Info on orders placed before 1st June

Data Privacy Statement

1. Objective And Responsibility

This Data Privacy Statement is to inform you about the nature, scope and purpose of how Heinemann TRFB (“HEINEMANN”, “we”, “us”) processes personal data.

The data controller for the processing is:

  • Heinemann TRFB GmbH (Zur Westmole 1a, 23769 Puttgarden, Germany), when visiting our BorderShops at Puttgarden or Rostock, the Click & Collect Webshop or our stores on board of a ferry sailing under German flag
  • Heinemann TRFB Denmark ApS (C/O Gebr. Heinemann Retail ApS, Vestvej 1, 2770 Kastrup, Denmark), when visiting our stores on board of a ferry sailing under Danish flag

If you have any questions regarding data privacy, you can contact us at dataprotection@gebr-heinemann.de.

2. Processing Of Personal Data

2.1 Export Declaration

Beverage cans and plastic bottles may be sold without a deposit in our BorderShops under a specific exemption, provided the customer can proof residence in Scandinavia. This proof is provided via an Export Declaration, which can be submitted through the Click & Collect Webshop, at a terminal in the BorderShop, or on paper form. For the Export Declaration, we process first and last name, place of residence and date of birth of the person exporting the goods. In case the Export Declaration is submitted via terminal, a receipt with a barcode providing access to the data will be printed. If the Export declaration is submitted via Click & Collect Webshop, the receipt will be sent by email together with the order confirmation. Therefore, an email address must also be provided in addition.

The export declaration must be presented together with an identification document at checkout so that the exporter’s identity and purchase authorization can be verified. Optional, for your convenience, in addition to manual data entry, we offer the option to automatically import your name and address from your Danish health insurance card. For this purpose, the relevant data from the encoded data string is automatically transferred into the form. The data from the card is processed locally on the terminal and is only transmitted to our systems once the export declaration is actively submitted. Only the data required for the export declaration is transferred. The data string is then irreversibly deleted.

Also, for convenience, Swedish driving license holders have the option to use their driving license for identification purposes. To enable this, the QR code on the license providing only the license ID is scanned at the terminal when entering the export declaration data. The scanned ID is used to check whether a previously submitted export declaration exists. If so, the stored data is retrieved and displayed at the terminal. For this purpose, the ID is stored together with the export declaration to allow future retrieval without re-entering the data, ensuring that the information can be properly linked and stored.

Legal Basis

The processing of your personal data for the export declaration is based on our legal obligation under Article 6 (1) (c) GDPR. We are required to document eligibility for deposit-free sales and to provide evidence to customs authorities. Providing optional features for your convenience, such as the reuse of previously entered data, the storage of your export declaration for future purchases, or the automated import of your data, is based on our legitimate interest pursuant to Article 6 (1) (f) GDPR.

This processing is necessary to simplify and accelerate the data entry process and to avoid repeated manual input for subsequent purchases. Without such processing, customers would need to re-enter the same information for each transaction, which would significantly reduce the usability and efficiency of the purchasing process, particularly in a busy retail environment. When relying on this legal basis, we carefully balance our interest in providing a convenient and efficient customer experience against your rights and freedoms. We consider this processing to be proportionate, as it is limited to a minimal set of data, does not involve automated decision-making with legal effects, and is only carried out in connection with a specific purchase context. In addition, the use of these features is entirely voluntary. You can choose at any time to enter your data manually instead of using automated import or reuse functions. We therefore consider that your interests or fundamental rights and freedoms do not override our legitimate interest.

Recipients

To provide this service, we use IT service providers.

Retention Period

For your convenience, we retain the Export Declaration in the POS system for 12 months after it is recorded. In the event of a purchase, we store the receipt together with the Export Declaration in accordance with the tax law retention period. The paper forms are scanned for archiving and then destroyed.

2.2 Customer Service

If you have any questions or issues regarding our products or services, you can contact our customer service team by phone or email. In this case, a customer ticket will be created and, depending on the communication channel you have chosen, we will process your contact data such as your email address, name and telephone number together with any other personal data contained in your message in order to clarify your request and respond to your enquiry.

