Personal data policy
On the processing of guest and supplier data
1. Data controller
DEJ is the data controller.
Halmtorvet 27E, Copenhagen V.
Tlf. +45 32128181
DEJ handles all personal data in accordance with applicable personal data law. DEJ concludes agreements with guests and suppliers on the delivery – purchase and sale – of various services and products.
When a guest orders and purchases one or more of DEJ’s services, and, in connection with this purchase, provides their personal data to DEJ, the guest/supplier also consents to the processing of their personal data by DEJ. The same applies in regard to any personal data provided to DEJ by suppliers in connection with the submission of offers or conclusion of agreements with DEJ.
2. DEJ’s collection of personal data
Personal data is collected by DEJ as follows:
When a guest – or a representative hereof – obtains an offer and/or purchases services/products offered by DEJ, or when suppliers provide offers or sell products or services to DEJ.
Through browser cookies on our websites.
In connection with the use of DEJ’s digital services.
From social media.
When suppliers conclude agreements with DEJ or provide offers to DEJ.
The collection and processing of personal data, cf. the above, will always be performed in accordance with applicable personal data legislation.
3. Data collected by DEJ
DEJ collects the following personal data:
Name, address, telephone number, e-mail address, date of birth and other common non-sensitive personal data.
Data from DEJ’s customer surveys and feedbacks.
Data from competitions conducted by DEJ.
Data from DEJ’s social media.
Data about the guest’s company and relevant contact persons.
Data about suppliers’ companies and data about relevant and key contact persons, including key accounts.
A guest/supplier can voluntarily provide DEJ with additional personal data that they deem important for DEJ’s servicing of them, or which they believe should be provided for safety/security reasons.
Examples of such data include:
Special food preferences
Other health or medical data
If a guest/customer/supplier voluntarily chooses to provide such data, DEJ perceives this as consent to register and store this sensitive data.
In addition to the data that DEJ receives directly from guests/suppliers, DEJ will in some cases collect or process additional data received by DEJ from third parties, e.g. a travel agency, another intermediary or an employee of the company at which the data subject is employed. In such cases, the applicable third party is obliged to inform the applicable guests/suppliers of DEJ’s terms and conditions, and DEJ’s personal data policy. It is also the applicable third party’s responsibility to ensure the required legal basis for the collection and processing of the applicable data, including collection of required consent for the processing of any sensitive data.
4. Payment with payment cards
DEJ uses DIBS www.dibs.dk (Nets), for redemption of payments with payment and credit cards in our restaurants. DIBS, QuickPay and DEJ are all approved and certified by Pengeinstitutternes Betalingssystem (www.pbs.dk).
In connection with orders and bookings, DEJ stores the data provided by the guest/supplier for a period of up to two years, after which the data is deleted. All financial data is by law currently stored for the current calendar year plus 5 years due to demands from our accounting department.
Besides processing the order, the data provided will only be used if, for example, a guest/supplier contacts DEJ with a question, or if there are errors in the order.
5. What is the purpose of the collection and processing?
DEJ solely collects personal data necessary to fulfill the agreements conducted with guests/customers/suppliers on the delivery of services, e.g. a table reservation at one of our restaurants or purchase/sale of products or services. The content of the individual agreement or the nature of the service determines, which personal data is collected and processed by DEJ, as well as the purpose of the collection.
The purpose of collection and processing of personal data will primarily be:
Processing of guest bookings and purchase of DEJ’s services.
Processing of suppliers’ offers and the sale of products and services.
Contact with the guest before, during and after their visit.
Fulfillment of the guest’s request for an offer or purchase of services.
Improvement and development of DEJ’s services.
Analysis of guest/supplier user behavior and marketing to these groups.
Adjustment of DEJ’s communication and marketing to guests/suppliers.
Administration of guests/suppliers relations with DEJ.
6. Legal basis for the processing
DEJ will typically process personal data because it is necessary to fulfill an agreement between DEJ and a guest/supplier. For example, this may involve functions, meetings, events or administration and fulfillment of cooperation and supplier agreements.
If, in connection with a visit at DEJ, a guest provides data about special personal preferences or considerations, e.g. health data, disability, religious belief or the like, DEJ only uses this data to ensure consideration of the guest’s/customer’s personal preferences, health, etc.
In some cases, DEJ receives personal data from a third party, e.g. a travel agency, an agent or the likes, including in connection with group bookings. In such cases, the applicable third party is required to inform the applicable guests/customers/suppliers of DEJ’s terms and conditions, and the contents of this personal data policy.
7. The data subject’s rights
Under the rules of the Personal Data Regulation, the data subjects (customers/suppliers) have various rights.
The data subject is entitled at all times to access the personal data processed by DEJ regarding the data subject.
The data subject is entitled at all times to demand the correction and updating of personal data possessed by DEJ regarding the data subject.
The data subject is entitled at all times to demand the deletion of personal data possessed by DEJ regarding the data subject. If the data subject requests deletion, all of the data that DEJ is not required by law to store will be deleted. In some cases, the deletion of the data subject’s data may mean that DEJ cannot fulfil concluded agreements or deliver certain services to the data subject. If some of the data possessed by DEJ regarding the data subject is provided on the basis of the data subject’s consent, the data subject is at all times entitled to withdraw this consent, whereby the data will be deleted or no longer be used by DEJ. This does not apply to data which DEJ is required by law to store.
