Data of legal entities, such as a limited liability company, are generally not subject to the scope of data protection regulations, in particular the General Data Protection Regulation (GDPR) or the Federal Act on Data Protection (FADP). If personal data that you provide to Galaxus (e.g. as part of the onboarding process) and/or is collected by Galaxus in any other way (e.g. names of managing directors, data in the Partner Portal) nevertheless falls within the scope of data protection law, Galaxus will provide the following information with regard to the processing of the relevant data. 

The protection of personal data is a matter of trust, and your trust is important to us. In this Privacy Notice, we therefore explain to you how and why we process and use your personal data in the context of the contractual relationship in the role of a supplier or marketplace participant (collectively referred to as “Partner”) to Galaxus. In this Privacy Notice, you will learn, among other things: 

• what personal data we collect and process; 

• the purposes for which we use your personal data; 

• for how long we process your personal data; 

• what rights you have with respect to your personal data; and  

• how you can contact us. 

We have based this Privacy Notice on both the Swiss Data Protection Act (Federal Act on Data Protection, FADP) and the European Union’s General Data Protection Regulation (GDPR). The GDPR has established itself globally as a standard for rigorous data protection. However, whether and to what extent the GDPR applies depends on each individual case. 

According to data protection law, responsibility for data processing lies with the company that determines whether such processing is to take place, for what purposes it is to take place and how it is to be configured. Responsibility for data processing in accordance with this Privacy Notice is outlined below: 

• For matters/data in connection with the online shops galaxus.ch/digitec.ch: Digitec Galaxus AG, Pfingstweidstrasse 60b, CH-8005 Zurich 

• For matters/data in connection with the online shops galaxus.de/galaxus.at/galaxus.fr/galaxus.it/galaxus.nl/galaxus.be: Galaxus Deutschland GmbH, Hoheluftchaussee 18, DE-20253 Hamburg. 

Galaxus is part of the Migros Group. We and other companies of the Migros Group may also be jointly responsible for data processing if we are involved in decisions concerning the configuration or purpose of such data processing. Further information about the companies belonging to the Migros Group can be found in the most recent Annual Report of the Federation of Migros Cooperatives. 

This Privacy Notice applies to all persons whose data we process in the context of the contractual relationship with Partners and in particular the use of our Partner Portal. It applies both to the processing of personal data that has already been collected and to personal data that will be collected in the future. 

Our data processing activities may, in particular, affect the following categories of persons if we process their personal data: 

• Visitors to our Partner Portal; 

• Dealers who offer products and services through our online stores; 

• Contact persons of our suppliers. 

Please also consult the contractual terms for individual services (e.g. General Terms and Conditions of Purchase). These may contain additional information about our data processing activities. 

“Personal data” constitute information that can be associated with a specific person. We process various categories of such personal data. The key categories are set out below for your orientation. However, we may also process other personal data in individual cases. 

You can find out more about the origin of this data in Section 5 and about the purposes for which we process this data in Section 6. 

Master data comprises the fundamental data about you, such as your salutation, name and contact details. We collect master data, for example, if you use our Partner Portal or contact us in other ways or because you have been named as a contact person and representative of contractual partners. 

Examples of master data include: 

• salutation, first name, last name, gender; 

• address, e-mail address, telephone number, and other contact details; 

• customer numbers; 

• username; 

• details about your relationship with us (e.g. supplier); 

• details about related third parties (e.g. contacts, recipients of services, or representatives); 

• official documents in which you appear (e.g. ID documents, commercial register extracts, permits, etc.); 

• information on titles and function in the company; 

• date and time of registrations. 

Contract data is personal data that arises in connection with the conclusion or execution of the contract, e.g. information on the conclusion of the contract, claims and receivables acquired. We conclude contracts primarily with customers and business partners. 

