Data protection

Data protection information of Otto (GmbH & Co KG),
Werner-Otto-Str. 1-7, 22179 Hamburg, Germany

As of: 25 May 2018

In the area of data protection, the unified standards of the EU General Data Protection Regulation (the “GDPR”) have been applicable throughout Europe since 25 May 2018. In the following data protection information, we will inform you about the processing of personal data by Otto (GmbH & Co KG), Werner-Otto-Str. 1-7, 22179 Hamburg, Germany (“Otto,” and/or “we,” and/or the “Controller”) in accordance with the GDPR and the Bundesdatenschutzgesetz (the Federal Data Protection Act (“BDSG 2018”)).

Please read through our data protection information carefully. Should you have any questions or comments concerning our data protection information, please contact us at dtnschtzbftrgtrttgrpcm.


1. Name and contact data of the processing Controller
2. Contact data for the data protection officer
3. Purposes of the data processing, legal bases, and legitimate interests that are pursued by the Controller or by a third party, as well as categories of recipients
3.1. Retrieval of our websites/applications
3.1.1. Log files
3.1.2. Cookies, tracking, and social media plug-ins
3.2. Entering into, performance of, and/or end of a contract
3.2.1. Data processing upon entering into a contract
3.2.2. Transfer of data to transportation service providers
3.3. Data processing for marketing purposes
3.3.1. Newsletter
3.3.2. Contests
3.3.3. Data processing in the context of events
3.4. Online presence and website optimisation (with cookies)
3.4.1 Cookies – general information Technically necessary cookies
3.4.2. Web analytics with Matomo
3.5. Categories of recipients
3.5.1. Processor
3.5.2. Other third party partners
4. Document Requests
5. Advertising partners/third-party cookies
6. Social media plug-ins
6.1. Facebook and YouTube
6.2. Twitter
6.3. Instagram
6.4. Xing and LinkedIn
7. Contact
8. Recipients outside the EU
9. Your rights
9.1. Overview
9.2. Right to object
9.3. Right to withdrawal

1. Name and contact data of the processing Controller

This data protection information applies to data processing by:

Otto (GmbH & Co KG)
Werner-Otto-Straße 1-7
22179 Hamburg, Germany
Telephone: +49(0)40 - 3603 3603
Email address: dtnschtzbftrgtrttgrpcm 

represented by:

Alexander Birken (Chairman)
Dr Marcus Ackermann
Sergio Bucher
Sebastian Klauke
Petra Scharner-Wolff
Kay Schiebur


for the following websites:

2. Contact data of the data protection officer

You can reach the company data protection officer(s) of the Controller at:

Otto (GmbH & Co KG)
Werner-Otto-Straße 1-7
22179 Hamburg, Germany

Email: dtnschtzbftrgtrttgrpcm 

3.1. Retrieval of our websites/applications

3.1.1. Log files

Each time access is made to websites/applications, information is sent by the respective internet browser on your respective end device to the server of our website/application, and temporarily stored in log data files, the so-called log files. The data sets stored in this way contain the following data which are stored up until automatic erasure: date and time of the retrieval, name of the site retrieved, IP address of the inquiring device, referrer URL (source URL, from which you arrived at our websites), the data quantity transferred, loading time, and the product and version information of each browser used as well as the name of your access provider.

The legal basis for the processing of the IP address is Article 6(1)(f) GDPR. We have a legitimate interest in:

  • guaranteeing that connections are established smoothly,
  • guaranteeing convenient use of our website/application, and
  • evaluating system security and stability.

No immediate inference as to your identity is possible by means of the information; nor do we draw any such inference.

The data are stored and automatically erased after the aforementioned purposes have been achieved. The standard periods for erasure are determined by the criterion of necessity.

3.1.2. Cookies, tracking, and social media plug-ins

For our website/applications, we use so-called cookies, tracking tools, targeting procedures and social media plug-ins. The precise procedures involved, and the manner in which your data are used for them, are explained in detail below.

