Privacy Policy of Hospitality Digital GmbH – DISH WEBSITE

We take the protection of our Users’ personal data seriously. The following Privacy Policy is therefore intended to inform you about the processing of your personal data in accordance with Regulation (EU) 2016/679 ("GDPR"). In particular, we explain which personal data we collect, for what purposes we process these personal data, which technologies we use, to whom we transfer personal data and what rights you are entitled to under the GDPR.

1. General Information

1.1 Controller within the meaning of the GDPR is the Hospitality Digital GmbH, Metro-Straße 1, 40235 Düsseldorf (“H.d“, “we“ or “us“). For certain processing activities in connection with the Services, our Affiliates act as the data controller jointly with us. You may find a list of our Affiliateshere. Your personal data will only be processed by the Affiliate which is located at your place of business.

1.2 If you have any questions regarding the protection of personal data, you may contact our Data Protection Officer using the following contact details: Hospitality Digital GmbH, Data Protection Officer, Metro-Straße 1, 40235 Düsseldorf, email: privacy@hd.digital. The contact details of our Affiliates’ data protection officers can be found here.

1.3 Terms used in this Privacy Policy have the same meaning as defined in our General Terms and Conditions, unless explicitly stated otherwise herein.

A. Processing of Personal Data on our Website

2. Automated Processing of Personal Data when Accessing our Website

2.1 When you access and use our website via your terminal device (this may be your computer, your mobile phone or a comparable internet-enabled terminal device), we process personal data automatically. This includes

• the IP address currently used by your terminal device,

• date and time when the website was accessed,

• the browser type and the operating system of your terminal device;

• the initial website from which you accessed our website and

• the sub-pages visited on our website.

2.2 Processing the IP address of your terminal device is necessary for us to make the website available to you and thus serves the functionality of the website. The processing of the other data mentioned in section 2.1 of this Privacy Policy takes place for the purposes of data security and the security of our IT systems as well as for the optimization of our services and for the improvement of our website. The data mentioned in section 2.1 of this Privacy Policy are stored in a separate log file and are not linked to any other stored personal data. An evaluation of these data, with the exception of statistical purposes and then generally in anonymous form, is only carried out within the scope of this Privacy Policy. The data mentioned in section 2.1 of this Privacy Policy will not be used for marketing or advertising purposes. The processing is carried out on the basis of Article 6 para. 1 sentence 1 letter f) GDPR. Protecting our website and optimizing our services is a legitimate interest on our part.

2.3 The data mentioned under 2.1 of this Privacy Policy will be stored until the purpose of the processing has ceased to apply. The data required for the provision of the website (your IP address) will be deleted after the end of the respective browser session, i.e. when you leave the website or close your browser. The deletion of the log files in which this data is stored is done automatically and usually within fourteen (14) days after creation of the log file. If the other data mentioned in section 2.1 of this Privacy Policy are also processed by us for evaluation purposes, this is done without reference to the IP address, so that we can no longer establish a personal reference.

3. Cookies

In order to make our services and our website as user-friendly as possible and to enable the use of certain functions of the website, we use so-called Cookies. These are small text files that are stored on your terminal device by your browser. A text file of this type contains a characteristic character string that allows the browser to be uniquely identified when the website is accessed again. For example, Cookies can be used to automatically recognize certain website settings you have selected for your next visit. Some of the Cookies we use are required in order to provide you with the website (technically necessary Cookies). Other Cookies are used to analyze your usage behavior (analysis Cookies) or for advertising purposes (advertising Cookies). Some of the Cookies we use are deleted after the end of a session, i.e. after closing your browser (session Cookies). Other Cookies remain on your terminal device and enable us to recognize your browser the next time you visit our website (persistent Cookies). You can set your browser in such a way that you are informed about the placing of Cookies and can decide individually about their acceptance or exclude the acceptance of Cookies for certain cases or generally. Please refer to your browser's help function for more information. Your browser also contains settings that prevent Cookies from being placed. As a user, you therefore have full control over the use of Cookies. By changing the settings in your browser, you can deactivate or restrict the transmission of cookies (and thus object to the creation of pseudonyms in accordance with § 15 Para. 3 TMG). Cookies that have already been saved can be deleted at any time. This can also be done automatically by setting your browser accordingly. Certain Cookies also offer further technical options (such as setting an "opt-out Cookie") in order to object to the use of the Cookie. Information on this can be found in the respective detailed description of the Cookie further down below. However, the functionality of our website may be limited if Cookies are prevented from being placed. In detail:

3.1 To enable the website to function properly, we use technically necessary Cookies, for example to store language settings and log-in information. The legal basis for the processing of technically necessary Cookies is Article 6 para. 1 sentence 1 letter f) GDPR. The functionality of our website is a legitimate interest.

