Data protection is a matter of trust and we would like to reassure you that your data is in good hands with us. The protection and legally compliant collection, processing and use of your data is of utmost importance to us, so you can be rest assured that your privacy is respected.
This Privacy Notice is applicable to customers of the C&A Group, the company affiliates of C&A AG, including current, former, potential customers, users and recipients of a product or service offered by us, visitors to our official websites, stores or members of our loyalty program.
1. Which C&A company is responsible?
The C&A Group consists of different legal entities and the company responsible for the processing of your personal data is dependent on the purpose for which it is collected. For each processing purpose you will be clearly and transparently informed of the responsible company. It will be either the C&A Mode GmbH & Co. KG or one of our local affiliates.
The controller responsible for processing your data in terms of the European General Data Protection Regulation (GDPR) when you use the C&A online shop is
C&A Mode GmbH & Co. KG
Wanheimer Straße 70
40468 Düsseldorf
Therefore, “we,” “us,” or “C&A” as used hereinafter shall mean C&A Mode GmbH & Co. KG as the operator of the C&A online shop. For further details about our company and contact details, please refer to our legal details.
You can reach our data protection officer at DataProtectionOnline@canda.com or at our above-mentioned postal address by adding “For the attention of the Data Protection Officer” in the subject line.
2. What data we collect
2.1 When you visit our website
You can visit the C&A online shop without providing information about yourself. In that case, we will collect the technical access data that your browser will transmit automatically to our server when you browse our websites. Access data include the following information, in particular:
Time and date of access
Address of the accessed website and of the accessing website
Content of the Request (addresses and names of the requested files)
Information on the browser and operating system used (versions, language settings)
Online identification data (e.g. IP address, device identification, session IDs)
Error messages, where applicable (if the requested content cannot be displayed)
Last visited page from where you were redirected to a page of the C&A online shop via a link
When visiting our website, your access data will be automatically stored in our server's log files and subsequently anonymized by abbreviating or deleting your IP address. It will then no longer be possible to draw conclusions as to your person based on the server log files.
Moreover, when you visit the C&A online shop we will also collect such data that you provide directly by using the functions provided. We will, for example, learn about the products that you are interested in when you put an item on the wish list or use the search function.
2.2 Cookies
We use cookies in the C&A online shop. Such cookies may be C&A cookies or third-party cookies. A cookie is a standardized text file that is kept on your computer by your web browser for a period of time as predefined by the respective provider. Cookies enable us to locally store information such as language settings, shopping cart contents and temporary identification features that may be called up during subsequent website visits in order to reload the respective settings. You can review and delete the cookies used in the security settings of your browser. You can configure your browser settings according to your preferences and, for example, refuse to accept third-party cookies or any cookies. Please note that in this case you may not be able to use all features of our website.
Our own C&A cookies are meant to make your website visit more user-friendly and safer.
We use third-party cookies for web analyses and advertising purposes. For more detailed information please refer to sections 6 and 7 in this Data Protection and Privacy Policy.
2.3 When you register for a C&A account
Of course, you do not have to create a personal C&A account but can shop as a guest in our C&A online shop. However, registration with our online shop can make future shopping with us easier and provide a more customized, simpler shopping experience. For example, your address data, payment methods, and delivery service provider are pre-selected for your next order. For example, we can store the data related to your account (e.g. order data and wish lists contents as well as the products you have viewed) in our customer database and use such connected data to show you personalized product recommendations and more relevant search results that are geared towards your former shopping interests.
If you register for a C&A account, we will provide you with direct password protected access to your master data (e.g. C&A customer number, name, address, date of birth, telephone number, e-mail address, payment data), order data (ordered products, item numbers, size information), and other information (e.g. wish list products) stored by us. Normally, any mandatory information required for registration is marked separately, e.g. with an asterisk (“*”). If we are asking for optional information, we will inform you about why we are collecting such information. For security reasons, we will also briefly store your IP address used during registration.
You can delete your C&A account and any data stored therein at any time. To do so, please send us an informal notice (e.g. via e-mail) to service_eu@shop-c-and-a.com or use our contact form. Please note: Deletion of your account does not automatically extend to the order processes and the personal data stored for this purpose (cf. section 9: For how long will my data be stored?).
2.4 When you place an order with the C&A online shop
We will collect data about the products you order or store on your wish list. We will also store data that accrue directly in connection with the execution of your orders. Order data include the following, in particular:
Information on the products ordered, such as item numbers and size
IP address
Email adress
Invoice and delivery address
Payment data
Information on payment behavior and creditworthiness data that we may receive from credit agencies about you
Details on returns and complaints (e.g. reasons for return, notice of defects)
Order numbers
Shippers' tracking numbers (e.g. DHL International)
Even if you place several orders as a guest and use identical master data, our systems will keep your data in a uniform customer data record to facilitate maintenance of our customer database. If you use such master data at a later point in time to register for a C&A account we can link your customer data record to your account to enable you to access your former orders.
