Privacy Policy

Effective: 04.11.2021

1. Introduction

Website Privacy Notice

This Privacy Notice applies to the use of the website www.pizzahut.de as well as the ordering platform “TicTuk”.

Data Controller
The responsible data controller for any personal data collected and processed in connection with the use of the website www.pizzahut.de is ISH Germany GmbH ("ISH", "we" or "us"), Friedrichstraße 68, 10117 Berlin
Data Protection Officer
If you have any questions etc. about or in connection with this Privacy Notice or would like to complain about our handling of your personal data or exercise any of your rights (see 9. below), please contact us by using the above contact details or contact our data protection officer by using the following contact details:
E-Mail: email@iitr.de
Ordinary mail: IITR Datenschutz GmbH, Dr. Sebastian Kraska, Marienplatz 2, 80331 München
Data Subjects
This Privacy Notice applies to the collection and processing of personal data of users of the website www.pizzahut.de as well as the ordering platform “TicTuk”.
Categories of Data, Purposes of the Processing and Legal Basis
We collect and process your personal data only for the following purposes:

5.1 Website – To allow users to access and browse our website (it is technically required that we process certain data transmitted by the browser used to access and browse our website), and to register on our website.

5.2 General Communication – To communicate with users about accounts, etc. and to respond to customer services inquiries and requests for information.
5.3 Newsletter – To allow users to subscribe to our newsletter and provide users with newsletters.
5.4 Web analytics – To maintain, improve, and analyze the website, ads, and products and services offered and to create reports on website activity with the help of Google Analytics (with regard to the use of cookies see below under 10).
5.5 Service improvement – To maintain, improve and analyze our website, apps, ads, and products and services offered.
5.6 Online applications – To allow users to apply for jobs via an online form.
5.7 The Appendix Website Data and Cookies contains detailed information on:
- ● the categories of personal data we collect from you or from third parties (e.g., public authorities or public resources) in addition to other personal data that you actively provide to us (e.g., when you send an e-mail to us);
- ● the purposes for which we process these personal data; and
- ● the legal basis for the collection and processing of your personal data (unless otherwise provided, e.g., at the time we collect the data from you).
  Please note that we process your personal data for other purposes only if we are obligated to do so on the basis of legal requirements (e.g., transfer to courts or criminal prosecution authorities), if you have consented to the respective processing or if the processing is otherwise lawful under applicable law. If processing for another purpose takes place we may provide you with additional information.

6. Recipients and Categories of Recipients

Any access to your personal data at AmRest is restricted to those individuals that have a need to know in order to fulfill their job responsibilities.

AmRest may transfer your personal data for the respective purposes to the recipients and categories of recipients listed below – more details regarding the recipients and categories of recipients mentioned under 6.1 and 6.2 below can be found in the Appendix Website Data and Cookies.

6.1 Private third parties – Affiliated or unaffiliated private bodies other than us.
6.2 Data processors – Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data on behalf of AmRest under appropriate instructions as necessary for the respective processing purposes. The data processors will be subject to

contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.

TicTuk Technologies Ltd. processes your personal data as a processor for the purpose of processing an order via the “TicTuk” order platform.

6.3 Governmental authorities, courts, external advisors, and similar third parties that are public bodies as required or permitted by applicable law.

If we become involved with a merger or another situation involving the transfer of some or all of our business assets, we may share your information with business entities or people involved in the negotiation or transfer.

In addition, we may share information about you with other companies if you give us permission or direct us to share the information.

Cross-Border Data Transfer
Some of the recipients of your personal data will be located or may have relevant operations outside of your country and the EU, such as in the USA, where the data protection laws may provide a different level of protection compared to the laws in your jurisdiction and with regard to which an adequacy decision by the European Commission does not exist. Countries that currently are deemed to provide an adequate level of data protection from an European data protection law perspective include Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, the State of Israel, Isle of Man, Japan, Jersey, New Zealand and the Eastern Republic of Uruguay. With regard to data transfers to such recipients outside of the EU we provide appropriate safeguards, in particular, by way of entering into data transfer agreements adopted by the European Commission (e.g. Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC)) with the recipients or taking other measures to provide an adequate level of data protection. A copy of the respective measure we have taken is available via our data protection officer (see Section 3 above).
Storage Period
Your personal data is stored by ISH and/or our service providers, to the extent necessary for the performance of our obligations and for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. When ISH no longer needs to process your personal data, we will erase it from our systems and/or records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which ISH is subject. E.g., personal data contained in contracts, communications, and business letters may be subject to statutory retention requirements, which may require retention of up to 10 years. If applicable, any other personal data will in principle be deleted 5 years after the termination of the respective related contractual relationship between you and ISH, if applicable). For more detailed information regarding the actual storage periods please refer to the Appendix Website Data and Cookies.

