PRIVACY POLICY

FIVE GUYS CUSTOMER PRIVACY POLICY

INTRODUCTION

In this Customer Privacy Policy (Privacy Policy):

  • references to we, us or our means any subsidiaries and affiliated companies as amended from time to time of Five Guys Holding, Inc. and any of our Franchisee Restaurants in each case operating in countries outside the USA and Canada including: Belgium, Ireland, Italy, Luxemburg, the Netherlands, Switzerland and Austria;
  • references to Franchisee Restaurants means any restaurants operated by a third party franchisee under the FIVE GUYS® Restaurant brand;
  • references to you or your means the person accessing and using the Website (as defined below) and/or otherwise visiting a FIVE GUYS® Restaurant;
  • references to the Websites mean the following websites found at (as amended from time to time):

    and includes the Five Guys app; and

  • references to FIVE GUYS® Restaurant means any restaurant for the operation of FIVE GUYS® fast casual restaurants which specialize in the sale of fresh made burgers, fries, and other accompaniments prepared in accordance with our Five Guys brand standards.

If you are a customer of Five Guys in the USA or Canada, this Privacy Policy will not apply to you. Please instead refer to our privacy notice at www.fiveguys.com.

PRIVACY POLICY

This Privacy Policy sets out the basis on which we collect and use personal information about you through your use of the Website and when you visit a FIVE GUYS® Restaurant.

This Privacy Policy describes:

  • who is responsible for the personal information that we collect about you;
  • the personal information we collect about you;
  • how we will use it;
  • who we may disclose it to; and
  • your rights and choices in relation to your personal information.

This is to make sure you have a full picture of how we collect and use your personal information.

In this Privacy Policy where we use the words personal information we use these words to describe information that is about you and is information which identifies you or them.

Our Website is not intended for children and we do not knowingly collect personal information relating to children.

You have the right to object to our use of your personal information in certain circumstances. A summary of your right to object (along with your other rights under data protection law) and details of who to contact if you want to exercise this right can be found at the How to Contact us section below. For further information on your rights see the Your rights section below.

WHO IS RESPONSIBLE FOR THE PERSONAL INFORMATION THAT WE COLLECT?

For the purpose of data protection law, we are the controller in respect of your personal information collected and used through your use of the Website and when you visit a FIVE GUYS® Restaurant. This is because we dictate the purpose for which your personal information is used and how we use your personal information.

WHAT PERSONAL INFORMATION DO WE HOLD ABOUT YOU?

We collect and use personal information about you in the course of providing the Website and when you visit a FIVE GUYS® Restaurant and you provide us with your personal information. We may also collect certain personal information from you via our Website or when you choose to interact with us.

Information that we hold about you

The information that we hold about you may include the following:

Type of Personal Information: Examples

General

  • Contact information: Name, title, address, email address and telephone number.
  • Telephone recordings: Recordings of telephone calls with our representatives and call centres.
  • Register to use our online services: Username and account number for access to our Website.
  • Details of complaints and compliments you make: Name, address, e-mail address or telephone number, details about the service you received/your experience.

Financial

  • Financial information and account details: Details regarding products purchased, price, payment method and other financial account details.

Other

  • CCTV footage: Images captured on CCTV if you visit a FIVE GUYS® Restaurant.
  • Order data: Information regarding the online order(s) that you place with us through a Website (e.g. products that you order, date of order, delivery address, payment information).
  • Photographs: Images that you share with us via social media.
  • Customer satisfaction/feedback surveys: Your views and opinions about your visit to a FIVE GUYS® Restaurant and your dining experience as well as your views about the Website.
  • Technical Information: Technical Information from any device you use in our stores in Belgium and the Netherlands.

We also collect information from other third party sources and/or publicly available sources such as:

  • Facebook;
  • Twitter;
  • Instagram;
  • LinkedIn; and
  • Snapchat.

We collect identity and contact information about you from the above, and any other available sources (as updated from time to time).

WHAT SPECIAL CATEGORIES OR SENSITIVE PERSONAL INFORMATION DO WE HOLD ABOUT YOU?

