the services Salling Group A/S and Meta have joint data control here.

You can read more about the joint data responsibility framework here.

We are also joint data controllers with TikTok when you accept marketing cookies and thus the TikTok Pixel on salling.dk.

Their contact details are as follows:

TikTok Information Technologies UK Limited,
6th Floor, One London Wall, London,
EC2Y 5EB, United Kingdom ("TikTok UK")

And

TikTok Technology Limited,
10 Earlsfort Terrace, Dublin,
D02 T380, Ireland ("TikTok Ireland")

You can read more about TikTok's personal data processing here: Privacy Policy | TikTok .

You can read more about the joint data responsibility framework here under section 3: Advertising on TikTok | TikTok Ads .

We are also joint data controllers with Pinterest when you accept marketing cookies on flowr.dk.

Their contact details are as follows:

Pinterest Europe Ltd.,
Palmerston House, 2nd Floor,
Fenian Street, Dublin 2, Ireland

You can read about Pinterest's personal data processing here: Privacy policy | Pinterest Policy

You can read more about the joint data responsibility framework here: https://business.pinterest.com/en-us/pinterest-advertising-services-agreement/rest-of-emea/?change_language=true

1.14.2 What are tracking pixels?

In connection with sending marketing via e-mails, we use tracking pixels.

Tracking pixels are very small, monochrome images that typically blend in with the background. A tracking pixel can, for example, be a 1x1 pixel white image on a white background.

When you open an e-mail with a tracking pixel in it, or open/load a website with a tracking pixel on it, your (e-mail) system will retrieve the image from the third party that offers that pixel. In this process, your (e-mail) system reports certain information back to the third party.

Based on this data, we receive information about how many and who opens the e-mail or the website when you do so, which links and buttons are clicked, whether this takes place from a mobile or a computer and your operating system.

1.14.3 For what purposes do we use tracking pixels?

We use the information to keep statistics, analyse the effect of our marketing via e-mails and to target our marketing based on your behaviour on our websites with tracking pixels.

Under section 2.1. of this privacy policy, you can read more about our personal data processing in relation to direct marketing.

1.14.4 Personal data we process about you on the basis of tracking pixels

Our tracking pixels can collect the following types of data about you, which may, depending on the circumstances, constitute personal data:

a unique ID

technical information about your computer, tablet or mobile phone

page settings and preferences, e.g., for language

the IP address of your terminal equipment

your geographical location

which pages you click on (interests and search history) 

information about transactions

text entered into form fields

1.14.5 The legal basis for our processing of your personal data based on tracking pixels

The legal basis for our processing of your personal data proceeds from the following:

Our processing takes place on the basis of consent to marketing cookies on our websites, cf. the General Data Protection Regulation art. 6(1)(a).

You can read more about how to delete these cookies, and thus also deactivate tracking pixels, and how to adjust your consent in the cookie policies on the specific websites.

1.14.6 Deletion of personal data collected via tracking pixels

The cookie policy on the specific website contains instructions on how to delete your cookies. When you remove your consent to cookies, it also follows that our tracking via pixels ends.

You always have the option to request us to delete your personal data.

Where it is stated that we pass on personal data collected via cookies on our websites to third parties, we refer you to the deletion policy in the privacy policy or equivalent policy of the receiving third party. You can find the third party's privacy policy via links in the cookie declaration in the cookie banner.

1.14.7 Distribution of personal data collected via tracking pixels and transfers to third countries

In relation to the transfer of personal data that we process on the basis of tracking pixels to recipients of personal data in third countries, please see section 1.16.1 of this privacy policy.

1.15 Transfer and disclosure of personal data

If it is necessary for the processing of your personal data for the specified purposes, then we hand over or forward your personal data, depending on the circumstances, to the following categories of recipients:

Data processors, e.g., IT suppliers as part of the operation and support of our websites and systems or suppliers of services for targeting marketing

Other companies in the Salling Group company

Our business partners in the form of suppliers and sub-suppliers of goods and services

Accountants, lawyers and other advisers

Public authorities where required by law

1.16 The transfer or forwarding to recipients in third countries

1.16.1 The transfer or forwarding to recipients in third countries via cookies and tracking pixels

In general

We pass on personal data on the basis of cookies and tracking pixels to a number of recipients outside the EU and EEA.

The placement of cookies and tracking pixels, and their collection of personal data, may involve transfers to third countries to these companies:

Amazon Web Services --> Amazon Web Services, Inc. (USA)

Microsoft, Bing, Microsoft Azure --> Microsoft Corporation (USA)

Google Analytics, Google Marketing Platform, YouTube, Google Tag Manager --> Google LLC (USA)

Zendesk --> Zendesk, Inc. (USA)

Scarab Research, Emarsys --> Emarsys North America, Inc. (USA)

Facebook --> Meta Platforms, Inc. (USA)

Datadog --> Datadog, Inc. (USA)

New Relic --> New Relic, Inc. (USA)

Cloudflare --> Cloudflare, Inc (USA)

Vimeo --> Vimeo.com, Inc. (USA)

ContentSquare, Hotjar (Carls Jr.) --> ContentSquare Ltd. (UK)

TikTok--> TikTok companies in third countries (USA, China, Brazil, Malaysia , The Philippines and Singapore)

Pinterest flowr.dk)-->USA

This is a non-exhaustive list based on the cookies and tracking pixels we currently use (May 2023) and applies to salling.dk, netto.dk, bilka.dk and foetex.dk.