Contract data includes details: 

• about the initiation and conclusion of contracts, e.g. date of contract conclusion, details from the application process, and details of the contract in question (e.g. type and duration or, if necessary, proof of identity such as copies of official IDs); 

• about the processing and administration of contracts (e.g. contact details, delivery addresses, successful or unsuccessful deliveries, and information about payment methods); 

• in connection with our customer service and support with technical issues; 

• about our interactions with you (where applicable, a history with corresponding entries); 

• in connection with security checks (e.g. checking for fraudulent actions on orders) and other checks with regard to the establishment or continuation of a business relationship. 

If you contact us or we contact you, for example when you contact a customer service, or when you write to us, or call us, we process the exchanged communication contents and information about the type, time, and place of communication. In certain situations, we may also ask you to provide proof of identity. 

Examples of communication data are: 

• name and contact details such as postal address, e-mail address, and telephone number; 

• content of e-mails, written correspondence, chat messages, telephone conversations, video conferences, etc.; 

• details of the type, time, and in certain circumstances place of communication; 

• marginal communication data. 

Telephone conversations and video conferences with us may be recorded; we will inform you of this at the start of each conversation. If you do not want us to record such conversations, you may terminate the conversation at any time and contact us in another manner (e.g. by e-mail). 

When you use our Partner Portal, we often collect data about this use. Examples of transactional and behavioral data include the following information if available to us as personal data: 

• about your behavior in the Partner Portal, e.g. which page(s) you have visited.

When you make use of our Partner Portal, we collect certain technical data such as your IP address or device ID. Technical data also include the protocols in which we record the use of our systems (log files). In some cases, we may also assign a unique code number (an ID) to your end device (tablet, PC, smartphone, etc.), for example by using cookies or similar technologies, in order to be able to recognize it. Further details concerning this can be found in our Cookie Notice. 

Technical data can in particular also be used to collect behavioral data, that is, details about your use of the Partner Portal. Technical data include: 

• the IP address of your device and further device IDs (e.g. MAC address); 

• code numbers assigned to your device by cookies and similar technologies (e.g. pixel tags); 

• details of your device and its configuration, such as operating system and language settings; 

• details about the browser with which you access the offer, and its configuration; 

• information about your movements and actions on our websites and in our apps; 

• details about your Internet provider; 

• your approximate location and the time of use; 

• system recordings of accesses and other events (log files). 

For more information on the processing of technical data, please also see our Cookie Notice.

You often disclose personal data to us by yourself, for instance when sending us data or communicating with us. Master, contract, and communication data in particular are generally something you disclose to us yourself. 

For example, you provide us with personal data yourself in the following cases: 

• You become our business partner and conclude a contract; 

• You create an account for the Partner Portal; 

• You contact our customer service. 

The provision of personal data is largely voluntary, which means that you are not generally obliged to disclose your personal data to us. However, we do have to collect and process the personal data that are required for processing contractual relationships and fulfilling associated obligations or that are prescribed by law, such as mandatory master and contract data, as we would otherwise be unable to conclude or continue the contract in question. 

If you send us data about other persons (e.g. employees), we assume that you are authorized to do so and that this data is correct. Please also make sure that these other persons have been informed about this Privacy Notice. 

We may also collect personal data about you ourselves or automatically, e.g. when you use our Partner Portal. This is often behavioral and transactional data, as well as technical data (e.g. the time at which you visit our website). 

For example, we independently collect personal data about you in the following case: 

• You use our Partner Portal. 

We may also receive personal data from other companies of the Migros Group. Further information about this can be found in Section 8. Moreover, we may also receive information about you from other third parties, such as from companies with which we cooperate, persons who communicate with us, or public sources. 

For example, we may receive information about you from the following third parties: 

• your employer and work colleagues in connection with a contractual relationship and your professional responsibilities; 

• third parties if correspondence and discussions concern you; 

• credit reference agencies, for example if we wish to obtain information about creditworthiness; 

• providers of cybersecurity services; 

• providers of information services for compliance with statutory requirements such as anti-money laundering and export restrictions; 

• public registers such as the debt collection or commercial register, from public offices such as the Swiss Federal Statistical Office, from the media, or from the Internet. 