We may also collect certain sensitive personal information about you from you (including any special categories of personal data). This may include information concerning your health such as food allergies or intolerances which you provide to us. Where we do so we will rely on your explicit consent or we will notify you if we can rely on a different legal basis for processing this type of information.

INFORMATION ABOUT THIRD PARTIES

In the course of using the Website and when you visit a FIVE GUYS® Restaurant, you may provide us with personal information relating to third parties.

We will use this personal information in accordance with this Privacy Policy. If you are providing personal information to us relating to a third party, you confirm that you have the consent of the third party to share such personal information with us and that you have made the information in this Privacy Policy available to the third party.

HOW DO WE USE THE PERSONAL INFORMATION WE COLLECT ABOUT YOU?

We use your personal information in connection with the provision of the Website; to supply our products to you when you visit a FIVE GUYS® Restaurant and/or when you have placed an online order with us through the Websites, and in order to execute such online order. In particular, your personal information may be used by us, our employees, service providers, and disclosed to third parties for the purposes set out in the table below. For each of these purposes, we have set out the legal basis on which we use your personal information. This is because under data protection law, we can only use your personal information if we have a legal basis to do so.

Examples of where we have a legal basis to process your personal information include when:

  • we have your consent;
  • it is necessary to enter into or perform a contract we have with you (or to take steps at your request prior to entering into that contract);
  • it is necessary in order to protect your vital interests;
  • it is in our legitimate interests to process your personal information; or
  • the processing is necessary to comply with a legal duty.

We must tell you which legal basis we are relying on when we use your personal information. The legal basis we typically rely on and the main purposes for which we use your personal information are set out below.

Purpose and Legal Basis

Purpose: To communicate with you and other individuals.
Legal basis:
  • Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
  • Necessary to enter into or perform a contract we have with you.

Purpose: To manage complaints, feedback and queries and provide customer support.
Legal basis:
  • Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.

Purpose: To improve the quality of the Website and your dining experience.
Legal basis:
  • Legitimate interests. We require your personal information to enhance, modify and personalise the Website and your dining experience for your benefit.

Purpose: To perform any contract entered into with you to fulfil your orders for food and drink and to process payment for those orders.
Legal basis:
  • Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
  • Necessary to enter into or perform a contract we have with you.

Purpose: To comply with any legal or regulatory obligations (including in connection with a court order).
Legal basis:
  • Necessary for compliance with a legal obligation to which we are subject.

Purpose: To engage with you via social media.
Legal basis:
  • Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
  • Consent.

Purpose: To analyse and improve our products to evaluate and develop our business.
Legal basis:
  • Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.

Purpose: To protect against fraud or other criminal activity, as well as dealing with Government authorities/law enforcement agencies.
Legal basis:
  • Necessary for compliance with a legal obligation to which we are subject.
  • Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.

Purpose: To provide you with access to free Wi-Fi in our stores.
Legal basis:
  • Legitimate Interests. We require your personal information in order to enable us to provide you with a convenient and pleasurable experience in our stores and to enable us to manage and carry out our operations as a business.

WHO MAY WE DISCLOSE YOUR PERSONAL INFORMATION TO?

We may share your personal information with:

Type of third party

Examples

General

Our group companies

Other companies and entities that are part of the Five Guys Group.

Our service providers

Our business partners, suppliers and sub-contractors for the performance of any contract we enter into with you for example:

  • our IT systems providers ComputerHulp;
  • our IT cloud services solution which is Microsoft's Office 365 OneDrive, Outlook, Word, Excel, PowerPoint, OneNote, SharePoint;
  • Food Alert Limited in relation to food safety consulting services;
  • Marketforce Information LLC in relation to information on customer experience in a FIVE GUYS® Restaurant;
  • members of TransPerfect Group in relation to translation services;
  • NCR Corporation in relation to point of sale solutions and consulting services;
  • NetDefender, LTD in relation to network consulting services;
  • food and beverage delivery services, including the suppliers: Roofoods Ltd (Deliveroo), Takeaway.com European Operations B.V. (Thuisbezorgd), UberEats;
  • Lineten Limited, in relation to executing orders made on, and managing the order webpage as part of, the Websites;
  • Stripe Inc, with respect to executing and processing payment when an order is placed through the Websites; and
  • Checkmate.com Inc., to connect ordering on the Websites to external delivery services.