Please note that one of our websites can place cookies that involve third country transfers and which do not appear on this list. You will always be able to find the current cookies via the specific website's cookie banner. 

In the case of transfers to secure third countries, including the UK, the transfer basis is the General Data Protection Regulation art. 45.

In the case of transfers to unsafe third countries, e.g., the USA, the transfer basis is the EU's Standard Contractual Clauses (EU SCC), cf. the General Data Protection Regulation art. 46(2)(c).

You can read more about transfers to third countries on the Danish Data Protection Agency's website here: https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internationalt-

You can read about the Standard Contractual Clauses on the EU Commission's website here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

And you can read the EU's Standard Contractual Clauses here: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en

1.16.2 The transfer of personal data to recipients in third countries that does not take place via cookies or tracking pixels

In certain cases, we use data processors, suppliers or sub-suppliers that are based outside the EU and the EEA or who process personal data outside the EU and the EEA.

In these cases, the transfer of personal data to third countries may occur. This can happen, for example, if you shop via one of our webshops or participate in a competition or event.

When transfers of personal data to third countries occur, we always ensure that the transfer takes place in accordance with chapter 5 of the General Data Protection Regulation.

This is intended to ensure that the level of protection guaranteed to you under the General Data Protection Regulation in the EU is not undermined when your personal data is transferred out of the EU/EEA.

In any transfers to a so-called safe third country, e.g., the UK, the transfer will take place on the basis of an adequacy decision made by the EU Commission and based on the General Data Protection Regulation art. 45.

In cases where there are transfers to an unsafe third country, the transfer will typically take place on the basis of the General Data Protection Regulation art. 46(2)(c) because the EU Standard Contractual Clauses (EU SCC) have been agreed.

You can read more about transfers to third countries on the Danish Data Protection Agency's website here: https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internationalt-

You can read about the Standard Contractual Clauses on the EU Commission's website here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

And you can read the EU's Standard Contractual Clauses here: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en 

2. Specific privacy policies

2.1 Privacy policy for marketing distribution

In this section, you can read about our processing of your personal data in connection with the distribution of direct marketing. You can consent to receiving direct marketing on several of our webshops, mobile apps or when shopping in our physical stores.

In the following, we refer to all types of direct marketing, including newsletters, offers, campaigns, competitions, etc. under the collective term 'marketing'. Direct marketing can be sent, for example, via e-mail, SMS, phone calls, push notifications and messages in mobile apps.

2.1.1 Data controller and contact information

Salling Group A/S
CVR-nr. 35954716
Rosbjergvej 33
8220 Brabrand
www.sallinggroup.com

We encourage you to contact us via gdpr@sallinggroup.com if you have any questions or wish to exercise your rights.

2.1.2 The purpose and legal basis for the processing of your personal data

We process your personal data for the following purposes:

Sending direct marketing, e.g., via emails or SMS, with news, campaigns, offers, as well as information about competitions and events

Marketing of similar products after purchasing

Administration of your relationship with us as someone registered for marketing

Statistical purposes for optimising our marketing and websites

Targeting of our marketing to you on the basis of your clicking behaviour, cookies and the data we receive from you in connection with your registration, including through the use of profiling. You can read more about profiling under section 2.1.8.

Registration of parentage/guardianship when collecting information about children

The legal basis for our processing of your personal data proceeds from the following:

1) Your consent to receive direct marketing, cf. the General Data Protection Regulation art. 6(1)(a)

2) Our legitimate interest in being able to send marketing based on previous purchases, cf. the General Data Protection Regulation art. 6(1)(f)­­

3) Our legitimate interest in being able to manage your registration for marketing, cf. the General Data Protection Regulation art. 6(1)(f)

4) Our legitimate interest in processing personal data for statistical purposes to optimise our marketing and websites, cf. the General Data Protection Regulation art. 6(1)(f)

5) Your consent to marketing cookies, according to which we may use data collected about you and your user behaviour for marketing and data provided by you when registering, cf. the General Data Protection Regulation art. 6(1)(a)

6) Our legitimate interest in processing personal data about parenthood for the administration of benefits and offers intended for children and for statistical purposes so we can optimise our marketing, cf. the General Data Protection Regulation art. 6(1)(f)

2.1.3 Categories of personal data

Personal data that may be processed includes:

Contact information, including name, telephone number and e-mail

Your clicking behaviour in relation to distributed marketing and behaviour on our websites and apps

Name, date of birth and purchase history regarding children in relation to marketing where the content is determined by your child's age

Information about parentage/guardianship

Purchase history from webshops

Other data as specified under section 1.13 on cookies with respect to marketing cookies and data specified under section 1.14 on tracking pixels.