We wish to remain in contact with you and address your individual requirements. We therefore process personal data for communication with you, in order to answer inquiries and for customer care, for instance. In particular, we make use of communication and master data for this, as well as contract data if the communication concerns a contract. 

The purpose of communication particularly comprises: 

• responding to inquiries; 

• contacting you in the event of questions; 

• customer service and customer care; 

• the delivery of other notifications (e.g. order status information); 

• authentication, for example when using our Partner Portal. 

We wish to offer you the best possible service. We therefore process personal data in connection with the initiation, administration and processing of contractual relationships. 

The purpose of contract processing generally comprises everything that is necessary or appropriate for concluding, executing, and, where applicable, enforcing a contract.  

For example, this includes processing in order to: 

• decide whether and how we enter into a contract with you (including credit assessment); 

• provide customer services; 

• review whether we are willing and able to cooperate with a company and to monitor and assess its services. 

We aim to improve our offers continuously and make them more attractive for you. We therefore process personal data for market research and product development purposes. To do so, we particularly process master, behavioral, and transactional data, as well as communication data, surveys, questionnaires and further information, for example from the media, the Internet and other public sources. As far as possible, we make use of pseudonymized or anonymized information for these purposes. 

Market research and product development in particular include: 

• the conducting of customer surveys, other surveys, and studies; 

• the further development of our offers; 

• the optimization and improvement of user-friendliness of the Partner Portal; 

• the review and improvement of our internal processes. 

We wish to guarantee your and our security and prevent misuse. We therefore also process personal data for security purposes, to guarantee IT security, to prevent theft, fraud, and misuse, and for evidentiary purposes. This can concern all the personal data categories listed in Section 4, in particular transactional and behavioral data. We can acquire, analyze, and store this data for the purposes mentioned. 

Examples of the purpose of security and prevention include: 

• the analysis of transactional and behavioral data in order to detect suspicious behavior patterns and fraudulent activities; 

• the evaluation of system recordings of the use of our systems (log files); 

• the prevention, mitigation, and detection of cyber and malware attacks; 

• analyses and tests of our networks and IT infrastructures, and system and error checks; 

• control of access to electronic systems (e.g. logins for user accounts); 

• documentation purposes and creation of backups. 

We wish to lay the foundations for compliance with statutory requirements. We therefore also process personal data in order to comply with legal obligations and to prevent and detect infringements. Examples of this include receiving and processing complaints and other messages, complying with court and administrative orders, measures for detecting and investigating misuse as well as the legally required retention of metadata from telecommunications traffic (mobile and Internet subscriptions). This can apply to all the personal data categories listed in Section 4. 

Compliance with statutory requirements particularly includes: 

• clarifications concerning business partners; 

• the conducting of internal investigations; 

• the disclosure of information and documents to authorities if we have an objective reason (e.g. because we ourselves are the injured party) or are legally obliged to do so; 

• assistance with external investigations, for instance by criminal prosecution or supervisory authorities; 

• guaranteeing the legally required standard of data security; 

• fulfillment of duties of disclosure, duties to provide information, or reporting obligations, for instance in connection with obligations under supervisory and tax law, such as in the case of archiving obligations and for the prevention, detection, and investigation of criminal and other offenses; 

• the statutory combating of money laundering and of the financing of terrorism.   

All such cases may concern Swiss law or foreign regulations to which we are subject, as well as self-regulations, industry and other standards, our own corporate governance, or official directives. 

We wish to be able to enforce our claims and to defend ourselves against the claims of others. We therefore also process personal data for the protection of rights, for instance in order to enforce claims judicially, before or out of court, and before authorities in Switzerland and abroad, or to defend ourselves against claims. Depending on the situation, we process different categories of personal data, such as contact data and details of events that have led to or could lead to a dispute. 

