On the processing of guest and supplier data
- Data controller
Madklubben is the data controller.
Østergade 22, 3. 1100 København K.
Tlf. +45 33 32 32 34
Madklubben consists of the following companies:
Madklubben Bistro ApS
Madklubben Steak ApS
Madklubben Vesterbro ApS
Madklubben Frederiksberg ApS
Madklubben Aarhus ApS
Madklubben Østerbro ApS
Madklubben Værnedamsvej ApS
Bistro Royal ApS
Steak Royal ApS
Restaurant Frank ApS
Madklubben Nørrebro ApS
Gran Torino Pizza ApS
Alabama Social ApS
From here on collectively referred to as Madklubben.
Madklubben handles all personal data in accordance with applicable personal data law. Madklubben concludes agreements with guests and suppliers on the delivery – purchase and sale – of various services and products.
When a guest orders and purchases one or more of Madklubben’s services, and, in connection with this purchase, provides their personal data to Madklubben, the guest/supplier also consents to the processing of their personal data by Madklubben. The same applies in regard to any personal data provided to Madklubben by suppliers in connection with the submission of offers or conclusion of agreements with Madklubben.
- Madklubben’s collection of personal data
Personal data is collected by Madklubben as follows:
- When a guest – or a representative hereof – obtains an offer and/or purchases services/products offered by Madklubben, or when suppliers provide offers or sell products or services to Madklubben.
- Through browser cookies on our websites.
- In connection with the use of Madklubben’s digital services.
- Through purchasing gift certificates to Madklubben via our website.
- From social media.
- When suppliers conclude agreements with Madklubben or provide offers to Madklubben.
The collection and processing of personal data, cf. the above, will always be performed in accordance with applicable personal data legislation.
- Data collected by Madklubben
Madklubben collects the following personal data:
- Name, address, telephone number, e-mail address, date of birth and other common non-sensitive personal data.
- Payment card data – in connection with the purchase of gift certificates and tickets for events.
- Demographic data.
- Purchase history.
- Data from Madklubben’s customer surveys and feedbacks.
- Data from competitions conducted by Madklubben.
- Data from Madklubben’s social media.
- Browser data.
- Data about the guest’s company and relevant contact persons.
- Data about suppliers’ companies and data about relevant and key contact persons, including key accounts.
A guest/supplier can voluntarily provide Madklubben with additional personal data that they deem important for Madklubben’s servicing of them, or which they believe should be provided for safety/security reasons.
Examples of such data include:
- Special food preferences
- Other health or medical data
If a guest/customer/supplier voluntarily chooses to provide such data, Madklubben perceives this as consent to register and store this sensitive data.
In addition to the data that Madklubben receives directly from guests/suppliers, Madklubben will in some cases collect or process additional data received by Madklubben from third parties, e.g. a travel agency, another intermediary or an employee of the company at which the data subject is employed. In such cases, the applicable third party is obliged to inform the applicable guests/suppliers of Madklubben’s terms and conditions, and Madklubben’s personal data policy. It is also the applicable third party’s responsibility to ensure the required legal basis for the collection and processing of the applicable data, including collection of required consent for the processing of any sensitive data.
- Payment with payment cards
Madklubben uses DIBS www.dibs.dk(Nets), for redemption of payments with payment and credit cards in our restaurants. Madklubben uses QuickPay for the online payment on our webshop, and do not keep any information regarding payments such as credit card number or bank account. DIBS, QuickPay and Madklubben are all approved and certified by Pengeinstitutternes Betalingssystem (www.pbs.dk).
In connection with orders and bookings, Madklubben stores the data provided by the guest/supplier for a period of up to two years, after which the data is deleted. All financial data is by law currently stored for the current calendar year plus 5 years due to demands from our accounting department.
Besides processing the order, the data provided will only be used if, for example, a guest/supplier contacts Madklubben with a question, or if there are errors in the order.
- What is the purpose of the collection and processing?
Madklubben solely collects personal data necessary to fulfill the agreements conducted with guests/customers/suppliers on the delivery of services, e.g. a table reservation at one of our restaurants or purchase/sale of products or services. The content of the individual agreement or the nature of the service determines, which personal data is collected and processed by Madklubben, as well as the purpose of the collection.
The purpose of collection and processing of personal data will primarily be:
- Processing of guest bookings and purchase of Madklubben’s services.
- Processing of suppliers’ offers and the sale of products and services.
- Contact with the guest before, during and after their visit.
- Fulfillment of the guest’s request for an offer or purchase of services.
- Improvement and development of Madklubben’s services.
- Analysis of guest/supplier user behavior and marketing to these groups.
