1.1. Controller – AmRest Holdings SE with its registered seat in Pozuelo de Alarcón, Calle Enrique Granados 6, 28224 Madrid, Spain.
1.2. Personal Data – any information about a natural person, identified or identifiable by one or several factors defining his/her physical, physiological, genetic, psychic, economic, cultural or social identity, including the IP of the device, location data, online identifier and information collected through cookie files and other similar technologies.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5. Website – an online service run by the Controller at the address https://www.amrest.eu
1.6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE
2.1. In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide its respective services and collects information about the User’s activity on the Website. The detailed rules and purposes of processing the personal data collected during the use of the Website by the User are described below.
3. PURPOSES AND LEGAL BASIS OF DATA PROCESSING AT THE WEBSITE
USE OF THE WEBSITE
3.1. Personal data of all the persons using the Website (including the IP address or other identifiers and information collected through cookie files and other similar technologies) who are not registered Users (i.e. persons with no profile on the Website) are processed by the Controller:
3.1.1. to provide services electronically by giving Users access to the content collected on the Website – in this case, the legal basis for the processing is that processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
3.1.2. for analytical and statistical purposes – in this case, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to analyze the activity of Users and their preferences in order to improve the functionalities used and the services provided;
3.1.3. to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to protect its rights.
3.2. Activity of a User on the Website, including his/her personal data, is recorded in system logs (a special computer program for storing a chronological record of information about events and actions concerning the IT system used for providing services by the Controller). The information collected in logs is processed mainly for purposes related to the provision of services. The Controller also processes the information for technical, administrative purposes and in order to ensure security of the IT system and to manage the system and also for analytical and statistical purposes – in this respect, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR).
3.3. The Controller ensures technical solutions for contacting it by using electronic contact forms. Using the form requires that personal data are provided, which is needed to contact the User and answer his/her inquiry. The User may also give other data to facilitate contact or inquiry handling. Provision of data marked as mandatory is required to accept and handle an inquiry, and the failure to provide them makes it impossible to handle it. Provision of other data is voluntary.
3.4. Personal data are processed:
3.4.1. to identify the sender and handle his/her inquiry sent by the provided form – the legal basis for the processing is the necessity of the processing to perform a contract for providing a service (Article 6(1)(b) of GDPR);
3.4.2. for analytical and statistical purposes – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to perform analyses of the inquiries made by Users through the Website to enhance its functionalities.
4.1. The Controller processes personal data of Users to perform marketing activities which may involve sending e-mail messages about interesting offers or content, which in some cases may include commercial information (newsletter service).
4.2. The Controller provides the newsletter service on the terms and conditions set forth in the regulations, to the people who provided their e-mail addresses for this purpose. Provision of data is required to provide the newsletter service, and a failure to provide them makes it impossible to send the newsletter.
4.3. Personal data are processed:
4.3.1. to provide the newsletter sending service – the legal basis for the processing is that the processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
4.3.2. for analytical and statistical purposes – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to analyze the activity of Users on the Website to enhance the functionalities used;
4.3.3. to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR).
5. SOCIAL MEDIA
5.1. The Controller processes personal data of Users who visit the Controller’s profiles in the social media (Facebook, YouTube, Instagram, Twitter). The data are processed only in connection with maintaining the profile, also in order to inform the Users about the Controller’s activity and promote various events, services and products. The legal basis of the personal data processing by the Controller for the above purpose is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) to promote its own brand.
6. COOKIES AND SIMILAR TECHNOLOGIES
6.1. Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information to facilitate using a website, e.g. by remembering the User’s visits at the Website and actions performed by him or her.
6.2. The Controller uses the so-called “service” cookies primarily to provide the User with services electronically and improve the quality of these services. Accordingly, the Controller and other entities providing analytical and statistical services on its behalf use cookies, storing information or gaining access to information already stored in the User’s terminal telecommunications equipment (a computer, telephone, tablet, etc.). Cookie files used for the above purpose include:
6.2.1. user input cookies (session identifiers) stored for the duration of a session;
6.2.2. authentication cookies used for services that require authentication for the duration of a session;
6.2.3. user-centric security cookies, e.g. used to detect abuses concerning authentication;
6.2.4. multimedia player session cookies (e.g. flash player cookies);
6.2.5. persistent user interface customization cookies for the duration of a session or slightly longer;
6.2.6. cookies used to monitor online traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Website, to compile statistics and reports about the operation of the Website). Google does not use the data collected to identify a User and neither does it combine any information items to make such an identification possible. Detailed information on the scope and rules of collecting data in connection with the service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
7. COOKIES SETTINGS
7.3.1. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer...
7.3.2. Mozilla Firefox: https://support.mozilla.org/en-US/kb/misette
7.3.3. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
7.3.4. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
7.3.5. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
7.4. The User may, at any time, verify the status of his current privacy settings within the internet browser by using tools available at the following websites:
8. PERIOD OF PERSONAL DATA PROCESSING
8.1. The period of data processing by the Controller depends on the type of provided service and the purpose of the processing. In principle, data are processed for the entire period of providing the service or fulfilling a purchase order until the moment of withdrawing consent or filing an effective objection to the data processing in the cases where the legal basis for the processing is the Controller’s legitimate interest.
8.2. The data processing period may be extended if processing is necessary to determine and pursue possible claims or defend against claims and, after that time, only when and to the extent required by law. After the elapse of the processing period, the data are irreversibly deleted and anonymized.