A current list of these third party service providers with whom we share your personal information can be provided to you on application to the Legal Department at legal@fiveguys.nl.

Our professional advisers

Including accountants, lawyers and other professional advisers that assist us in carrying out our business activities, a current list of these third parties can be provided to you on application to the Legal Department at legal@fiveguys.nl.

Our franchisees

These are individuals or organisations who enter into an agreement with us to operate a FIVE GUYS® Restaurant under the Five Guys brand in various jurisdictions all over the world. Your personal information will not be shared with all of our franchisees but only those that are relevant to you.

Social media related parties

We have different social media related parties for each area of the world in which we operate – your personal information may be shared with the social media related parties in our area but not all. A list of our current social media related parties and the countries in which they operate is set out below:

  • Quby, Bahrain
  • Qanect, Qatar
  • Toh, UAE
  • Smallfish, Italy
  • DBS, Saudi Arabia/Oman
  • Sociolocal, Ireland/Northern Ireland
  • Iris, Netherlands (through Sept 2018)
  • Sunshine and Sausages, Netherlands (Sept 2018 and beyond)
  • Helpern, UK
  • Dupont Lewis, France
  • Dupont, Spain

We may also disclose your personal information to other third parties, for example:

  • in the event that we sell or buy any business or assets we will disclose your personal information to the prospective seller or buyer of such business or assets;
  • if we or substantially all of our assets are acquired by a third party (or are subject to a reorganisation within our corporate group), personal information held by us will be one of the transferred assets; and
  • if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or we are involved in any litigation with you.

SHARING WITH FRANCHISEES, THIRD PARTIES AND COMPANIES WITHIN THE FIVE GUYS GROUP

Where we act as an independent controller of your personal information we will use your personal information for our own purposes. Sometimes franchisees, third parties and other companies in the Five Guys group will act as controllers of your personal information that we collect. This is where they determine the purposes and means of processing your personal information. They will use your personal information for their own legitimate purposes as described in their respective privacy notices. Please refer to their individual privacy notices for full information about how they collect and process your personal information. The privacy notices for our other group companies can be accessed via the applicable Five Guys websites.

WHERE WILL WE TRANSFER YOUR PERSONAL INFORMATION?

We will process your personal information both within and outside the European Economic Area (EEA) (this includes Bahrain, Kuwait, Oman, Qatar, the United Arab Emirates, Hong Kong and the United States of America, as amended from time to time).

When we transfer personal information outside the EEA, we will implement appropriate and suitable safeguards to ensure that such data will be protected as required by applicable data protection law, for example we will seek to anonymise it. If we can't anonymise your personal information, we will take reasonable steps to ensure that your personal information is protected. To do this we may use a set of standard data protection clauses which have been approved by the European Commission in accordance with Article 46 of the GDPR. For further information as to the safeguards we implement and to obtain a copy please contact the Legal Department at legal@fiveguys.nl.

HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION?

We will retain your personal information for no longer than is necessary for the purposes for which the personal information are processed. The length of time we hold on to your personal information will vary according to what that information is and the reason for which it is being processed.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means. We also consider any applicable legal, regulatory, tax, accounting or other requirements which may specify how long we should retain your personal information for.

Subject to the above, personal information about our customers will be retained by us for seven years from the date of your communication with us to allow us to:

  • respond to any queries or complaints you may have; and
  • fulfil our obligations to the relevant tax authorities depending on where you are resident and other relevant governing bodies.

For further information on our policy and how long we will keep your information for, please contact the Legal Department at legal@fiveguys.nl or by one of the other means of communication set out in the How to Contact Us section below.

DATA SECURITY

We have put in place appropriate security measures to seek to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Legal Department at legal@fiveguys.nl.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

YOUR RIGHTS

The rights below are rights that apply under the EU General Data Protection Regulation and so will predominantly apply if your personal data is used by an entity established in the EEA. Therefore, the rights may not apply to everyone who reads or receives this policy. The rights may only apply in certain circumstances and are subject to certain exemptions. Please see the table below for a summary of your rights. You can exercise these rights using the contact details below.

