This Privacy statement describes the way in which we process all the personal data with we are provided or that we have obtained via our Dufry websites and apps, as well as in our retail stores.
- Controller, Sources of personal data and which personal information on customers is collected in the Dufry websites and apps
- Legal basis and purposes for the collecting and processing of personal data
- Sharing your Personal data
- Storing your Personal data
- Personal data security
- Transfer of data outside your country
- Preservation of Personal data
- What are your rights?
- What are my options?
- Where to submit a complaint in relation to the processing of data?
2. Controllers, Sources of personal data and which personal information on customers is collected in the Dufry websites and apps.
(a) Controller and Processors of Personal data
Dufry AG, a Swiss company, with registered offices at Brunngässlein 12, Basel CH 4052, Switzerland, and listed on the Companies Register of Basel under number CHE-110.286.241, and World Duty Free Group, S.A.U., a company established in Spain, with registered offices at Calle Josefa Valcárcel 30, 28027 Madrid, Spain, listed on the Companies Register of Madrid under Page M-365571, Volume 20.644, Folio 105 and onwards, with tax identification code A-84205863, are the joint controllers of the personal data that you (the data subject) provide us with or that we receive through our Stores and Dufry websites and apps.
(b) Types of Personal data collected and Sources of Personal data
We collect personal data directly from our customers via the Dufry websites and apps and through our Stores.
We collect the following types of personal data on you from the sources indicated below:
Information you provide us with: We receive and store the information that you enter in the Dufry websites and apps and in the Stores; that you provide in any other manner during: your registration and access to your account or profile; when sending enquiries or as part of a survey or competition; when using gift cards; through the customer service department or your communications with us; your purchases in Stores; or when using our products or services.
Through these actions, you can provide your (i) name, postal address, e-mail address, telephone numbers, (ii) necessary data to process your payments (including credit card/payment method information and the personal security code associated to your credit card) for purchases in Store or the on-line purchase of gift cards, to pre-reserve purchases (using the Dufry “Reserve & Collect” App), to request a refund, or to communicate with customer services regarding a refund on a credit card or on the corresponding method of payment, (iii) flight destination, date of flight and delivery address for the products; and/or the location of the airport to collect pre-reserved products using “Reserve & Collect” or purchase new products and services in the Stores. Demographic data, such as age, sex, country, preferred language and country of residence, is also collected.
In addition, you must be the holder of a valid airline ticket to be able to make duty-free or duty-paid purchases in Dufry. This information is collected so that we may fulfil our contractual obligations with the airport authorities, and legal obligations relating to customs and other regulatory authorities.
When you register, subscribe to services or to the newsletter or to other marketing communications, such as blogs or customer comments, use the Dufry websites and apps, or shop in our Stores, we collect the login data, passwords, password recovery questions and clues, similar security information for account authentication and access, and to access your personal account and profile and to use the “Reserve & Collect” services or the RED customer loyalty services of the Dufry websites and apps or of our Stores.
You can choose not to provide certain information; although in this case you might not be able to use many of the different functions of the Dufry websites and apps. See the “What are my options?” section.
Information collected automatically through your interaction with us: We receive and store information when you interact with us through our products and services, including on-line technologies (such as Cookies), and through the receipt of error or user data reports based on software apps on our on-line devices or through WiFi communications in Stores.
We collect and analyse data on the device, on connectivity and settings, and the Internet Protocol (IP) address, as indicated in the Cookies Policy [https://www.redbydufry.info/politica-de-cookies/]
Mobile or Dufry apps: When you decide to use or download Dufry websites and apps or allow for connectivity through WiFi connections on your device, we receive information on your location and mobile device, including a unique personalised identifier for your device, your GPS data or the wireless network (WLAN) data. Location data is not stored or transferred to third parties. If you accept the location function, we can provide you with services based on your location, such as advertising, search results, and personalised contents. If you are near one of our Stores, we can send you automatic e-mail communications if you have agreed to receive these communications and advertising.
Most mobile devices enable you to disable location-related services. For further information, see the “What are my options?” section.
E-mail communications: To provide more personalised and interesting e-mail communications, we receive confirmation when you open an e-mail from the Dufry websites and apps or when your device is near one of our Stores, if your computer or device is compatible with this possibility. If you do not wish to continue receiving e-mails or post from us, you can adjust your customer communication preferences in the profile of your account.