If you have purchased goods and services from us, we are also entitled to send you information about our own similar goods and services via the e-mail address sent when you made the purchase. You can object to this use of your e-mail address at any time, either to cover all merchandising of our goods and services in general or for individual merchandising measures, e.g. by e-mail, without incurring any costs other than the transmission costs according to the basic rates.
2.5 When you participate in polls, sweepstakes, or promotions
We will collect the data you provide when participating in polls, sweepstakes, or promotions.
For example, every now and then we will conduct polls to find out how our customers use our offers and how satisfied our customers are with our processing of returns or our customer service.
When conducting sweepstakes, we use your contact details for winner notifications and possibly to prevent repeat participation.
For detailed information, please refer to the separate data privacy notices for the respective poll, sweepstakes, or promotion.
2.6 When you contact us
We will collect the communication data that accrues when you contact us via a contact form on our website, via email, by telephone, or other means. Depending on the channel you use, this may comprise for example your contact details (e.g. your email address or phone number) and the contents of your message. Telephone conversations with C&A customer service will be recorded only with your express consent (e.g. for training and quality management purposes).
We will also use the offers provided by social networks such as Facebook, Instagram, and Twitter to interact with our customers. Please note that C&A has no influence on the social networks' terms of service or their data processing practices. So please make sure to carefully check the personal information that you provide us with through social networks.
2.7 When you sign up for the C&A newsletter
If you have signed up for the C&A newsletter, we will store your data that you have provided to this end for the purpose of compiling and mailing the newsletters.
For more detailed information, please refer to the Data protection and privacy notices for the C&A Newsletter.
2.8 When you click on links to third-party websites
When you click on links to third-party websites, you will leave our website. Please note that once you are redirected to a third-party website, the site may collect information about you, such as your IP address, browsing behavior, and other personal data. Our website does not transmit any personal data to these third-party sites directly. We are not responsible for their content or processing activities. For more details about their processing activities, please review the privacy policies of these third-party sites.
3. For which purposes will by data by used by C&A?
3.1 Provision of the C&A online shop
When visiting the C&A online shop websites, we will process the access data, server log files, and cookies that accrue in this context to provide you with our website and the contents and functions called up by you and to ensure stability and safety for our IT systems and databases.
Legal basis:
The legal basis when using the C&A online shop with your C&A account is Article 6 para. 1 lit. b GDPR (performance of a contract and taking of steps prior to entering into a contract).
The legal basis when using the C&A online shop without registering is Article 6 para. 1 lit. f GDPR (weighing of interests based on our above-mentioned legitimate interests).
The overriding legal basis if you have consented to data processing is your consent (Article 6 para. 1 lit. a GDPR).
3.2 Contract performance, in particular purchasing process
We process your data in order to perform the contracts that we have concluded with you and to render the services you have requested. The purposes are based primarily on the specific contract contents or purpose of the services you have requested. You may find further details on the purposes of processing in the respective contract documents and terms and conditions, for example in our General Terms and Conditions. Examples include:
Set-up and provision of your account
Performance of purchase contracts
Performance of sweepstakes and promotions
Non-promotional communication with you (e.g. safety information and changes related to contracts)
We validate your address and email address with the assistance of a British service provider to prevent incorrect details from being entered into our system.
Your data may therefore be processed in the United Kingdom and thus be transferred outside the EU or European Economic Area (EEA). The EU Commission has determined that an adequate level of data protection equivalent to GDPR is provided in the United Kingdom. Data transfers to the United Kingdom are therefore permitted in accordance with Art. 45 GDPR. We have concluded a contract with the service provider regarding the processing of orders to ensure the legitimacy of this data processing. Further information about the processing of your data by external service providers can be found in Section 7 of this Privacy Policy.
Legal basis:
The legal basis for this type of data processing is Article 6 para. 1 lit. b GDPR (performance of a contract and taking of steps prior to entering into a contract)
3.3 Personalization of the C&A online shop
Information that we receive from you helps us to consistently improve your shopping experience and our service and to design it to be more customer-friendly and individual for you. The information transferred by you and automatically generated information (e. g. access, master, and order data, as well as search entries and wish list products) are therefore used to personalize the contents in the C&A online shop based on your interests and needs derived therefrom. We can thus make it easier for you, for example, to find products that are relevant for you more quickly (we can, for example, show products in the search results first that match the products saved in your wish list or that match categories that you select particularly often).