Summary of your rights

Right of access to your personal information

You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions.

We may require further information in order to respond to your request (for instance, evidence of your identity and information to enable us to locate the specific personal information you require).

Right to rectify your personal information

You have the right to ask us to correct your personal information that we hold where it is incorrect or incomplete.

Right to erasure of your personal information

You have the right to ask that your personal information be deleted in certain circumstances. For example:

  • where your personal information is no longer necessary in relation to the purposes for which they were collected or otherwise used;
  • if you withdraw your consent and there is no other legal ground for which we rely on for the continued use of your personal information;
  • if you object to the use of your personal information (as set out below);
  • if we have used your personal information unlawfully; or
  • if your personal information needs to be erased to comply with a legal obligation.

Right to restrict the use of your personal information

You have the right to suspend our use of your personal information in certain circumstances. For example:

  • where you think your personal information is inaccurate and only for such period to enable us to verify the accuracy of your personal information;
  • the use of your personal information is unlawful and you oppose the erasure of your personal information and request that it is suspended instead;
  • we no longer need your personal information, but your personal information is required by you for the establishment, exercise or defence of legal claims; or
  • you have objected to the use of your personal information and we are verifying whether our grounds for the use of your personal information override your objection.

Right to data portability

You have the right to obtain your personal information in a structured, commonly used and machine-readable format and for it to be transferred to another organisation, where it is technically feasible. The right only applies:

  • to personal information which you have provided to us;
  • where the use of your personal information is based on your consent or is necessary for the performance of a contract; and
  • when the use of your personal information is carried out by automated (i.e. electronic) means.

Right to object to the use of your personal information (including to object to direct marketing, automated decision making and profiling)

You have the right to object to the use of your personal information in certain circumstances and subject to certain exemptions. Examples of this right include:

  • where you have grounds relating to your particular situation and we use your personal information for our legitimate interests (or those of a third party);
  • where we use your personal data to take a decision which is based solely on automated processing where that decision produces a legal effect or otherwise significantly affects you; and
  • if you object to the use of your personal information for direct marketing purposes.

Right to withdraw consent

You have the right to withdraw your consent at any time where we rely on consent to use your personal information.

Right to complain to the relevant data protection authority

You have the right to complain to the relevant Data Protection Authority where you think we have not used your personal information in accordance with data protection law. This will depend on factors such as which FIVE GUYS® Restaurant you visited and the country in which it is located, where you work or reside, or where the infringement occurred. Please see the list of Data Protection Authorities set out in Annex 1 to this Notice for details of the Data Protection Authorities which may be relevant in the event that you have a complaint.

HOW TO COMPLAIN

If you think there is a problem with how your personal information is being handled, please contact us by using the details set out in the How to Contact Us section below.

You also have a right to complain to the Data Protection Authority as specified in the table immediately above. Annex 1 attached to this Notice contains a list of all the Data Protection Authorities in the jurisdictions where Five Guys has its operations as at the date of this Policy. However, there may be other Data Protection Authorities that are relevant to you. Please get in touch using the How to Contact us section below if you require further information.

CHANGES TO OUR PRIVACY POLICY

We will review this Privacy Policy regularly and we reserve the right to make any changes at any time to take account of changes in our business activities and legal requirements and the manner in which we process personal information.

Any changes we make to this Privacy Policy in the future will be posted on the applicable Website.

HOW TO CONTACT US

If you have any questions regarding this Privacy Policy or the way we use your personal information (outside of the USA and Canada), you can contact us by e-mail to the Legal Department at legal@fiveguys.nl, or by mail to:

Attention: Legal Department
Piet Heinkade 55
1019GM Amsterdam, the Netherlands.

This Privacy Policy was last updated in August 2020.