Legal Basis

If the processing of personal data is related to a purchase (e.g. complaint or return), the legal basis is Art. 6 (1) (b) GDPR (Conclusion and performance of contracts). Otherwise, the processing is based on our legitimate interest in accordance with Article 6 (1) (f) GDPR. Our legitimate interest lies in ensuring customer satisfaction through good service.

Recipients

Your data will not be transferred to third parties, unless this is necessary to process your request or required by law.

Retention Period

The personal data relating to your service ticket will be deleted as soon as it is no longer required to process your request and no statutory retention requirements or warranty and guarantee rights exist. Therefore, we will delete your message within three years at the latest.

2.3 Processing of your personal data through our online services

2.3.1 Processing Of Logfiles

When visiting our website, personal data is automatically transmitted by the user's terminal device; this includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Legal Basis

The processing of this information is based on our legitimate interest according to Art. 6 (1) (f) GDPR in ensuring the smooth set-up of the connection and in ensuring the security of the processing (e.g. for the prevention and investigation of cyber attacks) pursuant to Art. 5 (1) (f) GDPR.

Recipients

To provide this service, we use IT service providers.

Retention Period

The log files are automatically anonymized at the end of the session.

2.3.2 Cookie Consent Management

We use cookies, pixels and similar other technologies (collectively referred to as “cookies”), including those from third parties, which we need to operate the website and to monitor performance (“essential cookies”) and to display personalized advertising (“marketing cookies”). For the purpose of recording and documenting your consent to the use of cookies, we use the Usercentrics Consent Management Platform (CMP). Usercentrics stores opt-in/opt-out and timestamp, device and browser information and anonymized IP address in the local storage of your browser so that your individual settings are saved for further visits to our website and the consent field is not displayed again each time.

Legal Basis

The legal basis for our processing of your personal data is according to Art. 6 (1) (c) GDPR our obligation to comply with Telecommunications Digital Services Data Protection Act (TDDDG) and our legitimate interest pursuant to Art. 6 (1) (f) GDPR. Our legitimate interest lies in the efficient management of consent data and optimizing user experience.

Recipients

To provide this service, we use IT service providers.

Retention Period

The consent data (consent given and withdrawal of consent) will be stored for one year, provided that there are no legal obligations to retain data.

2.3.3 Newsletter / Direct Marketing

If you give us your consent, we will send you a newsletter with regular updates on offers, current promotions, and new products that can be tailored to your preferences and interests using personal data. To do this, we will store and process your name, email address, country, and title.

Legal Basis

The legal basis for the processing of your personal data is your consent, which you have provided to us in accordance with Article 6(1)(a) of the GDPR. You may withdraw your consent at any time with future effect, without this affecting the lawfulness of the processing carried out to date.

Recipients

To provide this service, we use IT service providers.

Retention Period

We will process your data for as long as we have your consent.

2.3.4 Processing Of Pre-orders (Click & Collect)

Heinemann TRFB offers the option to pre-order goods, which can then be collected at designated pick-up points. For this purpose, we process the information you provide when placing a order, including your salutation, name, email address, telephone number, and country of residence. After placing your order, you will receive an order confirmation by email containing an order number and a barcode, which are required to collect your pre-ordered goods.

Legal Basis

The legal basis for our processing of your personal data is the initiation of a sales contract (Article 6 (1) (b)).

Recipients

To provide this service, we use IT service providers.

Retention Period

Your personal data will be deleted once your pre-order has been fulfilled or the pickup window has expired.

2.4 Data Processing When Visiting Our Stores

2.4.1 Video Surveillance On Board The Ferry

Our shops on board of the ferry are under video surveillance. Video recordings are processed for the following purposes:

  • protection of the domiciliary right
  • prevention and investigation of criminal offences, in particular theft, attacks, fraud, damage and vandalism

Legal Basis

The legal basis for the processing is Art. 6 (1) (f) GDPR (legitimate interests). Our legitimate interests are the protection of property and assets as well as the protection of customers, visitors and employees.