3.2 We use analysis Cookies that allow us to track your use of our website, e.g. which third-party website you came from, which sub-pages of our website you visit and which links you clicked on and how often. The data collected about you in this way is pseudonymised by us through technical precautions. After pseudonymization, direct assignment of the data to the User is no longer possible. The data will not be stored together with other personal data. The use of analysis Cookies serves to improve our website and the content offered there. By accepting our "Cookie banner", you consent to the processing of your personal data through analysis Cookies. These personal data are processed on the basis of Article 6 para. 1 sentence 1 letter a) GDPR. We use the following analysis Cookies:

• We use Adobe Analytics, a service of Adobe Systems Software Ireland Limited (4-6 Riverwalk Citywest Business Campus, Dublin 24, Republic of Ireland; "Adobe"). This service uses Cookies which are stored on your terminal device and which enable an analysis of your website usage. The information generated by the Cookie about your use of this website (including your IP address) will be transmitted to Adobe servers in Ireland, where it will be made anonymous and then transmitted to and stored on servers in the USA for further processing. Adobe uses this information to evaluate your use of the website for us, to compile reports on website activity for us and to provide other services relating to website and Internet use. Where required to do so by law, or where such information is processed on Adobe's behalf, such information may be transferred to third parties. Under no circumstances will your IP address be matched with other Adobe data. You may refuse the use of Cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. The data processing by Adobe can be contradicted at any time with effect for the future. You can find out more at http://www.adobe.com/privacy/opt-out.html.

• We also use Google Analytics, a web analysis service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). Google Analytics also uses Cookies. The information generated by the Cookies about your use of this website is usually transferred to a Google server in the USA and stored there. However, prior to that Google will shorten your IP address within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On our behalf, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide us with other services relating to website and Internet use. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. You may refuse the use of Cookies by selecting the appropriate settings on your browser. You can also prevent Google from collecting the data generated by the Cookies and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en .

B. Processing of Personal Data when Registering for and when Using our Services

4. Registration for the Services

4.1 Accessing our website is initially possible without registering for our Services.

4.2 However, if you wish to use our Services (see in detail our General Terms and Conditions), registration is mandatory. Upon successful registration, an agreement regarding the use of our Services is concluded between you and H.d.

4.3 Please note that registration for our Services is only possible if you have an account on DISH, a platform provided by DISH Plus GmbH, Metro-Straße 1, 40235 Düsseldorf, Germany. You may find information on how DISH processes personal data in the privacy section under www.dish.co.

4.4 Once you have successfully registered on DISH, we will inform you regularly by email, via push notifications (DISH App) and/or SMS about current offers, products and promotions in accordance with the prerequisites of Article 7 Paragraph 3 of the German Unfair Competition Act. This marketing communication can also contain offers, products and promotions which have been made available to us by our marketing partners from the digitalization and catering industries. However, your email address, cell phone number or other personal data will not be transferred on to our marketing partners in this context. The personal data collected within the framework of the registration will only be used for the purpose of sending newsletters / push notifications to your email address and cell phone number /SMS and will only then be processed when you have given your consent to this data processing. Processing will be executed on the basis of Article 6 Paragraph 1 S. 1 Lit. a) GDPR.

4.5 You may object to your cell phone number and email address being utilized for the purposes set out in 4.4. at any time by using the respective unsubscribe function provided. There will not be any other costs for the revocation apart from the transmission costs according to the basic tariffs.

5. Use of the Services

5.1 We will process the personal data that you have provided during the registration process (see Section 4) and any further personal data that you might provide during the term of the contract (for example additional information on your business or the information when you have used the Software) in order to be able to offer the Services to you, especially to provide the Storage Space, the Software, the claiming services, the Sub-Domain and the Consulting Services as well as Additional Services. In case the customer decides to use the claiming service, H.d will transmit information about customer’s business local availability (i.e. details about the local and time-specific availability, e.g. company’s address and opening hours) to third-party providers which may publish this information (see in detail our General Terms and Conditions).

5.2 To provide the Consulting Services to you, the personal data that you have provided during the registration process (see Section 4) and any further personal data that you might provide during the term of the contract will be processed by our Affiliate based at your location of business (see Section 1.1). The Consulting Services include, inter alia, services regarding the initial setup of the Software, the best possible long-term use of the Software (e.g. which features to add) and how such use may improve your overall business situation. Consulting Services may further include the recommendation of additional tools and services to you which correspond to the Software.

5.3 We and our Affiliates also process your data in order to send you contract-related information by email, SMS or conventional mail or to contact you to arrange appointments for on-premises visits which are necessary to provide the Services, especially the Consulting Services (for example to help you with installing the Software).

