In this Privacy Statement we describe the principles, according to which we, Restel Oy, collect, use, protect and disclose the personal data of our customers. Customers mean persons, who visit our restaurants, are in contact with us, visit our social media pages, create a customer account or use our Restis-, Burger King-, Taco Bell-, Rax- and Food&Events -applicatons.
Privacy Statements concerning our websites can be found from each website separately.
This Privacy Statement is not applicable to our franchising-entrepreneurs (Burger King Airport and Burger King Tallink Shuttle) or websites and applications managed by them. We kindly request you visit our franchising-entrepreneurs own Privacy Statements for information on how they use their customer's personal data.
Personal data is collected from you, when you provide your personal data or automatically when you use our services. If you are underage, we collect personal data from your legal guardian when handling a case that requires processing your personal data.
We have camera surveillance in our restaurants which collect records that contain photos, videos and times of visits. This processing of personal data is based on our legitimate interest to prevent and investigate crimes. You can find more information on this processing from our camera surveillance Privacy Statement.
When you take part in our contests or are otherwise in contact with our restaurant or customer service through a phone or an online service, we collect and process your contact details and the content of your contact to handle the matter. Customer feedback is also used to develop our business and to improve the quality of service. Personal data processed in the context of making a reservation can also include for example information of the legal guardian of an underage customer and the language used. We collect information on the use of an electronic customer feedback system, any reclamations and feedback you send, information on the restaurant and the visiting time connected to the feedback.
Any personal data processing in connection with contests, feedback, customer contacts and reclamations is based on our legitimate interest.
We process information on contest participants until we have performed the raffle and contacted the winners, after which the personal data is deleted. If you have consented to marketing in connection with partaking in a contest, your personal data will be processed for direct marketing purposes for the period during which your consent is in effect.
The retention period for customer feedback, reclamations and other customer contacts is two years, starting from the collecting of the personal data.
We manage community pages and communication services n Meta Platforms Ireland Limited (Meta) services Facebook and Instagram, and TikTok Technology Ireland Limited (TikTok) TikTok-service. We process personal data in these services as a joint controller with the providers of these social media services. In the forementioned services, the personal data we process are your username, profile picture and other personal data, that you have provided to the services, and which are publicly available inside the service. We also process the information in message conversations between you and us. We process personal data through social media services based on our legitimate interest. The retention periods of your personal data will depend on the retention policies of the social media service providers.
We don't transfer or combine sets of personal data processed in social media in our other information systems or registers without your consent. You can also contact us directly at https://www.restel.fi/anna-palautetta/ or leave an invitation for tender at: https://www.restel.fi/tarjouspyynto/.
You can read about the obligations between us and Meta regarding our joint controllership and our mutual arrangements regarding the community pages, communication services and tracking pixels from Meta's privacy policy: https://www.facebook.com/privacy/policy/.
You can read about the obligations between us and TikTok regarding our joint controllership and our mutual arrangements regarding the community pages from here: https://www.tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en. You can also explore TikToks general privacy policy here: https://www.tiktok.com/legal/page/eea/privacy-policy/fi.
We process your customer account user profile information such as your name, date of birth, contact details, member number and information on saved payment method to manage your customership and to manage your orders based on the necessity of the performance of the contract between you and us. Date of birth is processed so we can consider the special obligations regarding the processing of personal data of underage data subjects, if needed. Basic information containing your name, date of birth, contact details and member number are processed for the duration of your active customership. In addition, we need your contact details, order information and payment information to be able to process orders and to process payments regarding our services. The basis for this processing is also the contract between you and us. Active users' order and payment information is anonymised five years after the collection of the data. We will delete your user account, when you decide to terminate your account or when you don't use your account for two years, in which case we consider that the customership has ended. In this case, we also delete the order information and payment information connected to your account.
We process information regarding the marketing permission you have granted, based on the legal obligation to verify that you have consented to such processing activities.