We also use this information for individual product recommendations, to the extent that they are part of our personalized service offers (e. g. C&A customer account, C&A newsletter, and consultation services, for example in connection with the C&A style guides and our Click&Collect) or subject of our advertisement directly addressed to you.
For example, we regularly send our existing customers e-mail advertisements comprising personalized offers within the scope permitted by law which we select based on your previous orders (unless you objected to this).
Legal basis:
The legal basis when using the C&A online shop or another personalized service with your C&A customer account is Article 6 para. 1 lit. b GDPR (performance of a contract and taking of steps prior to entering into a contract).
When you use the C&A online shop or another personalized service without logging in, the personalization is based on Article 6 para. 1 lit. f GDPR (weighing of interests based on our above-mentioned legitimate interest to provide you with personalized contents and product recommendations).
To the extent that the personalization is based on your consent, your consent constitutes the prevailing legal basis (Article 6 para. 1 lit. a GDPR).
You do not want personalization?
If you do not want us to use your master and order data for the personalization during your visit in the C&A online shop, you can log out of your personal customer account at any time and use the C&A online shop as a guest. Then, we will no longer consider the data from your C&A customer account for the personalization. The personalization is then exclusively based on your access data, which we collect as part of the web analysis (section 5) during your visit.If you do not want us to do this either, you can deactivate the personalization based on your access data at any time by deactivating the web analysis services mentioned in section 5.You can also find detailed notes regarding your data protection rights and selection options in section 9 (Your data protection rights) and section 10 (Rights of withdrawal and objection).
3.4 Customer service and communication under existing customer relationships
We will process your data as part of our customer service. This will include the following, for example:
Processing of your concerns and requests by our C&A customer service
Non-promotional communication with you (e.g. safety information and technical support)
Legal basis:
The legal basis for this type of data processing is Article 6 para. 1 lit. b GDPR (performance of a contract and taking of steps prior to entering into a contract)
3.5 Payment processing
Depending on the payment method agreed, the data necessary for payment processing (e.g. direct debit or credit card data) will be passed on to the respective payment service provider. Some of the payment service providers will collect such data on their own authority, in which case their respective privacy notices will apply.
The transmission of your data to external payment service providers is based on Article 6 para. 1 lit. b GDPR (contract performance).
If you choose to pay by credit card in the check-out process, your credit card company will carry out a two-factor risk/authentication check.
In the first step, the following data will be sent to the credit card company:
Your name (title, first name, surname)
Your address
Delivery address if this is different (including Click & Collect and Packstations)
Your email address.
If the transmitted data indicates discrepancies that could indicate an increased risk, a second check level follows, in which case additional interaction with the cardholder is required (request of a second factor, such as a password or PIN entry).
1. Data recipient
Computop Paygate GmbH, Schwarzenbergstr. 4 is assigned as our processor under Article 28 of GDPR for the technical control of payment transactions, including the execution of customer authentication. Other recipients are the banks involved (the issuing bank – the issuer – and our bank as a bank that accepts credit cards – the acquirer).
2. Purpose and legal basis of data processing
Data transmission takes place for the following purposes and is based on the following legal bases:
a) Contract execution
You have signed a contract with us and, on check-out, have selected a specific payment method, which requires the transmission of certain data to complete the payment.
Legal basis: Article 6(1)(1)(b) GDPR.
b) Customer authentication obligations
For credit card payments, we are obliged to transfer the above-mentioned data.
Legal basis: Article 6(1)(1)(c) GDPR in conjunction with the corresponding provisions of EU Directive 2015/2366 (PSD 2) or the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG).
c) Preventing card misuse
With contracts that contain a credit risk or where the counterparty may fear a potential payment default, there is a legitimate interest in minimising this risk through additional authentication.
Legal basis: Article 6(1)(1)(f) GDPR
3. Intention of the controller to transmit the personal data to a third country or to an international organisation
Data processing by Computop Paygate, the payment platform of Computop Paygate GmbH, takes place in Germany. Data transfer to third countries can potentially occur in cases where the banks involved (firstly, the card-issuing bank – the issuer – and secondly the merchant's bank that accepts credit cards – the acquirer) are located in third countries.
This transmission is permitted under Art. 49 GDPR.
4. Duration for which the personal data are stored or, if this is not possible, the criteria for determining the duration
By default, Computop Paygate implements the following deletion periods for payment transactions, including authentication checks (unless an individual deletion is requested beforehand):
a) Computop Paygate Database and Computop Analytics
Deletion of payment transactions after 12 months.
b) Computop Reporter Database
Deletion of payment transactions after 24 months.
c) Storage of database backups
Deletion of backups after a further 12 months.