5.4 The processing of personal data described in this Section 5 is necessary for the performance of the contract and in order to be able to provide the Services. The legal basis is Article 6 para. 1 sentence 1 letter b) GDPR.

6. Customer Analysis and Marketing

6.1 Our Affiliates will process the personal data that you have provided during the registration process (see Section 4) and any further personal data that you might provide during the term to check and verify whether you might already have an existing separate contractual relationship with such Affiliate (for example because you are a METRO/MAKRO customer, such contractual relationship being the “Affiliate Contract”).

6.2 In case of an existing Affiliate Contract, our Affiliate will process your personal data to update and enrich your existing customer master data and contact data to ensure data accuracy.

6.3 Our Affiliate will furthermore process your personal data to optimize the customer relationship with you in order to improve your customer experience. This may include recommendations on how the Services might, at best, integrate with other tools and services you make use of (for example modifications of your menu). For these purposes, our affiliate might merge data it has received under the Affiliate Contract with personal data received in connection with the Services.

6.4 We also use your personal data to analyze your usage of the Services (for example how often you log in to the Software). This enables us to determine which parts of the Services are of particular interest to you.

6.5 The processing of personal data described in this Section 6.1 – 6.4 is necessary (1) for the performance of the contract and in order to be able to provide the Services and (2) for the purposes of legitimate interest pursued by us and our Affiliates. The legal basis is Article 6 para. 1 sentence 1 letter b) GDPR as well as Article 6 para. 1 sentence 1 letter f) GDPR. The processing serves our legitimate interest to improve the service and to offer you the best possible customer experience.

6.6 Your personal data will only be used for direct marketing via email/sms or by other electronic means in case you have consented to such use. In this case the legal basis is Article 6 para. 1 sentence 1 letter a) GDPR.

C. Further Information Regarding the Processing

7. Joint Controllership

Together with our Affiliates we decided to jointly provide you with certain Services to facilitate and enhance your business (the responsible Affiliate is determined by the location of your business and can be found in the Annex to these Data Protection Notices). Therefore we are both responsible for the processing of your data describe further above. More information on our joint controllership can be found here.

8. Contact

You can contact us through various channels:

8.1 You can use the contact form on our website to contact us for a request. The personal data you enter in the contact form (your first and last name, your email address and details of the nature of your request are required) will only be processed for the purpose of responding to your enquiry and only if you have clicked on the "Send" button. Your IP address and the time of sending your request will also be stored. Processing is carried out on the basis of Article 6 para. 1 sentence 1 letter a) GDPR.

8.2 You can also contact us by telephone or email. In this respect, too, only the personal data required to respond to your enquiry will be processed. Processing is carried out on the basis of Article 6 para. 1 sentence 1 letter a) GDPR.

8.3 You can object to the storage of your data at any time, for example by email to privacy@hd.digital. In this case, however, further processing of your request is not possible. Furthermore, the revocation has no effect on the legality of the processing of your data until then.

9. Transfer of Personal Data to Third Parties

9.1 To process personal data, we use service providers with whom we have concluded an agreement for order processing in accordance with the legal requirements of Article 28 GDPR, provided that they act as processors. Such service providers support us, for example, in sending emails or in the technical operation and hosting of the website. These service providers can be based both inside and outside the European Union or the European Economic Area. Through contractual agreements with the service providers, we ensure that these personal data are processed in accordance with the requirements of the GDPR, even if the data processing takes place outside the European Union or the European Economic Area in countries where an appropriate level of data protection is otherwise not guaranteed and for which no adequacy decision of the European Commission exists. For further information on the existence of a European Commission adequacy decision and appropriate guarantees and to obtain a copy of these guarantees, please contact our Data Protection Officer at privacy@hd.digital.

9.2 In case we transfer our rights and obligations from the agreement of use with you to an Affiliate (for details, please see our relevant GTC), we will transfer to such Affiliate the information required for the further performance of the contract or, respectively, the exercise of legal rights and discharge of duties. The legal basis for this is Article 6(1))

9.3 If necessary to find out if the Software has been abused and a legal prosecution might be necessary or a legal obligation for disclosure exists, personal data are passed on to authorities (in particular prosecution authorities and tax authorities), our legal defense as well as, if necessary, to damaged third parties. A disclosure may also take place if this serves to enforce our General Terms and Conditions or other agreements or is required by a legal or official order or a court order. The legal basis for processing is Article. 6 para. 1 sentence 1 letter f) GDPR, for example if the disclosure is necessary for a legal dispute, or Article 6 para. 1 sentence 1 letter c) GDPR, insofar as a statutory obligation exists. The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

10. Deletion of Personal Data

The personal data collected in connection with the Services will be stored by us until the contract between you and us is terminated (see our General Terms and Conditions in detail). After termination of the contract your customer account and all relating personal data will be deleted. If we are legally obliged to keep certain personal data collected in connection with the Services even after termination of the contract, we will delete this data as soon as the retention periods have expired.