Your Rights
If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
Pursuant to applicable data protection law you may have the right to: request access to your personal data, request rectification of your personal data; request erasure of your personal data, request restriction of processing of your personal data; request data portability, and object to the processing of your personal data. Please note that these aforementioned rights might be limited under the applicable national data protection law. For further information on these rights please refer to the Appendix Your Rights.
You also have the right to lodge a complaint with the competent data protection supervisory authority. To exercise your rights please contact us as stated in Section 2 above.
Cookies and similar technologies

10.1 Cookies. When you use our website, we may send one or more cookies – small text files containing a string of alphanumeric characters – to your device. We may use both session cookies and persistent cookies. A session cookie disappears after you close your browser. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits of our website. Your web browser may provide you with some options regarding cookies. Please note that if you delete, or choose not to accept, cookies, you may not be able to utilize the features of the services provided via our website to their fullest potential. We may use third party cookies in connection with the services provided via our website as well. For instance, we use Google Analytics to collect and process certain analytics data. We may not process or respond to web browsers' "do not track" signals or other similar transmissions that indicate a request to disable online tracking of users who visit our website or use the services provided via our website.
10.2 Clear GIFs/Web Beacons. Clear GIFs (also known as Web Beacons) are typically transparent very small graphic images (usually 1 pixel x 1 pixel) that are placed on a website that may be included on our services provided via our website and typically work in conjunction with cookies to identify our users and user behavior.
10.3 How we use cookies and similar technologies, in particular, for profiling. We may use cookies and automatically collected information to: (i) personalize our website and the services provided via our website, such as remembering your information so that you will not have to re-enter it during your use of, or the next time you use, our website and the services provided via our website; (ii) provide customized advertisements, content, and information on the basis of profiling; (iii) monitor and analyze the effectiveness of our website and the services provided via our website and third-party marketing activities on the basis of profiling; (iv) monitor aggregate site usage metrics such as total number of visitors and pages viewed; and (v) track your entries, submissions, and status in any promotions or other activities offered through our website and the services provided via our website (profiling). Tracking technology (profiling) also helps us

manage and improve the usability of the website, (i) detecting whether there has been any contact between your computer and us in the past and (ii) to identify the most popular sections of the website.

10.4 For detailed information regarding cookies and related data processing activities please refer to the Appendix Website Data and Cookies.

11. Changes to the Website Privacy Notice

This Privacy Notice may require an update from time to time – e.g. due to the implementation of new technologies or the introduction of new services. We reserve the right to change or supplement this Privacy Notice at any time. We will publish the changes on the website www.pizzahut.de and/or inform you accordingly (e.g., via email).

Appendix Your Rights

(a) Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access. The right of access is limited pursuant to the Federal Data Protection Act, e.g. it does not apply if the data (a) were recorded only because they may not be erased due to legal or statutory provisions on retention, or (b) only serve the purposes of monitoring data protection or safeguarding data, and providing information would require a disproportionate effort, and appropriate technical and organizational measures make processing for other purposes impossible.
You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
(b) Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(c) Right to erasure ("right to be forgotten"): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data. Such right to erasure does not apply pursuant to the Federal Data Protection Act e.g. if in the case of a non-automated processing erasure would be impossible or would involve disproportionate effort due to the specific mode of storage and if your interest in erasure can be regarded as minimal. In such case, you may have the right to restriction of processing.
(d) Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
(e) Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

_______________________________________________________________________________

(f) Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data.

Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.

Appendix Website Data and Cookies

Purposes of the Processing	Categories of Personal Data and Information on Cookies Used (if applicable)	Legal Basis for the Processing	Storage Period
Website To allow users to access and browse our website.	● IP address ● date and time of the access request ● time zone difference to Greenwich Mean Time (GMT) ● content of the request (specific page) ● access status/HTTP status code ● the data volume transferred ● website from which the access request is made ● browser (language and version of the browser software) ● type of device and operating system	Legitimate interests (Art. 6 (1) (f) GDPR): The processing of personal data your browser transmits to our server is technically required to let you access and browse the website. More information on the balancing test is available upon request.	For the time period during which users access and browse our website.