Information from other sources: We receive information on you from other sources and add it you our account information. These third-party sources include:
- Updated data on delivery and contact addressed from third parties, which is used to update our records and make it easier to send you next purchase;
- Social networks, where you give permission to the Dufry websites and apps to access your data in one or more of these networks;
- Service providers who help us determine a location depending on your IP address to adapt certain products to your location;
- Our partners with which we offer services under a joint brand name or with which we implement joint marketing activities;
- Sources publicly available in government databases or other data of public domain.
(a) Legal basis
The Group processes your personal data based on a legal obligation to do so, to the extent required or permitted under applicable law.
In most cases, the processing of your personal data shall be justified by one of the following legal bases:
- It is set forth accordingly in the contract with us to supply the products and services you request;
- It is necessary for us to fulfil a legal obligation;
- You agree to such with your informed consent, given freely and unequivocally, for certain purposes of processing, or
It corresponds to our legitimate interests as a company and supplier of the contractually requested goods, and our interested are not overridden by yours or by your rights or fundamental freedoms, including the legitimate interests set forth below.
(b) Purposes of processing personal data
We obtain, use, disclose and, in general, process personal data on customers to:
- process the transactions they request, such as the selection of on-line “Reserve & Collect” services and mobile transactions,
- verify that the identity of the holder corresponds to the owners of the RED loyalty card, ensuring RED points are earned or used; and confirm the status of a customer in order to allow for the correct discount to be applied to the sale of products purchased in Store or products reserved using the “Reserve & Collect” app;
This information shall enable us to provide access to all areas of the loyalty programme, and to the “Reserve & Collect” and “Red by Dufry” applications on the Dufry websites and apps.
- review and collect data on the boarding card, the nationality, the destination, and the holder of the valid board card to ensure the customer is a passenger and that Dufry or the Group can provide duty-free goods under the terms of the contractual agreement with the airport authorities;
- provide payment services, including credit cards, for on-line reservations and in-Store purchases;
- provide requested information to customers on goods and services (i.e. an e-mail address has been provided where they regularly receive a newsletter)
- protect the login data of subscribers and the system integrity of the Dufry websites and apps,
- communicate with you and personalise our communications, i.e. answer your queries or fulfil your preferences and your membership registration for a programme. We communicate with you by e-mail or text message to inform you of our services, on how to keep your subscription or your account active, to communicate regarding a refund or a customer enquiry or to provide assistance with the website or on access to or technical enquiries regarding the Dufry websites and apps,
- We process personal data in order to undertake your contractual operations with us and provide our products (such as the reservation and pre-reservation of duty-free products listed in the “Reserve & Collect” app for collection in the requested Store), as requested by you. This includes using your personal information to register with or subscribe to any services offered via the Dufry websites and apps.
We collect personal data to fulfil our legal obligations, especially:
- The name of the passenger and the boarding card, to ensure the consumer reserving the products is a valid passenger, in order to fulfil our contractual obligations with the airport authorities and in accordance with the long-term concession agreement, and to be able to calculate VAT or other tax exemptions that must be calculated for the customs authorities.
- To comply with legal obligations, policies and procedures, and for administrative purposes and internal analysis, and
- To process information or claims relating to incidents in Stores.
Where we process your personal data based on our legitimate interests, this shall include our interests in:
- The range and improvement of the products we provide and the implementation of fundamental commercial activities. This includes implementing the products, maintaining and improving the yield of said products, developing new functions, performing studies and providing customer service.
- The protection of the virtual and physical security of our products and of our customers, in terms of detecting and preventing fraud and confirming the validity of the subscriber’s connection to the Dufry websites and apps;
- The use of personal data for statistical and analytical purposes. Wherever reasonably possible, we shall anonymise this information before using it for statistical and analytical purposes. This information shall be processed in line with the legitimate interests of Dufry AG to maintain the effectiveness, relevance and availability of Dufry websites and apps;
- The administration and effective operation of Dufry and of the Group companies, the structure of which can be consulted at the following link;
- To maintain our commercial relationship, whenever you are a user or subscriber of our Dufry websites and apps, or a RED loyalty member;
- To improve the Dufry websites and apps, the quality of services and the shopping experience with customers;
Advertising: To send you newsletters, inform you of special offers or promotions or ask you to take part in customer surveys or offer you invitations to attend events or provide advertising based on your interests (as indicated by your cookies), where you indicate these options in your preferences.