11. Data Security

We use technical and organizational measures to ensure that User‘s personal data are protected against loss, incorrect changes or unauthorized access by third parties. To ensure secure data transmission, the transmission of data is done exclusively via “Secure Socket Layer (SSL)”.

12. Your Rights

As a data subject within the meaning of the GDPR, you are entitled to the following rights:

• The right to obtain information on data processing and a copy of the data processed (right of access, Article 15 GDPR),

• the right to request the rectification of inaccurate data or the completion of incomplete data (right of rectification, Article 16 GDPR),

• the right to request the deletion of personal data and, if the personal data have been published, the information to other data controllers on the request for deletion (right of erasure, Article 17 GDPR),

• the right to request the restriction of data processing (right to restriction of processing, Art. 18 GDPR),

• the right to receive personal data in a structured, commonly used and machine-readable format and to request the transfer of such data to another controller (right to data portability, Article 20 GDPR),

• the right to object to data processing in order to prevent it (right of objection, Article 21 GDPR),

• the right to obtain information about the essential aspects of the joint data controllership agreement where roles and responsibilities of each joint Data Controller regarding the processing of personal data and the mechanisms and procedures for the exercise of the data subjects rights in terms of data protection are regulated (Article 26 para.2 GDPR),

• the right to withdraw your consent at any time in order to prevent the processing of data based on your consent. The withdrawal has no influence on the legality of the processing on the basis of the consent before the withdrawal (right of revocation, Article 7 GDPR) as well as

• the right to object to certain data processing measures (Article 21 GDPR).

You also have the right to lodge a complaint with a supervisory authority if you believe that data processing infringes the GDPR (right of appeal to a supervisory authority, Article 77 GDPR).

Status: November 2019


Cooperation Partner / Partenaire de coopération / Samenwerkingspartner / Socio de cooperación / Suradnički partner / Együttműködési partner / Partner di cooperazione / Partner współpracy / Партнер по сотрудничеству / İşbirliği Ortağı / Партнер співробітництва / Parceiro de Cooperação / Partner pro spolupráci / Kooperations Partner

Austria

Belgium

Croatia

Czech Republic

METRO Cash & Carry Österreich GmbH

MAKRO Cash & Carry Belgium NV

METRO C&C Zagreb d.o.o.

MAKRO Cash & Carry CR s.r.o.

Metro Platz 1

Nijverheidsstraat 70

Jankomir 31

Jeremiásova 7/1249

2331 Vösendorf

2160 Wommelgem

10090 Zagreb - Susedgrad

15500 Praha 5

Austria

Belgium

Croatia

Czech Republic

France

Germany

Hungary

Italy

METRO Cash & Carry France SAS

METRO Deutschland GmbH

METRO Kereskedelmi Kft.

METRO Italia Cash and Carry S.p.A.

5 rue des Grands Prés

Metro-Straße 8

Budapark, Keleti 3

Via XXV Aprile, 25

92024 Nanterre Cedex

40235 Düsseldorf

2041 Budaörs

20097 San Donato

Milanese

France

Germany

Hungary

Italy

Netherlands

Poland

Portugal

Romania

MAKRO Cash & Carry Nederland B.V.

MAKRO Cash and Carry Polska S.A.

MAKRO Cash & Carry Portugal, S.A.

METRO Cash & Carry Romania srl

Spaklerweg 50-52

Al. Krakowska 61

Rua Quinta do Paizinho, 1

51 N Theodor Pallady Blvd

1096 BA Amsterdam

02-183 Warszawa

Portela de Carnaxide

Building C6, Frame A, Sector 3

2794-066 Carnaxide

Bucharest

Netherlands

Poland

Portugal

Romania

Russia

Slovakia

Spain

Turkey

METRO Cash & Carry OOO

METRO Cash & Carry Slovakia, s.r.o.

MAKRO España

METRO Grosmarket Bakirköy Alisveris

Leningradskoye Shosse, 71 G, bld 2

Senecká cesta 1881

Paseo Imperial, 40

Hizmetleri Ticaret Sirketi Ltd. Sti.

125445 Moscow

900 28 Ivanka Pri Dunaji

28005 Madrid

Kocman Caddesi

34540 Günesli-Bakirköy (Istanbul)

Russia

Slovakia

Spain

Turkey

Ukraine

METRO C&C Ukraine Ltd.

43, Petra Grygorenka Street

02140 Kiev

Ukraine