Recipients

A use or transfer of the video recordings that goes beyond this shall only take place to the extent that this is necessary within the framework of a possible criminal prosecution. In this case, the recipients shall be the competent law enforcement authorities. We use external service providers to operate the video surveillance.

Retention Period

Video recordings are only used in cases of specific incidents and are automatically deleted in accordance with applicable data protection legislation. Video recordings may be stored longer only if necessary for the enforcement of legal claims or the prosecution of criminal offenses in a specific case.

2.4.2 Payment Service

For the best possible customer experience, we offer a range of electronic payment options.

Legal Basis

The legal basis for the processing of your personal data is the fulfilment of the purchase contract in accordance with Art. 6 (1) (b) GDPR. There is no statutory or contractual obligation for you to provide your data. Nevertheless, if you don’t provide your data, we cannot offer you the respective service

Recipients

We use WORLDLINE (Worldline Financial Services (Europe) S.A., Atrium Business Park, 33, rue du Puits Romain, 8070 Bretrange, Luxemburg) for the processing of payments with Mastercard, Visa, Alipay, WeChat and American Express Europe S.A. (address) for the processing of payments with the Amex Card. Depending on the payment method, in particular IBAN or account number and bank sort code, card expiry date and card suffix and other transaction data (e.g. date/time of the transaction, payment amount) are processed.

Retention Period

WORLDLINE stores and processes personal data for as long as it is necessary to fulfill its contractual and legal obligations. More Information on the data protection provisions of WORLDLINE can be found at https://worldline.com/en-lu/compliancy/data-privacy. The privacy notice of American Express can be found here: https://www.americanexpress.com/nl-nl/bedrijf/legaal/privacy-centrum/?inav=nl_legalfooter_privacy_centrum

3. Sharing Personal Data With Third Parties

Besides what is described above, disclosure of personal data to third parties only occurs within the framework of legal requirements. We only disclose personal data of users to third parties, if this is required e.g. for billing purposes or other purposes, if the disclosure is necessary to ensure the fulfilment of contractual obligations towards the users (in accordance with Article 6 (1) (b) of the GDPR. We may also disclose personal data to accountants, lawyers and other external advisors based on our legitimate interests in professional consulting services (in accordance with Article 6 (1) (f) of the GDPR and Article 5 (2) (f).

If we engage subcontractors for our online service, we have made appropriate contractual arrangements as well as adequate technical and organizational measures with these companies. If we transfer your personal data to recipients whose registered offices are located in a third country, such transfer is based on the EU-U.S. Data Privacy Framework, other adequacy decisions, or the EU Commission’s standard contractual clauses which you may obtain a copy of by contacting us as stated above.

In line with the data transfer provisions under, we may transfer your personal data abroad within the framework of the Icelandic Data Protection Board’s standard contractual clauses, which you may obtain a copy of by contacting us as stated above.

4. Data Subject Rights

  1. Right of access (Article 15 GDPR)
  2. Right to rectification (Article 16 GDPR)
  3. Right to erasure (“right to be forgotten”) (Article 17 GDPR)
  4. Right to restriction of processing (Article 18 GDPR)
  5. Right to data portability (Article 20 GDPR)
  6. Right not to be subject to a decision based solely on automated processing, including profiling, where applicable (Article 22 GDPR)
  7. Right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR)
  8. Right to withdraw consent at any time, where processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, without affecting the lawfulness of processing prior to withdrawal

5. Right To Object

According to Article 21 GDPR you have at any time the right to object to processing, on the grounds relating to your particular situation, to processing your personal data concerning you which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. In case of objection, we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of you or for the establishment, exercise or defence of legal claims.

Where your personal data are processed for direct marketing purposes, you have the right to object to such processing at any time. In this case, your personal data will no longer be processed for such purposes.

6. Automated Decision-Making Including Profiling

Automated decision-making including profiling referred in Article 22 (1) and (4) GDPR does not exist within our processing activities of your personal data.

Status: April 2026