3.2. Entering into, performance of, and/or end of a contract

3.2.1. Data processing upon entering into a contract

Whenever you register at one of our websites/applications and/or enter into a further contract with us, e.g., whenever you order one of our business reports and/or other documents, then we shall process the data necessary for entering into the contract, for its performance, or for ending the contract with you. Such data include:

  • first name, last name
  • delivery address
  • company/institution
  • email address

The legal basis for such is Article 6(1)(a) and (b) GDPR, i.e., you are making the data available to us upon the basis of the respective contractual relationship between you and us.

To the extent that we do not use your data for further purposes (see below), we shall store the data collected for fulfillment of the contract for the term of the contract as well as until the expiration of the statutory or any potential contractual warranty and guarantee rights. After expiration of this time period, we shall retain the information about the contractual relationship, which information is necessary pursuant to commercial and tax law, for the statutorily determined time periods. During this time period, the data will again be processed, solely for the event of an examination by the financial administration.

Furthermore, for transacting the order over our websites/applications, the following data processing is necessary:

We shall share the details of your delivery address with the logistics company and shipping partners engaged by us, in order to make the delivery of orders possible. The respective data shall be transferred to our contractors solely for the respective purposes and shall be erased after delivery has been effected.

3.2.2. Transfer of data to transportation service providers

For the purpose of delivering goods ordered, we cooperate with logistics services providers/transportation companies and/or shipping partners. For the purpose of delivering the goods ordered or for the notification thereof, these companies shall be able to receive transfers of the following data: first name, last name, mailing address, email address.

The legal basis of the processing is Article 6(1)(b) GDPR.

3.3. Data processing for marketing purposes

3.3.1. Newsletter

On our websites/applications, we offer you the opportunity to register for our newsletter. In order to ensure that no mistakes have been made while entering the email address, we use the so-called double opt-in procedure (DOI procedure): after you have entered your email address into the registration field and issued your consent to receiving our newsletter, we will send you a confirmation link at the address provided. Only when you click on this confirmation link will your email address be taken into our distribution list for sending our newsletter. The legal basis for this data processing is Article 6(1)(a) GDPR.

Notice of right to revoke

At any time, you can revoke your consent effective prospectively, by sending a notice to srvcttd or by using the opportunity to unsubscribe provided at the bottom of each newsletter.

3.3.2. Contests

Whenever you register for contests organized by us, we will use the data provided by you during the respective registration for the purpose of performing on the participant contract, particularly for the purpose of notification of winning. You can find more detailed information in the respective terms and conditions of participation for the respective contest. The legal bases for this data processing are Article 6(1)(a) GDPR, Article 6(1)(b) GDPR, and Article 6(1)(f) GDPR.

3.3.3. Data processing in the context of events

On this website, you have the opportunity to register for events in order to participate. If you wish to participate in an event, the necessary information of the participating persons will be collected. This concerns your first name, last name, address and contact details (e.g. e-mail address). If you also provide additional personal data, we process that personal data, that you voluntarily provide here, exclusively in the context of the realisation of the event.

3.4. Online presence and website optimisation (with cookies)

3.4.1.  Cookies – general information

On various sites, we use cookies in order to make the visit to our website attractive and to enable the use of certain functions, as well as to record statistics about the use of our website. Cookies are small text data files which your browser automatically creates and which are saved on your end device (laptop, tablet, smartphone, and the like) whenever you visit our site. Cookies do not damage your end device; nor do they contain any viruses, Trojan horses, or any other malware. The cookie stores information that ensues in each instance in connection with the specifically used end device. However, this does not mean that we thereby receive any direct knowledge of your identity.

Most of the cookies used by us are deleted again after the end of the browser session (so-called session cookies). Using these, we can offer you, for example, the cross-website shopping basket display, from which you can see how many articles are already in your shopping basket and the current amount of your purchases. Other cookies remain on your computer and enable us to recognize your computer again during the next visit (so-called permanent or cross-session cookies). These cookies, in particular, serve to make our offer user-friendly, more effective, and more secure. Thanks to these data files, it is possible, for instance, for you to receive on the site displays of information that are customized to your interests.

