I. DEFINITIONS

Controller/ We –AmRest Holdings SE, based in Spain, Madrid, Paseo de La Castellana 163, 28046

Personal data - information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected via cookies and other similar technology.

Policy - this Privacy Policy.

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC.

Website - a website run by the Controller at www.amrest.eu

User and/or you - any natural person visiting the Website or using the functionalities described in the Policy.

II. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE

In connection with the User's use of the Website, the Controller collects data to the extent necessary to provide individual services offered, as well as information about the User's activity on the Website. The detailed rules and purposes of processing Personal Data collected during the use of the Website by the User are described below.

III. OBJECTIVES AND LEGAL BASIS FOR DATA PROCESSING ON THE WEBSITE USING THE SERVICE

USING THE SERVICE

Personal data of all persons using the Website (including IP address or other identifiers and information collected via cookies or other similar technologies) are processed by the Controller:

a) in order to provide electronic services in the scope of making the content of the Website available to Users - then the legal basis for processing is the necessity of processing to perform the contract;

b) for analytical and statistical purposes - then the legal basis for processing consisting in conducting analyzes of Users' activity, as well as their preferences in order to improve the functionalities and services provided, is the consent expressed by the User via the cookie banner in accordance with point V below;

c) in order to possibly establish and pursue claims or defend against claims - the legal basis for processing is the Controller's legitimate interest, consisting in the protection of its rights.

The User's activity on the Website, including his/her Personal Data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities related to the IT system used to provide services by the Controller). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes them for technical and administrative purposes, for the purposes of ensuring the security of the IT system and managing this system - in this respect, the legal basis for processing is the Controller's legitimate interest.

CONTACT FORMS

The Controller ensures technical solutions for contacting it by using electronic forms. Personal data of all persons using the electronic contact forms (including among others: name, last name, phone number and e-mail address ) that are enabled in our website are processed by the Controller:

a) to identify, send and handle an inquiry sent by the User through the provided form– the legal basis for processing is the necessity of processing to perform the contract.

Provision of data marked as mandatory is required by Controller to accept and handle a User inquiry. Failure to provide such information makes it impossible to handle an inquiry. Provision of other types of data is voluntary. The User may however provide these to facilitate contact with the Controller or the handling of his/her inquiry.

MARKETING

The Controller processes personal data of Users to perform marketing activities. These may involve the sending of e-mail messages about interesting offers or contents, which in some cases may include commercial information (newsletter service). This newsletter service is provided by the Controller to the people who provided their e-mail address for this purpose.

Personal data of persons (including e-mail address) are processed by the Controller:

a) To provide the newsletter sending service – the legal basis for processing is the consent expressed by the User via the acceptation of the relevant check-box for the receipt of newsletters;

b) for analytical and statistical purposes - then the legal basis for processing consisting in conducting statistical analyses of the effectiveness of our marketing activities, is our legitimate interest in improving our marketing communications;

c) in order to possibly establish and pursue claims or defend against claims - the legal basis for processing is the Controller's legitimate interest, consisting in the protection of its rights.

Provision of the aforementioned data is required by Controller to provide the marketing and newsletter service. Failure to provide such information makes it impossible for us to send Users marketing communications and/or provide the newsletter service.

IV. COOKIES AND SIMILAR TECHNOLOGY

Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information that facilitates the use of the website - e.g. by remembering the User's visits to the Website and the activities performed by the User. A detailed description of the cookies used on the Website is available in the cookie management tool (link available at the bottom part of the Website under 'Cookie Settings'). Below is a general description of the categories of these tools that we use on the Website.

a) ESSENTIAL COOKIES - the Controller uses the so-called necessary cookies primarily to provide the User with services provided electronically and to improve the quality of these services. Our use of essential cookies is necessary for the proper functioning of the Website. These files are installed in particular for the purpose of remembering login sessions or filling in forms, as well as for the purposes related to setting the privacy options;

b) ANALYTICAL COOKIES - analytical cookies make it possible to check the number of visits and traffic sources on our website. They help us find out which pages are more and less popular and understand how users navigate the page. This allows us to study statistics and improve the performance of our website. The information these cookies collect is aggregated so it is not intended to identify you. If you do not allow these cookies, we will not know when you visited our website;

c) FUNCTIONAL COOKIES – functional cookies remember and adapt the Website to the User’s choices, such as language preferences. If you do not allow these cookies, we will not be able to analyse your choices and adapt the Website accordingly.

d) MARKETING - ADVERTISING COOKIES - marketing and advertising cookies allow you to adjust the displayed advertising content to your interests, not only on the Website, but also outside it. They can be installed by advertising partners through our website. Based on the information from these cookies and activity on other websites, your interest profile is built. Marketing and advertising cookies do not directly store your personal data, but identify your internet browser and hardware. If you do not allow these cookies, we will still be able to show you advertisements, but they will not be tailored to your preferences.

e) MARKETING – SOCIAL MEDIA COOKIES – social media cookies are installed by our partners to adjust the advertising content displayed to Users on their social media. User information from these cookies and activities on other websites or social media is used to build an interest profile which ensures that the content displayed is tailored to User needs. If you do not allow these cookies to be used, we will not be able to enable you to like and share our Website content in social media.

