Personal Data Administrator (« Administrator ») – means a Partner Restaurant as defined in the Regulations.
Internet service is a software developed by SAS Kali, operating under the https://societe-kali.fr/ brand and used by the Partner Restaurant through which the Customer can order the products and services offered by the Partner Restaurant.
Mobile application – a mobile application available for mobile phones and mobile devices. This is another form of Internet Service used to order goods and services in a Partner Restaurant.
Personal data – all information about an identified or identifiable natural person through one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person, including the device’s IP number, location data, internet identifier and information collected through cookies and other similar technology, as well as order data, on the basis of which you can determine the Customer’s preferences, their home address, and the like.
Recipient – means a natural or legal person, public authority, unit, or other entity to whom personal data is disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the framework of a specific proceeding under Union or Member State law are not considered recipients; the processing of these data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing.
Profiling – means any form of automated processing of personal data, which involves the use of personal data to evaluate certain personal factors of a natural person, in particular, to analyze or forecast aspects related to the effects of that natural person’s work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement.
Regulations – regulations for the provision of electronic services on the Platform, pursuant to art. 8 of the Act on the provision of electronic services.
Processing – means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, arranging, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or otherwise sharing, matching or combining, limiting, deleting or destroying.
GDPR – Regulation of the European Parliament and of the Council (EU) 2016/679 of April 7, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC.
Partner Restaurant – KHAVIPOL SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, GEN. FELICJANA SŁAWOJA SKŁADKOWSKIEGO 4, 02-497 WARSZAWA, PL, 5211200810.
Customer – is a natural person (including a consumer) who has full legal capacity, or a legal person or organizational unit with legal capacity. The Customer may be a natural person who is 13 years of age but under 18 years of age to the extent that he or she can acquire rights and incur obligations in accordance with the provisions of generally applicable law, i.e. in minor everyday matters of everyday life.
Order – within the meaning of this document is a legal act carried out using the Internet Service, during which the Customer expresses the will to purchase the ordered products and services in accordance with their description and price.
Consent of the data subject – means a voluntary, specific, conscious and unambiguous demonstration of will in the form of a declaration or a clear affirmative action through which the data subject allows the processing of personal data.
2. The purposes of processing personal data in connection with the use of the Internet Service and Mobile Application and legal basis for processing personal data.
- Handling the order placed via the order form on the Internet Service to purchase goods and services and the performance of the contract (Article 6 sec. (1) (b) of the GDPR).
- For the purpose of handling online payments for the ordered products via the Internet Service and Mobile Application (Article 6 sec. (1) (b) and (f) of the GDPR).
- For the purpose of marketing products and services of Partner Restaurants and Administrator (Article 6 sec. (1) (f) of the GDPR).
- For the purpose of running social networks (Article 6 sec. (1) (f) of the GDPR) .
- For statistical purposes (Article 6 sec. (1) (f) of the GDPR).
- For the purpose of potentially establishing and pursuing claims or defending against claims – the legal basis for processing is the Administrator’s legitimate interest (Article 6 sec. (1) (f) of the GDPR), consisting in the protection of its rights.
- For the purpose of fulfilling by the Administrator and the Processor of personal data the obligations imposed by law, e.g. the Accounting Act, Tax Law (Article 6 sec. (1) (c) of the GDPR).
- For the purpose of handling inquiries and complaints (Article 6 sec. (1) (f) of the GDPR).
RE: 1. Handling the order placed via the order form on the Internet Service to purchase goods and services.
The Administrator of data processed for this purpose is a PARTNER RESTAURANT .
In matters related to personal data processing, please contact the Partner Restaurant directly by e-mail.
The recipients of the data are, among others: entities providing the Administrator with support services in the field of business (e.g. specialized services related to the implementation of the order placed), providers of legal and advisory services and supporting the Administrator in order to pursue due claims (in particular legal and tax offices, debt collection companies) and entities authorized under the law.
Using the Website (including placing orders, presenting the offer) does not require creating a user account. The customer may use the option of placing an order without first creating an account on the Internet Service. The administrator collects user data to the extent necessary to provide services offered via the Internet Service or Mobile Application, as well as information about their activity in the Internet Service.
The Administrator processes the personal data of all persons using the Internet Service (including the IP address or other identifiers and information collected via cookies or other similar technologies), and also records the activity of Customers on the Internet Service in system logs (a special computer program used to store a chronological record containing information on events and activities related to the IT system used for the provision of services by the Administrator). The information collected in the logs is processed primarily for purposes related to the provision of services. The Administrator also processes this data for technical and administrative purposes, for the purposes of ensuring the security of the IT system and its management, as well as for analytical and statistical purposes.
In order to use the Internet Service features, it is required to provide personal data. Failure to provide this data makes it impossible to use the Internet Service, e.g. for the conclusion and performance of a contract.