9. RIGHTS CONNECTED WITH PERSONAL DATA PROCESSING
RIGHTS OF USERS
9.1. The users have the following rights:
9.1.1. right to information on personal data processing – on that basis, the Controller provides the person making the request with information about data processing, including first of all about the purposes and legal grounds for the processing, the scope of the data held, entities to which they are disclosed and the planned date for deleting the data;
9.1.2. right to receive a copy of the data – on that basis, the Controller provides a copy of the data processed to a person making the request;
9.1.3. right to rectification – the Controller is obligated to remove any non-compliance or errors in personal data processed and supplement them if they are incomplete;
9.1.4. right to erasure – on that basis, one may demand deleting the data whose processing is no longer necessary to achieve any of the purposes for which they were collected;
9.1.5. right to restriction of the processing – if such a request is made, the Controller stops performing any operations on the personal data except for those to which the data subject has given consent and except storing them in accordance with the adopted retention rules or until the reasons for restricting the processing disappear (e.g. the supervisory authority issues a decision permitting further data processing);
9.1.6. right to data portability – on this basis, to the extent that the data are processed in connection with an executed contract or given consent, the Controller delivers the data provided by the data subject in a machine-readable format. It is also allowed to request that the data are transmitted to another entity on condition, though, that both the Controller and the other entity have the technical capabilities to do so;
9.1.7. right to object to personal data processing for marketing purposes – the user has the right to object at any time to personal data processing for marketing purposes without the obligation to justify such an objection;
9.1.8. right to object to data processing for other purposes – the user may object at any time to personal data processing carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons connected with protecting property); such an objection should include a justification;
9.1.9. right to withdraw consent – if data are processed on the basis of a given consent, the user may withdraw it at any time, which does not have, however, any effect on the lawfulness of processing based on consent before its withdrawal.
9.1.10. right to complain – if the user believes that the personal data processing breaches the provisions of GDPR or other personal data protection regulations, the data subject has the right to lodge a complaint with the President of the Personal Data Protection Authority.
NOTIFICATION OF REQUESTS ASSOCIATED WITH EXERCISING THE RIGHTS
9.2. A request about exercising the rights of users may be filed:
9.2.1. by letter to the address: AmRest Holdings SE with its registered seat in Pozuelo de Alarcón, Calle Enrique Granados 6, 28224 Madrid, Spain.
9.2.2. by e-mail to the address: email@example.com
9.3. If the Controller is unable to identify the person filing a request on the basis of the notification made, the Controller will ask the petitioner for additional information. Provision of such data is not mandatory; however, failure to provide them will result in a refusal to recognize the request.
9.4. The request may be filed in person or through an attorney-in-fact (e.g. a family member). In view of data security, the Controller encourages data subjects to use a power-of-attorney in the form certified by a notary public or an authorized legal counsel or attorney-at-law, which will significantly accelerate verification of the request’s authenticity.
9.5. A reply to the request should be provided within one month of its receipt. If it is necessary to extend the deadline, the Controller shall inform the applicant about reasons for the delay.
9.6. Where the application is submitted to the Company electronically, the response is given in the same form unless the applicant requests otherwise. In all other cases the response is given in writing. When the deadline for exercising the request makes it impossible to reply in writing and the applicant's data processed by the Controller allow for contact by electronic means, the response should be provided electronically.
RULES OF CHARGING FEES
9.7. The proceeding concerning filed requests is free of charge. Fees may be charged only if:
9.7.1. making a request to provide the second and each further copy of the data (the first copy is free of charge); in such a case, the Controller may demand that fees are paid in the amount of 10 euro.
The above fee includes administrative expenses connected with recognizing the request.
9.7.2. making requests by the same person that are excessive (e.g. extremely frequent ones) or manifestly unfounded; in such a case, the Controller may demand that fees are paid in the amount of 10 euro.
The above fee includes costs of carrying on communication and costs connected with taking requested actions.
9.8. If the data subject challenges the decision to charge fees, the person may lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. In Poland the competent Supervisory Authority is the President of the Personal Data Protection Authority.
10. DATA RECIPIENTS
10.1. In connection with the implementation of services, Personal Data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and entities associated with the Administrator, including companies from its capital group.
10.2. The Controller reserves the right to disclose selected information items referring to the User to relevant authorities or third parties which will demand that they are provided such information pursuant to an appropriate legal basis and in compliance with prevailing laws.
11. TRANSFER OF DATA OUTSIDE THE EEA
11.1. The level of personal data protection outside the European Economic Area (EEA) differs from that guaranteed by the European law. For this reason, the Controller transmits personal data to places outside the EEA only when necessary and ensuring an adequate protection level, mainly by:
11.1.1. cooperating with personal data processors in the states with respect to which a relevant decision of the European Commission has been issued;
11.1.2. application of standard contractual clauses issued by the European Commission;
11.1.3. application of binding corporate principles approved by the relevant supervisory authority;
11.1.4. if data is transferred to the USA – cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
11.2. At the data collection stage, the Controller always informs the User of the intention to transfer personal data outside the EEA.
12. PERSONAL DATA SECURITY
12.1. The Controller conducts an ongoing risk analysis to ensure that personal data are processed in a secure manner, guaranteeing first of all that access to the data is provided only to authorized persons and only to the extent necessary for them to perform their tasks. The Controller makes sure that any operations on personal data are recorded and performed only by authorized employees or collaborators.
12.2. The Controller takes any necessary actions so that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures in each case when they process personal data on the Controller’s behalf.
13. CONTACT DATA
13.1. The Controller may be contacted by e-mail firstname.lastname@example.org or by letter sent to the mailing address.
14.1. The policy is verified on an ongoing basis and updated when needed.