2.1.4 Recipients or categories of recipients

We hand over your personal data to be processed by the following categories of recipients:

Our suppliers of IT systems for the administration and distribution of marketing

Our operational and support suppliers of internal IT systems, including IT systems for your registration for direct marketing

Our suppliers of solutions for use in statistics and optimisation

Other companies in the Salling Group company

Our suppliers of marketing services, including suppliers of third-party cookies and tracking pixels

2.1.5 Transfer to recipients in third countries

We use suppliers who are either established in countries outside the EU/EEA or who use sub-suppliers outside the EU/EEA, so we will therefore transfer your personal data to recipients outside the EU/EEA.

These are the following countries concerned: India, Costa Rica, Malaysia, The Philippines, USA, UK, Hong Kong, Canada, Australia and Serbia.

These are the following categories of recipients:

Our suppliers of IT systems for the administration and distribution of marketing

Our operational and support suppliers of internal IT systems, including IT systems for your registration for direct marketing

Our suppliers of marketing services, including suppliers of third-party cookies and tracking pixels

Some of our suppliers use Amazon Web Services in relation to hosting, for example. In connection with this, personal data may be transferred to countries contained in this list: https://aws.amazon.com/compliance/sub-processors/

The transfer bases are:

Transfers to the UK take place pursuant to the General Data Protection Regulation art. 45 as the transfer is based on the EU Commission's decision of 28 June 2021 on the adequacy of the level of protection in the UK.

Transfers to other third countries take place pursuant to the General Data Protection Regulation art. 46(2)(c) as the necessary guarantees are secured through standard contractual clauses on data protection adopted by the European Commission (EU-SCC).

You can read more about third country transfers on the Danish Data Protection Agency’s website here: Third country transfers (datatilsynet.dk)

2.1.6 Where your personal data comes from

We collect your personal data directly from you in connection with your registration to receive marketing and through your clicking behaviour via cookies and tracking pixels.

2.1.7 Storage of your personal data

We store your personal data as long as you are registered to receive marketing from us. However, we anonymise your personal data if 1 year has passed since you last read the marketing received from us.

If we process your personal data on the basis of your consent and you withdraw your consent, then your personal data and the consent will be deleted immediately after you withdraw the consent. You can read more about this under section 2.1.9.

We store data about your digital behaviour, for example, your clicking behaviour, information from cookies etc. for 12 months.

2.1.8 Profiling

We use profiling to target our advertising.

The profiling will not significantly affect individuals as it is limited to marketing use.

Profiling can be done by comparing personal data about your behaviour on our websites and apps with the data you have provided in connection with purchases and the data you have provided in your consent to receive marketing.

We profile which products or product groups you are most interested in so we can target our marketing and thus offer you the most relevant offers, news and products.

You can, at any time, object to profiling for the purpose of direct marketing, after which we will stop processing your personal data as stated and erase the personal data collected about you. 

2.1.9 The right to withdraw consent

Your consent is voluntary and you can withdraw it at any time by contacting us. Contact us if you have any questions or wish to withdraw your consent .

Please note that if you choose to withdraw your consent in relation to data provided to us, we will not be able to process your data further unless we are obliged to do so or our continued processing is necessary for legal claims to be established, asserted or defended, cf. the General Data Protection Regulation art. 17(3)(b and e). There will also be certain features or services that you may not be able to use without consent.

If you choose to withdraw your consent, this does not affect the legality of our processing of your personal data based on your previously communicated consent and up to the time of the withdrawal. If you withdraw your consent, therefore, it only takes effect from the point you do so.

2.1.10 Your rights

See section 4. in this privacy policy. 

2.2 Privacy policy for reservations at webshops (Click & Collect (Bilka) and Klik & Hent (føtex))

2.2.1 Data controller and contact information

Salling Group is the data controller for the processing of the personal data that we have received about you in relation to your reservation.

Salling Group A/S
CVR-nr. 35954716
Rosbjergvej 33
8220 Brabrand
www.sallinggroup.com

We encourage you to contact us via gdpr@sallinggroup.com if you have any questions or wish to exercise your rights.

2.2.2 The purpose and legal basis for the processing of your personal data

We process your personal data for the following purposes:

Reservation of the selected item(s)

Administration of your relationship with us

Compliance with our obligations under the law, including, for example, the Danish Bookkeeping Act

The legal basis for our processing of your personal data proceeds from the following:

The processing is necessary for the conclusion and fulfilment of our agreement with you regarding the reservation of goods or services via our webshop, cf. the General Data Protection Regulation art. 6(1)(b).

Our legitimate interest in being able to manage your data as a customer with us, cf. the General Data Protection Regulation art. 6(1)(f).

Processing in order to be able to fulfil our obligations according to legislation, including the Danish Bookkeeping Act, cf. the General Data Protection Regulation art. 6(1)(c).

Please note that if you are logged in with your Salling Group Profile, your personal data will also be processed in accordance with the privacy policy for the Salling Group Profile, which you can find here.

2.2.3 Categories of personal data

We process the following categories of personal data about you:

Name, telephone number and email

Address

Payment information, if the reservation is made through Bilka Click & Collect

Your order

IP address

The personal data associated with your Salling Group Profile, if you are logged into your profile when ordering. Read more about our personal data processing in relation to your Salling Group Profile here.