Processing of data is necessary for the execution of the contract concluded by the Customer or Partner Restaurant or to take action at the request of these persons prior to the conclusion of the contract (Article 6 sec. (1) (b) of the GDPR). If you do not provide us with your data, we will not be able to process your order.
Your personal data provided in the order process will be processed for a period of 14 days from the date of completion of the order, and then until the limitation period for claims, counting from the date of order fulfillment. After this period, the data is processed only if and to the extent that it will be required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.
RE: 2. For the purpose of handling online payments for the ordered products via the Internet Service and Mobile Application.
The Administrator of data processed for the purpose of execution of online payments is Partner Restaurant.
Personal data of customers using online payments are transferred to specialized companies dealing with online payments, such as STRIPE FRANCE, 10 BD HAUSSMANN 75009 PARIS, as well as to the company SAS Kali. When placing an order with the use of payment via the Internet, customers are each time informed by which entity the given payment is serviced.
The Internet Service provides customers with the payment service via the Internet for the ordered goods and services in Partner Restaurants.
The use of the online payment option is voluntary. Failure to provide personal data necessary to make an online payment disables the execution of such a transaction but does not exclude the possibility of using the website. Data processing is necessary for the performance of the contract concluded by the Customer or to take action at the request of the Customer prior to the conclusion of the contract. (Article 6 sec. (1) (b) of the GDPR).
The Customer may also use other forms of payment for the ordered goods and services, including cash payments and, depending on the offer of the Partner Restaurant, also via the payment terminal of the Partner Restaurant.
Personal data processed for the purpose of handling online payments may be additionally processed for other legally justified purposes of the administrator (Article 6 sec (1) (f) of the GDPR). These legitimate goals are as follows:
1. conducting analyzes of the activity and preferences of customers to improve the functionalities and services provided,
2. potential determination, pursuing, or defense against claims.
Your personal data provided in the ordering and payment process will be processed for the period required by law, in particular tax law, and then for the period of limitation of claims, counting from the date of order fulfillment and payment.
RE: 3. For the purpose of marketing products and services of Partner Restaurants and partners.
The Partner Restaurant is administrator: KHAVIPOL SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, GEN. FELICJANA SŁAWOJA SKŁADKOWSKIEGO 4, 02-497 WARSZAWA, PL, 5211200810.
Personal data is transferred for marketing purposes to the following recipients: SAS Kali. (in the scope of the implementation of the ordered marketing campaign), mobile phone operators, e-mail providers, online advertising agencies, etc.
The Customer must provide separate, explicit consent to the processing of their personal data for marketing purposes. Their consent is voluntary and does not affect the execution of the order or the use of the Internet Service.
The Administrator processes the personal data of the Customers of the Internet Service to carry out marketing activities, which may include:
a. displaying to the Customer marketing content that is tailored to his preferences (contextual advertising), including in the form of web banners, advertising texts, or « Push » functionality;
b. displaying marketing content to the Customer that is tailored to his preferences (behavioral advertising), including in the form of web banners, advertising texts, or « Push » functionality;
c. sending e-mail notifications about interesting offers or content, which in some cases contain commercial information (newsletter service);
d. sending SMS notifications about interesting offers or content, which in some cases contain commercial information (newsletter service).
To carry out marketing activities, the Administrator and Processor uses profiling in some cases. This means that thanks to automatic data processing, the Administrator and Processor assesses selected factors relating to natural persons to analyze their behavior, create a forecast for the future, or invite them to use products and services again.
RE: a) Contextual advertising
The Administrator processes the Customers’ personal data for marketing purposes in connection with targeting contextual advertising (i.e. advertising that matches the Customer’s preferences) to Customers. The processing of personal data for this purpose takes place in connection with the implementation of the legitimate interest of the Administrator (Article 6 sec. (1) (f) of the GDPR) consisting in promoting their brand.
RE: b) Behavioral advertising
The Administrator or Processors (entities from the marketing industry) process Customers’ personal data, including personal data collected via cookies and other similar technologies for marketing purposes, in connection with targeting behavioral advertising to the Customers (i.e. advertising tailored to the Customer’s preferences). The processing of personal data for this purpose also includes Customer profiling.
RE: c) Newsletter
The Administrator provides the newsletter service for persons who provided their e-mail address for this purpose. Providing data is required to provide the newsletter service, and failure to do so results in the inability to send it.
RE: d) Direct marketing
The Customer’s personal data may also be used by the Administrator to direct marketing content to them through various channels, i.e. via e-mail, MMS / SMS. Such actions are taken by the Administrator only if the Customer has consented in this regard. The expressed consent may be withdrawn by the Customer at any time, which will not affect the lawfulness of the processing carried out by the Administrator prior to its withdrawal.