Annex 1

(Data Protection Authorities (DPA))

Country

DPA

Belgium

Commission de la protection de la vie privée

Commissie voor de bescherming van de persoonlijke levenssfeer

Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel: +32 2 274 48 00
Fax: +32 2 274 48 35
E-mail: commission@privacycommission.be
Website: http://www.privacycommission.be/

France

Commission Nationale de l'Informatique et des Libertés – CNIL

8 Rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel: +33 1 53 73 22 22
Fax: +33 1 53 72 22 00
Website: http://www.cnil.fr/

Germany

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

Husarenstraße 30
53117 Bonn
Tel: +49 228 997799 0; +49 228 81995 0
Fax: +49 228 997799 550; +49 228 81995 550
E-mail: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/

Ireland

Data Protection Commissioner

Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel: +353 57 868 4800
Fax: +353 57 868 4757
E-mail: info@dataprotection.ie
Website: http://www.dataprotection.ie/

Italy

Garante per la protezione dei dati personali

Piazza di Monte Citorio, 121
00186 Roma
Tel: +39 06 69677 1
Fax: +39 06 69677 785
E-mail: garante@garanteprivacy.it
Website: http://www.garanteprivacy.it/

Luxembourg

Commission Nationale pour la Protection des Données

1, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette
Tel: +352 2610 60 1
Fax: +352 2610 60 29
E-mail: info@cnpd.lu
Website: http://www.cnpd.lu/

Netherlands

Autoriteit Persoonsgegevens

Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel: +31 70 888 8500
Fax: +31 70 888 8501
E-mail: info@autoriteitpersoonsgegevens.nl
Website: https://autoriteitpersoonsgegevens.nl/nl

Portugal

Comissão Nacional de Protecção de Dados – CNPD

R. de São Bento, 148-3°
1200-821 Lisboa
Tel: +351 21 392 84 00
Fax: +351 21 397 68 32
E-mail: geral@cnpd.pt
Website: http://www.cnpd.pt/

Spain

Agencia de Protección de Datos

C/Jorge Juan, 6
28001 Madrid
Tel: +34 91399 6200
Fax: +34 91455 5699
E-mail: internacional@agpd.es
Website: https://www.agpd.es/

Switzerland

Data Protection and Information Commissioner of Switzerland
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Mr Adrian Lobsiger
Feldeggweg 1
3003 Bern
Tel: +41 58 462 43 95
Fax: +41 58 462 99 96
E-mail: contact20@edoeb.admin.ch

UK

The Information Commissioner's Office

Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel: +44 1625 545 745
E-mail: international.team@ico.org.uk
Website: https://ico.org.uk

FIVE GUYS SUPPLIER PRIVACY POLICY

INTRODUCTION

In this Supplier Privacy Policy (Privacy Policy):

  • References to we, us or our means the Five Guys entity that engages you for the supply of goods or services (and this will be set out in your supply contract that you have with us) (Five Guys). The Five Guys entity will be a subsidiary or affiliated company, as amended from time to time, of Five Guys Holding, Inc. operating outside the USA and Canada in: Belgium, Ireland, Italy, Luxemburg, the Netherlands, and Switzerland. You can obtain further information on our subsidiary or affiliated companies by getting in touch via the How to Contact Us section below.
  • References to you or your means any individual who supplies us with goods or services or is otherwise engaged or employed by one of our Suppliers.
  • References to Supplier means any organisation that supplies goods or services to us.
  • If you are a supplier of Five Guys in the USA or Canada, this Privacy Policy will not apply to you. Please instead refer to our privacy notice at www.fiveguys.com.

PRIVACY POLICY

This Privacy Policy (together with your terms of engagement or contract with us, and any other documents referred to in your terms of engagement or contract with us), sets out the basis on which we collect and use personal information about you when you or a Supplier supply us with goods or services.

This Privacy Policy describes:

  • who is responsible for the personal information that we collect about you;
  • the personal information we collect about you;
  • how we will use it;
  • who we may disclose it to; and
  • your rights and choices in relation to your personal information.

This is to make sure you have a full picture of how we collect and use your personal information.

In this Privacy Policy where we use the words personal information we use these words to describe information that is about you and is information which identifies you.

You have the right to object to our use of your personal information in certain circumstances. A summary of your right to object (along with your other rights under data protection law) and details of who to contact if you want to exercise this right can be found at the How to Contact us section below. For further information on your rights see the Your rights section below.

WHO IS RESPONSIBLE FOR THE PERSONAL INFORMATION THAT WE COLLECT?

For the purpose of data protection law, we are the data controller in respect of your personal information collected and used in connection with the provision by you or the Supplier of goods or services. This is because we dictate the purpose for which your personal information is used and how we use your personal information.

