As of: March 24, 2020
We process personal data in connection with the Symptom Check Olly (“Olly”) service in order to provide Olly with its functionalities. The processing of personal data also enables us to better and more specifically orient our services to the needs and interests of our users and to further develop our offers. As a rule, we only process particularly sensitive personal data such as health data with your express consent.
1. Who Are We?
Migros Digital Solutions AG
3. Which Personal Data Do We Process and for What Purposes?
We process various personal data for different reasons and purposes. You can find further details in this section and often in the general terms and conditions, terms of participation, and additional privacy policies.
We generally collect your personal data directly from you, for example when you transfer data to us or communicate with us. As a rule, you are not obliged to disclose personal data to us unless such disclosure is necessary to fulfill a contractual obligation. However, we are often unable to provide an offer or service if you do not provide us with the necessary information.
Besides yourself, personal data may also be collected from other sources, for example from other Migros Group companies or from third parties such as credit reference agencies, media monitoring agencies, providers of online services such as providers of web analytics services, financial service providers when payments are involved, mailing list brokers, public registers, the media, or the Internet, etc.
For example, we process personal data, which may include sensitive personal data, in the following situations for the following purposes:
- Communications: We process personal data if you contact us or we contact you, for example, when you contact Customer Services, if you write to us, or if you call us. In such cases, details such as your name and contact data, the time of the notifications in question, and their content, which may also include the personal data of third parties, generally suffice. We use this data to ensure that we can provide you with information or notifications, deal with your concerns, and communicate with you, as well as for quality assurance and training purposes. We also forward information within the Migros Group to the relevant company officers, for example if your concern relates to another company.
- Use of services: We also process personal data when you use our services, e.g. when you order a service from us. In doing so, we process your personal data, e.g. in the context of processing contracts.
- Online offers and apps: We will also process personal data when you use online offers in order to provide, improve, and enhance these offers. This also applies even if you do not purchase any goods and services. Depending on the type of offer, this information may include details of customer accounts and the use of such accounts as well as information on the installation and use of mobile apps. Here, we also process personal data to personalize the offering and to provide you with offers in line with your interests and affinities.
- Information and direct marketing: We process personal data, to the extent permitted by law, in order to send information and advertising messages either in writing or electronically, provided you have not objected to this processing. We process, for example, your contact data so that we can personalize the relevant messages and send them to you. In the case of email newsletters, push notifications, and other electronic messages, we may also process information regarding your use of the messages (e.g. whether you downloaded embedded images in an email, i.e. that you opened the email). We do so in order to get to know you better, to gear our offers more precisely towards your needs, and to improve our offers in general. If you do not agree to the processing of usage data, you may generally block such processing in your email program.
- Competitions, prize draws, and similar events: We now and again organize competitions, prize draws, and similar events. In such cases, we will process your contact information and details about your participation for the purposes of conducting the competitions and prize draws. Where applicable, we will also process this data to enable us to communicate with you and for advertising purposes. Further information in this regard can be found in the relevant terms of participation.
- Market research and media monitoring: We process personal data for market and opinion research purposes. To do so, we may use information about your shopping habits (further information in this regard can be found under “Purchase of goods and use of services) as well as information from customer surveys, questionnaires and studies, and other information, for example from the media, social media, the Internet, and other public sources. We may also make use of media monitoring services or conduct our own media monitoring, and in doing so process personal data.
- Contact with our company as a business partner: We work with various companies and business partners, for example with suppliers, commercial purchasers of goods and services, cooperation partners, and service providers (e.g. IT service providers). For purposes relating to contract initiation and performance, planning, and accounting, as well as for other purposes associated with the respective contract, we may also process personal data pertaining to contacts at the relevant companies, for example their name, role, title, and communications with us. Depending on the area of activity, we are also required to check the company in question and its employees in more detail, for example by performing a security check. In this case, we will collect and process additional information, including information from third parties, where applicable. We may also process personal data to improve our customer focus, levels of customer satisfaction, and customer retention (customer/supplier relationship management).
- Administration: We process personal data for our own and intra-Group administration. For example, we may process personal data in connection with the Migros Cooperatives members’ register or for IT administration or real estate management purposes. We also process personal data for accounting and archiving purposes and, in general, with a view to reviewing and improving internal processes.