The purpose of the protection of rights in particular includes: 

• establishment and enforcement of our claims, which may also include claims of companies affiliated with us and of our contractual and business partners; 

• defense against claims made against us, our employees, affiliated companies, and our contractual and business partners; 

• clarification of case prospects and other issues of a legal, economic, or other nature; 

• participation in proceedings before courts and authorities in Switzerland and abroad. For example, we may secure evidence, have case prospects investigated, or submit documents to authorities. Authorities may also request us to disclose documents and data carriers containing personal data. 

Depending on the purpose of the data processing, our processing of personal data is based on different legal grounds. In particular, we may process personal data if: 

• doing so is necessary to fulfill an agreement with the person concerned or for pre-contractual measures (e.g. to review a request for an agreement); 

• it is necessary for the exercise of legitimate interests, for example when data processing is a central component of our business activities; 

• doing so is based on consent; 

• doing so is required for compliance with Swiss and foreign legal obligations. 

In particular, we have a legitimate interest in processing for the purposes set out in Section 6 above and the disclosure of data in accordance with Section 8 and the associated objectives. The legitimate interests in each case include our own interests and the interests of third parties. 

Examples of these legitimate interests include interests in connection with: 

• good customer support, maintaining contact and other communications with customers, including outside the framework of a contract; 

• improving existing products and services and developing new ones; 

• facilitating management and communication within the Group, which is necessary with a group that requires cooperation between parties; 

• mutually supporting the Group companies in their activities and objectives; 

• combating fraud and preventing and investigating offenses; 

• ensuring IT security, especially in connection with the use of websites, apps, and other IT infrastructure; 

• the enforcement or defense of legal rights and claims; 

• complying with Swiss and foreign law, as well as internal rules and regulations. 

We may disclose personal data that we receive from you or third-party sources to other Migros Group companies. Disclosure may serve to facilitate intra-Group administration or support of the group companies concerned and their own processing purposes (Section 6), such as when we support the development and improvement of products and services, the conducting of credit assessments, or endeavors to prevent theft, fraud, and misuse. The personal data received may also be matched and linked to existing personal data by the relevant group companies.  

For example, this may include the following disclosures of data: 

• All personal data categories listed in Section 4 for the administration and processing of contractual relationships, especially in connection with products and services involving multiple Group companies; 

• Master data, contract data, communication data, transactional data and behavioral data for the prevention of fraud and misuse and for credit assessments (e.g. in connection with a purchase on account); 

• Security-relevant information for security purposes and compliance with statutory requirements; 

• Information to support the safeguarding of rights. 

Section 2 contains more information on the companies belonging to the Migros Group. 

We may disclose your personal data to companies outside the Migros Group if we make use of their services. These service providers generally process personal data on our behalf as so-called “contract processors”. Our contract processors are obliged to only process personal data in accordance with our instructions and to take suitable measures to ensure data security. Certain service providers are also responsible jointly with us or independently (e.g. collection agencies). We ensure through the selection of service providers and suitable contractual agreements that data protection is upheld during the entire processing of your personal data. 

Examples include services in the following areas: 

• Corporate management services, for example accounting or asset management; 

• Payment services; 

• Credit assessments, for example if you want to make a purchase on account; 

• Collection services; 

• Insurance service providers; 

• IT services, for example in the areas of data storage (hosting), cloud services, the delivery of e-mail newsletters, and data analysis and refinement; 

• Advisory services, for example the services of tax advisers, lawyers, management consultants, or advisers in the field of personnel recruitment and placement. 

It is also possible that we may disclose personal data to other third parties for their own purposes, for example if you have granted your consent or we are legally obliged or authorized to share such information. In such cases, the data recipient is legally responsible as the controller of the data. 

Examples of such cases include the following: 

• The disclosure of personal data to courts and authorities within Switzerland and abroad, such as criminal prosecution authorities in case of suspected criminal activities; 

• The processing of personal data in order to comply with a court or administrative order, or to enforce or defend legal rights or claims, or if we consider such processing to be necessary on any other legal grounds. We may also disclose your personal data to other parties involved in any proceedings. 

