Personal Data Processing Policy of OiO
The present personal data processing policy is developed in accordance with the EU Regulation (EC) 2016/679 of the European Parliament and the Council of 27 April 2016, entered into force on May 25th 2018.
The EU Regulation 2016/679 and the personal data processing policy of OIO apply only to the processing of personal data relating to natural persons, excluding legal persons.
1) Controller
The controller is the limited liability company LT Food & Beverage SARL, established and having its registered office in L-1343 Luxembourg, 48, Montée de Clausen, represented by its currently acting manager (hereinafter referred to as “OiO”).
Within OiO, Mr. Leonardo de Paoli (info@oio.lu) has been appointed Data Protection Officer and deals in particular with the implementation of the personal data processing policy.
2) Collection and processing of personal data (PD), means of processing and purpose of processing
a) If you are entering into a contractual relationship with OiO, the following PD will always be collected:
- Name
- Surname
- Private and professional address
- E-mail address
- Phone and mobile phone number
b) According to the nature of the contractual relationship, the following PD may be collected by OiO:
- Date of birth
- Personal status
- Allergies
- and any information necessary for the fulfillment of the contractual obligations of OiO
We collect and process this data in order:
- To help us identify you as our client and to provide you with information,
- To communicate with you,
- To ensure the follow-up of bookings and orders (gift-vouchers, cooking classes, etc.),
- To ensure the management of customer files,
- To cope with administrative and organisational requirements, e.g. processing of claims, control of accounting information and credit card payments, fraud detection, etc.,
- To issue our invoices, and
- If need be, to ensure our debt recovery.
The data is used by OiO, its associates and employees in the context of the contractual relationship you entered into with OiO.
Depending on the nature of the contractual relationship you maintain with OiO, your PD may however be passed in particular to subcontractors (especially in the context of the management of reservations through online booking services and the management of OiO’s payment services), suppliers, public authorities, and to any other person whose collaboration may be necessary and/or helpful in order to fulfil OiO’s contractual and legal obligations.
3) Location of data storage
Your identification data (name, surname, if necessary, e-mail address, telephone number) will be stored in the client inventory of OIO.
Your PD relating to your contractual relationship with OIO (in particular your identification data and your orders’ details) will be stored particularly, entirely or partially, in a computer file, but can also be stored, entirely or partially, in a paper file.
4) Duration of the data processing
OiO will store your PD for the full duration of the contractual relationship, increased by the duration during which OiO may be held liable, or as long as it may be required by any other legal or regulatory obligation, or as long as the storage may be required for purposes of proof in the context of litigation.
5) Your rights
a) Right of information
You have the right to know who is processing your data and why and for which purpose it is processed.
In case of a security breach resulting in an infringement of PD that may lead to a significant risk for your rights and freedoms, the controller is obliged to inform you without undue delay.
b) Right of access
Upon request, the controller is obliged to communicate the entirety of the PD relating to you.
c) Right to rectification
You have the right to request the controller to rectify your PD.
d) Right to erasure (‘right to be forgotten’)
If there are no longer legitimate grounds for the processing of the PD, the controller is obliged to erase your PD upon your request without delay within a reasonable period of time.
e) Right to data portability
You have the right to receive the data you have provided to OIO in a structured, commonly used and machine-readable format and the right to transmit those data to a third party, provided that the processing is carried out by automated means and based on your consent or on a contract between you and OIO.
f) Right to object
You have the right to object at any time to processing of your PD for the future. Your objection only applies for the future without any retroactive effect. In case of opposition, your PD will immediately be deleted.
However, your right to object shall not apply when the processing is expressly laid down by law.
g) Right to restriction of processing
You have the right to request the restriction of processing of your PD:
- If you contest the accuracy of personal data, for a period enabling the controller to verify the accuracy of the personal data,
- If the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,
- If you require the data for the establishment, exercise or defense of legal claims.
When processing has been restricted, your PD shall no longer be processed.
h) Right to complain
You have the right to exercise your rights before the controller.
If your complaint remained unanswered, you have the right to lodge a complaint with the CNPD (www.cnpd.lu).
Furthermore, you have the right to bring the matter before a court.
The present personal data processing policy may be modified at any time and may never be deemed a client’s vested right.
DATA PROTECTION NOTICE FOR VIDEO SURVEILLANCE
LT Food & Beverage S.à r.l. (hereinafter referred to as the “Company”, or “OiO”, or “we”), is committed to the protection of your personal data in accordance with data protection legislation, especially the General Data Protection Regulation EU 2016/679 (the GDPR).