To be sure, you can set up your browser in such a manner that it does not store our cookies in your end device. The help function in the menu bar of most web browsers explains how to prevent your browser from accepting new cookies, provided that you set up your browser to notify you whenever you receive a new cookie, or how you can delete all of the cookies already received and block any additional ones.

Please proceed as follows:

In Internet Explorer 

Select “Internet Options” in the “Tools” menu.
Click on the “Privacy” tab.
Now you can make security adjustments for the internet. Here, you can set whether and which cookies are supposed to be allowed or blocked.
Confirm your setting by clicking on “OK.”

In Firefox: 

Click the menu button and choose “Options.”
Click on “Privacy & Security.”
Select the entry “Use custom settings for history” in the drop-down menu.
Now you can set whether cookies ought to be accepted, how long you wish to keep these cookies and make exceptions for the websites that you wish to always or never allow to use cookies.
Confirm your setting by clicking on “OK.”

In Google Chrome: 

Click on the Chrome menu on the symbols bar of the browser.
Select “Settings.”
Click on “Advanced.”
Under “Privacy and security,” click on “Content settings.”
Under “Cookies” you can make the following settings for cookies:
Delete cookies
Block cookies by default
Delete cookies and website data by default after closing the browser
Allow exceptions for cookies from particular websites or domains

However, we would like to point out that in this event, it is possible that you will not be able to use all of the features of this website in their fullest scope.

Insofar as personal data are involved with these cookies and/or the information contained therein, the legal basis of the data processing is Article 6(1)(f) GDPR. Our interest in optimizing our website is in the course of such to be regarded as legitimate within the meaning of the aforementioned regulatory provision.  Technically necessary cookies

This website uses cookies. Cookies are small text files that are generated automatically by your browser and stored on your device (notebook, tablet, smartphone, and suchlike). Information is stored in the cookie relating to the specific device being used. This does not mean, however, that we obtain direct knowledge of your identity. Some of the cookies we use are deleted at the end of the browser session (known as session cookies).

As a rule, it is only permitted by law to store information on devices (desktops, smartphones, tablets, and suchlike)—e.g., by setting cookies—and to access information on devices (tracking) if you have given your prior consent. The legal basis for this is Section 25 para. 1 sentence 1 of the Telecommunications and Telemedia Data Protection Act (TTDSG). Consent is not required if this form of storage/tracking is necessary in order to make the website available. The legal basis for this is Section 25 para. 2 number 2 TTDSG. Necessity is deemed to include assurance of the following functionalities/the achievement of the following objectives:

- To ensure system security
- To enable billing of partners
- To provide the services requested by the website visitor

You do not have the right to object to data processing that is necessary for operation of the website.

You can use the website at without data being tracked or stored on your device that are not necessary in order to make this website available. Only ‘basic tracking’ is therefore enabled on this website.

3.4.2.  Web analytics with Matomo

We use the open source software by the web analytics provider Matomo for the purpose of demand-oriented design and continuous optimization of this website, and in doing so invoke the legal basis provided in Article 6 para. 1 point f) of the General Data Protection Regulation (GDPR), namely our legitimate interest. The Matomo plug-in enables us to store cookies (text files) on your computer that allow us to analyze your use of our website. We will evaluate your use of the website in this regard and compile reports on website activities.

3.5. Categories of recipients

3.5.1. Processor

We use processors (Article 28 GDPR) as part of the processing of your personal data. A processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but carry out data processing exclusively for the controller.

3.5.2. Other third party partners

In addition, we may use other third-party partners who are necessary for the provision of services and the achievement of various purposes. We transfer personal data to these third-party partners if this is necessary within the scope of the service provision.

The legal basis for this data transfer is Article 6 para. 1 lit. b), f) DSGVO

4. Document Requests

Should you request documents on our website (e.g., an annual report), we will use the data specified by you for this purpose exclusively to send these documents.