5. Information about whether the personal data must be provided by law or under contract or to conclude a contract, whether the data subject must provide the personal data, and what the potential consequences of not providing that data are
In the context of the chosen payment method we are obligated to provide the personal information needed for the legally required customer authentication. The consequence of not providing that information would be denial of the selected payment type.
6. The existence of automated decision-making, including profiling according to Article 22 Paragraphs 1 and 4 and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.
An automated authentication or risk assessment takes place. An analysis software calculates a score for each transaction, based on the transmitted data. If a transaction is classified as low risk, it is approved without the cardholder being asked to enter an additional code. One result may be failure of the authentication and denial of the chosen payment method.
You want to object to your credit card data being stored?
If you do not want your credit card data to be stored, you can object at any time by sending us an informal notice to the address or email address provided under section 1 above. In this case, you will have to re-enter your credit card details for each purchase.
Our payment service provider for payments via PayPal is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (“PayPal”).
Our credit card acquirer for payments by Visa and Mastercard is EVO Payments International GmbH, Elsa-Brandström-Str. 10-12, D-50668 Cologne.
3.6 Internal market research, optimization, and enhancement of our offer
We will use your access data and the data you provide (e.g. master data, order data, returns data) for internal statistical purposes and market research purposes. Prior to that we will pseudonymize or anonymize your data, for example by replacing your name and other data suitable for identification with random data.
That way we can learn, for example, which of our shop pages and products are particularly popular, which devices our customers use in general, and which regions our website is accessed from. This information helps us to continuously optimize our existing offer and to develop new functions and services.
Legal basis:
The legal basis for this type of data processing is Article 6 para. 1 lit. f GDPR (weighing of interests based on our above-mentioned legitimate interests).
3.7 Processing for consented purposes
The overriding legal basis if you have consented to the processing of your data for specific purposes is your consent (Article 6 para. 1 lit. a GDPR).
Withdrawal of consents
Article 7 para. 3 GDPR gives you the right to withdraw any consent once given at any time. This means that in future we will no longer continue data processing that was based on your consent. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.
4. C&A store finder (Google Maps)
Our website uses the “Store Finder” function of Google Maps provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). In order for the Google Maps material that we use to be integrated and displayed in your web browser, your web browser must establish a connection to a Google server, which may be also located in the U.S., when requesting the contact page. Google has submitted to the EU-US Privacy Shield in case that personal data is to be transmitted to the U.S. This way, Google will be informed that our website's contact page was called up from your device's IP address.
The Store Finder will also look for C&A stores close to you based on location data and will show them on Google Maps. To this end, you can enter address data in the search field at will (country, ZIP code, place and/or street name). If you want to search only for stores in your current area you can also use the Store Finder's automatic positioning function by clicking the “Stores in your area” button. This way you will activate the “Geolocation” HTML5 function for automatic positioning that is supported by all common browsers. Before your browser can perform the positioning operation, you must expressly consent for data privacy reasons by clicking once again. Depending on the browser and device you use, your IP address, signals received from WLAN networks, and (especially when using a mobile device) GPS and radio signals will be used for subsequent positioning. The address data that you have entered in the Store Finder's search field or the location determined automatically by your browser will be transmitted to Google via an interface so that the C&A stores found in your area can be shown on Google Maps.
The legal basis for this type of data processing is Article 6 para. 1 lit. f GDPR based on our legitimate interest in providing the above-described store finder functionality.
When accessing Google Maps on our website while logged into your Google account, Google may also link this event to your Google profile. If you do not want this event to be linked to your Google profile, you must log out of your Google account before using our store finder. Google will store your data and use it for advertising and market research purposes and to personalize Google Maps. You can object to such data being collected by Google.
Further information in this context can be found in the Google Privacy Policy and in the Google Maps Additional Terms of Service.
5. Web analysis
5.1 Google Analytics
Our website uses the web analysis function “Google Analytics” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies valid for a period of 14 months to collect your access data when visiting our website. Google combines the access data on our behalf into pseudonymous user profiles and transmits them to a Google server located in the U.S. after first anonymizing your IP address. Therefore, we cannot determine which user profiles are associated with a specific user. This means that we can neither identify nor determine how you use our website based on the data collected by Google. Google has moreover submitted to the EU-US Privacy Shield in case that personal data is to be transmitted to the U.S. in exceptional cases. Google has thus undertaken to guarantee the European data privacy principles and the present data privacy level also during data processing in the U.S.
Google will use the information collected through cookies on our behalf to analyze use of our website, to compile reports on the website activities, and to provide other services relating to website use and Internet use for us. You may also find further information in the Google Analytics Privacy Policy.
