Our Handling of Personal Data
As a European company, we are subject to the rules of the European General Data Protection Regulation (GDPR) from May 25, 2018; until then, as a German company, we are subject to the German Federal Data Protection Act. We comply with the strict provisions of these rules regarding the use, storage and processing of personal data. Our customers can view their personal information in their customer account at any time, so they always know what personal information about them we hold. If customers want further information, we provide it free of charge. We pass on the personal data of our customers to third parties, such as logistics service providers or banks, only as far as this is legally permitted, in particular if it is required for the execution of the contract or for invoicing, or if the customer has previously consented to it. In turn, our service providers may use the forwarded data only to fulfill their task, and they must strictly adhere to the provisions of the applicable data protection laws.
The use, storage and processing of personal information is based on the strict rules imposed by the German Data Protection Act, the German Telemedia Act and European directives.
Best Surfing Experience
Cookies are used primarily to optimize the purchasing experience and to adapt offers to meet the wishes of customers.
Personal data is passed on to third parties such as logistics service providers or banks only if it is legally permissible to do so or our customers have approved such a transmission of data.
Personal data, whether entered at the point of order or at login, is transmitted in encrypted form using SSL/TLS. This protects our customers’ data in transit against eavesdropping and tampering by third parties.
The manner in which visitors use our shops is evaluated in pseudonymized* form, which means that at no point is behavior assigned to any individual person or persons.
Payment by Credit Card
We are PCI DSS certified, which means that we abide by the very high standards of the payment card industry in order to protect cardholder data during credit card transactions.
We offer customers a range of payment methods to enable a convenient purchasing experience. We pass on to our payment service providers only the data required to process the payment.
So that we can maintain our high security standards at all times, we have established an internal IT security team that works closely with outside experts.
*Pseudonymization means that personal characteristics, such as the customer’s name, are replaced by a pseudonym, for example a combination of numbers. The person concerned can then be identified only by tracing the pseudonymization process, which requires the appropriate “key”.
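To make the footnote concrete, here is an added example of keyed pseudonymization (it is illustration code written for this page, not Zalando’s own implementation, and the customer identifiers and page views in it are constructed). The pseudonym is an HMAC of the customer identifier under a secret key: the same customer always gets the same pseudonym, so shop usage can still be evaluated per visitor, but tracing a pseudonym back to a person requires the key plus a list of candidate identifiers. The counter-example at the end shows why an unkeyed hash is not a pseudonym: anyone with a list of plausible identifiers can undo it.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample data for this example only (no real customer records).
CUSTOMER_IDS = ["C-1001", "C-1002", "C-1003"]
USAGE_EVENTS = [
    {"customer_id": "C-1001", "page": "/shoes/sport"},
    {"customer_id": "C-1002", "page": "/shoes/boots"},
    {"customer_id": "C-1001", "page": "/shoes/sport/running"},
]


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key. Store it separately from
    the pseudonymized data, with access limited to whoever may re-identify."""
    return secrets.token_bytes(32)


def pseudonymize(customer_id: str, key: bytes) -> str:
    """Replace a customer identifier with a keyed pseudonym.

    HMAC-SHA256 under a secret key, truncated to 64 bits. The same customer
    always maps to the same pseudonym, so usage can still be counted per
    visitor, but without the key the pseudonym can be neither reversed nor
    recomputed from a guessed identifier.
    """
    mac = hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).digest()
    return mac[:8].hex()


def pseudonymize_events(events, key: bytes):
    """Return a copy of the usage events with the customer id replaced by a
    pseudonymous visitor id; the real identifier never leaves this function."""
    return [{"visitor": pseudonymize(e["customer_id"], key), "page": e["page"]}
            for e in events]


def reidentify(pseudonym: str, key: bytes, candidate_ids: List[str]) -> Optional[str]:
    """Trace a pseudonym back to a customer. This needs the key *and* a list
    of candidate identifiers, because an HMAC cannot be inverted, only
    recomputed. This is the "key" the footnote refers to."""
    for cid in candidate_ids:
        if hmac.compare_digest(pseudonymize(cid, key), pseudonym):
            return cid
    return None


def weak_pseudonymize(customer_id: str) -> str:
    """Counter-example: an unkeyed hash of the identifier."""
    return hashlib.sha256(customer_id.encode("utf-8")).hexdigest()[:16]


def guess_without_key(weak_pseudonym: str, candidate_ids: List[str]) -> Optional[str]:
    """Anyone holding a list of plausible identifiers (customer numbers,
    e-mail addresses) can recompute an unkeyed hash and undo the weak
    pseudonymization with no secret at all. That is why the key matters."""
    for cid in candidate_ids:
        if weak_pseudonymize(cid) == weak_pseudonym:
            return cid
    return None


if __name__ == "__main__":
    key = new_key()
    for event in pseudonymize_events(USAGE_EVENTS, key):
        print(event)
    print("re-identified:", reidentify(pseudonymize("C-1001", key), key, CUSTOMER_IDS))
    print("guessed without key:", guess_without_key(weak_pseudonymize("C-1002"), CUSTOMER_IDS))
```

The analytics side only ever sees the `visitor` field; the key, and therefore the ability to run `reidentify`, stays with the small group that is allowed to trace the pseudonymization.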
1. Zalando’s Security Measures
1.1 Data Security
To avert the risk of data breaches, all customer data is transmitted in encrypted form. This applies both to order data and to customer login data. For this, we use SSL/TLS (Secure Sockets Layer / Transport Layer Security). This encryption ensures that the data cannot be read by third parties while in transit. Additionally, to protect us from external attacks, we rely on security technology that continuously monitors our systems and immediately detects and flags anomalies. We also use technical and organizational measures to protect our websites and other systems against the loss, damage, access, modification or dissemination of customer data by unauthorized persons. In this way, we want to keep the risk of unauthorized access as low as possible. However, like other companies, we cannot guarantee absolute protection.
1.2 Payment and Credit Rating
We offer our customers the usual payment methods in online retail: advance payment, credit card, PayPal or invoice. We pass on to our payment service providers only the data required for processing the payment. Usually, this is just the payment data, the bank account details and the relevant identification information, such as the name of the customer. The cooperation with our payment service providers is carried out in accordance with the German Federal Data Protection Act, which ensures compliance with the legal requirements. We are also PCI DSS certified, meaning that we meet the very high standards of the payment card industry for the protection of personal data in credit card transactions.
To offer our customers the best possible choice of payment methods, we must protect them and ourselves from fraud. We therefore work with credit rating service providers. Generally, service providers in the areas of credit ratings or debt collection require additional information such as customer addresses or order details. For this reason, when a customer places an order, we send the personal data required for a credit check – including address information – to an external service provider. The service provider then performs an appropriate assessment and calculates the probability of a payment default. We use this to make a balanced decision on the selection of the various payment methods that we can offer our customers. We also use this service to protect us in the event of default on invoice or direct debit payments. In accordance with the legal requirements, credit rating service providers also use the aforementioned data for other companies (e.g. other online retailers) for the purpose of address verification or identity checks, as well as for the resulting scoring applications.
1.3 Deletion of Data
Personal data is deleted if a customer submits a valid deletion request that does not conflict with any statutory retention obligations. Customers who wish to make information or deletion requests can find all necessary information in our data protection declarations (more precisely, under the heading “Right to information of involved parties”). Data is also deleted if its storage is no longer required to fulfill the intended purpose, or if its storage is not permitted for other legal reasons.
2.1 What Are Cookies?
Cookies are small data files that are stored on the customer’s device (e.g. in the web browser) and save certain settings and data for exchanges with the provider’s system. Generally, there are two types of cookies: session cookies, which are deleted as soon as customers close their browser, and persistent cookies, which remain on the customer’s device for a longer period of time, until their expiry date or until the customer deletes them. Storing this data helps us to tailor the Zalando websites and services to our customers. It also makes the websites easier to use, for example by saving certain entries so that they do not have to be keyed in repeatedly.
2.2 Which Cookies Does Zalando Use?
2.3 What Data Is Stored in the Cookies?
Using cookie technology, we receive only pseudonymous information, such as which pages of our online shop were visited or which products were viewed. When a cookie is set, it is assigned an identification number. The personal data of our customers is not linked to this identification number. Names, IP addresses or similar customer data that would allow the cookie to be attributed to a specific customer are not stored in the cookie.
2.4 What Is On-Site Targeting?
Data used to optimize our advertising and our online service as a whole is collected on the Zalando websites using cookie technology. This data is not used to personally identify our customers, but provides a pseudonymous evaluation of the use of the Zalando website. This usage data is never combined with the personal data that we store.
We can use this technology to display advertisements, special offers and services relevant to our customers. Their content is based on information obtained through clickstream analysis; for example, an advertisement may be based on the information that only sports shoes have been viewed over the past few days. Why do we do this? We want to make our online service as attractive as possible for our customers and present them with advertisements that correspond to their interests.
2.5 Are There Also Third-Party Cookies?
Zalando uses a number of advertising partners who help make the service and websites more attractive to our customers. Therefore, when customers visit the Zalando websites, cookies from partner companies are also stored on their devices. The cookies of our partner companies also contain only pseudonymous and, most often, anonymous data. This includes data about which products our customers have viewed, whether something has been purchased, or which products have been searched for. Some of our advertising partners collect information from our website on which pages our customers visited previously or which products they showed an interest in. Our customers are therefore shown advertisements that match their interests as closely as possible. This is standard practice in the advertising industry. The pseudonymous customer data is never combined with the personal data of our customers. The sole purpose of collecting this data is to allow our advertising partners to show our customers advertisements they may be interested in.
2.6 What Is Retargeting?
Our websites use retargeting technology. We use this technology to make our service even more attractive for our customers, as it allows us to display advertisements on the websites of our partners to internet users who have visited the Zalando online shop. We are convinced that displaying personalized, interest-related advertisements is, as a general rule, more compelling and more widely accepted than displaying advertisements without any personal reference, which are therefore of significantly less relevance. The advertisements displayed on our partners’ web pages are based on cookie technology and the analysis of previous user behavior. This form of advertising is entirely pseudonymous: user profiles are never combined with the personal data of our customers.
2.7 How Can Our Customers Prevent the Storage of Cookies?
3. How Can Our Customers Prevent Common Risks of Fraud?
3.1 Recognize Phishing Emails
Unfortunately, fraudsters may send emails about a supposed purchase from Zalando, for example in the form of fake order confirmations or payment reminders. Criminals use these emails to try to obtain user names and passwords from customers, or to install malicious programs on their computers via email attachments.
Important: Links or attachments contained in these phishing emails should never be opened.
We never ask our customers for their password via email or telephone. If in doubt about the authenticity of an email, customers can contact our customer service team for advice at any time. Our service hotline is free of charge. You can also contact us at firstname.lastname@example.org. If you think that fraudsters have accessed your personal information, for security reasons we recommend that you change your password under “My user data” as soon as possible. You should also check, and if necessary change, the login details for other important accounts (such as online banking).
3.2 Avoid Using the Same Password Multiple Times
One of the most common causes of online fraud is the use of the same password for various services and online accounts. For example, many users have identical passwords for their email account, online banking and customer login for the online shop. If attackers manage to obtain a customer’s password – for example, through phishing or a data breach at another service – they can then log in to all the services for which the same password is used. Often, attackers use automated processes (so-called credential stuffing) to quickly test on which online shops or services a stolen password works. This type of attack is usually carried out at night, as the attackers then have more time to make fraudulent purchases before anyone notices. Zalando uses several different technical and manual fraud prevention processes to protect its customers from fraudulent purchases as much as possible. A simple and effective first step is using a different password for every service. Password managers can be used to help organize passwords.
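The automated testing of stolen passwords described above leaves a characteristic trace in a shop’s login log: one source address trying many different accounts within seconds, most of them failing, with the occasional success where a reused password worked. The following added example shows a simple detector for that pattern. It is illustration code written for this page, not one of Zalando’s fraud prevention processes; the log format, the thresholds and the log lines themselves (which use RFC 5737 test addresses) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed login-log sample for this example (not real traffic). Six accounts
# from 203.0.113.7 within four seconds at night, one legitimate typo-then-success
# from 198.51.100.2, and three users behind one office address spread over an hour.
LOG_LINES = """\
2024-03-02T02:14:01Z ip=203.0.113.7 user=anna@example.org result=FAIL
2024-03-02T02:14:02Z ip=203.0.113.7 user=ben@example.org result=FAIL
2024-03-02T02:14:02Z ip=203.0.113.7 user=carla@example.org result=FAIL
2024-03-02T02:14:03Z ip=203.0.113.7 user=dirk@example.org result=OK
2024-03-02T02:14:04Z ip=203.0.113.7 user=eva@example.org result=FAIL
2024-03-02T02:14:05Z ip=203.0.113.7 user=frank@example.org result=FAIL
2024-03-02T09:30:10Z ip=198.51.100.2 user=anna@example.org result=FAIL
2024-03-02T09:30:25Z ip=198.51.100.2 user=anna@example.org result=OK
2024-03-02T10:00:00Z ip=192.0.2.10 user=gina@example.org result=OK
2024-03-02T10:20:00Z ip=192.0.2.10 user=hans@example.org result=OK
2024-03-02T10:40:00Z ip=192.0.2.10 user=ines@example.org result=OK
""".splitlines()

# Assumed (hypothetical) log line format: "<ISO timestamp> ip=<addr> user=<login> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_credential_stuffing(lines, window_seconds=60, min_distinct_users=5):
    """Flag source IPs that try at least `min_distinct_users` different accounts
    within `window_seconds`.

    A person mistyping a password hits one account; a stuffing tool walks a
    list of (login, password) pairs, so the tell is many *distinct* accounts
    from one source in a short time, regardless of how many attempts fail.
    Successful logins inside such a burst are the accounts whose reused
    password worked and that need a forced password reset.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> (ts, user, result) entries inside the sliding window
    alerts = {}                   # ip -> alert being built
    for e in events:
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"], e["result"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # drop entries that fell out of the window
        users = {u for _, u, _ in q}
        if len(users) < min_distinct_users:
            continue
        alert = alerts.setdefault(e["ip"], {
            "ip": e["ip"], "first_seen": q[0][0], "last_seen": e["ts"],
            "accounts": set(), "successes": set(),
        })
        alert["last_seen"] = e["ts"]
        alert["accounts"].update(users)
        alert["successes"].update(u for _, u, r in q if r == "OK")
    return [{**a, "accounts": sorted(a["accounts"]), "successes": sorted(a["successes"])}
            for a in alerts.values()]


if __name__ == "__main__":
    for alert in detect_credential_stuffing(LOG_LINES):
        print(f"{alert['ip']}: {len(alert['accounts'])} accounts between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}; "
              f"reset required for {alert['successes']}")
```

The office address 192.0.2.10 is not flagged even though three different users log in from it, because they are spread over an hour; in production the distinct-account threshold and window would be tuned per source type (shared corporate egress, mobile carrier NAT) and the alert would feed rate limiting or a step-up challenge rather than only a report.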