4. Sharing your Personal data
We do not transfer or disclose your personal information, apart from that indicated below:
- For internal administration and effective operation by Dufry and by the companies in its Group, and to the extent that certain services are centralised;
- to third-party service providers (companies or individuals) that we employ to perform duties on our behalf, such as meet order, make deliveries to retail points or to Stores, send post and e-mails, delete repeated information on customer lists, analyse data, provide marketing support, streamline search results and links, process payments by credit card and provide customer service. These providers have access to personal information that is required to perform their duties, although they may not use it for other purposes, and include the following categories of data recipients:
(i) advertising and media consultancies;
(ii) market research consultancies;
(iii) technical service providers;
(iv) website designers and developers;
(v) cloud service providers;
(vi) electronic storage providers;
(vii) customer services;
(x) recruitment agencies;
- to fulfil legal and regulatory requirements or obligations in accordance with the corresponding law, with a court order or with a summons,
- with competent authorities, airport authorities, with lessor proprietors of Dufry AG and of the Group and with partners of the concession, and with customs and tax authorities, in order to show the calculation of the corresponding tax exemptions;
- with data analysis companies, Google Analytics Inc.;
- in emergency situations, such as to protect a person’s life, health or assets;
5. Storing your Personal data
The personal data you have provided to one or both of the joint controllers shall be held in a customer database management software tool located in the cloud and belonging to Dufry AG and located in data centres in the territories of the EES, except where local data protection laws require the local entity of Dufry to include it in a file held by the Local entity of Dufry in order to manage the commercial relationship with you, in accordance with local data protection laws. However, where the personal data and the customer relationship is held by the local entity of Dufry, it shall be accessible or may be communicated to the group or to associated companies of Dufry AG.
Dufry AG and World Duty Free Group, S.A.U. shall manage the customer relationship with you and all marketing material that, in line with your preferences or otherwise, you might provide for Dufry in its capacity as Controller or the local entity of Dufry in its capacity as joint controller, or that it may process on behalf of Dufry AG.
Your personal data shall be protected by the adopting of security measures that correspond to the sensitivity of the personal data processed. To this end, Dufry and all Group companies shall maintain the corresponding physical, technical and administrative security means of protecting personal data from theft, accidental loss, unauthorised alteration, accidental or unauthorised access, processing, deletion, use, disclosure or copying, as well as accidental or illegal destruction.
Once we have provided (or you have chosen) a password to access certain advantages of the Dufry websites and apps, you are responsible for protecting it and ensuring its confidentiality, and agree not to allow use of it by any third party. Unfortunately, the transfer of information over the internet is not completely secure. Although we adopt all the due commercial measures to protect your personal data, we cannot guarantee the security of the information or personal data you disclose on line. You therefore accept the implications inherent to security involving internet use and, to the extent permitted by law, we are not liable for any security breach, except where our actions are severely negligent and only within the limits established in the terms and conditions of use of the Dufry websites and apps.
7. Transfer of data outside your country
- Your contact and profile information contained in systems, such as the company communications systems, in customer relationship management databases or in directories shall be accessible to marketing, sales and customer assistance or service employees forming part of the Group companies and who are linked to the management of the requested services.
- Your personal data shall be transferable and accessible to and for Group employees located outside your country and/or for a person or company that does not form part of the Group and is located inside or outside your country, provided it requires knowledge of such to render the service requested. Transfers outside the EU may be undertaken in accordance with the Standard contractual clauses of the European Commission (“SCC”), with the EU-US privacy shield certification and all other legally acceptable mechanisms that guarantee an adequate level of protection. Where permitted by law, you shall also be entitled to receive, on request to your Local Data Protection Coordinator, a copy of all contractual documentation to prove that the appropriate guarantees have been adopted to protect your Personal data transferred outside the EU.
- Transfers may be made to respond to requests from law enforcement agencies and forces or disclosure procedures, or where required or permitted by applicable law, or by way of court order, governmental or public authority regulation (including tax and employment authorities). These transfers may involve access by the courts or by government authorities outside your country once the fact that only the minimum data necessary shall be disclosed and transferred is guaranteed, or that said data has been anonymised or that, where possible, the corresponding specific court orders have been issued.
You can consult the list of non-EU countries to which your Personal data may be transferred, along with an indication as to whether or not the European Commission has determined that it offers adequate protection for Personal data, at https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection/data-transfers-outside-eu_en.
Transfers of Personal data in accordance with this Section 7 are based on the same legal basis applicable to the respective processing purposes indicated above.