2.2.4 Recipients or categories of recipients

We forward or hand over your personal data to the following recipients:

Data processors who provide services for internal data processing in connection with your reservation. This can, for example, be suppliers of software solutions that enable the administration and delivery of your order

Data processors who process personal data externally, such as in hosting the system in which your order is stored

Other companies in the Salling Group company

Our business partners in the form of suppliers and sub-suppliers of goods and services

Accountants, lawyers and other advisers

Public authorities, where required

2.2.5 Transfer to recipients in third countries

In certain cases, we transfer data to suppliers or sub-suppliers outside the EU and EEA when you make reservations for goods via our webshop.

These will involve transfers to:

UK

USA

When transfers of personal data to third countries occur, we always ensure that the transfer takes place in accordance with chapter 5 of the General Data Protection Regulation.

This is intended to ensure that the level of protection guaranteed to you under the General Data Protection Regulation in the EU is not undermined when your personal data is transferred out of the EU/EEA.

In any transfers to a so-called safe third country, e.g., the UK, the transfer will take place on the basis of an adequacy decision made by the EU Commission and based on the General Data Protection Regulation art. 45.

In cases where there are transfers to an unsafe third country, the transfer will typically take place on the basis of the General Data Protection Regulation art. 46(2)(c) as the EU Standard Contractual Clauses (EU SCC) have been agreed.

You can read more about transfers to third countries on the Danish Data Protection Agency's website here: https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internationalt-

You can read about the Standard Contractual Clauses on the EU Commission's website here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

And you can read the EU's Standard Contractual Clauses here: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en 

2.2.6 Where your personal data comes from

You have submitted the data yourself in connection with the reservation. In this instance, we will have also collected the IP address from your mobile, computer or any other type of equipment used.

2.2.7 Storage of your personal data

We store your personal data for 2 hours from your reservation.

Data required by bookkeeping obligations will be stored for the relevant financial year (calendar year) of the reservation in question + 5 years, cf. the Danish Bookkeeping Act.

 2.2.8 Your rights

See section 4

2.3 Privacy policy for stock notifications at webshops

2.3.1 Data controller and contact information

Salling Group is the data controller for the processing of the personal data that we have received about you in relation to your notification requests.

Salling Group A/S
CVR-nr. 35954716
Rosbjergvej 33
8220 Brabrand
www.sallinggroup.com

We encourage you to contact us via gdpr@sallinggroup.com if you have any questions or wish to exercise your rights.

2.3.2 The purpose and legal basis for the processing of your personal data

We process your personal data for the following purposes:

To notify you when the item is in stock

For the administration of your relationship with us

The legal basis for our processing of your personal data proceeds from the following:

Entering into an agreement for notification when the item is back in stock, cf. the General Data Protection Regulation art. 6(1)(b)

Our legitimate interest in being able to manage your data as a customer with us, cf. the General Data Protection Regulation art. 6(1)(f).

2.3.3 Categories of personal data

We process the following categories of personal data about you:

Email address

Your order

IP address

The personal data associated with your Salling Group Profile, if you register for notifications using this. Read more about our personal data processing in relation to your Salling Group Profile here.

2.3.4 Recipients or categories of recipients

We forward or hand over your personal data to the following recipients:

Data processors who provide services for internal data processing; these can, for example, be suppliers of software solutions that enable us to register your email address and notification request

Data processors who process personal data externally; these can, for example, be for hosting the platform on which the website is stored.

Our business partners in the form of suppliers and sub-suppliers of goods and services

Other companies in the Salling Group company

Accountants, lawyers and other advisers

Public authorities, where required

 2.3.5 Transfer to recipients in third countries

In certain cases, we transfer data to suppliers or sub-suppliers outside the EU and EEA, for example, when you make goods reservations via our webshop.

We use the following suppliers where the transfer of personal data to countries outside the EU/EEA may occur:

Microsoft Corporation: Headquartered in the USA

Google LLC: Headquartered in the US, and transfers may take place to India.

Trustpilot A/S: transfers to the USA and Australia can take place

The transfer basis is:

All data processors listed above use the EU Commission's Standard Contractual Clauses (SCC) as a transfer basis, cf. the General Data Protection Regulation art. 46.

2.3.6 Where your personal data comes from

You have submitted the data yourself in connection with the notification request. In this instance, we will have also collected the IP address from your mobile or computer.

2.3.7 Storage of your personal data

We store your personal data until you have been notified or until we find that the item is out of stock.

2.3.8 Your rights

See section 4 

2.4 Privacy Policy for Social Media

The following describes how we process your personal data in connection with your and our use of social media (" SoMe ").

2.4.1 Data controller and contact information

Salling Group is the data controller for the processing of your personal data via SoMe when you use, like, share, comment or otherwise interact with us via our SoMe profiles.

Salling Group A/S
CVR-nr. 35954716
Rosbjergvej 33
8220 Brabrand
www.sallinggroup.com

We encourage you to contact us via gdpr@sallinggroup.com if you have any questions or wish to exercise your rights.