You can object to such web analysis by Google at any time by using one of the following options:
You can set your browser to block Google Analytics cookies.
You can adjust your Google ads settings in Google.
You can use an opt-out cookie by clicking here: Google Analytics Opt-out
You can install the opt-out plugin provided by Google under http://www.google.com/settings/ads/plugin in your Firefox, Internet Explorer, or Chrome browser (does not work for mobile devices).
The legal basis for this type of data processing is Article 6 para. 1 lit. a GDPR (your consent).
5.2 Adobe Analytics
We also use the web analysis service Adobe Analytics (Omniture) provided by Adobe Systems Software Ireland Limited, Ireland, 4–6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (“Adobe”). For this, Adobe uses cookies valid for a period of 14 months on our behalf to collect pseudonymous access data to enable us to analyze and regularly improve use of our website based on Adobe's reports. Your IP address is anonymized prior to any such analysis. Direct reference to a specific user is therefore excluded. Adobe has submitted to the EU-US Privacy Shield in case that personal data is to be transmitted to the U.S. in exceptional cases.
You can object to such web analysis by Adobe at any time by clicking on the “Opt-out” buttons at http://www.adobe.com/de/privacy/opt-out.html.
The legal basis for this type of data processing is Article 6 para. 1 lit. a GDPR (your consent).
5.3 Exactag
We use the analysis service of Exactag GmbH, Philosophenweg 17, 47051 Duisburg, Germany (“Exactag”). For this, Exactag uses cookies valid for a period of 6 months on our behalf to collect pseudonymous access data to enable us to analyze and regularly improve use of our website based on Exactag's reports. Your IP address is anonymized prior to any such analysis. Direct reference to a specific user is therefore excluded.
You can object to such web analysis by Exactag at any time by clicking on the “object to the data processing” link at https://www.exactag.com/datenschutz/.
The legal basis for this type of data processing is Article 6 para. 1 lit. a GDPR (your consent).
5.4 mParticle
We also use the web analysis service of mParticle Inc, 257 Park Avenue South Floor 9, New York, NY 10010, USA. We take your privacy into account in the use of this service, as the customer data platform only stores the data that you share with us. This means that when you visit our shop as a guest, your personal data is only processed based on either limited data (e.g. email address) or completely anonymous data.
We store information about preferences on mParticle’s customer data platform, based on browsing behaviour in our online shop and/or purchases in our stores. We also save any permissions granted to us (e.g. consent, cookies or newsletter subscription). Using this data, we aim to offer you an even better shopping experience and even better customer service.
Further information about mParticle and the associated privacy policy can be found here: https://www.mparticle.com/privacypolicy/
The legal basis for the processing of this data is Article 6 Paragraph 1(a) GDPR (Your consent).
5.5 Algolia
We use Algolia SAS ("Algolia"), 55 Rue d’Amsterdam, 75008 Paris, France as our search platform, which tracks various data points to optimise and personalise our services. For search queries, the search terms entered are analysed to improve the relevance of the search results and algorithms.
The data collected serves multiple purposes: optimising search by improving the relevance and accuracy of search results, personalization by customising search results and recommendations based on individual user preferences and behavior, and security by protecting against fraudulent activity and misuse of the C&A online shop.
If transfers are to a country for which the EU Commission has not issued an adequacy decision, Algolia uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the EEA.
Further information about Algolia and the associated data protection can be found here: https://www.algolia.com/pdf/DPA-latest.pdf
The legal basis for the processing of this data is Article 6 Paragraph 1(a) GDPR (Your consent).
5.6 Bazaarvoice
We use the platform services of Bazaarvoice GmbH, Liebherrstrasse 22, 80538 Munich, Germany, to collect, moderate and display authentic user-generated content. This service offers customers valuable information to support them with their purchase decisions. The data handled by Bazaarvoice includes customer reviews, ratings, photos, videos, questions and answers, covering both quantitative aspects (star ratings and review counts) and qualitative aspects (review text and customer feedback).
Reviews and ratings give you detailed information about a product's features, benefits and downsides from real users. This helps other customers to better understand the product and make more intelligent decisions. Furthermore, the tracking of data by the platform helps to adapt the entire customer journey, and to improve it by addressing customer problems.
By analysing general questions and concerns expressed in reviews and feedback, companies can proactively address these problems, improve their customer support and offer a faster, more efficient service.
Further information about Bazaarvoice and the associated data protection can be found here: Privacy Policy
The legal basis for the processing of this data is Art. 6(1)(a) GDPR (Your Consent).