- Corporate transactions: We may also process personal data for the purposes of performing preparatory work and undertaking corporate takeovers and sales, as well as purchases and sales of assets. The subject matter and scope of any data collected or transmitted will depend on the stage and object of the transaction.
- Compliance with legal requirements: We process personal data in order to comply with legal requirements and to prevent and identify breaches. This includes, for example, the acceptance and processing of complaints and other notifications, internal investigations, and the disclosure of documents to an authority if we have a material reason or are legally obliged to do so. In doing so, we may also process the personal data of third parties.
- Safeguarding of rights: We may process personal data in various forms in order to safeguard our rights, for example to enforce our rights both in or out of court and before national or foreign authorities, or to defend against any claims. In doing so, we may process your personal data and third-party personal data and disclose personal data to third parties, either in Switzerland or abroad, to the extent required and permitted.
4. How Do We Process Personal Data When You Visit Our Websites?
Which personal data do we process?
- Technical data (log files): When you visit our websites, we will process personal data based on the offer and functionality involved. For technical reasons, this initially includes data automatically collected and stored in log files. This includes, for example, the IP address and device-specific details such as the MAC address and operating system of the terminal (e.g. tablet, PC, or smartphone), details of your Internet service provider; details of the accessed contents and the date and time of the website visit or detail of the logins.
- Firstly, we use session cookies in which, among other information, details about the origin and storage period of the cookie are stored. These cookies are deleted following any visit to our website. We use such cookies, for example, to enable shopping baskets to be saved over several visits to the site by the user.
- Secondly, we use permanent cookies that also remain stored for a certain period once the browser session has been completed. Such cookies allow a visitor to be recognized again upon a subsequent visit, for example in order to save language settings over several browser sessions or display contents on the website tailored to the visitor’s interests. We thus collect, for example, information about your visits as well as the pages you accessed, the articles you viewed, and your shopping basket. Following the expiry of the programmed duration (generally between one month and two years), these cookies are automatically deactivated.
We also use similar technologies such as pixel tags (small image files that are loaded from a server and provide the server operator with certain information) or fingerprints (information about the configuration of a device or a browser). Some cookies or similar technologies also originate from other Migros Group companies and third-party companies. This is the case, for example, if we use functions on our website that are provided by third parties. It also involves analysis services, which also work with cookies; detailed information on this point can be found below. Such cookies also enable our partners to display tailored advertisements to you on our websites or the websites of third parties as well as on social networks and to measure their effectiveness.
- Social plug-ins: Our webpages use social plug-ins, for example those of Facebook, YouTube, Twitter or Instagram. Buttons for the relevant providers are therefore shown, for example the Facebook “Like” button, or contents of the provider in question are integrated into the website. If you access a website that uses a social plug-in of this kind, your browser will establish a connection to the relevant provider. The content of the social plug-in is transmitted to your browser by the provider in question and added by the provider to the relevant website. Due to this process, the relevant provider will receive, in particular, the following information:
- the information that your browser has accessed the website in question;
- the IP address of the device used, even if you do not have an account with the provider.
If you are logged in with the relevant provider simultaneously, it may assign the visit to your personal profile. If you interact using a social plug-in, for example by clicking on a “Like” button or leaving a comment, the corresponding information will be transferred from your browser to the relevant provider and saved by it. This information may be published by the provider in question in your profile and displayed to your contacts. Also if you visit our social media pages (e.g. Facebook fan pages) or interact with social plug-ins integrated in our websites (e.g. the Facebook “Like” button), personal data may be transmitted directly to or collected and saved by the relevant provider. Primary responsibility for the processing of this data lies with the provider of the relevant social network. In cases in which the Federation of Migros Cooperatives is jointly responsible with the relevant provider, we conclude a corresponding agreement with the provider. Information on the key content of such agreements can be obtained from the provider in question. Further information on data processing by the providers of social networks can be found in the privacy policies of the relevant social networks (e.g. Facebook, YouTube, Twitter, Instagram).
For What Purposes Do We Process these Personal Data?