Website - Registration	● Name ● email address ● telephone number ● password ● address	Contract performance (Art. 6 (1) (b) GDPR): The processing of personal data is required to provide you with a user account pursuant to our terms of use.	During the term of the contract.
General Communication To communicate with users about accounts, etc. and to respond to customer services inquiries and requests for information.	● first name ● last name ● email address ● telephone number	Legitimate interests (Art. 6 (1) (f) GDPR): The processing of personal data is necessary to answer the respective request of the user which otherwise cannot be fulfilled. Therefore, the processing is justified on the basis of legitimate interests. More information on the balancing test is available upon request.	During term of the contract, duration purpose processing. or for of the of
Newsletters To allow users to subscribe to our newsletter and provide users with newsletters.	● first name ● last name ● email address	Consent (Art. 6 (1) (a) GDPR) is the legal basis for the processing of personal data for the purpose of personalizing and sending emails to subscribers of the personalized newsletters about initiatives, announcements and product offers based on account info and activity (profiling).	As long as the consent is given and not revoked and 6 months after revocation.
Web analytics (profiling) with Google Analytics To create reports on website activity with the help of Google Analytics provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. Google will use this information on behalf of the operator of this website for the purpose of profiling by evaluating your use of the website, compiling reports on website activity for the website operator and providing the website operator with other services relating to website activity and internet usage.	IP address (truncated) is collected and processed with Google Analytics. The IP address is truncated as IP-anonymization is activated on this website, your IP address will be truncated within the area of Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. The IP-address, that your browser conveys within the scope of Google Analytics, will not be associated with any other data held by Google. The following third party cookies are used in connection with Google Analytics: ● __utma ● __utmb	Consent (Art. 6 (1) (a) GDPR) is the legal basis for the deployment of cookies on the device used by the website user to access this website and also for the related collection and processing of personal data.	For the time period during which users access and browse our website.

For more information on how Google uses your data when you use this website please visit: https://www.google.com/intl/en/policies/privacy/partners /	● __utmc ● __utmt ● __utmt_b ● __utmz ● __utmx_FT ● __ga You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also opt-out from being tracked by Google Analytics with effect for the future by downloading and installing Google Analytics Opt-out Browser Add-on for your current web browser: https://tools.google.com/dlpage/gaoptout?hl=en-G B
Service improvement To maintain, improve and analyze our website, apps, ads, and products and services offered.	● Data collected as set out in above rows in relation to use of the website, communications, newsletters and web analytics	Legitimate interests (Art. 6 (1) (f) GDPR): The processing of personal data is necessary to maintain, improve and analyze our services which otherwise cannot be fulfilled. Therefore, the processing is justified on the basis of legitimate interests. More information on the balancing test is available upon request.	For the time period during which users access and browse our website.
Order via the ordering platform “TicTuk” For the purpose of processing an order via the ordering platform “TicTuk”.	● Current Delivery Type ● Last Address ● User ( Email address, Phone Number, Name) Optional Cookies: ● _dd_s (Data Dog session tracking) ● Facebook & Google Analytics Cookies)	The processing of user data, last address and type of delivery is necessary for the execution and processing of an order via the "TicTuk" order portal (Art. 6 Para. 1 lit. b GDPR). The processing of optional cookies takes place exclusively in the case and on the basis of a given consent (Art. 6 Para. 1 lit. a GDPR).	Your personal data is stored by the Restaurant and/or our service providers, to the extent necessary for the performance of our obligations and for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. When the Restaurant no longer needs to process your personal data, we will erase it from

			our systems and/or records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which the Restaurant is subject. E.g., personal data contained contracts, communications, and business letters may be subject to statutory retention requirements, which may require retention of up to 10 years. If applicable, any other personal data will in principle be deleted 5 years after the termination of the respective related contractual relationship between you and the Restaurant, if applicable). in
Online applications To allow users to apply for jobs via an online form.	● first name ● last name ● address (street, number, zip code, city, country) ● email address ● mobile phone number ● birthdate ● telephone number	Processing is necessary for the hiring decisions / necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (i.e. employment contract) (Sec. 26 German Federal Data Protection Act / Art. 6 (1) (b) GDPR). To the extent you have consented to the transfer of your application to other companies of the ISH	During the recruitment period of the position and up to 6 months after application process.

● education (school, university, apprenticeship, professional experience)

● competencies ● résumé

Germany GmbH group of companies, the legal basis is consent (Art. 6 (1) (a) / Sec. 26 (2) German Federal Data Protection Act, respectively 9 (2) (a) GDPR / Sec. 26 (3) German Federal Data Protection Act).