Please also note our Cookie information (Section 13) on independent data collection by, or the transfer of data to, third-party providers whose tools we have integrated on our websites and apps. 

As a matter of principle, we are not subject to any professional duty of confidentiality (such as banking or medical secrecy). Please inform us in individual cases if you believe that specific personal data is subject to a duty of confidentiality so that we can review your concerns. 

We process and store personal data mostly in Switzerland and the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and other recipients (see Section 8) who are located outside this area or who process personal data outside this area (in principle in any country in the world). The countries in question may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner. 

One means of ensuring adequate data protection is, for example, to conclude data transfer agreements with the recipients of your personal data in third countries that ensure the required level of data protection. This includes agreements that have been approved, issued, or recognized by the European Commission and the Swiss Federal Data Protection and Information Commissioner, known as standard contractual clauses. An example of the data transfer agreements generally used by us can be found here. Please note that such contractual arrangements can partially compensate for weaker or missing statutory protection but cannot rule out all risks completely (e.g. government access abroad). Data may also be transferred to countries without adequate protection in exceptional cases, for example if consent is granted, in connection with legal proceedings abroad, or if transfer is necessary for the processing of an agreement. 

We process and store your personal data: 

• for as long as it is required for the purpose of processing and compatible purposes, in the case of contracts normally for at least the duration of the contractual relationship; 

• for as long as we have a legitimate interest in storing it. This may be the case, in particular, if we need personal data to enforce or defend claims, for archiving purposes, and to ensure IT security; 

• for as long as it is subject to a statutory retention requirement. For example, a ten-year retention period applies to certain data. Shorter retention periods apply for other data, for example for recordings from video surveillance or for recordings of certain online processes (log data). 

For example, we adhere to the following retention periods, although we may deviate from them in individual cases: 

• Customer accounts: Personal data is stored for the duration that the account is active. If a customer account is ordered to be deleted, the data will be deleted after any open claims or other relevant points that prevent an immediate deletion have been examined, and after 30 days at the latest. 

• Contracts: We generally retain master and contract data for ten years as of the last contractual activity or contract expiry. However, this period may be longer if this is necessary for the provision of evidence, due to statutory or contractual provisions, or for technical reasons. Transaction data in connection with contracts are generally retained for ten years. 

• Technical data: The storage period of cookies is normally between a few days and two years unless they are immediately deleted at the end of the session. 

• Communication data: E-mails, messages via the contact form and written correspondence are generally retained for ten years. 

You have the right to object to data processing particularly if we process your personal data on the basis of a legitimate interest and the other applicable requirements are met. 

Provided the applicable conditions are met and there are no applicable statutory exceptions, you also have the following rights: 

• The right to request information about your personal data stored by us; 

• The right to have inaccurate or incomplete personal data corrected; 

• The right to request the deletion or anonymization of your personal data; 

• The right to request that the processing of your personal data be restricted; 

• The right to receive certain personal data in a structured, commonly used and machine-readable format; 

• The right to revoke consent with effect for the future, insofar as processing is based on consent.  

Please note that these rights may be restricted or excluded in individual cases, e.g. if there are doubts about the identity or if this is necessary to protect other persons, to safeguard interests worthy of protection or to comply with legal obligations. 

In addition, you are free to lodge a complaint with a competent supervisory authority if you believe that the processing of your personal data may be in breach of applicable law. 

• The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). 

• The competent supervisory authority in the Principality of Liechtenstein is the Data Protection Authority of the Principality of Liechtenstein. 

• The competent supervisory authority in Germany is the Hamburg Commissioner for Data Protection and Freedom of Information, Klosterwall 6 (Block C), 20095 Hamburg, Germany. 

If you have any questions or concerns relating to this Privacy Notice or the processing of your personal data, please contact the company responsible using the contact details stated on its website. 