In certain situations, we are joint data controllers with Meta. This applies to the following processing activities:

If you use your profile for a SoMe owned by Meta (for example, Facebook or Instagram) for login to our apps and/or websites

In connection with our Facebook pages and Instagram profiles, and the activities and interactions you make through them

Their contact details are as follows:
 Meta Platforms Ireland Limited,
 Block J, Serpentine Avenue,
 Dublin 4, Ireland

You can read more about Meta's personal data processing here: Meta's policy on the protection of personal data - How Meta collects and uses user data | Privacy Center | Manage your privacy settings on Facebook, Instagram and Messenger | Privacy settings on Facebook .

In certain situations, we are joint data controllers with TikTok. This applies to the following processing activities:

Collection and data analysis of data concerning activity and interactions with our profiles and advertisements on TikTok.

Their contact details are as follows:

TikTok Information Technologies UK Limited,
6th Floor, One London Wall, London, EC2Y 5EB, United Kingdom ("TikTok UK")
and
TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok Ireland")

You can read more about our joint data control here: Advertising on TikTok | TikTok Ads

There is a direct link to this from the social media in question, so you can read about our processing and your rights in connection with your use of our pages, etc., which are based on or use the platform of the social media concerned.

In relation to the processing of personal data that results from you creating and using a profile on SoMe, we refer you to the respective providers' conditions.

2.4.2 Interactions with Salling Group on social media

See section 2.6. regarding the processing of personal data in customer service via Salling Group's SoMe profiles.

2.4.3 The purpose and legal basis for the processing of your personal data

We process your personal data for the following purposes:

To offer the use of your Facebook profile to log in to our websites and mobile apps.

To answer your inquiries to us made via SoMe communication tools, e.g., private messages, including via our customer service.

In holding competitions and publishing user content via SoMe

For personalisation of marketing, including newsletters, and our websites for you, including via profiling based on cookies. See also section 2.1.8.

For internal analysis and reporting of campaigns and communication actions, including the gathering of statistics

The legal basis for our processing of your personal data proceeds from the following:

Our legitimate interest in handing over your username and associated email on our websites and mobile apps to SoMe, where you use SoMe for login, cf. the General Data Protection Regulation art. 6(f)

Our legitimate interest in being able to answer your inquiries to us via SoMe, cf. the General Data Protection Regulation art. 6(f)

Your consent in participating in one of our competitions via SoMe, cf. the General Data Protection Regulation art. 6(a)

Your consent to, and our legitimate interest in being able to collect and manage your data, including via cookies and tracking pixels placed by Meta, to optimise our advertising, websites and emails with marketing, news, etc. for you (profiling), cf. the General Data Protection Regulation art. 6(a), (f) and art. 22, subsection 2(c).

Fulfilment of legal obligations, e.g., as a result of inquiries from public authorities or courts, cf. the General Data Protection Regulation art. 6(c)

Our legitimate interest in preparing internal analysis and reporting of campaigns and communication actions, cf. the General Data Protection Regulation art. 6(f)

2.4.4 Categories of personal data

Data that may be collected and processed include:

When logging in via SoMe on our websites or mobile apps: the profile information that you have made publicly available to us on the relevant SoMe, e.g., name, contact details, your friends/contacts (depending on your privacy settings on the respective SoMe platform).

Your behaviour on our pages, groups and events, e.g., your interaction with us and others, including your comments, messages, posts and sharing of content in general, as well as your clicks on ads and features, including likes, follows, interests, sharing of pages etc.

The data that you submit in your messages, comments or postings either directly to us or publicly on the page, group or event,

If you have signed up to receive marketing, including one of our newsletters, we will send your email to Facebook/Instagram for the purpose of targeting marketing on Facebook and Instagram. We also refer you to section 1.

Information about your specific purchases and orders via one of our stores or webshops where your inquiry to us via SoMe concerns these

The photos and videos that contain personal data that you may send to us or share on our pages, groups or events on SoMe

Data about you shared by other users on our pages, groups and events on SoMe

2.4.5 Recipients or categories of recipients

We hand over your personal data to be processed by our data processors in the form of suppliers of IT systems that we use to manage our SoMe sites, groups and events, and profiles.
In addition, in certain cases your personal data is forwarded to other companies in the Salling Group company.

2.4.6 Transfer to recipients in third countries

Forwarding as a result of us using SoMe:

We forward your username and your associated email to Facebook Inc. and LinkedIn, if you use your Facebook or LinkedIn profile to log in to one of our websites or mobile apps. In this instance, the respective SoMe provides data processing for us.

The different providers also collect personal data in the form of your behaviour on our SoMe pages and so on, and will be able to compare the data with your SoMe profile, whereby the respective SoMe providers will be able to identify you. In this instance, the individual providers are independent data controllers for certain personal data, while for other data, the SoMe providers are joint data controllers with us. We therefore refer you to the privacy policy of the relevant SoMe provider for your profile and their other policies for use of the platforms.