WHAT PERSONAL INFORMATION DO WE HOLD ABOUT YOU?

In the course of the receipt by us of goods and services from you or the Supplier we collect and use personal information about you.

Information that we hold about you

The information that we hold about you may include the following:

Type of Personal Information: Examples

General

  • Contact information: Name, address, email address, telephone number and job title.
  • Communications between you and Five Guys: Communications between you and Five Guys in relation to the goods or services supplied to us and the respective obligations of the parties to the contract.
  • Details of your expertise: Details relating to your skills and expertise, previous work experience and qualifications and details included in any pitch or tender response that you or the Supplier submit to us.
  • Telephone recordings: Recordings of telephone calls with our representatives and call centres.
  • Photographs and video recordings: Images (including photographs and pictures) or video recordings created in connection with our activities, as well as CCTV recordings captured by equipment on our premises.

Financial

  • Financial information and account details: Bank account number, or other financial account number and account details in order that we can make payments to you pursuant to the terms of the contract between you and Five Guys.

We also collect information from other third party and publicly available sources such as Facebook, Instagram, LinkedIn, Snapchat or Twitter (or any other equivalent sources).

WHAT SENSITIVE PERSONAL INFORMATION DO WE HOLD ABOUT YOU?

We may also collect certain sensitive personal information from you (including any special categories of personal data). Where we do so we will rely on your explicit consent or we will notify you if we can rely on a different legal basis for processing this type of information.

INFORMATION ABOUT THIRD PARTIES

In the course of the provision of goods or services to us you may provide us with personal information relating to third parties such as your subcontractors.

We will use this personal information in accordance with this Privacy Policy. If you are providing personal information to us relating to a third party, you confirm that you have the consent of the third party to share such personal information with us and that you have made the information in this Privacy Policy available to the third party.

HOW DO WE USE THE PERSONAL INFORMATION WE COLLECT ABOUT YOU?

We use your personal information for a variety of different purposes during the course of your provision of goods or services to us. In particular, your personal information may be used by us, our employees, service providers, and disclosed to third parties for the purposes set out in the table below. For each of these purposes, we have set out the legal basis upon which we rely in order to use your personal information. This is because, under data protection law, we can only use your personal information if we have a legal basis to do so.

Examples of where we have a legal basis to process your personal information include when:

  • we have your consent;
  • it is necessary to enter into or perform a contract we have with you (or to take steps at your request prior to entering into that contract);
  • it is necessary in order to protect your vital interests;
  • it is in our legitimate interests to process your personal information; or
  • the processing is necessary to comply with a legal duty.

We must tell you which legal basis we are relying on when we use your personal information. The legal basis we rely on is set out below together with the purposes that we use your personal information for.

Purpose: To communicate with you in relation to our dealings with you.
Legal basis:
  • Legitimate interests: We require your personal information in order to enable us to purchase the goods or services we need for the purposes of furthering our business.
  • Performance of a contract we have with you. This will only be applicable if you are a sole trader who is providing us with goods or services.

Purpose: To make payments to you.
Legal basis:
  • Legitimate interests: It is in our legitimate interest to comply with the terms of a contract we have in place with you or a Supplier.
  • Performance of a contract we have with you. This will only be applicable if you are a sole trader who is providing us with goods or services.
  • Necessary for compliance with a legal obligation to which we are subject.

Purpose: To assess any tender response and decide whether your response is sufficient.
Legal basis:
  • Legitimate interests: We require your personal information in order to process and assess your tender response to provide services to us and to enable us to manage and carry out our operations as a business.
  • Necessary to enter into or perform a contract we have with you. This will only be applicable if you are a sole trader.

Purpose: To carry out our obligations arising from our contract with you or the Supplier.
Legal basis:
  • Legitimate interests: It is in our legitimate interest to comply with the terms of a contract we have in place with you or a Supplier.
  • Performance of a contract we have with you. This will only be applicable if you are a sole trader.