Your personal data held for the purposes of marketing the products and services of Partner Restaurants will be processed until the consent is withdrawn.
RE: 4 Social Media
The Partner Restaurant and Social Network Administrator are administrators of data processed for this purpose.
The recipients of the data are, among others: entities providing ICT services to the Administrator, e.g. e-mail, hosting, social network administrators, etc.
The Administrator processes the personal data of Customers visiting the Administrator’s profiles in social media (Facebook, YouTube, Instagram, LinkedIn, Twitter). These data are processed only in connection with managing the profile, including informing Customers about the Administrator’s activity and promoting various types of events, services, and products. The legal basis for the processing of personal data by the Administrator for this purpose is its legitimate interest (Article 6 sec. (1) (f) of the GDPR), consisting of promoting its brand and maintaining relations with customers.
Adding posts and other activities on social networks is voluntary, and the Administrator is not responsible for the posted entries.
Your personal data provided in social media will be processed until the post is deleted or until such deletion is requested.
RE: 5 Statistical purposes
The administrator of data processed for this purpose may be Partner Restaurant or SAS Kali. The legal basis for the processing consisting in conducting analyzes of Users’ activity, as well as their preferences in order to improve the functionalities and services provided, in this case, is the consent expressed by you via the cookie banner. Your personal data kept for statistical purposes will be processed until the consent is withdrawn or the Administrator’s legitimate interest exists, but not longer than for a period of 5 years.
RE: 6 For the purpose of potentially establishing and pursuing claims or defending against claims – the legal basis for processing is the Administrator’s legitimate interest consisting in the protection of its rights.
The legal basis for processing is the Administrator’s legitimate interest consisting in the protection of its rights.
Your personal data kept for the purposes of protecting the rights of the Administrator will be processed until the expiry of the deadline related to the claim under the law.
RE: 7. For the purpose of fulfilling by the Administrator and the Processor of personal data the obligations imposed by law, e.g. the Accounting Act, Tax Law.
Your personal data which are kept for the purpose of fulfilling by the Administrator and the Processor of personal data the obligations imposed by law will be processed for the period in which the law requires the storage of documentation and compliance with the obligations arising from them.
RE: 8. For the purpose of handling inquiries and complaints.
The legal basis for the processing of the above-mentioned data is our legitimate interest in the possibility of establishing and pursuing claims or defending against such claims.
Your personal data kept for the purpose of handling inquiries and complaints will be processed for the period specified by law.
3. Cookies and similar technology
The administrator of data processed through cookies, depending on the purpose, may be the Partner Restaurant or SAS KALI based in Marseille as a processor.
The recipients of the data are, among others: entities providing ICT services to the Administrator, e.g. e-mail, hosting, etc.
Cookies are small text files installed on the device of the Customer browsing the Internet Service. Cookies collect information that facilitates the use of the website – e.g. by remembering the Customer’s visits to the Internet Service and the activities performed by them.
The Administrator informs that cookies are harmless to the computer or other device of the Customer and his data. The Administrator also informs that it is possible to configure the web browser or Mobile Application in such a way that it does not allow cookies to be saved on the computer or other device of the Customer.
However, before the Customer decides to change the default browser settings, he should remember that many cookies increase the convenience of using the Internet Service. Disabling cookies may affect the appearance and functioning of the Internet Service.
The Administrator informs that it is also possible to delete cookies after the end of a given session while using the Internet Service.
The information contained in the system logs in connection with the general principles of making connections on the Internet is used by the hosting company operating the Internet Service only for technical and statistical purposes.
3.1. Service cookies and similar technologies
Cookies used for this purpose include:
– cookies with data entered by the Customer (session ID) for the duration of the session (user input cookies) – the data administrator is SAS KALI based in Marseille;
– authentication cookies used for services that require authentication for the duration of the session (authentication cookies) – the data administrator is SAS KALI based in Marseille;
– cookies used to ensure security e.g. used to detect fraud in the field of authentication (user-centric security cookies) – the data administrator is SAS KALI based in Marseille;
– multimedia player session cookies (e.g. flash player cookies), for the duration of the session (multimedia player session cookies) – the data administrator is SAS KALI based in Marseille;
– persistent cookies used to personalize the Customer interface for the duration of the session or a little longer (user interface customization cookies) – the data administrator is a Partner Restaurant;
– cookies used to monitor website traffic, i.e. data analytics – the data administrator is a Partner Restaurant.
3.2. “Marketing” cookies
3.3. Push technology
The Administrator uses the so-called Push technology, which enables to send notifications to the customer, including in connection with directing advertising to the Customer. For this purpose, the Administrator stores information or gains access to information already stored in the Customer’s telecommunications end device (computer, telephone, tablet, etc.).