Transfer basis for the SoMe platform providers:

Meta Platforms Ireland limited (Facebook and Instagram) – USA

EU Standard Contractual Clauses, cf. the General Data Protection Regulation art. 46

Read about Meta Platform's Standard Contractual Clauses here

TikTok – USA, China, Brazil, Malaysia, The Philippines and Singapore

EU Standard Contractual Clauses, cf. the General Data Protection Regulation art. 46

Forwarding due to having data processed by Falcon.io ApS, whose software we use to process your communication with us via SoMe, including in relation to customer service.

Falcon.io ApS may, depending on the circumstances, transfer or hand on your personal data to suppliers of IT and software services with the following transfer basis:

USA

EU Standard Contractual Clauses, cf. the General Data Protection Regulation art. 46

Brazil

EU Standard Contractual Clauses, cf. the General Data Protection Regulation art. 46

India

EU Standard Contractual Clauses, cf. the General Data Protection Regulation art. 46

China

EU Standard Contractual Clauses, cf. the General Data Protection Regulation art. 46

You can read more about the transfer basis here:

EU Standard Contractual Clauses: Read more here

You can also read more about the transfer basis on the Danish Data Protection Agency's website www.datatilsynet.dk .

2.4.7 Where your personal data comes from

The data you have submitted in connection with your use of our pages, groups and events on Facebook and LinkedIn, and the data we have collected via cookies placed by SoMe providers. In relation to Facebook's and Instagram's placement of cookies, please see the individual platforms' privacy policies, cookie policies, etc.

See also section 1.13 about our placement of cookies related to SoMe and section 2.4.10 on profiling.

2.4.8 Storage of your personal data

We store your personal data in the form of posts, messages, likes, images and so on via our SoMe pages or one of our postings until you choose to delete these. Private messages are stored as long as there is a purpose for them, for example, in connection with customer service.

In relation to our gathering of behavioural data about your use of our Facebook and Instagram pages via cookies, including on the basis of your registration to receive marketing, please see section 1.13 on cookies and section 2.1 on marketing.

2.4.9 Profiling

We use profiling to target our advertising and marketing to you based on your behaviour on our Facebook and Instagram pages, groups and events, together with the data you have provided in connection with purchases via our webshops, including your purchase history, use of our mobile apps and our websites outside of Facebook and Instagram, as well as when signing up for one of our newsletters, other marketing distribution or one of our customer clubs.

In relation to our gathering of behavioural data about your use of our Facebook and Instagram pages via cookies on the basis of your registration to receive marketing, including one or more of our newsletters, we refer to section 2.1 on marketing.

In relation to the collection of data in connection with your purchases via our webshops, we refer you to the terms and conditions for the webshop in question as well as the cookie policy for the webshop's website.

The profiling will not significantly affect individuals as it is limited to marketing use.

We profile you so we can target our advertising and therefore offer you the most relevant offers, news and products on Facebook and our other social media, mobile apps, newsletters and websites.

You can object to profiling and marketing at any time, after which we will cease the activity and erase the personal data collected about you.

2.4.10 Your rights

See section 4 

2.5 Privacy policy for CCTV surveillance in Salling Group stores

Salling Group processes image and video material gathered through CCTV surveillance from Salling Group's stores, storage facilities and head office.

2.5.1 Data controller and contact information

Salling Group A/S
CVR-nr. 35954716
Rosbjergvej 33
8220 Brabrand
www.sallinggroup.com

We encourage you to contact us via gdpr@sallinggroup.com if you have any questions or wish to exercise your rights.

2.5.2 The purpose and legal basis for the processing of your personal data

We process your personal data for the following purposes:

To proactively prevent crime

To increase security for Salling Group's employees and customers

To safeguard Salling Group's values and assets

To clarify any disputes and insurance and compensation cases through the recordings

To clarify any customer complaints and customer cases, including insurance and compensation cases, through the recordings

The legal basis for our processing of your personal data proceeds from the following:

1: our legitimate interest in proactively preventing crime, cf. the General Data Protection Regulation art. 6(1)(f)

2: our legitimate interest in increasing the safety of Salling Group's employees and customers, cf. the General Data Protection Regulation art. 6(1)(f)

3: our legitimate interest in securing Salling Group's values and assets, cf. the General Data Protection Regulation art. 6(1)(f)

4: our legitimate interest in resolving any disputes, insurance cases and criminal matters and keeping the relevant documentation, cf. the General Data Protection Regulation art. 6(1)(f)

5: our legitimate interest in clarifying customer complaints and customer cases, cf. the General Data Protection Regulation art. 6(1)(f)

In cases where the image and video material contains data that concerns criminal offences, the processing will be based on section 8, para. 3 of the Danish Data Protection Act, as the processing is necessary to safeguard a legitimate interest, cf. the General Data Protection Regulation art. 10.

In cases where data concerning criminal matters is processed so that legal claims can be established, asserted or defended, the authority follows from the Danish Data Protection Act section 8, para. 5, cf. section 7, para.1, cf. the General Data Protection Regulation art. 9(2)(f).

2.5.3 Categories of personal data

We process the following categories of personal data about you:

General data in the form of pictures and video (without sound) recorded in our stores, warehouses, storage facilities, etc.