The legal basis for this processing is Article 6, para. 1 point f) GDPR.

9.1 Overview

5. Advertising partners/third-party cookies

We cooperate with advertising partners to configure the online offer on our website for you in a more interesting way. For this purpose, cookies of our advertising partners are also placed during the visit to our website (so-called third-party cookies). Similarly, information about your user behavior and your interests when visiting our site are deposited using pseudonyms in the cookies of our advertising partners. Sometimes, in addition, information is recorded that were generated on other sites prior to the visit to our site. By means of this information, advertising banners of interest to you belonging to our advertising partners are displayed. No personal data are stored, and nor will any use profiles be combined with your personal data.

You can prevent the interest-based advertisement banners of our advertising partners by means of a corresponding cookie setting in your browser.


Doubleclick by Google is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (“Google”). Doubleclick by Google uses cookies in order to present you with relevant advertising displays. In so doing, a pseudonymous identification number (ID) is assigned to your browser, in order to examine which displays will be shown in your browser and which displays were clicked on. The cookies do not contain any personal information. Using the Doubleclick cookies enables Google and its partner websites merely to set up displays on the basis of prior visits to our or other websites on the internet. The information generated by the cookies is transferred by Google for analysis to a server in the United States of America and stored there. A transfer of the data by Google to third parties takes place only on the basis of legal rules and regulations or in the course of data processing. Under no circumstances does Google combine your data with other data recorded by Google.

You can prevent Google’s recording of the data generated by the cookies and related to your use of the websites, as well as Google’s processing of these data, by managing your settings here

You can further prevent the interest-based advertisement banners from our advertising partners by means of a corresponding cookie setting in your browser.

The legal basis of the data processing is Article 6(1)(a) and (f) GDPR.

6. Social media plug-ins

On our website, we use social media plug-ins from the social media networks Facebook, Google, and Twitter, on the basis of Article 6(1)(f) GDPR, in order to make our company better known through them. The responsibility for operation in conformity with data protection is to be guaranteed by their respective providers.

In the respective data protection notices of the provider, you can find information about the purpose and scope of the data collection, the further processing and use of the data by the respective providers, your rights in this respect, and the possible settings for protecting your privacy.

By logging out beforehand from social network sites as well as by deleting cookies already set, you can prevent social networks from assigning the information collected about you during your visits to to your user account at the respective social network. If you do not wish social networks to assign the data collected through our web presence directly to your profile, then you will have to log out of the corresponding social networks prior to your visit to our website. You can also completely prevent the plug-ins from being loaded by using add-ons for your browser, e.g., with the script blocker “NoScript,” available at

6.1 Facebook and YouTube

Social plug-ins from Facebook and Google (YouTube) are used on this website. These involve offers from the American companies Facebook Inc. (1601 S. California Ave., Palo Alto, CA 94304 USA (“Facebook”) and Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”)).

Whenever you visit a website that contains such a plug-in, your browser can create a connection to Facebook or Google, and the contents from these sites can be loaded. Your visit to this website can, by this means, be tracked by Facebook and Google, as applicable, even if you do not actively use the function of the social media plug-in. If you possess an account at Facebook or Google, then you can use such a social media plug-in and in this way share information with your friends. We do not have any influence upon the content of the plug-in or the transfer of information.

Facebook and Google provide detailed information about the scope, nature, purpose, and further processing of your data on their websites. Here you can also find further information about your rights and the possible settings for protecting your privacy.

Data protection notices of Facebook:
Data protection notices of Google:

6.2 Twitter

Moreover, functions of the service Twitter are also integrated into this website. These functions are offered by Twitter Inc., 795 Folsom St., Ste. 600, San Francisco CA 94107 USA (“Twitter”). Through the use of Twitter and of the “re-tweet” function, the websites that you have visited are linked with your Twitter account and are made known to other users. In this manner, data are also transferred to Twitter. For this purpose, your internet browser creates a direct connection to Twitter’s servers and transfers data to Twitter.