- Adjustment of Madklubben’s communication and marketing to guests/suppliers.
- Administration of guests/suppliers relations with Madklubben.
- Legal basis for the processing
Madklubben will typically process personal data because it is necessary to fulfill an agreement between Madklubben and a guest/supplier. For example, this may involve functions, meetings, events or administration and fulfillment of cooperation and supplier agreements.
If, in connection with a visit at Madklubben, a guest provides data about special personal preferences or considerations, e.g. health data, disability, religious belief or the like, Madklubben only uses this data to ensure consideration of the guest’s/customer’s personal preferences, health, etc.
In some cases, Madklubben receives personal data from a third party, e.g. a travel agency, an agent or the likes, including in connection with group bookings. In such cases, the applicable third party is required to inform the applicable guests/customers/suppliers of Madklubben’s terms and conditions, and the contents of this personal data policy.
- The data subject’s rights
Under the rules of the Personal Data Regulation, the data subjects (customers/suppliers) have various rights.
- The data subject is entitled at all times to access the personal data processed by Madklubben regarding the data subject.
- The data subject is entitled at all times to demand the correction and updating of personal data possessed by Madklubben regarding the data subject.
- The data subject is entitled at all times to demand the deletion of personal data possessed by Madklubben regarding the data subject. If the data subject requests deletion, all of the data that Madklubben is not required by law to store will be deleted. In some cases, the deletion of the data subject’s data may mean that Madklubben cannot fulfil concluded agreements or deliver certain services to the data subject. If some of the data possessed by Madklubben regarding the data subject is provided on the basis of the data subject’s consent, the data subject is at all times entitled to withdraw this consent, whereby the data will be deleted or no longer be used by Madklubben. This does not apply to data which Madklubben is required by law to store.
However, the option of withdrawing consent, requesting deletion, etc. may be limited as regards the protection of the privacy of others, trade secrets and intellectual property rights, and, for example, for the purpose of asserting potential legal claims.
The data subject may at all times request in writing that Madklubben provides an overview and a copy of the personal data possessed by Madklubben regarding the data subject. A written request to this effect must be signed by the data subject and include the data subject’s name, address, telephone number and e-mail address.
The data subject may also contact Madklubben if the data subject believes that their personal data is being processed in violation of the law or in violation of other legal obligations, e.g. this agreement/contract between the data subject and Madklubben. This written request must be sent to Madklubben, see contact data in section 1 above. After receipt of the data subject’s written request, Madklubben will, as far as possible, send this data to the data subject’s mail address within one month.
If the data subject requests correction and/or deletion of their personal data, Madklubben will assess whether the conditions for the request are met, and, if so, Madklubben will perform changes or deletion as quickly as possible.
Madklubben reserves the right to reject requests which are of a harassing repetitive nature, which require disproportionate technical measures which impact the protection of other data subjects’ personal data, or in other situations where it would be disproportionately resource-demanding or highly complicated to accommodate the request.
- Security and sharing of personal data
Madklubben protects the data subject’s personal data and has established guidelines protecting the data subject’s personal data from unauthorized disclosure and preventing unauthorized parties from gaining access to, or knowledge of, this data.
Only the employees at Madklubben who require the data subject’s personal data in connection with their job function have access to this data. Madklubben performs continuous monitoring to prevent any unauthorized accessing of the data subjects’ personal data.
In the event of a security breach where there is a high risk of abuse of the data subjects’ personal data, including, for example, identity theft, financial loss, damage to reputation or other forms of misuse, Madklubben will notify the data subjects of the security breach as quickly as possible. Madklubben’s security procedures are continuously reviewed and updated in relation to technological developments.
Madklubben utilizes a number of external suppliers of IT services, IT systems, payment solutions, etc. Madklubben regularly concludes data processor agreements with all of Madklubben’s suppliers, ensuring that external data processors maintain a required and high level of protection of the data subjects’ personal data.
Madklubben shares and transfers the data subjects’ personal data internally in the restaurant group. The purpose of this sharing is to give the guest the best possible service, regardless of the restaurant with which the guest is in contact.
Madklubben deletes your personal data when Madklubben’s legal obligation ceases, or when the purpose of collecting and processing the data is no longer present. As a general rule, financial data is stored for the current calendar year + five years, and other data for two years after the last visit.
Complaints regarding Madklubben’s processing of personal data can be directed to the Danish Data Protection Agency, BORGERGADE 28, 5, DK-1300 COPENHAGEN K, DENMARK, TELEPHONE (+45) 3319 3200. E-MAIL: email@example.com
Changes and adjustments to this policy will be added on a continuous basis. This document has been updated on May 24th2018.