In special cases, personal data concerning criminal offenses may be processed in connection with specific incidents

2.5.4 Recipients or categories of recipients

Depending on the circumstances, we may hand over your personal data to the following categories of recipients:

Data processors, such as the security company that manages surveillance, as well as external IT suppliers as part of the hosting, operation and support of the systems that store CCTV surveillance

Other companies in the Salling Group company

Lawyers and other advisers.

Public authorities, where required by law, including the police.

2.5.5 Transfer to recipients in third countries

Image and video material can be accessed from India in connection with IT systems support.

The transfer basis for this is the EU Standard Contractual Clauses, cf. the General Data Protection Regulation art. 46(2)(c). 

You can read more about transfers to third countries on the Danish Data Protection Agency's website here: https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internationalt-

You can read about the Standard Contractual Clauses on the EU Commission's website here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en  

And you can read the EU's Standard Contractual Clauses here: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en

 2.5.6 Where your personal data comes from

Your personal data is collected in connection with CCTV surveillance from our stores, warehouses, central warehouses, administration buildings, etc.

2.5.7 Storage of your personal data

Image and video material is stored for 21 days. After this, the material is then automatically deleted.

In connection with access requests and specific cases, personal data (the video material) is stored for as long as it is necessary to fulfil the access request, or as long as it is necessary for the purposes of the specific case.

2.5.8 Your rights

See section 4

2.6 Privacy Policy for Customer Service

2.6.1 Data controller and contact information

Salling Group A/S
CVR-nr. 35954716
Rosbjergvej 33
8220 Brabrand
www.sallinggroup.com

We encourage you to contact us via gdpr@sallinggroup.com if you have any questions or wish to exercise your rights.

2.6.2 The purpose and legal basis for the processing of your personal data

We process your personal data for the following purposes:

Answering inquiries from our customers in relation to specific purchases, including claims, carrying out repairs and complaints

Answering inquiries from our customers in relation to general matters, including service announcements, assortment, events, products, stores, etc.

Responding to requests in relation to the General Data Protection Regulation (GDPR), including processing to ensure that you have the opportunity to exercise your rights in relation to the General Data Protection Regulation (GDPR) and for our administration and documentation thereof.

Recording of telephone conversations for the purpose of training and improving our customer service. 

Contact by email or telephone for the purpose of preparing customer satisfaction surveys to improve our customer service.

The legal basis for our processing of your personal data proceeds from the following:

1): The processing is necessary for the purpose of fulfilling a contract, cf. the General Data Protection Regulation art. 6(1)(b), or Salling Group's legitimate interest in being able to defend ourselves in the event of legal claims or complaints, cf. the General Data Protection Regulation, art. 6(1)(f)

2): Salling Group's legitimate interest in, for example, being able to offer customer service to customers, cf. the General Data Protection Regulation art. 6(1)(f)

3): The processing is necessary to comply with a legal obligation resting on the data controller, cf. the General Data Protection Regulation art. 6(1)(c)

4): Your consent for us to record telephone conversations, cf. the General Data Protection Regulation art. 6(1)(a)

5): Salling Group's legitimate interest in improving our customer service on the basis of customer satisfaction surveys, cf. the General Data Protection Regulation art. 6(1)(f)

2.6.3 Categories of personal data

We can, for example, process the following categories of personal data about you, depending on the specific request:

General personal data in the form of:

Name, address

Email, telephone number

Personal data included in your specific complaint, request, inquiry, claim, error description for repairs or compliments

Order data, profile data, payment data

Preferences, data concerning behaviour

Case number in customer service

Personal data we process from Salling Group's other systems in order to handle your specific enquiry

Recipients or categories of recipients

In connection with processing your inquiry to customer service, Salling Group may share your personal data with certain data processors and business partners. These recipients depend on your inquiry.

These are the following categories of recipients:

Other companies in the Salling Group company

External IT suppliers, for example, as part of our IT systems' operations and support

Our business partners in the form of suppliers and sub-suppliers of goods and services to you on our behalf, e.g., transport, delivery of goods from webshops and carrying out repairs.

If you contact us via one of our profiles on social media, the personal data you provide in your inquiry will be shared with the relevant social media.

Accountants, lawyers and other advisers

Public authorities where required by law

2.6.4 Transfer to recipients in third countries

In connection with the handling of your inquiry made to us via a social media platform, your personal data may be transferred to third countries from the relevant social media. The social media in question is the independent data controller for the processing of your personal data in connection with your use of the media. You can read more about this on the relevant social media sites.

In connection with handling your inquiry, we use various IT suppliers. Here, your personal data may be transferred to third countries.

The transfer basis for this is, as a rule, the EU Standard Contractual Clauses, cf. the General Data Protection Regulation art. 46(2)(c). However, one of our suppliers uses binding corporate rules for transfers between the supplier's subsidiaries, so the authority here is the General Data Protection Regulation art. 47.

You can read more about transfers to third countries on the Danish Data Protection Agency's website here: https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internationalt-

You can read about the Standard Contractual Clauses on the EU Commission's website here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

And you can read the EU's Standard Contractual Clauses here: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en

2.6.5 Where your personal data comes from

Your personal data is collected from you. The collection takes place in connection with your inquiry to us or where you use other of our services.