We process customer account information and usage information from our services and applications to personalise marketing and to inform you about our products and services, contests, offerings, campaigns or special events, which may interest you. In addition, we use the personal data to inform you about the products and services of our partners. Your order history is available for you to use, so you can see your previous orders and easily order products and services you liked. We also use the personal data to target customer benefits and for the general development of our services based on the consumer behaviour data. We will process the data for five years based on our legitimate interest.
We perform electronic direct marketing through email and by text messages based on your consent. You can check your communications settings and instructions on how to change the settings from the profile section of the application you are using. If you have consented to electronic direct marketing, you can withdraw your consent from the applications direct marketing permissions settings or by using the withdrawal link found in the direct marketing messages sent to you at any time. Personal data regarding the receivers of marketing or other communications are processed for marketing purposes so long as the consent given to such purposes is valid or until it is apparent, that the personal data is no longer up to date, meaning the communications do not find you anymore.
We collect information using Meta-pixel to measure the effectiveness of marketing, for example to follow, how many people have downloaded and opened the application because of our Meta marketing campaign. Meta-pixel is categorised in the application as a marketing measurement cookie. The legal basis for processing this collected personal data is our legitimate interest. We keep Meta's application event data for the measurement of the effectiveness of marketing for 180 days.
You can use our applications without signing in or creating a user account. In this case, we process your order and payment information for five years from the collection of the personal data. We also process data about your location so we can show the closest restaurants and their distance from you. Location data is processed when the application is opened. Location data is not saved. In most devices and operating systems, you can withdraw your consent to the processing of location data in the device or browser settings.
To enable the technical functionality of the application, cookies are used. These kinds of functionalities include the measurement of your screen size, shopping cart data and sign-in data, which require processing data about the device and its technical identifiers. Technical identifiers include, for example, IP-address, operating system, device type and settings, device identifier (UDID or MEID), identifier for advertisement (for example IDFA or IFA) or equivalent identifier, user identifier or webpage or application from which you entered the application.
We use data gathered with application cookies and equivalent tracking technologies to develop and better our services, which we perform with data regarding the usage of the application and analytics based on purchased products and data regarding from application error notifications. The processing is based on our legitimate interest. We keep analytics data connected to Google Analytics user identifiers and cookies for 14 months. Application error notification-related data is kept for 90 days.
We use cookies and equivalent tracking technologies, which are tiny text files saved to the user's device. Cookies are used based on your consent and it is possible to turn them off from the application's Privacy-settings management. Managing cookie preferences does not require signing-in to the application; and cookies are used on your device based on your preferences, excluding strictly necessary cookies. By using cookies, we can for example make sure that our services are functioning in the way they should, we can develop and maintain them and measure the effectiveness of marketing. Cookies are used to collect and process personal data, which is described under Service personalising and marketing and Applications.
To follow the effectiveness of marketing, we use Facebook-tracking pixel in our applications. The pixel is used to collect information that allows us to follow the effectiveness of a marketing campaign through the actions the user makes, based on the advertisement. With the pixel, we collect information regarding your activities on other websites, applications or in social media, such as information if you have downloaded the application based on marketing campaign on social media. We are not able connect Facebook's data to your user data, such as your user profile. We process personal data as a joint controller with Facebook. Facebook saves data and can use it to its' own advertisement purposes. More information about Facebook's data protection policies on Facebook's website: https://www.facebook.com/about/privacy.
To develop the applications and to fix errors we collect information about the usage of the services, such as the pages you have visited in our applications and error messages connected to the application. In our applications, we use Google Inc.'s (Google) Google Analytics tool for website analytics, which allows us to collect analytics on the usage of the application. Information gathered using Google Analytics' cookies are transferred and stored as a rule to Googles servers in the United States. We use Google Analytics 4 version, which does not collect or store website visitors IP-addresses. Information on the usage of the application is used to analyse the usage of the website, to produce use information reports and to develop the website. You can block the collection of analytics cookies from the applications data privacy settings. You can get familiar with Googles data privacy policy here: https://www.google.com/intl/fi/policies/privacy/.
We use third party services to enable our operations. These third parties process personal data on our behalf and according to our instructions for the purposes communicated in this Privacy Statement. We use services offered by third parties to fulfill orders, to manage and maintain information systems, to perform campaigns, contests and draws, to perform opinion- and market research and to personalise Restels customer experience.
