Vulnerability Disclosure


Service provider within the meaning of Section 5 TMG (Telemediengesetz, German Telemedia Act):

ALDI International Services SE & Co. oHG
ALDI SOUTH Group of Companies
Mintarder Straße 36-40
45481 Mülheim an der Ruhr

Local Court of Duisburg HRA 8577
VAT identification number DE 120353372

E-Mail: vdp-contact-nope[at] | Contact Form (Important! Do not report vulnerabilities via this e-mail/ contact form.)

We aim to provide prompt and informative answers to your enquiries and, if necessary, offer you fair and pragmatic solutions. We have decided not to take part in dispute resolution through a consumer conciliation body; instead, we will respond to any enquiries in this fast, uncomplicated way. This information is in line with Section 36 of the Consumer Dispute Resolution Act (Verbraucherstreitbeilegungsgesetz,VSBG).

ALDI International Services SE & Co. oHG is represented by ALDI International Services GmbH, located in Duisburg in the jurisdiction of the Local Court of Duisburg: Department B (HRB) 34355, and represented by its Managing Directors: Inka Rückle, Dr David Godschalk, Daniel Koch, and Reiner Mischke.

Other partners: all ALDI GmbH & Co.KGs (private limited partnerships) belonging to the ALDI SOUTH Group

ALDI SE & Co. KG Adelsdorf, Holzäckerstraße 1, 91325 Adelsdorf
ALDI SE & Co. KG Aichtal, Riedstraße 8 – 12, 72631 Aichtal
ALDI SE & Co. KG Bingen, An den Steinäckern 1, 55411 Bingen am Rhein
ALDI SE & Co. KG Bous, Am Bommersbacher Hof 1 - 5, 66359 Bous
ALDI SE & Co. KG Butzbach, In der Alböhn 1, 35510 Butzbach
ALDI SE & Co. KG Donaueschingen, Pfohrener Straße 50, 78166 Donaueschingen
ALDI SE & Co. KG Dormagen, Edisonstraße 12, 41542 Dormagen
ALDI SE & Co. KG Ebersberg, Anzinger Straße 6, 85560 Ebersberg
ALDI SE & Co. KG Eschweiler, Mariadorfer Straße 1, 52249 Eschweiler
ALDI SE & Co. KG Geisenfeld, Römerstraße 2, 85290 Geisenfeld-Ilmendorf
ALDI SE & Co. KG Helmstadt, Würzburger Straße 56, 97264 Helmstadt
ALDI SE & Co. KG Kerpen, Humboldtstraße 38 – 44, 50171 Kerpen
ALDI GmbH & Co. KG Ketsch, Karlsruher Straße 2, 68775 Ketsch
ALDI SE & Co. KG Kirchheim, Rosengartenweg 11, 67281 Kirchheim a. d. Weinstraße
ALDI SE & Co. KG Kleinaitingen, Messerschmittstraße 2, 86507 Kleinaitingen
ALDI SE & Co. KG Langenfeld, Karl-Benz-Straße 4 - 6, 40764 Langenfeld
ALDI SE & Co. KG Langenselbold, Am Seegraben 16, 63505 Langenselbold
ALDI SE & Co. KG Mahlberg, Rotacker Straße 19 – 51, 77972 Mahlberg-Orschweier
ALDI SE & Co. KG Mönchengladbach, Korschenbroicher Straße 605, 41065 Mönchengladbach
ALDI GmbH & Co. KG Montabaur, Am Alten Galgen 21, 56410 Montabaur
ALDI SE & Co. KG Mörfelden, Hessenring 1 – 3, 64546 Mörfelden
ALDI SE & Co. KG Murr, Lehmgrube 5, 71711 Murr
ALDI SE & Co. KG Rastatt, Im Wöhr 7 – 9, 76437 Rastatt
ALDI SE & Co. KG Regenstauf, Benzstraße 11, 93128 Regenstauf
ALDI SE & Co. KG Rheinberg, An der Rheinberger Heide 11, 47495 Rheinberg
ALDI SE & Co. KG St. Augustin, Im Mittelfeld 11, 53757 St. Augustin

Privacy Notice

This Privacy Policy explains our online and offline information practices, the kinds of information we may collect, how we intend to use and share that information, and how you request access to or correction or deletion of such information.