8. Preservation of personal data
The Dufry data preservation policy requires that it must not be kept for longer than necessary to fulfil the purposes for which it has been collected. Dufry AG can provide a copy of the Group’s data preservation policy on request addressed to the e-mail: email@example.com. In general, the personal data or records containing personal data shall be kept for the necessary periods in line with applicable legal, tax or accounting obligations. Under specific circumstances, and in accordance with applicable law, Dufry may withhold your personal data for longer (for example, for the limitation periods for the liabilities arising from processing) so that we have a precise record of our relationships with you or to protect the legitimate interests of Dufry AG or World Duty Free Group, S.A.. In all cases, as soon as your information is no longer necessary Dufry shall ensure it is securely deleted.
The Dufry websites and apps do not provide products and services to minors. Although we sell toys and sweets that might be attractive to children, our products and services can only be reserved by adults over the age of 18. We do not intentionally collect persona information on minors below the age of 18 without the consent of their parents or guardian. As a result, the father or mother must complete and send a paternal consent form for personal data, fully completed and signed, along with justification of the identity of the person, to the e-mail address: firstname.lastname@example.org.
Under applicable law, you are entitled to access, obtain a copy of and correct personal data involving you, regardless of the limited exceptions that the applicable laws might foresee. Where justified and imposed by applicable law, you may also ask for your personal data to be deleted or blocked, or you might be entitled to obtain information on the processing of your data or object to any subsequent processing thereof.
Where your personal data is processed following your own consent, you are entitled to withdraw said consent at any time, without this affecting the legality of the processing based on your consent given before it was withdrawn. There are several ways of doing so: (i) in some cases, by deleting the appropriate Personal data from the corresponding computer system (although in this case remember that back-up copies and related systems might remain in place until they are deleted in line with our data preservation policy) or (ii) by contacting your local Data Protection Coordinator.
As of 25 May 2018, you also have the following additional rights:
- Data portability – when the legal basis for processing lies on your consent or on the fact that processing is necessary to enforce a contract in which you are a party, and where the personal data is processed using automated means, you are entitled to receive all the personal data you provided to Dufry or to the Group in a structured, commonly used and electronically legible format, as well as to ask us to transfer it to another controller, if technically viable.
- Right to restrict processing – you are entitled to restrict the processing of your personal data if:
- you question the precision of the personal data until we have taken sufficient measures to correct or verify its precision;
- processing is illegitimate but you do not want us to delete your personal data;
- we no longer need your personal data for processing purposes, but you want us to keep said personal data in order to file, enforce or defend legal action; or
- you have objected to processing based on the legitimate interests of Dufry (see the text below) during the process to verify whether the legitimate interests of Dufry or of the Group may prevail.
Where your personal data is subject to a restriction of this type, we shall only process it with your consent or for the purposes of filing, enforcing or defending legal action.
- Right to object to processing justified by legitimate interests – when we have a legitimate interest in processing your personal data, you are entitled to object to this processing. If you object, we must stop said processing unless we can prove a valid legitimate basis for processing that is a greater legal standing that your interests, rights and freedoms; or where we must process the personal data in order to file, enforce or defend legal action. Where we have a legitimate interest in processing, we believe that we can validly prove the prevalence of said legitimate interest but we analyse each situation individually.
- Right to object to processing for marketing purposes – you are entitled to object to any processing of your data for marketing purposes (including the preparing of profiles). In addition, see the section below relating to your options.
You can contact us by sending a request form for access by the data subject, available on request, in writing or by e-mail to one of the addressees indicated below.
Dufry has appointed a Global data protection coordinator who can be contacted securely and confidentially at the following e-mail address: email@example.com. You can also send your request form for access by the data subject, written comments, questions or queries to
For the attention of: Global data protection coordinator
Locally, World Duty Free Group S.A.U. has appointed a Local data protection coordinator who can also be contacted securely and confidentially at the following address: Calle Josefa Valcárcel 30, 28027 Madrid, Spain, for the attention of the Local data protection coordinator and/or by e-mail at: firstname.lastname@example.org
11. What are my options?
The Dufry websites and apps provide access to a range of information on your account and your interactions with us. To ensure your personal data is precise and up to date, we recommend you review and update it regularly as required, or whenever you change your communication preferences or your contact details or address. If you have subscribed to the Dufry websites and apps, especially the Red by Dufry app or the “Reserve and Collect” app, you can access your profile and make changes or request the changes be made by sending an e-mail with a document attached that proves your identity to email@example.com.
13. Where to file a complaint regarding Data protection?
Please be advised that you are entitled to petition the Spanish Data Protection Agency via its website www.agpd.es.