V. MANAGING COOKIES SETTINGS

The use of cookies to collect data through them, including access to data stored on the User's device, requires your consent. The Website receives consent from the User via the cookie banner. This consent may be withdrawn at any time according to the rules described below.

Consent is not required for the necessary cookies, the use of which is necessary to provide a telecommunications service on the Website (data transmission to display content). In addition to consenting to the installation of cookies via the cookie banner, you should keep the appropriate browser settings, allowing you to store cookies from the Website on your end device.

Withdrawal of consent to the collection of cookies on the Website is possible via the cookie banner. You can return to the banner by clicking on the button called "Manage cookies", which is available on every subpage of the Website. After the banner is displayed, you can withdraw your consent by clicking the "Manage cookies" button. Then you should move the slider next to the selected cookie category and press the "Save settings and close" button.

Withdrawal of consent to the use of cookies is also possible through the browser settings. Detailed information on this can be found at the following links:

• Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
• Mozilla Firefox: https://support.mozilla.org/pl/kb/ciasteczka
• Google Chrome: https://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
• Opera: https://help.opera.com/Windows/12.10/pl/cookies.html
• Safari: https://support.apple.com/kb/PH5042?locale=en-GB

The user may at any time verify the status of his current privacy settings for the browser used using the tools available at the following links:

https://www.youronlinechoices.com/pl/twojewybory

https://optout.aboutads.info/?c=2&lang=EN

Changing your browser settings may restrict the use of both essential and optional cookies. Please be advised, however, that this may significantly hinder or prevent the use of the Website.

VI. RETENTION SCHEDULE OF PERSONAL DATA

As a rule, the data is processed for the duration of the service, until the consent is withdrawn or an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Controller.

The data processing period may be extended if the processing is necessary to establish and pursue any claims or defend against claims, and after that time only if and to the extent that it will be required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.

Details about retention schedule can be obtained from contact point specified in point IX below.

VII. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA

You have the right to: access the data and request rectification, deletion, processing restrictions, the right to transfer data and the right to object to data processing.

If you wish to exercise any of the rights set out above, please use contact details provided in point IX below. Please note that:

a) You will not have to pay a fee to access your personal data (or to exercise any of the other rights), however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances;

b) We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response;

c) We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated;

d) In certain circumstances we may need to limit the scope of fulfilment of the data subject’s rights request e.g. where a request is made to delete data that has to be retained for legal or regulatory reasons, or where fulfilling the request may expose the personal data of another data subject.

You have the right to make a complaint at any time to the Local Supervisory Authority. We would, however, appreciate the chance to deal with your concerns before you approach the Local Supervisory Authority so we encourage you to contact us in the first instance.

VIII. SHARING OF PERSONAL DATA

Your personal data is transferred to entities providing services to us, such as suppliers of IT systems and IT services, suppliers responsible for the provision of website hosting, entities providing administrative support and entities related to us, including companies from our capital group for the management of intragroup processes.

Where we do share your data with 3rd parties or other AmRest entities, the shared data will be limited to that which is required by the 3rd party or other AmRest entity to provide the required processing. In such cases your personal data is safeguarded by Data Processing Agreements, committing outsourced service providers to process your personal data for specified purposes and in accordance with our instructions, comply with the GDPR and apply appropriate security measures to protect your personal information in line with our internal policies. All transfers outside of the EEA made to countries which are considered by the European Commission to not provide an adequate level of protection of personal information are safeguarded with agreement based on Standard Contractual Clauses approved by the European Commission.

More details about sharing data can be obtained from contact point specified in point IX below.

IX. CONTACT DETAILS

Contact with the Controller is possible via the e-mail address gdpr.amrestholdings@amrest.eu or by post AmRest Holdings SE, Paseo de La Castellana 163, 28046, Madrid, Spain.

X. CHANGES TO THE PRIVACY POLICY

The policy is verified on an ongoing basis and updated if necessary.

 

_{ISP-PP-2
Version 2.0 | 16.12.2021}