Hamborgarabúlla Tómasar –
For TBJ APPLICATIONS
The Hamborgarabúlla Tómasar (TBJ HF.) and all Hamborgarabúlla Tómasar/Tommi’s Burger Joint franchisees (“TBJ Franchisee”) undertake to protect the privacy of their visitors and users. The following data protection declaration describes which data the Hamborgarabúlla Tómasar/Tommi’s Burger Joint (hereinafter referred to as “TBJ” or “we”) processes and how we use the relevant data to help our users and visitors use our customer application for mobile device users, via a web application on a website (e.g. Tommis.is and Bullan.is) or via an application on a “self-order kiosk” (the “Applications”) and our on-demand services ( collectively referred to as the “services”) to offer even greater benefits. Please read the following provisions carefully so that you become aware of our data protection declaration. Please note that TBJ involves MENU Technologies AG (“MENU”) as data processor as part of data processing and that it also processes your personal data for us as listed in this data protection declaration.
“User” refers to a person who uses the applications and / or has registered and registered with TBJ for the use or potential use of the service.
“Participating restaurant” refers to TBJ Franchisee. These are solely responsible for the catering and restaurant services.
TBJ never knowingly collects personal information from children under the age of 18. The applications are only intended for use by adults aged 18 and over. If you believe that your child under 18 years of age used the applications and thus provided us with personal data, please contact us at email@example.com. We will then endeavour to delete the application account and the corresponding personal data.
The responsibility for the processed personal data is TBJ
TBJ, participating restaurants and other companies (e.g. MENU) may be involved in the processing of data that are related to activities via the applications and / or in connection with the services described in the data protection declaration. TBJ, the participating restaurants and any other companies act for the purposes stated in this data protection declaration and comply with the applicable data protection laws. Responsible always remains TBJ.
We collect and process personal data in different ways. The personal data is voluntarily provided by the user in the course of creating and / or changing the user profile, when interacting with or using the applications and / or the services and by email communication with support or other employees. For users of the applications and / or services, this includes in particular the following information: name, email address, password (encrypted), restaurant orders, user agent when logging in, IP address, credit card information (will not be saved by TBJ or MENU; see paragraph 3.4 below, comments on orders, business e-mail address, home and / or delivery address, hosted persons, occasion, signature, possibly collected and / or redeemed points, type of bonus for redeeming points. The data of the participating restaurants include the name, address, email address, password (encrypted), telephone number, VAT, currency, tip (if any), contact person and bank details. If you place an order via an application on a “self-order kiosk” or web-application without having registered or logged in, the orders placed will be processed by us and the participating restaurant will only receive the data for order processing (including order, payment details and at store location). The receipts are saved on our servers, i.e. those of MENU. The payment information is processed by the payment processor. The payment process is authorized by the payment processor and confirmed back to us, i.e. MENU. When ordering from a “self-order kiosk” with a login (if any) – provided that personal data is being processed – no more data is processed than when ordering via the other applications.
In detail, your order triggers a process in the participating restaurant, which the participating restaurant, TBJ and its service provider MENU accordingly, using your personal data, e.g. your contact details, e.g. phone number and your order informed. When your order is ready to be picked up at the counter, you will be informed either via a push message (for orders placed via the mobile application) or via SMS message (for orders placed via the web application). If the restaurant you are visiting works with guest localization, your table number or your location in the participating restaurant will also be determined by means of table number entry (on the mobile and web application), placed transmitters or antennas (kiosks). In order to receive push messages, you must have push messages activated on your smartphone and to enable the determination of your location via transmitters or antennas you must have Bluetooth activated on your smartphone and give the application permission to determine your location. For orders that you place through the self-order kiosk, a puck may show you when your order is ready for collection at the counter or your order number is displayed on a screen. Your location can also be determined using a puck, which may be distributed to you at the self-order kiosk or at the counter or you may need to enter a number into the screen. You hereby authorize TBJ to disclose and process your orders, personal data and in particular your location data to participating restaurants. For delivery orders, your data will be processed for the execution of this delivery to the home or other delivery address you have provided. We can also process your personal data in order to send you coupons, which we generate in the back-end system and which we then send to you, for example, as push messages. You can redeem these coupons on the mobile application, on the web application on a website (e.g. Tommis.is and bullan.is) or via an application on a “self-order kiosk”.
TBJ as the franchisor is the platform operator of the application and obtains your personal data, such as order data, telephone number, home and / or other delivery address, email address, and can use them for marketing purposes. The TBJ franchisees operate the TBJ platform in their restaurants and can view their order and payment details for their respective restaurants. As a technology supplier, MENU provides the application platform TBJ and can view your personal data. MENU provides TBJ within the application platform with functions that enable TBJ to communicate with you in a personalized form and to provide you with relevant information at the appropriate time.
In cases where you provide us with data on other persons within the legally permissible framework (such as when issuing a receipt), it is your responsibility to ensure that the personal data concerned and the further processing by us is in accordance with them and that the Data protection declaration complies with the applicable data protection laws. For example, you must inform the data subject and, if necessary, obtain their consent to the processing of their personal data for the purposes described in this data protection declaration.