2.6.6 Storage for GDPR inquiries

If you have contacted us to exercise your rights pursuant to the General Data Protection Regulation (e.g., requested access to or erasure of personal data we process about you), we will generally store your request until the case is closed, unless it is specifically necessary to store the request for a longer period of time.

2.6.7 Storage of inquiries to customer service

The retention period for inquiries to customer service will depend on the nature of the inquiry, including whether the data is stored as part of a claim, use of a product guarantee or on another legal or contractual basis. As a starting point, your inquiry and personal data collected in connection with this will be stored for 3 ½ years.

Telephone conversations recorded in customer service are automatically deleted after three months, unless you withdraw your consent before the expiry of this period. 

2.6.8 The right to withdraw consent

Your consent for us to record your telephone conversations with customer service is voluntary, and you can withdraw it at any time by contacting us. Contact us if you have any questions or wish to withdraw your consent .

Please note that if you choose to withdraw your consent in relation to data provided to us, we will not be able to process your data further unless we are obliged to do so or our continued processing is necessary for legal claims to be established, asserted or defended, cf. the General Data Protection Regulation art. 17(3)(b and e). There will also be certain features or services that you may not be able to use without consent.

If you choose to withdraw your consent, this does not affect the legality of our processing of your personal data based on your previously communicated consent and up to the time of the withdrawal. If you withdraw your consent, therefore, it only takes effect from the point you do so.

2.6.9 Your rights

See section 4

2.7 Handling of insurance and compensation cases

Here you can read about how we process your personal data if you:

as a customer are injured in one of our stores

as a customer have your property damaged in one of our stores

if a product you have purchased in one of our stores causes you, or a person you have the custody or guardianship of, to be injured or have property damaged. 

These insurance cases are handled by our insurance company:

Salling Group Forsikring A/S

CVR-nr. 21503886

Rosbjergvej 33

8220 Brabrand

insurance@sallinggroup.com

You can read more about Salling Group Forsikring A/S' processing of your personal data in connection with insurance cases here.

2.8 Privacy Policy for employees of Salling Group A/S

Please see the current version of the applicable privacy policy, which you can find at: https://sallinggroup.com/kontakt/medarbejdere/

If you wish to exercise your rights, please contact us via https://hrgdpronly.sallinggroup.com/

3. Protection of personal data

Our processing of personal data takes place according to procedures and guidelines implemented at Salling Group A/S. These contain instructions and measures aimed at protecting your personal data.

We will therefore process your personal data in a way that prevents personal data from being destroyed, lost, changed, made public without authorisation, and against unauthorised persons gaining access to or knowledge of your personal data.

We have established procedures for granting access rights to those of our employees, including fund administrators who process personal data and data that reveals information concerning personal interests and habits. We control their specific access through logging and monitoring. To avoid data loss, we regularly back up our data sets.

In the event of a security breach that results in a high risk to you of discrimination, ID theft, financial loss, loss of reputation or other significant disadvantages, we will notify you of the security breach as soon as possible.

4. Your rights

According to the General Data Protection Regulation, you have a number of rights in relation to our processing of data about you.

If you want to exercise your rights, please contact us here .

You can read more about your rights in the Danish Data Protection Agency’s guidance on the rights of data subjects, which you can find at www.datatilsynet.dk.

4.1 Right to see data (right of access)

You have the right to gain an insight into the data we process about you, as well as a range of other data concerning the processing, cf. the General Data Protection Regulation art. 15.

4.2 Right to rectification

You have the right to have incorrect personal data corrected, cf. the General Data Protection Regulation art. 16.

4.3 Right to erasure

In a number of cases, you have the right to have personal data erased before our general deletion occurs, cf. the General Data Protection Regulation art. 17.

4.4 Right to restriction of processing

In certain cases, you have the right to have the processing of your personal data limited to storage only, cf. the General Data Protection Regulation art. 18.

4.5 Right to object

In certain cases, you have the right to object to our otherwise lawful processing of your personal data and to object to the processing of your personal data for direct marketing, cf. the General Data Protection Regulation art. 21.

4.5 Right to transmit data (data portability)

In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to have this personal data transferred from one data controller to another without hindrance, cf. the General Data Protection Regulation art. 20.

4.7 Complaints to the Danish Data Protection Agency

You have the right to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with the way we process your personal data. You can find the Danish Data Protection Agency’s contact information at www.datatilsynet.dk .

5. Changes and version history

We reserve the right to make changes to this privacy policy. Upon such changes, the date and version number of the privacy policy will be changed. The current version of the applicable privacy policy will be available on our website https://www.sallinggroup.com/

Version number

Link to policy

Version 3

The above and currently applicable policy July 2023

Version 2

 

Version 1

https://storage.sallinggroup.com/media/2162/privatlivspolitik-juni-2018-pdf.pdf

Salling Group A/S

Rosbjergvej 33
8220 Brabrand
Denmark

CVR: 35 95 47 16

Contact

Salling Group HQ
+45 8778 5000
Office hours: 08.00 - 16.00
Follow us on LinkedIn

Press

Information

Customers

Suppliers

Employees

Contact

Salling Group insurance

Profile conditionsPrivacy policyCookies