You are also welcome to contact us as follows: 

Digitec Galaxus AG 
Pfingstweidstrasse 60b 
CH-8005 Zurich 

Galaxus Deutschland GmbH 
Hoheluftchaussee 18 
DE-20253 Hamburg 

You can contact our Data Protection Officer for specific questions regarding data protection: 

Digitec Galaxus AG 
Datenschutz 
Pfingstweidstrasse 60b 
CH-8005 Zurich 

E-mail: datenschutz@digitecgalaxus.ch 

Galaxus Deutschland GmbH 
Datenschutz
Hoheluftchaussee 18 
DE-20253 Hamburg 

E-mail: datenschutz@galaxus.de 

This Cookie Notice describes in detail how and why we collect, process, and utilize personal and other data when you make use of the Partner Portal (“website”) with cookies and similar technologies. 

Each time our websites are used, certain data is automatically accumulated for technical reasons and temporarily stored in so-called log files. Examples include the following technical data: 

• IP address of the requesting end device; 

• Information about your Internet service provider; 

• Information about the operating system of your end device (tablet, PC, smartphone, etc.); 

• Information about the referring URL; 

• Information about the browser used; 

• Date and time of access; and 

• Contents accessed when visiting the website. 

This data is processed for the purpose of facilitating the use of our websites (connection establishment) and ensuring their smooth operation, guaranteeing system security and stability, facilitating the enhancement of our websites and for statistical purposes. 

The IP address is also analyzed together with other log files and further data available to us, if applicable, in the event of attacks on IT infrastructure or other potential unlawful or improper use of the websites for solution and aversion purposes, and may be used during criminal proceedings for the identification of persons concerned and for action taken under civil and criminal law against these persons. 

Cookies are files that your browser automatically stores on your end device when you visit our websites. Cookies contain a unique code number (ID) enabling us to distinguish individual visitors from others, but normally without identifying them. Depending on their intended use, cookies may contain further information, for example about visited sites and the duration of a visit to a site. We use both session cookies that are deleted again when the browser is closed, and permanent cookies that remain stored for a given period after the browser is closed (normally between a few days and two years) and serve to identify visitors again on subsequent visits. 

We may also use similar technologies such as pixel tags, fingerprints and other technologies for storing data in the browser. Pixel tags are small, normally invisible images or a program code loaded by a server that provide the server operator with specific information such as whether and when a website was visited. Fingerprints comprise information collected during your website visit about the configuration of your end device or your browser that enables your end device to be distinguished from other devices. Most browsers also support further technologies for the storage of data in the browser that are similar to cookies and that we may also make use of (e.g. web storage). 

You can configure the settings in your browser in such a way as to block certain cookies or similar technologies or delete existing cookies and other data stored in the browser. You can also expand your browser with software (so-called “plug-ins”) to block tracking by specific third parties. You can find further information in the help pages of your browser (normally under the key word “data protection”). Please note that our websites may no longer function to their full extent if you block cookies and similar technologies. 

We use the following types of cookies and similar technologies: 

• Necessary cookies: Necessary cookies are required in order for a website and its functions to be used. For example, these cookies ensure that you are able to navigate between pages without details entered in a form being lost. 

• Performance cookies: Performance cookies collect information about how a website is used and enable us to conduct analyses, for example to find out which pages are most popular and how visitors move around a website. These cookies serve to simplify and speed up website visits and generally to improve user-friendliness. 

• Experience cookies: Experience cookies enable us to offer extended functions and display personalized contents. For example, these cookies allow us to display products to you based on those previously viewed that may also be of interest to you. 

The cookies and/or similar technologies used by us may originate from us or from third-party companies, for instance if we make use of functions provided by third parties. Such third-party providers may be located outside Switzerland and the European Economic Area (EEA) as long as the protection of your personal data is adequately safeguarded. 

In the following overview you will find the companies whose cookies and similar technologies we use. 

This Privacy Notice may be updated over time, especially if we change our data processing activities or if new legal provisions become applicable. We will actively inform individuals whose contact details are registered with us of any material changes, provided that we can do this without disproportionate effort. In general, the version of the Privacy Notice in effect at the time at which the data processing activity in question commences is applicable.