1. Information on the Controller

Responsible for data processing:

ALDI International Services SE & Co. oHG, Mintarder Str. 36-40, 48481 Mülheim an der Ruhr

Data protection officer: Kay-Torsten Schuy -

2. Categories of personal data

The following types of data are processed:

  • Data for resolving IT security vulnerabilities:
    • Report title (e.g. “SQL injection allows access to other customer’s data”)
    • Systems affected (e.g. “”)
    • Steps to reproduce
    • Severity (CVSS score)
    • Attachments (e.g. exploit code)
    • E-mail (can be provided voluntarily for follow-up-questions)
  • Data for Hall of Fame:

    All following data is non-mandatory to report IT security vulnerabilities. If consented to, this information will be published on our webpage:

    • Name (can be only first name or first- and last name) or alias (nick name)
    • Personal URL (e.g. LinkedIn profile)

    If you want your "Hall of Fame" information changed or deleted, please directly contact us.

  • Log files:

    Each time you access or attempt to access our website, at least the following data is collected and stored in a log file:

    • IP address
    • Name of the file retrieved
    • Date and time of retrieval
    • Transferred data volume
    • Notification as to whether data retrieval was successful
    • Notification as to why the data retrieval failed, if applicable
    • Operating system and browser software installed on your computer
    • Screen resolution
    • Browser language
    • Colour depth
    • Browser plug-ins (JavaScript, Flash Player, Java, Silverlight, Adobe Acrobat Reader, etc.)
    • Website from which you visit us

    The processing is based on Article 6 para. 1 lit. f GDPR in order to provide our website, guarantee the stability of our systems, ensure data protection and the reliability of our systems, and implement legal provisions. The data will be erased after thirty days.

3. Purpose of processing the data

The data is processed for the following purpose(s):

  • The main purpose of the VDP (Vulnerability Disclosure Policy) is to ultimately fix IT security vulnerabilities, which were reported by external security researchers acting in good faith. If a researcher provided contact details, we will solely use it for the purpose of resolving the reported security vulnerabilities.
  • Vulnerabilities can be reported without providing any personal information. Only if actively agreed to be added to our “Hall of Fame”, we would manually add the provided details (e.g. researcher name and URL) to show the security researcher’s contribution to improve ALDI’s security.

4. Legal basis for processing data

The legal basis for processing data is Art. 6 para. 1 lit. f) GDPR (processing is necessary for the pur-poses of the legitimate interests pursued by the controller).

5. Source of the data

The data is retrieved from the following source(s): (vulnerability reporting and contact forms).

6. Categories of recipients

In case a vulnerability is reported which refers to a webpage/application controlled by another ALDI SOUTH entity, your provided information including your contact details may be forwarded to that respective entity, including entities outside of the EEA. We will use the provided personal data exclusively for the purpose of processing and resolving your reported vulnerability.

ALDI SOUTH commissions third-party service providers in order to support us in providing our technological infrastructure, designing our websites and offering our services. These service providers may be granted access to your personal data in this context. These service providers are obliged by contract to only process data as instructed by ALDI SOUTH and to take all measures necessary to ensure an appropriate level of data protection and data security.

Recipients can be outside of the European Union if a vulnerability report requires it.

Data is only processed in states outside the European Union and/or the European Economic Area if the EU Commission has decided that this country offers an appropriate level of data protection or if the processor has committed to ensuring an appropriate level of data protection by concluding Standard Contractual Clauses, among other things.

7. Storage period

Your data will be stored and processed for the following period:

  • Reported vulnerability data will be stored for up to ten years in internal systems.
  • "Hall of Fame" contributions will be there for unlimited time. "Hall of Fame" information can be removed after a request with proof of identity.

8. No obligation to provide personal data

You are not obliged to provide any personal data. Also, the amount of provided personal information is up to the reporter (e.g. only an e-mail address OR only a nick name could be provided). Vulnerabilities can be submitted anonymously without providing any personal data.

9. Automated decision-making and profiling

Automated decision-making is not applied.

10. Data subject rights

Provided that the necessary requirements as stipulated by Article 15 et seq. GDPR are met, you are entitled to exercise your rights of access, rectification, erasure, restriction of processing and data portability at any time.

  • Right of access to the personal data stored concerning yourself (Art. 15 GDPR)
  • Right to rectification of inaccurate personal data concerning yourself and, if applicable, completion of incomplete personal data (Art. 16 GDPR)
  • Right to erasure if one of the grounds specified in Art. 17 GDPR applies
  • Right to restriction of processing if one of the grounds specified in Art. 18 GDPR applies
  • Right to data portability under Art. 20 GDPR
  • Right to object on grounds relating to your particular situation (Art. 21 para. 1 GDPR)
  • Right to lodge a complaint with the competent supervisory authority. The competent supervisory authority is: Landesbeauftragte für Datenschutz und Informationsfrei-heit Nordrhein-Westfalen (North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (LDI NRW) ), PO box 20 04 44, 40102 Düsseldorf, Tel.: 0211/38424-0, e-mail: