CUSTOMER REGISTER: PRIVACY POLICY

”Burgersatu Ltd” which manages Kivihovi, is part of the Hesburger Group and it processes personal data in accordance with the Hesburger Group’s general Customer register’s Privacy policy.

The Hesburger Group is committed to protecting the privacy of its customers. In this privacy policy, we will explain how Burger-In Oy and other companies belonging to the Hesburger Group within the EU and the EEA (hereinafter referred to as “Hesburger” or “we”/”us”) process the personal data of their customers (hereinafter referred to as the “Customer”/”Customers”).  Personal data is data on the basis of which the Customer can be identified, such as their name and telephone number.

1.  Why do we process your personal data?

We process personal data, for example, when we receive customer feedback from the Customer or the Customer makes a purchase at the Hesburger online shop. We describe the personal data processing of our Bonus Club Customers in a separate privacy policy (the “Bonus Club Privacy Policy”), which you can read either via your Hesburger app or in the Bonus Club section of the Hesburger web pages.

Personal data can be processed based on the Customer’s consent, an agreement concluded with Hesburger, our legal obligation or a legitimate interest.

We process personal data only to the extent that it is necessary for the following purposes of use:

  • Managing and developing the customer relationship between Hesburger and the Customer.
    • Processing and answering customer feedback (processing criterion: legitimate interest)
    • Processing and answering credit requests or reclamations (processing criterion: legal obligation)
  • Holding drawings and contests, delivering prizes and publishing the names of the winners in accordance with the contest rules (processing criterion: legitimate interest)
  • The delivery and processing of orders placed at the online shop (processing criterion: legal obligation)
  • Web page development, use analysis and the targeting of marketing (processing criterion: consent). You can learn more about the cookies used by Hesburger under our “Cookie Policy”: https://www.hesburger.com/cookie-policy

As a prerequisite for processing, a legitimate interest is based on the law and its application requires that the interests and rights of the data subject are taken into extremely precise consideration. Legitimate interest refers to processing, which is materially related to the operations of the controller, and which the Customer can reasonably assume to belong within the sphere of those operations.

Personal data may only be processed for specifically prescribed purposes. On the basis of personal data provided by the Customer, the Customer may not be, for example, solicited with direct marketing without the express consent of the Customer, nor may their personal data be processed in any way that violates the terms of this privacy policy. 

2. What kind of data concerning me is collected and what are the sources of the data?

Data is collected directly from the Customer when the Customer contacts Hesburger, such as to give feedback or participate in a contest, or when the Customer places an order on the Hesburger web shop. This data includes the Customer’s name, address, email address, phone number, Hesburger Bonus Club member number, drawing and contest response information, permissions and consent, gift card recipient contact details and messages for the gift card recipient.

Data is also collected in connection with use of the service. When the Customer places an order on the Hesburger web shop, the Customer’s purchase data (e.g., order time and payment information) is stored in the register. User data, such as IP address, browser information and the time of use, is collected when using the Hesburger website.

3.  Who processes personal data?

At Hesburger, personal data is processed by personnel whose job descriptions include the maintenance and management of the services in question. To process the matter, the data may be transferred within the Hesburger Group.

In processing personal data, we also use third-party services. We require the data to be used only to carry out the purposes of use described above.

Data is transferred to the following parties outside of Hesburger:

  • Data is transferred to Hesburger franchisees engaged in Hesburger business operations. Such data includes customer feedback and credit requests. The full names and contact information of Hesburger franchisees are presented on the Hesburger web pages in connection with the details of each location.
  • Data is transferred to service providers, which are responsible for the maintenance and development of Hesburger’s IT services.
  • Data concerning the web shop is transferred to payment intermediation service providers and transport service providers.
  • Data is transferred to law enforcement agencies and other authorities if this is necessary due to a law, regulation or legal request or for the investigation of a crime or the exercise or defence of a legal claim.
  • Data is transferred to insurance companies for the processing of damage claims.
  • Data can be transferred, in the event of a business acquisition or merger, to the purchaser of the business.

4.  Data transfers to third countries, safeguard measures for the transfers

Hesburger uses subcontractors in the processing of personal data and in this context, data is also processed outside the European Union (EU) and the European Economic Area (EEA). If personal data is transferred outside the EU or the EEA, we ensure an adequate level of personal data protection, for example, by using standard contractual clauses approved by the European Commission.

5.  Data protection

Hesburger employs technical and organisational measures to prevent the unauthorised use, transfer, deletion or other processing of personal data that may jeopardise data protection. The register is kept in electronic form. Use of the register, altering data and processing are only done using multilevel user identification by means of an encrypted application. Only appointed persons tasked with maintaining and managing the system are allowed to use the register. Register data is protected against being accessed from outside and use of the register is monitored.

6.  How long is the data stored?

Data is stored as follows:

  • Customer feedback and credit requests: Data is deleted one (1) year after the date on which the Customer submitted feedback. However, data may be stored for a longer period of time if there is a justifiable reason for doing so, such as customer credit given on the basis of customer feedback, compensation for damages, or any other legal reason.
  • Drawing and contest participant information: The data is deleted when the winner has been contacted and the prizes have been awarded.
  • Web shop personal data and transaction data: The data is stored for as long as is necessary, as stipulated in accounting and consumer protection legislation.
  • Website data: The particulars of cookie retention periods are available in our separate “Cookie Policy”.
  • Other Customer data: Data is stored for as long as it is necessary to process data for one of the above-mentioned purposes.

7.  Joint controllership with Facebook

When Hesburger maintains social networking pages on Facebook, Hesburger and Facebook Ireland Limited are joint controllers of the user data for the Hesburger pages. Facebook processes personal data in accordance with the privacy policy of its own, available at www.facebook.com/privacy/. Facebook is primarily responsible for compliance with data protection legislation and the fulfilment of data security and the rights of those registered with its services. Hesburger processes data based on legitimate interest.

Through Facebook, Hesburger gains access to a registered Facebook user’s public data, such as data about the user name and profile picture. We process this data only for purposes of our own, such as telling you about new products and services and for marketing, receiving customer feedback, purchasing advertising from Facebook, and measuring the reach of advertisements.

8.  Information about automatic decision-making (profiling)

Hesburger does not engage in any automatic decision-making, such as profiling, based on the Hesburger customer register.

9.  Customer rights

The Customer may exercise the rights mentioned below by contacting Hesburger by mail or email.

Right of access

The Customer has the right to inspect their own data in the register.

Right to request correction of incorrect or incomplete data

The Customer has the right to request that incorrect or incomplete data be corrected.

Right to erasure

The Customer has the right to request that their personal data be deleted from the Bonus Club register ("Right to be forgotten"). At the Customer’s request, Hesburger shall make every effort to delete the data without undue delay, except in cases where there are legal reasons for denying the deletion of data. 

Right to restrict and oppose processing

The Customer has the right to restrict and oppose the processing of their personal data. When the Customer has submitted a request, Hesburger may no longer process the Customer’s personal data, unless there is a legal reason for processing.

Right to transfer data from one system to another

The Customer has the right to receive their personal data in a structured and commonly used form, in which the customer is able to transfer the data to another controller.

10.  Right to file a complaint

The Customer may file a complaint concerning the processing of personal data with the competent authority in their country of residence. Detailed information on National Data Protection Authorities can be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

11. Who is the controller of your personal data and where can you contact them?

The controller is Burger-In Oy. Enquiries concerning the register may be made by post or email:

Burger-In Oy
Linnankatu 34
20100 Turku, Finland

privacy@hesburger.fi

Updated on 2 February 2021