5.7 Microsoft Clarity
We use the services of Microsoft Clarity, a web analytics tool provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, to gain insights into user interaction on our website. This tool helps us better understand how users engage with various elements on our site through features such as heatmaps, session recordings, and detailed user behavior analytics. Clarity is designed to improve website usability and overall user experience by providing both visual and statistical data. It identifies areas of the site that capture the most attention and highlights potential pain points where users may experience difficulties or confusion. The tool automatically masks sensitive data inputted on the website, including fields containing personal information. Users have the option to opt-out of Clarity's data collection by adjusting their browser settings to disable cookies or via specific settings provided by Microsoft. The legal basis for this data processing is Article 6(1)(a) of the GDPR (your consent). Further information about Microsoft Clarity’s data protection and privacy practices can be found here: Clarity Privacy Policy.
6. Online ads
We use various partner advertising networks in connection with the C&A online shop in order to be able to present you with interesting ads, also on external websites. To this end, our C&A online shop has integrated various technologies that allow for recognition (e.g. via a cookie set during a visit to the shop that is recognized later on). However, we do not at any time pass on data to our partners that would enable them to identify you directly. Our partners are not provided with names or contact details but only with specific identifiers that facilitate reconnecting. This enables us and our partners to present advertising that is based on our assessment of what you are interested in. This means that our partner network websites will present you with ads for products or product categories that you have viewed earlier in our shop or which we believe might be of interest to you.
The legal basis for this type of data processing is Article 6 para. 1 lit. a GDPR (your consent).
You can prevent such third-party cookies, which are used to implement the data processing described below, from being stored by setting your browser accordingly (as described in section 2.2). The following descriptions also include further options to object. Please note that we may cooperate (in cases temporarily) with partners that are not listed below.
6.1 QUALTRICS
We use the analysis services from Qualtrics LLC, 333 W. River Park Drive, Provo, UT 84604, United States of America („Qualtrics"). Qualtrics is a web-based application that allows us to create surveys to gather customer feedback, analyze, and store the data produced from those surveys. We use this community feedback to improve services and engagement for both external and internal stakeholders.
We collect personal and survey response data solely for the purpose of improving our services and enhancing user experiences. This data may include contact information, demographic details, and responses to surveys.The data collected is used for research, analysis, and service improvement.
If transfers are to a country for which the EU Commission has not issued an adequacy decision, Qualtrics uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the EEA.
Further information about Qualtrics and the associated privacy policy can be found here: https://www.qualtrics.com/privacy-statement/
The legal basis for this type of data processing is Article 6 para. 1 lit. a GDPR (your consent).
6.2 USER ZOOM
We use the services from Userzoom/User Testing that allows us to create surveys to gather customer feedback, analyze, and store the data produced from those surveys, as well as interviews. We use this community feedback to improve our web shop, services and engagement for both external and internal stakeholders. We collect personal and survey response data solely for the purpose of improving our web shop, services and enhancing user experiences. This data may include contact information, demographic details, and responses to surveys.The data collected is used for research, analysis, and service improvement. Further information about User Testing and the associated privacy policy can be found here: https://www.usertesting.com/privacy-center
6.3 Facebook
For marketing purposes, our websites use so-called conversion and retargeting tags (also referred to as “Facebook pixels”) of the social network Facebook, a service of Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). We use Facebook pixels to analyze general use of our websites and the efficacy of Facebook ads (“conversion”). Moreover, we also use Facebook pixels to present you with customized ads based on your interest for our products (“retargeting”). To this end, Facebook processes data collected on our websites through cookies and similar technologies.
Facebook may send the data collected in this context for analysis to a server located in the U.S. where the data is then stored. Facebook has submitted to the EU-US Privacy Shield in case that personal data is to be transmitted to the U.S.
If you have registered with Facebook and have set the Facebook account privacy settings accordingly, Facebook may moreover link the data collected about your visit on our website to your Facebook account and use it for setting up target-oriented Facebook ads. You can view and change the privacy settings of your Facebook profile at any time. If you do not have a Facebook account, you can prevent data processing by Facebook by clicking on the opt-out button referring to the provider “Facebook” on the external TrustArc Opt-out website. You can prevent data processing also by clicking on the following buttons.
If you opt out of data processing by Facebook, Facebook will only display general Facebook ads that are not selected based on data gathered about you.
For more detailed information, please visit Facebook's Privacy Policy.
6.4 Google Adwords and Adwords remarketing
Our website uses the “AdWords conversion tracking” and “AdWords remarketing” services of Google. C&A-defined customer actions (such as ad clicks, page views, downloads) are recorded and analyzed with “AdWords conversion tracking.” We use “AdWords remarketing” to present you with customized ads for our products on Google partner websites. Either service uses cookies and similar technologies to this end. Google may send the data collected in this context for analysis to a server located in the U.S. where the data is then stored. Google has submitted to the EU-US Privacy Shield in case that personal data is to be transmitted to the U.S.
