Information security and data protection


In our daily business activities, we collect and process large quantities of confidential information and personal data, particularly from customers, employees, business partners, and investors. HORNBACH takes the responsible treatment of this data very seriously and ensures that all data is only processed in accordance with strict statutory requirements. 

This requires highly effective and secure IT infrastructure. We implement those technical and organizational measures that are required by law and economically reasonable in our IT systems, online shops, and websites in order to minimize the likelihood of unauthorized access, unauthorized changes to or processing of data, and the loss or destruction of such data and resultant damages. The IT infrastructure is maintained and optimized within reasonable economic limits by qualified internal and external experts. We base our actions on the relevant information security and cybersecurity standards and have put suitable checks in place where necessary.

Our technical and organizational cybersecurity measures have been certified with the “Cyber Trust Europe” label (silver).

The criteria of the Cyber Trust Europe certificate are aligned with the requirements of the EU Directive on Security of Network and Information Systems (NIS Directive) and are recognized accordingly in NIS audits. The NIS Directive provides for various risk management measures and reporting obligations for companies. These include, in particular, the creation of risk analysis and security concepts for information systems, concepts for dealing with incidents, the reporting of security-relevant events, and ensuring security in the supply chain.

The most significant data protection requirements result from the EU General Data Protection Regulation (GDPR).

Our Group companies outside the EU also base their actions on this regulation. Should they work with personal data, our employees and external service providers are obliged to comply with the requirements of data protection law. Data processors who receive data from us are selected in accordance with strict criteria and must have adequate technical and organizational measures in place to protect the data entrusted to them.

We inform all persons affected (“data subjects”) about the processing of their data.

  • Information about the processing of our employee data is available to all employees on the intranet.

We ensure that data subjects are able to assert their data protection rights. In particular, such persons have the following rights:

  • Access to information about the processing of their data
  • Rectification
  • Erasure
  • Blocking / restriction of processing
  • Objection
  • Data portability
  • Lodging a complaint with the relevant supervisory authority
  • Withdrawal of consent with future effect

Responsibility for data protection and information security is incumbent respectively on the Board of Management of HORNBACH Holding KGaA (represented by HORNBACH Management AG) and HORNBACH Baumarkt AG, as well as on the management at individual Group companies. The Information Security Officer reports directly to the Boards of Management of HORNBACH Management AG and HORNBACH Baumarkt AG. Where required by law and commercially relevant, all HORNBACH companies have appointed data protection officers. 

HORNBACH Group employees receive training on information security and data protection where necessary and relevant. The corresponding company policies are available to all employees on the intranet.