been violated and that he had been publicly defamed. It was not considered to be a notification that violated the rights of the person concerned by PENNY. • An employee of a store took pictures from the security monitor for an alleged theft and asked different people outside the store if they knew the person. The person concerned made a complaint in this regard that he was defamed for an alleged theft. A confidentiality statement was signed with the store employee and all information regarding the customer was deleted from all owned media. The data protection authority was notified following this incident. • From a PENNY employee to the RetuRo fraud solving employee, video images from the SGR bottle recycling area with a number of 7 people were shared in order to file a complaint with the competent authorities, without their faces being blurred beforehand. All measures were taken to delete the images, the notification being to the competent bodies anonymously. • 2 people had access in the human resources platform to additional information that they should not have been able to view. The incident was isolated, it was reported in due time and the information was not disseminated. • An e-mail was sent to an employee in which information related to the store to which the employee belonged was entered to the entire REWE Romania company. The email was deleted with the intervention of the IT department within a few minutes and no risk was created for the data subject. These situations were detected by our team and were addressed as soon as possible after their occurrence, in order to avoid their recurrence. Thus, only one notification was sent to the ANSPDC, not receiving a response or update on it until today. In 2024, there were 9 incidents related to the security of personal data that could have affected approximately 5 800 people. All events were isolated, with no data leaks due to the company's fault. These events were: • Sending a newsletter to subscribers in Hungarian, who must receive it in Romanian. The fault is not of REWE Romania, the database being imported by the Austrian entity. No complaint was registered in this regard by any data subject. • The appearance of a recording from the PENNY store whose actions took place in 2019 (most likely being disseminated at the same time). No further identification measures could be taken for this situation, as the statute of limitations intervened. • Following a complaint related to an allegedly duplicated payment, the customer was contacted via WhatsApp and evidence of this transaction was provided. The customer later returned to the call center complaining that she had been contacted without right on her personal number. It was not considered a violation to be reported to the authority, and measures were taken to delete all information about the customer from the employee's phone, and a privacy statement was also signed in this regard. • A security guard recorded an alleged theft with the mobile phone and showed the person he suspected when he returned to our store. The client made a complaint to PENNY in this regard, the images were not disseminated on any online or offline environment, they were deleted from the agent's device and no additional risk was created for the data subject. • A complaint came from a customer who got into an altercation with a security guard, the security guard using his name. The client complained that his rights had MESSAGE FROM THE GENERAL MANAGEMENT SUSTAINABILITY STRATEGY AND GOVERNANCE ABOUT US AND OUR VALUE CHAIN ABOUT THE REPORT THE FUTURE IS MADE TODAY SUSTAINABILITY MILESTONES SUSTAINABILITY REPORT PENNY ROMANIA 2024 104/276
RkJQdWJsaXNoZXIy MjUyMDg2Nw==