Your personal data will be processed by MENU and saved by an external provider.
3. FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA?
3.1 TECHNICAL OPERATION AND FUNCTIONALITY OF THE WEBSITE AND APPLICATION
When you visit our website, e.g. to use our web application, our web administrators can store your personal data, including technical data, such as your IP address, the websites you visit, the internet browser you use, the one you used beforehand and subsequently visited websites and the duration of the visit / session, so that we can guarantee the proper functioning of our website. In certain cases, the browser can also query your current location to optimize your user experience. This technical data enables our web administrators to manage the website, for example by solving technical problems or improving access to certain areas of the website. This is how we ensure that you can (still) find the information provided on the website quickly and easily. If you visit our website, for example to use our web application, the data protection information for our website also comes https://tommis.is/cookie-policy/ to use.
If you use our mobile application or web application, we also process your personal data, including technical data, such as for example your IP address and your device type. We use this data to provide the services, to guarantee the functions of the application, to solve technical problems, to provide you with the correct and up-to-date version of the application and to further improve the functionality of the application.
Insofar as GDPR is applicable, the legal basis for the technical operation and functionality of the website and the application is Art. 6 Para. 1 lit. f GDPR (balancing interests, based on our legitimate interest in providing you with the functions of the website and the application) and Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).
3.2 CUSTOMER SERVICE
When you register as a user, we collect your name, your email address, your password, your IP address and your device type as well as your credit card number and the expiry date of the card (see above).
As far as GDPR is applicable, the legal basis for customer service is Art. 6 Para. 1 lit. f GDPR (balancing of interests, based on our legitimate interest in providing you with the services of our customer service) and Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).
3.3 AKTIVATION OF TBJ-APPLICATION
We collect and process location information, for example in participating restaurants or when you place an order via the applications, provided you have given us your prior consent. We use the relevant data to inform the relevant participating restaurant in which the respective order was placed so that the service staff can process the order accordingly.
Insofar as the GDPR is applicable, the legal basis for processing the location information is Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).
When you place an order via the application, we process in particular your first and / or last name, your order and your telephone number and forward it to the participating restaurant so that the service staff is able to process your order accordingly and notify you once your order is ready for pick-up. If one of our restaurants serves the orders to the table, the table number or your location is also determined so that the service staff can serve your order accordingly to your table. If you have placed an order for delivery, your home and / or delivery address will also be processed in order to be able to deliver. If you collect points with your order, we will credit it to the points account we hold for you. If you redeem points with an (award) order, we also book this redemption in the points account we hold for you.
Insofar as GDPR is applicable, the legal basis for processing the above-mentioned order data is Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).
3.4 PAYMENT PROCESSING
If you register as a user, your credit card data and data of other payment methods will be forwarded by MENU to a PCI-compliant payment processing provider and processed by the latter in order to process payments for orders placed by you via the applications. TBJ, TBJ Franchisee and MENU are allowed to transfer the credit card details or data of other payment methods you have registered to other PCI-compliant payment processors. TBJ, TBJ FN and MENU itself do not collect credit card information.
As far as the GDPR is applicable, the legal basis for payment processing is Art. 6 Para. 1 lit. b GDPR (contract initiation and contract fulfillment).
TBJ and TBJ Franchisee can use your contact information to send you general information about what’s new at TBJ. You can unsubscribe from these notifications at any time.
As far as GDPR is applicable, the legal basis for processing for marketing purposes is Art. 6 Para. 1 lit. f GDPR (balancing interests, based on the legitimate interest of the person responsible to advertise his services).
3.6 COMPILATION OF ADMINISTRATIVE AND STATISTICAL DATA
TBJ and MENU use your personal data in an anonymous and aggregated form to monitor exactly which functions of the service are used the most, to analyse usage patterns and to determine where they offer their services and where they should focus. You can provide this information to third parties for industry analysis and statistical purposes.
3.7 COOKIES / GOOGLE ANALYTICS
As far as GDPR is applicable, the legal basis for the processing of personal data using cookies is Art. 6 Para. 1 lit. f GDPR.
Most browsers can be set in the settings so that they no longer accept cookies or you will be notified when you receive a cookie. In most browsers you will find information on possible changes to your browser settings under the “Help” menu item. If you decide to deactivate and / or delete cookies in the future, you must take into account that some TBJ functions will then no longer be available to you.
As far as the GDPR is applicable, the legal basis for the processing of personal data using cookies is Art. 6 Para. 1 lit. f GDPR.
3.8 LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
As far as GDPR is applicable, the following applies:
Insofar as we obtain the data subject’s consent for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) as the legal basis for the processing of personal data.
When processing personal data, which is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR as the legal basis for processing.
3.9 NO OBLIGATION TO PROVIDE PERSONAL DATA
You are not obliged to provide your personal data. Without your personal data, however, we cannot provide our special services to you, or only partially, through the applications.