However, the option of withdrawing consent, requesting deletion, etc. may be limited as regards the protection of the privacy of others, trade secrets and intellectual property rights, and, for example, for the purpose of asserting potential legal claims.
The data subject may at all times request in writing that DEJ provides an overview and a copy of the personal data possessed by DEJ regarding the data subject. A written request to this effect must be signed by the data subject and include the data subject’s name, address, telephone number and e-mail address.
The data subject may also contact DEJ if the data subject believes that their personal data is being processed in violation of the law or in violation of other legal obligations, e.g. this agreement/contract between the data subject and DEJ. This written request must be sent to DEJ, see contact data in section 1 above. After receipt of the data subject’s written request, DEJ will, as far as possible, send this data to the data subject’s mail address within one month.
If the data subject requests correction and/or deletion of their personal data, DEJ will assess whether the conditions for the request are met, and, if so, DEJ will perform changes or deletion as quickly as possible.
DEJ reserves the right to reject requests which are of a harassing repetitive nature, which require disproportionate technical measures which impact the protection of other data subjects’ personal data, or in other situations where it would be disproportionately resource-demanding or highly complicated to accommodate the request.
8. Security and sharing of personal data
DEJ protects the data subject’s personal data and has established guidelines protecting the data subject’s personal data from unauthorized disclosure and preventing unauthorized parties from gaining access to, or knowledge of, this data.
Only the employees at DEJ who require the data subject’s personal data in connection with their job function have access to this data. DEJ performs continuous monitoring to prevent any unauthorized accessing of the data subjects’ personal data.
In the event of a security breach where there is a high risk of abuse of the data subjects’ personal data, including, for example, identity theft, financial loss, damage to reputation or other forms of misuse, DEJ will notify the data subjects of the security breach as quickly as possible. DEJ’s security procedures are continuously reviewed and updated in relation to technological developments.
DEJ utilizes a number of external suppliers of IT services, IT systems, payment solutions, etc. DEJ regularly concludes data processor agreements with all of DEJ’s suppliers, ensuring that external data processors maintain a required and high level of protection of the data subjects’ personal data.
DEJ shares and transfers the data subjects’ personal data internally in the restaurant group. The purpose of this sharing is to give the guest the best possible service, regardless of the restaurant with which the guest is in contact.
DEJ deletes your personal data when DEJ’s legal obligation ceases, or when the purpose of collecting and processing the data is no longer present. As a general rule, financial data is stored for the current calendar year + five years, and other data for two years after the last visit.
When you visit our website (www.dej-cph.dk) information about you is gathered in order to adapt and improve our content. If you don’t want your information to be gathered, you should delete your cookies. (see guide) and refrain from further use of our website. Below we have elaborated on the kind of information we gather, the purpose of said information and the third parties, which have access to it.
Our website uses “cookies”, which are small text files that automatically saves to your computer, smart phone or similar device with the purpose of being able to recognize said device, remember certain settings and conduct statistics. Cookies do not contain damaging code such as virus etc.
It is possible to delete or block cookies. Se a how-to-guide here: http://minecookies.org/cookiehandtering. If you delete or block cookies, you may risk that the website doesn’t function optimally and that there may be content you cannot access.
Our website contains cookies from third parties, which may to a varying degree include:
Google Analytics (website analysis and optimization)
easyTableBooking Danmark (table reservations)
Facebook (social media)
Instagram (social media)
When you use our website we gather and process a range of personal data. For example, this occurs by simply navigating our different pages or if you “like” a blog post.
We typically gather and process the following types of information: A unique ID and technical information about your computer, tablet or smart phone, your IP address, geographical location and information about the pages you visit (interests). To the extent of which you provide explicit consent and enter the information yourself we will also process information such as: Name, phone number, e-mail, address and/or payment information. This will typically be the case when making a table reservation.
Cookies are necessary to make the website function optimally. Cookies on this site are mainly used to measure traffic and optimize the content of our pages. Furthermore, the information is used to register your purchases and payments as well as to make us able to deliver the services you request.
Using Google Analytics, we monitor:
Demography including age and sex
Interests including associated categories and market segments
Geography including language and location
Website behavior including returning visitors, frequency, timeliness and engagement
Technology including browser, operating system and service provider
Smartphone/Tablet including maker and model
The information is stored for the amount of time allowed by current legislation and we delete it when it’s no longer necessary to us. If you “like” our blog posts that data will be stored indefinitely. Data gathered through Google Analytics will be stored for 2 years.
Redistribution of information
Information about your use of our website, the pages you visit, your geographical location, sex, age segment etc. is redistributed to third parties to the extent that this information is known to us. You can see a list of the third parties in question in the paragraph regarding ”Cookies” above. The information is solely used for statistics and analysis.
10. Acces and Complaints
You have the right to be informed about the personal information we process about you. You may also object to the processing of your information at any time. If the information we process about you is wrong have the right to have it corrected or deleted. If this is the case you can reach us through firstname.lastname@example.org. Should you want to complain about our processing of your personal data you also have the option to contact The Danish Data Protection Agency
Changes and adjustments to this policy will be added on a continuous basis. This document has been updated on May 13th 2019.