- Provision of the website: The recording of certain log files and the use of certain cookies and technologies is essential for the provision of the website and its functions for technical reasons. Other cookies and technologies help us to provide and safeguard the various functions and offers available on our website as well as to make our website more attractive.
- Website management: The saving and use of log files and cookies and other technologies helps us with maintenance and troubleshooting, in safeguarding the security of our websites, and in combating fraud.
- Personalization of website: We adjust certain areas and content of our websites in line with your needs and interests, for example by saving your chosen language or personalized content display.
- Analysis of user behavior: We use web analysis services in order to better understand the use of our websites and to improve their content, functionality, and retrievability.
- Advertising: We can display interest-based advertising on our websites or third-party websites or show our advertisements on other sites after you leave our website as you continue to browse the web.
- Cookies and similar technologies allow the companies in question to provide services to us or to display advertisements to you that may be of particular interest to you.
How can you prevent these processes?
You can configure your end device to display a message before a new cookie is created. This means you can also reject cookies. Furthermore, you can delete cookies from your end device. You also have the option to prevent the recording of data (such as your IP address) by downloading and installing an appropriate browser add-on. The rejection or deactivation of cookies and other technologies may, however, mean that you are unable to use all of the website’s functions.
You can prevent the use of Google Analytics by installing a browser add-on. You also have the option to withdraw any consent issued to providers or to object to their processing activities, for example, those performed by Google via https://adssettings.google.com.
If you do not want that a provider of a social network collect data about you via our website, you must log out from the site of the relevant provider prior to visiting our website. Even when you are logged out, providers may collect data on an anonymized basis via social plug-ins. If you log in with the provider in question at a later time, this data may be assigned to your profile. In such cases, the relevant provider processes the personal data under its own responsibility and in accordance with its own data protection provisions. If you wish to prevent the provider from assigning data to your profile, you will need to erase the corresponding cookies. You can also completely prevent the loading of social plug-ins using add-ons for your browser, for example NoScript.
5. How Do We Process Personal Data In Connection With Apps?
Which personal data do we process?
In connection with Apps, we collect and process Personal Information when you install an App, when you use the App and the features available through it, when you register and when you update the App.
On the one hand, we process personal data that you provide to us, e.g. when you enter your age and gender or record your symptoms. On the other hand, we process personal data that is automatically collected or generated by your use of the App, e.g. the analysis results of symptom checks or technical information. In each case, this may also be personal data that is particularly sensitive. In particular, the processed personal data may allow conclusions to be drawn about your health and health-related behaviour.
This includes in particular the following personal data:
- User information such as pseudonym/nickname, date of birth and gender;
- contact data such as e-mail address;
- user information such as age, gender, region of residence, stays abroad and results of previous symptom checks (if user account is created);
- Health information such as habits, previous illnesses, symptoms, analysis results of a symptom check and recommendations;
- Information on the use of the app, such as participation in competitions and content accessed.
- Technical information such as device type, operating system, time and duration of installation, as well as information on the use of the app.
Data on user behavior: To analyze and categorize user groups and to play out push messages, we use the Google-Firebase service, a service provided by Google LLC in the USA. The information generated about the use of the apps is stored on a Google server in the USA. However, your IP address will first be shortened in the EU or EEA. Only in exceptional cases will the full IP address be transferred to the USA. Google is bound by the US Privacy Shield Program in the USA. Based on this information we receive evaluations from Google. The usage data forms the basis for statistical evaluations, so that trends can be identified which can be used to improve the offer accordingly. Google-Firebase uses an advertising ID. You can restrict this usage in the device settings of your mobile device. For Android: Settings > Google > Ads > Reset Ad ID; for iOS: Settings > Privacy > Ads > No Ad Tracking. For more information about Google Firebase and Google product privacy, click here and on Google.
For what purposes do we process this personal information?
We process your personal data in connection with apps, in particular for the following purposes:
- Provision of the offer: We process personal data in order to make the apps available and to be able to process the offer. This may also include the opening and administration of a user account.
- Evaluation and optimization: We process personal data in order to better understand and evaluate the use of the apps. This enables us to further develop the app and better tailor it to the needs of our users.
