Sustainability Report 2023

REWE Group's data protection organization, which was expanded in 2018, covers all responsibilities required under the EU GDPR, such as those related to accountability, data protection governance, implementation, advice, monitoring and coordination. The existing roles of the 'responsible staff', i.e., management bodies, specialized departments and the data protection officer, have been complemented by the roles of the data protection governance function, the business segment data protection officer and the data protection coordinator. Data protection officers report directly to the management of the company or to the central data protection management of the REWE Group, which in turn reports regularly to the Group's executive board and supervisory board.

In 2023, there were 4 incidents related to the security of personal data that could have affected approximately 3,000 people. All events were isolated, with no data leaks due to the company's fault. These events were:

- An illegal viewing of information from two reports on one of our platforms. This was remedied by remotely identifying and deleting the generated documents, by signing confidentiality agreements with the employees who viewed the respective data (which also contained personal data), by checking and testing the platform, and by training employees on similar cases.
- Unlawfully requesting an identity card in a store to generate an invoice. The store employees were retrained on the compliant processing of personal data. The document was only viewed and retained until it reached the office where the invoice was printed; it was not copied or processed in any other way.
- An email mistakenly sent to a service provider containing personal data from other providers. Measures were implemented immediately, written confirmation was obtained that the data had been deleted and not used in any way, and a confidentiality statement was also signed with the employee who received the email.
- The electronic signature provider was subjected to a ransomware cyberattack through which personal data of users with electronic signatures was accessed. The event was notified to ANSPDC (The National Supervisory Authority for Personal Data Processing) by the service provider, and technical and organizational measures were implemented.

These situations were detected by our team and were addressed as soon as possible after they appeared, in order to avoid their recurrence. As a result, we have not registered any complaints or notifications from external stakeholders.

SUSTAINABILITY REPORT PENNY ROMANIA 2023