If you have a Google account, Google may, depending on your Google account settings, link your web and app browser history to your Google account and use information from your Google account to customize ads. If you do not want this link to your Google account, you must log out of your Google account before accessing our website.
You can opt out of processing of your personal data for customized online ads on the Google advertising network at any time by using one of the following options:
You can adjust your Google ads settings at https://www.google.de/settings/ads.
You can install the free of charge opt-out plugin provided by Google under http://www.google.com/settings/ads/plugin in your Firefox, Internet Explorer, or Chrome browser (does not work for browsers on mobile devices).
Moreover, you can also opt out of customized Google ads and ads provided by numerous other providers who participate in the “Your Online Choices” initiative on the central website at http://www.youronlinechoices.eu.
Please note that if you opt out of customized advertising, Google will only display general ads that are not selected based on your collected access data.
6.5 Google reCAPTCHA
In certain cases, we use the Google Inc. reCAPTCHA service to ensure sufficient data security when transmitting forms. This serves mainly to distinguish whether data is entered by a natural person or improperly by machine or automated means. The service involves sending the IP address and any other data required by Google for the reCAPTCHA service to Google. The deviating data protection regulations of Google Inc. apply for this purpose. For more information about Google Inc.'s privacy policy, please visit www.google.de/intl/en/privacy or www.google.com/intl/en/policies/privacy/
7. With whom will my data be shared?
Basically, we will share your data only if:
you have expressly consented to this under Article 6 para. 1 lit. a GDPR,
sharing is necessary under Article 6 para. 1 lit. f GDPR in order to assert, exercise, or defend legal claims, and there is no reason to assume that you have an overriding legitimate interest in your data not being shared,
sharing is necessary for compliance with a legal obligation in terms of Article 6 para. 1 lit. c or e GDPR, in particular if we are required to provide information to a public authority, or
sharing is permitted by law and necessary under Article 6 para. 1 lit. b GDPR in order to perform a contract with you or take steps at your request prior to entering into a contract.
Some of the data processing described herein may be performed by external service providers acting on our behalf. The service providers mentioned herein may include, in particular, computer centers storing and maintaining our website and databases, IT service providers servicing our systems as well as consulting companies.
If and insofar as we share data to our service providers, such data may be used only to perform their tasks and duties. Processing of your data by commissioned service providers will take place within the scope of order processing in terms of Article 28 GDPR. Service providers were carefully selected and commissioned by us. They are contractually bound by our instructions, have implemented adequate technical and organizational measures to protect the rights of the data subjects, and are subject to regular controls performed by us.
If and insofar as your data is shared to a service provider located outside the European Economic Area (EEA), we will inform you separately thereof and of the specific guarantees on which the data transfer is based, if necessary. Please contact our data protection officer if you wish to receive copies of guarantees as proof of reasonable data protection (cf. section 1).
8. For how long will my data be stored?
Unless otherwise provided herein, your data will be stored only for as long as necessary to fulfill our contractual or statutory obligations or the purposes for which the data was originally collected or for as long as we have a legitimate interest in storing such data.
In all other cases your personal data will be deleted, except for such data that we must keep to comply with statutory retention periods. However, in such cases we will restrict data processing, i.e. your data will only be used to comply with statutory obligations.
If you decide to cancel or delete your C&A account, all personal data stored therein will be deleted. If and insofar as your data cannot or does not have to be deleted completely for legal reasons, the data concerned will be restricted for further processing. Normally, your order and payment data and other data, if applicable, will be subject to statutory retention obligations, for example under the German Commercial Code and German Tax Code. We are hence obligated to retain such data for up to ten years.
Even if your data is not subject to statutory retention obligations, we may refrain from deleting your data in cases permitted by law and restrict its processing instead. This may apply, in particular, in those cases where the data concerned may be required for further contract processing or to assert rights or for legal defense purposes. The duration of restriction of processing will depend on the statutory limitation periods.
9. Your data protection rights
You may contact our data protection officer at any time to exercise your statutory data protection rights described hereinafter (cf. section 1):
You always have the right to obtain information about our processing of your personal data. When providing such information, we will explain our data processing process and provide you with an overview of your personal data we store.
If any of the data we store is incorrect or no longer current, you have the right to have such data rectified.
You can also demand that your data be erased. If erasure is not possible in exceptional cases due to other legal provisions, the data will be blocked such as to be available only for said statutory purpose.