4. RELEASE OF YOUR DATA BY US / TRANSMISSION IN THIRD COUNTRIES
We may use various third parties and external companies to enable or provide the services for us, process payments, provide customer support, provide location information to participating restaurants, provide marketing services, and provide website-related services (including maintenance services, database management, web analysis) and improving website functions) or to support us in analysing the use of our services. These third parties have access to your personal data and process it in order to fulfil the tasks mentioned for us. This is in particular MENU, which operates the application and services for us.
For this purpose, your personal data will be transmitted to and processed in countries other than Switzerland, including countries (such as the USA) that do not have data protection laws comparable to Switzerland. You hereby consent to the transfer and processing of your personal data to such countries, particularly to the United States. We transfer personal data to locations in countries outside the European Union (so-called third countries) so far
– it is required by law (e.g. tax reporting requirements),
– You have given your consent,
– this is legitimated by the legitimate interest under data protection law and there are no higher interests worthy of protection of the data subject that conflict with this or
– it is necessary to provide our services to you
These are in particular:
– PCI compliant payment processor for payment processing
– Hosting provider especially for hosting data and applications;
– Business Intelligence Provider
– communications service;
– Business applications for email communication.
To protect your personal data, we have agreed the EU standard contractual clauses with the recipients of your data abroad.
TBJ discloses your personal data to the extent legally required or necessary for the establishment, exercise and defence of legal claims and legal procedures and, in an emergency, also data relating to security.
In addition, we transmit your personal data via the cash register system to the participating restaurant in which you would like to place an order.
5. YOUR RIGHTS
As a user, you have a right to information about your personal account. This also applies to information that you have provided to us with regard to orders placed via the application. You can exercise your rights under applicable data protection laws, such as: a. enforce the right to request the correction or deletion of your personal data or to object to the processing of your personal data at any time by sending us an email at firstname.lastname@example.org or contacting us at the address given in section 10. A copy of your ID card or passport must be enclosed for clear identification.
As far as GDPR is applicable, the following applies: According to Article 15 GDPR, every data subject has a right to information. According to Article 16 GDPR, the data subject can request the correction of incorrect personal data. According to Article 17 GDPR, the data subject has the right to erasure or, according to Article 18, the right to restrict processing. Likewise, the person concerned can object to the processing of personal data relating to them under the conditions of Article 21 GDPR. According to Article 20 GDPR, the data subject has the right to data portability. Sections 34 and 35 BDSG also apply to the right to information and the right to erasure in Germany. To exercise these rights, you can contact the following office: TBJ HF. Kringlan 4-12, 103 Reykjavík, Iceland
You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. In addition, you have a right to lodge a complaint with the competent data protection supervisory authority in accordance with Article 77 GDPR in conjunction with Section 19 BDSG.
TBJ reserves the right to charge reasonable processing fees for providing relevant information in the event of unsubstantiated or excessive requests.
You can also change your personal data via your TBJ account and revoke the consent you have given.
6. Automated decision in individual cases including profiling
As far as GDPR is applicable, the following applies: In connection with the provision of our services, you will not be subject to a decision based on automated processing in accordance with Article 22 GDPR. If we use such procedures in individual cases, you will be informed about them and your associated rights within the framework of the legal requirements.
Some of your data is processed automatically in order to evaluate certain personal aspects (profiling). In particular, their order behaviour for the promotion of products is analysed.
7. DATA STORAGE
Unless otherwise stated in this data protection declaration, we store your data until you delete your TBJ account. If you would like to delete your TBJ account or request that we no longer use your data in the future to provide services to you, please contact us at email@example.com.
If these are not necessary to comply with legal obligations or to settle disputes, we will delete your personal data after deleting your account.
TBJ has taken appropriate technical and organizational security measures against the loss or unlawful processing of your personal data. For this purpose, your personal data will be securely stored in our database, i.e. the database of MENU. We use industry-standard, economically appropriate security measures, such as firewalls and SSL (Secure Socket Layers), and also physically secure the locations where the data is stored.
As effective as our security measures are, no security system is infallible. We cannot guarantee the security of our database, nor can we guarantee that the information you provide will not be intercepted when it is transmitted to us over the Internet. The transfer of your data to TBJ is always at your own risk. We recommend that you do not disclose your password to anyone.
10. CONTACT INFORMATION
TBJ HF., Kringlan 4-12, 103 Reykjavík, Iceland Info@tommis.is
11. Information about your right to object in accordance with Article 21 GDPR
11.1 Right to object on a case-by-case basis
As far as GDPR is applicable, the following applies: You have the right, for reasons that arise from your particular situation, at any time against the processing of your personal data, which is based on Article 6 (1) lit. e (data processing in the public interest) or lit. f (data processing based on a balance of interests), to object; this also applies to profiling based on these provisions.
If you file an objection, we will no longer process your personal data. Something else only applies if we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or if the processing serves to assert, exercise or defend legal claims.
11.2 Recipient of an objection
The objection can be made informally with the subject “objection” stating your name, address and date of birth and should be addressed to: firstname.lastname@example.org