Personal data relating to your customership is disclosed between companies inside Restel-group when you use the same user profile to buy services from different group companies. Restel group companies include Restel Oy, Restel Fast Food Oy, Restel Ravintolat Oy, Restel Mexican Food Oy, Bastion Catering Oy, Restel Casual Oy CPR Finland Oy and Hangon makaronitehdas Oy.
We might need to disclose your personal data on some occasions to outside organisations, for example to fulfill a legal obligation or request by authority.
We maintain community pages and communication services in social media. In these cases, we act as a joint controller with the providers of social media services.
Restel works with worldwide organisations (Taco Bell & Burger King), which means that cross-border business processes, management systems and technical systems are in use.
Because of the technical implementation of personal data processing, some personal data may be in the servers and processing systems of external sub-processors, from which they are remotely accessed using technical access connections. Personal data is transferred to the United States.
In all situations, the condition for disclosure and transfer of personal data is that organisations receiving and processing the data have entered into a contract with Restel to ensure the lawful processing of personal data. Data is transferred using suitable transfer mechanisms, such as standard contractual clauses adopted by the European Commission, which ensure adequate level of data protection in the destination country.
We are committed to using appropriate measures to keep your personal data safe. Our technical, administrative, and physical processes are planned to prevent accidental, unlawful or unauthorised loss, access, disclosure, use, alteration or destruction of personal data.
Databases related to the register are protected with firewalls, passwords, and other technical measures to prevent data breaches by outside actors. Databases and their backups are stored in locked premises.
Only specified Restel personnel and organisations working on behalf of Restel have access the personal data contained in the register with personal access permission granted by the controller.
We do not use your personal data or profiling to make automatic decisions that would produce legal effects or otherwise significantly affect you.
You have several rights regarding the processing of your personal data and below you can find more information. Using your rights is in principle without a charge. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either refuse to act on the request or charge a reasonable fee. In this situation we will inform you about the fee when handling your request.
You can file a request concerning your data protection rights by filling in a form here or by being in contact with the Data Protection Officer, whose contact details can be found in the beginning of this Privacy Statement.
Below you can find a more specific description about what kind of rights you have and how to use them.
You have the right to access the personal data we process or receive confirmation that we do not process your personal data. If the personal data we process is in your opinion incorrect, inaccurate or incomplete, you can request the rectification of your personal data from us.
In some situations, you have the right to have your personal data deleted. We will also delete your personal data if the processing is based on your consent and you withdraw your consent or if you object to the processing of your personal data and the processing does not have another basis.
In some situations, you have the right to temporarily restrict the processing of your personal data. Restricting the processing temporarily means that we keep your personal data but will not delete or otherwise process it. If, for example, you need your personal data to establish a legal claim, you can demand that we restrict the processing of your personal data.
In some situations, you have the right to object the personal data processing. You can for example at any time object to the processing we perform for direct marketing purposes, which means we can no longer process your personal data for such a purpose. In addition, you can at any time based on your specific situation object to the processing we are performing based on our legitimate interests.
When we are processing personal data based on your consent or based on contract between you and us and you have provided the personal data to us yourself, you have the right to request transmission of your personal data. We will provide you with the personal data in a machine-readable form, so you can retain the personal data yourself or transmit that personal data to another controller (such as another service provider). Where technically feasible, we will also transmit your personal data directly to another controller based on your request.
You have the right to lodge a complaint with a supervisory authority regarding the processing of your personal data. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: https://tietosuoja.fi/en/home.
If you decide to withdraw your consent, we will stop processing personal data that has been based on this consent. In specific situations, for example the law may require us to still retain some personal data, even if they were originally collected based on your consent. Withdrawing consent does not affect the lawfulness of the processing that we have performed before the withdrawal of your consent.
| 20.05.2024 | Updated and clarified purposes and legal bases for processing, personal data categories processed, recipients of personal data and retention periods. Added description about processing of personal data in social media services. |