Purpose: To manage any service or quality related issues, complaints, feedback and queries in relation to the supply of goods or services in accordance with the terms of the supply contract.
Legal basis:
  • Legitimate interests: We require your personal information in order to ensure the goods or services we receive are fit for purpose and meet the needs of our organisation.
  • Performance of a contract we have with you. This will only be applicable if you are a sole trader.

Purpose: To comply with any legal or regulatory obligations (including in connection with a court order).
Legal basis:
  • Necessary for compliance with a legal obligation to which we are subject.

Purpose: CCTV recordings captured by equipment on our premises to manage any complaints that you may have or that we may have in relation to your performance of the supplier contract.
Legal basis:
  • Legitimate interests: We require your personal information in order to manage your work activities.

Purpose: To maintain internal compliance and audit records.
Legal basis:
  • Legitimate interests: We require your personal information in order to ensure we manage and carry out our business operations in the best interests of our shareholders and customers.

WHO MAY WE DISCLOSE YOUR PERSONAL INFORMATION TO?

You agree that we may share your personal information with:

Type of third party

Examples

General

Our group companies

Other companies and entities that are part of the Five Guys Group.

Our service providers

Our business partners, suppliers and sub-contractors for the performance of any contract we enter into with you for example:

  • our IT systems providers ComputerHulp;
  • our IT cloud service solution which is Microsoft's Office 365 OneDrive, Outlook, Word, Excel, PowerPoint, OneNote, SharePoint;
  • members of Transperfect Translations International Inc. in relation to translation services;
  • Food Alert Limited;
  • Marketforce Information LLC; and
  • NCR Corporation in relation to our point of sale solutions.

A current list of these third party service providers with whom we share your personal information can be provided to you on application to the Legal Department at legal@fiveguys.nl.

Our professional advisers

Including accountants, lawyers and other professional advisers that assist us in carrying out our business activities, a current list of these third parties can be provided to you on application to the Legal Department at legal@fiveguys.nl.

Government authorities and third parties involved in court action

External agencies and organisations (including the police and other law enforcement agencies) for the purpose of complying with applicable legal and regulatory obligations. For a full list of third parties with whom your particular personal information may be shared, please contact the Legal Department at legal@fiveguys.nl.

Our franchisees

These are individuals or organisations who enter into an agreement with us to operate a restaurant under the Five Guys brand in various jurisdictions worldwide. Your personal information will not be shared with all of our franchisees but only those that are relevant to you.

We may also disclose your personal information to other third parties, for example:

  • in the event that we sell or buy any business or assets we will disclose your personal information to the prospective seller or buyer of such business or assets;
  • if we or substantially all of our assets are acquired by a third party (or are subject to a reorganisation within our corporate group), personal information held by us will be one of the transferred assets; and
  • if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or we are involved in any litigation with you.

WHERE WILL WE TRANSFER YOUR PERSONAL INFORMATION?

We will process your personal information both within and outside the European Economic Area (EEA) (this includes Bahrain, Kuwait, Oman, Qatar, the United Arab Emirates, Hong Kong and the United States of America, as amended from time to time).

When we transfer personal information outside the EEA, we will implement appropriate and suitable safeguards to ensure that such data will be protected as required by applicable data protection law, for example we will seek to anonymise it. If we can't anonymise your personal information, we will take reasonable steps to ensure that your personal information is protected. To do this we may use a set of standard data protection clauses which have been approved by the European Commission in accordance with Article 46 of the GDPR. For further information as to the safeguards we implement and to obtain a copy please contact the Legal Department at legal@fiveguys.nl.

HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION?

We will retain your personal information for no longer than is necessary for the purposes for which the personal information is processed. The length of time we hold on to your personal information will vary according to what that information is and the reason for which it is being processed.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means. We also consider any applicable legal, regulatory, tax, accounting or other requirements which may specify how long we should retain your personal information for.

Subject to the above, we will keep your personal information for the duration of our contract with you or the Supplier and for a period of seven years after that contract is terminated.

If you or the Supplier submits a tender response to us and this is unsuccessful we will only retain your personal information for such period as is in our reasonable business interests from the date that you or the Supplier are notified that the submission was unsuccessful. For further information on our policy and how long we will keep your personal information for, please contact the Legal Department at legal@fiveguys.nl or by one of the other means of communication set out in the How to Contact Us section below.