- Marketing: We also process personal data to better understand the interests of our app users and to inform you about discounts, vouchers and other offers. We only process health data for marketing purposes if you have given us your consent.
The use of the apps is voluntary but requires that we can process certain personal data.
6. What Is The Legal Basis for Processing Personal Data?
Depending on the purpose of the data processing, our processing of personal data is based on different legal grounds. In particular, we may process personal data if:
- doing so is necessary to fulfill an agreement with the data subject or for pre-contractual measures upon your request (e.g. to review your request for an agreement);
- doing so is necessary to safeguard legitimate interests;
- For example, to better and more specifically align our services to your needs and to expand and improve our offerings. This is important for us so that we can successfully assert ourselves in the market.
- doing so is based on effective consent that has not been revoked; and/or
- doing so is required for compliance with legal obligations.
We generally process sensitive personal data such as health data only on the basis of express consent unless the relevant data has clearly been disclosed publicly by the person in question or the processing is required to safeguard rights or comply with legal obligations. Depending on the functions offered, we may also ask you for your consent in other cases.
Data is only transmitted abroad under the conditions named in section 7 and section 8.
7. To Whom Do We Disclose Personal Data?
Our employees only have access to your personal data if this is necessary for the described purposes and the activities of the employees concerned. This may also include employees in other departments and support areas such as IT. In doing so, they act in accordance with our instructions and are obliged to maintain confidentiality and secrecy in handling your personal data. Your personal information will only be passed on to other companies to the extent described below. Under no circumstances will we sell your personal data to third parties. We do not trade with personal data.
Further we may disclose your personal data to companies, should they supply services to us. These may also involve companies outside the Migros Group. In selecting contract data processors and by entering into appropriate agreements, we ensure that privacy is safeguarded throughout the processing of your personal data, including when data is processed by contract data processors. Our contract data processors are under an obligation to process personal data solely on our behalf and in accordance with our instructions, as well as to implement suitable technical and organizational measures with respect to data security. This primarily concerns services in the area of credit assessments, for example if you want to make a purchase on account, and of IT services, for example in the areas of hosting, cloud services, the delivery of email newsletters, and data analysis and enhancement, etc.
In individual cases, it is also possible that we disclose personal data to recipients outside the Migros Group for their own purposes, for example if we consider this to be legally necessary or necessary to protect our interests. In such cases, the data recipient is legally responsible as the controller of the data. This would apply in particular in the following circumstances:
- We may disclose your personal data to third parties (e.g. to the courts and authorities within Switzerland and abroad) if this is required by law or by the authorities. We also reserve the right to process your personal data in order to satisfy a court order or for the purpose of enforcing or defending legal rights or claims or if we consider such processing to be necessary on any other legal grounds. We may also disclose your personal data to other parties involved in any proceedings.
- If we transfer claims against you to other companies, such as collection agencies.
- If we review or conduct transactions including company mergers or the acquisition or sale of individual parts of a company or its assets, we may, under certain circumstances, be required to transfer personal data to another company in connection with the transaction in question, or become ourselves the subject of a transaction.
8. When Do We Transfer Your Personal Data Abroad?
The recipients of your personal data (see section 7) may also be located abroad – including outside of the EU or EEA. The countries in question may not have laws in place that afford your personal data the same level of protection as provided in Switzerland or in the EU or the EEA. If we transfer your personal data to such a country, we are required to ensure the protection of your personal data in an appropriate manner. One means of doing so is to conclude data transfer agreements with the recipients of your personal data in third countries that ensure the required level of data protection. This includes agreements that have been approved, issued or recognized by the European Commission and the Swiss Federal Data Protection and Information Commissioner, known as standard contract clauses. Data may also lawfully be transferred to recipients that are subject to the US Privacy Shield Program. An example of the data transfer agreements generally used by us can be found here. Please contact us if you would like further information on the data transfer agreements concluded by us or on other suitable safeguards applied by us for the transfer of data abroad. Data may also be transferred to countries without adequate protection in exceptional cases, for example if consent is expressly granted or to enforce, exercise, or defend legal rights.