In addition to accepting the installation of cookies via the cookie banner, the Customer should keep the appropriate browser settings that allow cookies from the Website to be stored on the Customer’s end device.
Detailed information can be found:
a. Internet Explorer:
b. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
c. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
d. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
e. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
4. Personal data processing rights
Data subjects have the following rights:
1. the right to information about the processing of personal data - on this basis, the Administrator provides information on the processing of data to the person submitting the request, including, in particular, the purposes and legal grounds for processing, the scope of the data held, entities to which they are disclosed, and the planned date of data deletion;
2. the right to obtain a copy of the data - on this basis, the Administrator provides a copy of the processed data concerning the person submitting the request;
3. the right to rectify - the Administrator is obliged to remove any inconsistencies or errors in the processed personal data and to supplement them if they are incomplete;
4. the right to delete data - on this basis, one can request the deletion of data, the processing of which is no longer necessary to achieve any of the purposes for which it was collected , if there is no other basis for the Administrator to process this data if an objection is raised to the processing of personal data by the Administrator due to the specific situation of the data subject, and the Administrator has no grounds to process this data that would override the objection if an objection is raised by a person whose data is processed for marketing purposes if the personal data was processed unlawfully;
5. the right to limit processing - if such a request is made, the Administrator ceases to perform operations on personal data – except for operations for which the data subject has consented – and their storage, in accordance with the adopted retention rules or until the reasons for limiting data processing ceases to exist (e.g. a decision of the supervisory authority will be issued authorizing further processing of the data). Such a request is granted, for example, if the data subject questions the correctness of the processing of this data, if the processing is unlawful, but the data subject will object to their deletion, requesting instead to limit the processing of this data, if the Administrator no longer needs personal data of a given person to achieve their goals, but they are needed by the person to whom they relate to establish, assert or defend rights if an objection to the processing of personal data has been raised due to their specific situation, the processing of personal data is limited until it is determined whether the Administrator’s goals override the grounds for objection;
6. the right to transfer data - on this basis – to the extent that the data is processed in connection with the concluded contract or consent – the Administrator issues to the authorized entity data provided by the data subject in a format that can be read by a computer. It is also possible to request that this data be sent to another entity – provided, that there are technical possibilities in this regard, both on the part of the Administrator and that other entity;
7. the right to object to data processing for marketing purposes - the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection;. In actual practice, each person may withdraw consent to the processing of data for marketing purposes on the terms set out in this document;
8. the right to object to other purposes of data processing - the data subject may at any time object to the processing of personal data, which takes place based on the legitimate interest of the Administrator (e.g. for analytical or statistical purposes or reasons related to the protection of property); objection in this respect should be reasoned;
9. the right to withdraw consent - if the data is processed based on consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before the consent was withdrawn.
10. the right to file a complaint - if it is found that the processing of personal data violates the applicable regulations on the protection of personal data, the data subject may submit a complaint to the President of the Personal Data Protection Office competent for his usual place of residence, place of work or the place of the alleged violation of personal data.
5. Reporting requests related to the exercising of rights
The application regarding the exercise of the rights of data subjects may be submitted in any form to the appropriate Data Administrator due to the purpose of processing. They will be considered immediately, but not later than within one month from the date of receipt.
Applications should be sent to the e-mail address: firstname.lastname@example.org.
If the Administrator is unable to identify the applying person based on the submitted application, he will ask the applicant for additional information.
The application may be submitted in person or through a power attorney.
The reply to the application should be given within one month of its receipt. If it is necessary to extend this period by a maximum of another two months – the Administrator will inform the applicant about the reasons for the delay.
The answer is provided via traditional mail unless the application was submitted by e-mail or an electronic response was requested. Upon the data subject’s request, the information may be provided orally, provided that the identity of the data subject is confirmed by other means.
6. Data transfer outside the European Economic Area
The level of personal data protection outside the European Economic Area (EEA) differs from the one provided by European law. For this reason, the Administrator transfers personal data outside the EEA only when necessary, with an adequate level of protection, primarily through:
– cooperation with entities processing personal data in countries for which a relevant decision of the European Commission has been issued;
– use of standard contractual clauses issued by the European Commission;
– application of binding corporate rules approved by the competent supervisory authority.
7. Personal data security
The Administrator and Processor conduct risk analysis on an ongoing basis to ensure that personal data is safely processed, ensuring, above all, that only authorized persons have access to the data and only to the extent that it is necessary due to the tasks they perform. The Administrator makes sure that all operations on personal data are recorded and performed only by authorized employees and associates.
The Administrator and Processor take all necessary steps to ensure that their subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Administrator or Processor.
The policy is verified on an ongoing basis and updated if necessary. The current version of the Policy has been adopted and is effective from April 21, 2021.