We point out that we do not receive any knowledge of the content of the transferred data or their use by Twitter. You can find further information in the Twitter privacy policy: You can change your data protection settings for Twitter in the account settings

6.3 Instagram

Additionally, the plug-ins of the social media network Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025 USA (“Instagram”) are integrated into the website. You can recognise the Instagram plug-in on the “Instagram” button on our website.

If you click on the “Instagram” button while logged onto your Instagram account, then you can link the contents of our sites to your Instagram profile. In this manner, Instagram can assign the visit to our sites to your user account. We point out that we do not receive any knowledge of the content of the transferred data or of its use by Instagram. You can find out further information from the Instagram data protection policy:

6.4 Xing und LinkedIn

Also integrated into this website are the plug-ins of the social media networks LinkedIn, of the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043 USA, and of Xing AG, Gaensemarkt 43, 20354 Hamburg, Germany. You can find information about data protection from the LinkedIn and Xing privacy policies in accordance with their websites, located here:

7. Contact

You have the opportunity to contact us in several ways: via email, telephone, or surface mail. If you contact us, then we will use the personal data that you provide us voluntarily in this context, exclusively for the purpose of getting in touch with you and being able to process your inquiry.

Article 6(1)(a), Article 6(1)(b), Article 6(1)(c), and Article 6(1)(f) GDPR establish the legal basis for this data processing.

8. Recipients outside the EU

With the exception of the processing set forth herein, we do not share your data with any recipients having their seat outside the European Union or the European Economic Area. The processing activities set forth herein include a data transfer to the servers of the providers of tracking or targeting technology whom we have retained. These servers are located in the United States of America. The data transfer is effected upon the basis of so-called "standard contractual clauses" of the EU Commission.

9. Your rights

9.1 Overview

Alongside the right to withdrawal of the consents you have given to us, if the respective statutory prerequisites are fulfilled, then you are entitled to the following additional rights:

  • the right of access to your personal data stored by us (Article 15 GDPR), in particular, you can obtain access to information on the purposes of the processing, the category of the personal data, the categories of recipients to whom your data were or are being disclosed, the envisaged period of storage, and the source of your data, insofar as these were not collected directly from you;
  • the right to rectification of inaccurate data or to completion of accurate data (Article 16 GDPR),
  • the right to erasure of your data stored with us (Article 17 GDPR), to the extent that we do not have to comply with any statutory or contractual retention periods or other duties or rights by operation of law concerning further storage by us,
  • the right to the restriction of processing of your data (Article 18 GDPR), to the extent that the accuracy of the data is contested by you, that the processing is unlawful, but you oppose its erasure; the Controller no longer needs the data, but that you, however, require the data for the establishment, exercise, or defense of legal claims, or have filed an objection to the processing as contemplated under Article 21 GDPR,
  • the right to data portability in accordance with Article 20 GDPR, i.e., the right to receive selected data stored with us about you transferred in a commonly used, machine-readable format, or to obtain the transfer to another controller,
  • the right to lodge a complaint with a supervisory authority. As a rule, for this purpose you can turn to the supervisory authority at your habitual residence or place of work, or at our company seat..

You can avail yourself of the above rights to which you are entitled with regard to us at

9.2 Right to object

It is possible under the prerequisites of Article 21(1) GDPR to object to the data processing on grounds relating to the particular situation of the data subject.

The general right to objection above applies to all processing purposes described in this data protection information, which purposes are processed on the basis of Article 6(1)(f) GDPR. In contrast to the special right of objection oriented to data processing for promotional purposes, we are obligated under the GDPR to implement such a general right of objection only if you set forth to us reasons of overarching significance (e.g., a potential risk to life or health).

9.3 Right to withdrawal

Insofar as we process data upon the basis of a consent that you have issued, you have the right to withdraw the consent issued at any time. The withdrawal of the consent does not result in the data processing becoming ineffective which has taken place upon the basis of the consent up to the date of the withdrawal.