9. Do We Conduct Profiling?
“Profiling” refers to a procedure during which personal data is processed on an automated basis in order to analyze or predict personal aspects. We perform profiling on a regular basis. For example, we analyze shopping behavior, the use of our websites and apps, as well as other transaction and behavior data, and make assumptions about your personal interests, preferences, affinities, and habits on this basis. This profiling helps us to gear our offer more precisely to your needs and, to the greatest extent possible, in only showing you advertisements and offers that are actually relevant to you. In order to improve the quality of our analyses, we may also combine personal data that originates from different sources, for example, data collected offline and online as well as data that has been collected via our different services or that we have received from other Migros Group companies. Provided the profiling is related to direct advertising, you have the right to object as described in section 13.
10. Do We Use Automated Decision-Making?
In general, we do not use automated individual decision-making. We will inform you separately should we opt to utilize automated individual decision-making in individual cases. “Automated individual decision-making” refers to any decision that is made on a fully automated basis, i.e. with no relevant human influences, and may have negative legal implications or other similar adverse consequences for you.
11. How Do We Protect Your Personal Data?
We take appropriate technical measures (e.g. encryption, pseudonymization, record keeping, access restrictions, data backups) and organizational measures (e.g. instructions issued to employees, confidentiality agreements, audits) in order to safeguard your personal data, protect you against unauthorized or unlawful processing activities, and to address the risk of loss, unintentional changes, inadvertent disclosure, or unauthorized access. In general, however, security risks cannot be completely ruled out; certain residual risks are unavoidable in most cases.
12. For How Long Do We Store Your Personal Data?
We store your personal data in a personalized form for as long as it is required for the specific purpose for which it was collected. In the case of contracts, personal data is stored for at least the duration of the contractual relationship. We also store personal data if we have a legitimate interest in storing it. This may be the case, in particular, if we need personal data to enforce or defend claims, for archiving purposes and to ensure IT security. We also store your personal data if it is subject to a statutory retention requirement. For example, a ten-year retention period applies to certain data. Shorter retention periods apply for other data, for example for recordings from CCTV or for recordings of certain online processes (log data). In certain cases, we will also ask for your consent if we want to store your personal data for longer periods (e.g. for job applications that we wish to keep on file). At the end of the periods specified, we will erase or anonymize your personal data.
13. What Rights Do You Have in Connection with the Processing of Your Personal Data?
You have the right to object to data processing if we process your personal data on the basis of a legitimate interest. You can also object to data processing in connection with direct advertising (e.g. advertising emails) at any time. This also applies to profiling, to the extent this is related to direct advertising.
Provided the applicable conditions are met and there are no applicable statutory exceptions, you also have the following rights:
- Right of access: You have the right to request access to any personal data stored by us at any time free of charge. You therefore have the opportunity to check what personal data about you we process. In certain cases, the right of access may be restricted or excluded, in particular if there is any doubt concerning your identity or this is required to protect other individuals.
- Right to rectification: You have the right to have inaccurate or incomplete personal data rectified or completed and to be informed about such rectification.
- Right to erasure: You have the right to request the erasure of your personal data if the personal data is no longer required for the intended purposes, you have effectively withdrawn your consent or have objected to the processing of your data, or the personal data is being processed unlawfully. In certain cases, the right to have personal data erased may be excluded, especially if the processing activity is required to exercise the right of freedom of expression or to safeguard legal claims.
- Right to restriction of processing: Under certain conditions, you have the right to request that the processing of your personal data is restricted. This may mean, for example, that personal data is (temporarily) no longer processed or that published personal data is (temporarily) removed from a website.
- Right to data portability: You have the right to receive personal data that you have provided to us in a structured, commonly used, and machine-readable format if the specific data processing activity is based on your consent or is required for the performance of a contract, and the processing is performed with the assistance of automated processes.
- Right to withdraw consent: If we process your personal data on the basis of consent, you have the right to withdraw your consent at any time. Should you withdraw your consent, this will only apply to the future; data processing activities performed in the past on the basis of your consent will not become unlawful due to you withdrawing consent.
You are also free to lodge a complaint to a competent supervisory authority with respect to the manner in which your personal data is processed if you believe that the data processing breaches applicable law. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
14. How Can You Contact Us?