You can also restrict the processing of your data, e.g. if you think that the data stored by us is not correct.
You have a right to data portability, i.e. we will provide you with a digital copy of the personal data you have provided, at your request.
You also have the right to lodge a complaint with a data protection supervisory authority. Our competent supervisory authority is Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.
10. Right of withdrawal and objection
If you wish to exercise your right of withdrawal or objection below, please send us an. informal notice to the contact addresses mentioned in section 1 above.
Withdrawal of consents
Article 7 para. 3 GDPR gives you the right to withdraw any consent once given at any time. This means that in future we will no longer continue data processing that was based on your consent. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.
Objection to the processing of your data
If and insofar as we process your data based on legitimate interests pursuant to Article 6 para. 1 lit. f GDPR, you have the right under Article 21 GDPR to object to our processing of your data if there are reasons for this that follow from your particular situation or if the objection is directed against direct advertising. In the latter case, you have a general right of objection that will be complied with even if you fail to provide reasons.
11. Data security
We have adequate technical measures in place to ensure data security, in particular to protect your data against risks during data transmission as well as against unauthorized access by third parties. These measures will be adjusted from time to time in line with the state of the art. To secure the personal data you provide on our website we use transport layer security (TLS) which encrypts the data you provide.
12. Changes to this Data Protection and Privacy Policy
We will update this Data Protection and Privacy Policy occasionally, for example when we adjust our website or when the statutory or official provisions change. Material changes will be documented in this Data Protection and Privacy Policy, and we will procure our customers' consent, if necessary.
As of 04 December 2024
Data Protection Information for the C&A Newsletter
Status: May 2018
1. Registration
When registering for the C&A Newsletter, please provide the following mandatory information:
E-Mail adress
Interest/Collection
We require this information to send and personalize the C&A Newsletter. If you have already provided this information when registering for the C&A customer account, we may not have to request it again.
We also use any information provided voluntarily to personalize the C&A Newsletter. If you provide us with your date of birth when registering for the newsletter or the C&A customer account, you will receive a little birthday surprise as well.
In the context of joint initiatives, you may also be able to register for the C&A Newsletter through a campaign partner. In this case, we will receive your information from the partner through whom you register for the C&A Newsletter.
To prevent any abuse of email addresses, we generally ask applicants to confirm their application by email in an automated process (double-opt-in process). Your registration and, if applicable, confirmation are recorded. For documentation purposes, we take note of the IP address used for this purpose as well.
2. Unsubscribe
You can unsubscribe from the C&A Newsletter at any time. To unsubscribe, you may use, for example, the unsubscribe link which is found in every C&A Newsletter or the contact form.
3. Personalization
Every C&A Newsletter is provided with a randomly assigned identifier. We use this identifier to determine whether and when a newsletter was opened and what links were clicked on. Based on this information, we form user profiles under a pseudonym. When you click on a link in the newsletter, we also merge this user profile on the basis of cookie technology with the pseudonymous user profiles that are generated when using the C&A Online Shop (e.g., surfing and shopping behavior). We use this information in a pseudonymous form to uniformly personalize our newsletter and the C&A Online Shop so that we can, for example, provide you with offers in the newsletter that match products you had previously searched for in the C&A Online Shop.
If you have a C&A customer account or have purchased from us by using the same email address, we may directly use the data stored in connection with your C&A customer account or the email address that was used (e.g., order information, the content of your wish list, the shopping cart) to improve the quality of the personalization.
You do not want us to send you personalized offers?
If you do not want us to use your data in the aforementioned manner for personalization purposes, you can unsubscribe from the C&A Newsletter at any time. In such a case, we will delete the user profiles that were generated. To unsubscribe, you may use, for example, the unsubscribe link which is found in every C&A Newsletter or the contact form.
4. Use of Newsletter Service Providers
We use technical service providers for the data processing described in this data protection information. If we have to transfer your data to a service provider for this purpose, this is done in the context of a data processing agreement performed in accordance with our instructions.
5. Legal Bases and Other Important Data Protection Information
The legal basis for the data processing described above is Article 6 para. 1 lit. a GDRP (consent).
You can find information about your data protection rights and other important notices in the general C&A Data Protection and Privacy Policy, which applies as well.
Please download our privacy policy in your language here:
CZ - Prohlášení o ochraně osobních údajů
CZ - Pokyny pro ochranu osobních údajů pro informační zpravodaj C&A
PT - Informações sobre a proteção de dados pessoais para a Newsletterda C&A
RO - Politică de protecție a datelor cu caracter personal
RO - Indicații privind protecția datelor cu caracter personal pentru Newsletter-ul C&A