This Data Protection Notice is intended to inform the directors, partners and employees of the Company, as well as any other workers, contractors, consultants, or other self-employed individuals performing work or providing services to or on behalf of the Company, and clients/visitors of its premises (“you”) about the use of a video surveillance system (the “video surveillance system”), how long we keep data, what rights you have and how you can exercise them.
WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?
The Company is responsible, as a controller, for collecting and processing your personal data under the video surveillance system and for determining the purposes and means of such processing.
WHAT PERSONAL DATA DO WE PROCESS?
We collect and use your image when you enter or circulate in the areas covered by our video surveillance system (the “premises”). Pictograms are displayed at the entrance of, and around the premises. The data we collect include the following categories of data:
- images caught on cameras installed in monitored premises indicated by pictograms (no sound is recorded and video is recorded only outside of operating hours of the restaurant),
- dates and hours of recordings.
WHY DO WE PROCESS YOUR PERSONAL DATA (PURPOSE AND LEGAL BASIS)?
We collect and use your personal data for the following purposes:
- to control access to and to ensure the security of the premises, the safety of the Company staff and visitors, as well as property, assets and information located or stored in the premises;
- to prevent, detect, and if necessary, investigate unauthorised access, including unauthorised access to secure premises.
Whilst our video surveillance system is used to control access and secure monitored areas, it contributes to the prevention of potential danger for our employees’ or visitors’ health and safety (in case of e.g. fire, accident or physical assault) and to the protection of our assets (including against theft of equipment or assets). The video surveillance system is not used for purposes that are incompatible with those detailed above. Where allowed by law, the video surveillance system may be used as an investigative tool or to obtain evidence in internal investigations or disciplinary procedures, including in case of a security incident.
We collect your personal data to pursue the Company’s legitimate interests (art. 6.1f GDPR), including access control, security of premises, safety of staff and visitors, protection of our interest and rights in the event of investigated, suspected or actual violations or criminal offences.
Where applied to the Company’s staff, video surveillance systems comply with article L. 261-1 of the Luxembourg Labour Code.
WHO CAN ACCESS YOUR PERSONAL DATA?
In order to fulfil the aforementioned purposes, your personal data can be accessed by our management, and HR (as required).
We may also communicate your personal data to:
- service providers/vendors (such as a contracted security company) that perform services on our behalf,
- the Police, law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law.
WHERE DO WE TRANSFER YOUR PERSONAL DATA?
We may transfer and maintain your personal data covered by this Data Protection Notice on servers or databases outside the European Union/European Economic Area (“EU/EEA”). Data protection law does not allow organisations to transfer personal data outside the EU/EEA, except where they can ensure this will be appropriately protected. In any instances where we transfer personal data outside the EEA, we will ensure this in compliance with one of the safeguards set out in data protection law (e.g., risk assessed standard contractual clauses approved by the European Commission as per art. 46 GDPR) in order to ensure that data is protected.
SECURITY OF YOUR PERSONAL DATA
The processing of your personal data is carried out through IT, electronic and manual tools, using logic strictly related to the aforementioned purposes and, in any event, in compliance with the appropriate technical and organisational measures required by law to ensure a level of security that is adequate to the risk, in order to avoid unauthorised loss or access to your data.
HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We will retain your personal data for 8 days from their recording, except in the event of an incident or legal proceedings. At the end of that period, your personal data being processed will be deleted or destroyed.
WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?
In accordance with applicable data protection law (and subject to conditions and restrictions set forth therein), you may exercise at any time in respect of us, the following rights in relation to your personal data:
- right to access, which enables you to obtain from us confirmation on whether your personal data is being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with GDPR, that before the information is provided, you specify the transaction, information or processing activities to which your request relates;
- right to rectification, which enables you to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete.
In certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled, in line with the GDPR), you may exercise the following rights in relation to your personal data:
- right to erasure: which enables you, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;
- right to restriction of processing: which enables you, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;
- right to object: which enables you to object to the processing of your personal data when certain conditions are met.
To exercise any of these rights, you may contact us by email at info@oio.lu.
You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD).
CHANGES TO THIS DATA PROTECTION NOTICE FOR VIDEO SURVEILLANCE
Changes may occur in the way we process personal data. In case these changes oblige us to update this Data Protection Notice for Video Surveillance, we will clearly communicate it to you via appropriate means. You may request a copy of this privacy notice from us. Should you wish to do so, please contact info@oio.lu.
Luxembourg, March 1, 2021