1. Why do we process your personal data?
Personal data can be processed based on the Customer’s consent, an agreement concluded with Hesburger, our legal obligation or a legitimate interest.
We process personal data only to the extent that it is necessary for the following purposes of use:
- Managing and developing the customer relationship between Hesburger and the Customer.
- Processing and answering customer feedback (processing criterion: legitimate interest)
- Processing and answering credit requests or reclamations (processing criterion: legal obligation)
- Holding drawings and contests, delivering prizes and publishing the names of the winners in accordance with the contest rules (processing criterion: legitimate interest)
- The delivery and processing of orders placed at the online shop (processing criterion: legal obligation)
As a prerequisite for processing, a legitimate interest is based on the law and its application requires that the interests and rights of the data subject are taken into extremely precise consideration. Legitimate interest refers to processing, which is materially related to the operations of the controller, and which the Customer can reasonably assume to belong within the sphere of those operations.
2. What kind of data concerning me is collected and what are the sources of the data?
Data is collected directly from the Customer when the Customer contacts Hesburger, such as to give feedback or participate in a contest, or when the Customer places an order on the Hesburger web shop. This data includes the Customer’s name, address, email address, phone number, Hesburger Bonus Club member number, drawing and contest response information, permissions and consent, gift card recipient contact details and messages for the gift card recipient.
Data is also collected in connection with use of the service. When the Customer places an order on the Hesburger web shop, the Customer’s purchase data (e.g., order time and payment information) is stored in the register. User data, such as IP address, browser information and the time of use, is collected when using the Hesburger website.
3. Who processes personal data?
At Hesburger, personal data is processed by personnel whose job descriptions include the maintenance and management of the services in question. To process the matter, the data may be transferred within the Hesburger Group.
In processing personal data, we also use third-party services. We require the data to be used only to carry out the purposes of use described above.
Data is transferred to the following parties outside of Hesburger:
- Data is transferred to Hesburger franchisees engaged in Hesburger business operations. Such data includes customer feedback and credit requests. The full names and contact information of Hesburger franchisees are presented on the Hesburger web pages in connection with the details of each location.
- Data is transferred to service providers, which are responsible for the maintenance and development of Hesburger’s IT services.
- Data concerning the web shop is transferred to payment intermediation service providers and transport service providers.
- Data is transferred to law enforcement agencies and other authorities if this is necessary due to a law, regulation or legal request or for the investigation of a crime or the exercise or defence of a legal claim.
- Data is transferred to insurance companies for the processing of damage claims.
- Data can be transferred, in the event of a business acquisition or merger, to the purchaser of the business.
4. Data transfers to third countries, safeguard measures for the transfers
Hesburger uses subcontractors in the processing of personal data and in this context, data is also processed outside the European Union (EU) and the European Economic Area (EEA). If personal data is transferred outside the EU or the EEA, we ensure an adequate level of personal data protection, for example, by using standard contractual clauses approved by the European Commission.
5. Data protection
Hesburger employs technical and organisational measures to prevent the unauthorised use, transfer, deletion or other processing of personal data that may jeopardise data protection. The register is kept in electronic form. Use of the register, altering data and processing are only done using multilevel user identification by means of an encrypted application. Only appointed persons tasked with maintaining and managing the system are allowed to use the register. Register data is protected against being accessed from outside and use of the register is monitored.
6. How long is the data stored?
Data is stored as follows:
- Customer feedback and credit requests: Data is deleted one (1) year after the date on which the Customer submitted feedback. However, data may be stored for a longer period of time if there is a justifiable reason for doing so, such as customer credit given on the basis of customer feedback, compensation for damages, or any other legal reason.
- Drawing and contest participant information: The data is deleted when the winner has been contacted and the prizes have been awarded.
- Web shop personal data and transaction data: The data is stored for as long as is necessary, as stipulated in accounting and consumer protection legislation.
- Other Customer data: Data is stored for as long as it is necessary to process data for one of the above-mentioned purposes.
7. Joint controllership with Facebook
Through Facebook, Hesburger gains access to a registered Facebook user’s public data, such as data about the user name and profile picture. We process this data only for purposes of our own, such as telling you about new products and services and for marketing, receiving customer feedback, purchasing advertising from Facebook, and measuring the reach of advertisements.
8. Information about automatic decision-making (profiling)
Hesburger does not engage in any automatic decision-making, such as profiling, based on the Hesburger customer register.
9. Customer rights
The Customer may exercise the rights mentioned below by contacting Hesburger by mail or email.
Right of access
The Customer has the right to inspect their own data in the register.
Right to request correction of incorrect or incomplete data
The Customer has the right to request that incorrect or incomplete data be corrected.
Right to erasure
The Customer has the right to request that their personal data be deleted from the Bonus Club register ("Right to be forgotten"). At the Customer’s request, Hesburger shall make every effort to delete the data without undue delay, except in cases where there are legal reasons for denying the deletion of data.
Right to restrict and oppose processing
The Customer has the right to restrict and oppose the processing of their personal data. When the Customer has submitted a request, Hesburger may no longer process the Customer’s personal data, unless there is a legal reason for processing.
Right to transfer data from one system to another
The Customer has the right to receive their personal data in a structured and commonly used form, in which the customer is able to transfer the data to another controller.
10. Right to file a complaint
The Customer may file a complaint concerning the processing of personal data with the competent authority in their country of residence. Detailed information on National Data Protection Authorities can be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
11. Who is the controller of your personal data and where can you contact them?
The controller is Burger-In Oy.
Enquiries concerning the register may be made by post or email:
20100 Turku, Finland
Updated on 2 February 2021