Data protection with "Good Priv@cy®"

Customer loyalty programs significantly professionalized the marketing of many providers in the 1990s. They made a significant contribution to the development of customer relationship management (CRM) and have been firmly anchored in this discipline ever since. The principle is simple and convincing: the better you know your customers (acquisition and evaluation of their purchase data), the more flexibly you can tailor your offers to them (product range, special offers, etc.). Well informed customers are the better customers, it is said. Customers are rewarded for the data they collect, for example in the form of points that bring them monetary benefits. Cumulus is also based on this mode of operation.

"So it's only natural that Cumulus cardholders want to know what's happening with their data," underlines Marketing Project Manager & Data Protection Officer Jan Vonderlinn in an interview. "They trust that their data will not be misused. And rightly so, because customer data is sensitive information that requires special protection. That's why data protection is so important to Cumulus."

But what exactly is the "Good Priv@cy®" seal of approval? And how can it help build trust between the customer and Cumulus? Jan Vonderlinn answered our questions about this.

Mr. Vonderlinn, what is Good Priv@cy®?
Jan Vonderlinn: Good Priv@cy® is a market-protected data protection certificate. An independent body (SQS) certifies that the authorized user (Cumulus) complies with the legal requirements for data protection and information security and that it has a functioning data protection management system.

What criteria must Cumulus meet for Good Priv@cy®?
The following strict criteria must be demonstrated in daily practice:

• a formulated and implemented data protection policy
• a functioning and documented data protection management system DMS
• compliance with all legal or contractual data protection regulations relevant to the certified area
• guaranteeing the information security required by data protection law by means of appropriate organisational, personnel and technical measures
• effective monitoring and continuous improvement of processes relevant to data protection.

How does Good Priv@cy® benefit Migros?
Data protection is becoming increasingly important to the public. It has a strong influence on whether a company or an authority is perceived as trustworthy. A data protection seal of approval makes it possible to objectively document and effectively communicate one's own data protection performance to customers, business partners and the public. It also creates trust. And trust is the basis for a good relationship between Migros and its customers.

What are the benefits of the seal of approval for Cumulus participants?
Membership in the Cumulus program is based on the General Terms and Conditions and the Privacy Policy. These clearly and unambiguously list the use of data by Cumulus. With the certification, an independent and well-known certification body confirms that Cumulus operates in accordance with the law and adheres to the various self-imposed restrictions that have been defined in the interest of the customers. This gives Cumulus participants the assurance that their data is being handled with care.

What customer data does Cumulus collect?
Cumulus participants leave their personal details when registering. Each time the Cumulus Card is used, the items purchased and the place of purchase are recorded.

"Only transparency builds trust."

"Transparent" customers, then, with every purchase?
Certainly not. Because with every purchase, the customer decides for himself whether he wants to have the purchase recorded or not. What's more, the Cu-mulus card is a household card. Mig-ros therefore does not know who scores with the card and the discount coupons. The purchases are not assigned to a person, but to the household. In fact, Cumulus is not interested in the shopping behaviour of individual persons. In most cases, the aim is to form customer target groups that are large enough to be addressed with offers and information. The Data Protection Act stipulates "purpose limitation" here. Accordingly, Migros may collect and process Cumulus data for statistical purposes.

How long does Migros store the data it collects?
The purchasing data of Cumulus participants is kept for a maximum of 5 years. After that, the personal data is deleted. The transaction data itself is kept for 10 years for accounting purposes (OR). Every customer can call up detailed purchasing data for the last two years at www.migros.ch under "My Migros" or by calling the Cumulus Infoline.

What does Cumulus actually do with customer data?
This process is transparently documented: The customer addresses are made available to the following companies in the Migros community: Migros-Genossenschafts-Bund, Mig-ros-Genossenschaften, M-Electronics, Sport XX, Bike World by SportXX, Outdoor by SportXX, Do it + Garden Migros, Micasa, Obi, Migusto (formerly Saisonküche), LeShop.ch, Ex Libris, Migrol, Migrolino, Migros Ferien, Depot. The customer data collected allows the Migros Community to provide customers with targeted, needs-based information and offers from the Migros Community, usually in conjunction with customer benefits.

Does Cumulus give or even sell customer data to third parties?
No, Cumulus data is only used within the Migros community. By the way: In the case of criminal investigations, Cumulus would have to provide data according to the law, but only if criminal proceedings have been opened and an investigating judge orders the data to be handed over.

What if customers voice their concerns?
The Cumulus Customer Service Center receives approximately 50,000 calls and contact forms per month. The majority of these concern questions about accounts, applications or discount coupons. Only 0.05% to 0.1% are complaints. If these are justified, unbureaucratic and accommodating solutions are offered. As experience and customer surveys of recent years have shown, customers appreciate this attitude. This strengthens the trust in our performance promise.

"Customer data needs protection."

In summary: What is Migros' experience with Good Priv@cy®?
Acceptance is high. The Migros general management supports the programme. Cooperation with the SQS auditors is also professional and constructive. Their suggestions for improvement are a regular item on the agenda at the regular data protection meetings. And the current status is always reported to the management team.
logged.