DATA SECURITY

We have put in place appropriate security measures to seek to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Legal Department at legal@fiveguys.nl.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

YOUR RIGHTS

The rights below are rights that apply under the EU General Data Protection Regulation and so will predominantly apply if your personal data is used by an entity established in the EEA. Therefore, the rights may not apply to everyone who reads or receives this policy. The rights may only apply in certain circumstances and are subject to certain exemptions. Please see the table below for a summary of your rights. You can exercise these rights using the contact details below.

Summary of your rights

Right of access to your personal information

You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions.

We may require further information in order to respond to your request (for instance, evidence of your identity and information to enable us to locate the specific personal information you require).

Right to rectify your personal information

You have the right to ask us to correct your personal information that we hold where it is incorrect or incomplete.

Right to erasure of your personal information

You have the right to ask that your personal information be deleted in certain circumstances. For example:

  • where your personal information is no longer necessary in relation to the purposes for which it was collected or otherwise used;
  • if you withdraw your consent and there is no other legal ground on which we rely for the continued use of your personal information;
  • if you object to the use of your personal information (as set out below);
  • if we have used your personal information unlawfully; or
  • if your personal information needs to be erased to comply with a legal obligation.

Right to restrict the use of your personal information

You have the right to suspend our use of your personal information in certain circumstances. For example:

  • where you think your personal information is inaccurate and only for such period to enable us to verify the accuracy of your personal information;
  • the use of your personal information is unlawful and you oppose the erasure of your personal information and request that it is suspended instead;
  • we no longer need your personal information, but your personal information is required by you for the establishment, exercise or defence of legal claims; or
  • you have objected to the use of your personal information and we are verifying whether our grounds for the use of your personal information override your objection.

Right to data portability

You have the right to obtain your personal information in a structured, commonly used and machine-readable format and for it to be transferred to another organisation, where it is technically feasible. The right only applies:

  • to personal information which you have provided to us;
  • where the use of your personal information is based on your consent or is necessary for the performance of a contract; and
  • when the use of your personal information is carried out by automated (i.e. electronic) means.

Right to object to the use of your personal information (including to object to direct marketing, automated decision making and profiling)

You have the right to object to the use of your personal information in certain circumstances and subject to certain exemptions. Examples of this right include:

  • where you have grounds relating to your particular situation and we use your personal information for our legitimate interests (or those of a third party);
  • where we use your personal data to take a decision which is based solely on automated processing where that decision produces a legal effect or otherwise significantly affects you; and
  • if you object to the use of your personal information for direct marketing purposes.

Right to withdraw consent

You have the right to withdraw your consent at any time where we rely on consent to use your personal information.

Right to complain to the relevant data protection authority

You have the right to complain to the relevant Data Protection Authority, where you think we have not used your personal information in accordance with data protection law. This will depend on factors such as which Five Guys entity you are dealing with and the country in which it is located, where you reside or where the infringement occurred. Please see the list of Data Protection Authorities set out in Annex 1 to this Notice for details of the Data Protection Authorities which may be relevant in the event that you have a complaint.

HOW TO COMPLAIN

If you think there is a problem with how your personal information is being handled, please contact us by using the details set out in the How to Contact Us section below.

You also have a right to complain to the Data Protection Authority in either the place you work, the place you live or the place the infringement occurred. Annex 1 attached to this Notice contains a list of all the Data Protection Authorities in the jurisdictions where Five Guys has its operations as at the date of this Policy. However, there may be other Data Protection Authorities that are relevant to you. Please get in touch using the How to Contact Us section below if you require further information.

CHANGES TO OUR PRIVACY POLICY

We will review this Privacy Policy regularly and we reserve the right to make any changes at any time to take account of changes in our business activities and legal requirements and the manner in which we process personal information.

Any changes we make to this Privacy Policy in the future will be posted on the “Five Guys Patty Press” and, where appropriate, we will give you reasonable advance notice of any changes by email.

HOW TO CONTACT US

If you have any questions regarding this Privacy Policy or the way we use your personal information (outside of the USA and Canada), you can contact us by e-mail to the Legal Department at legal@fiveguys.nl, or by mail to:

Attention: Legal Department
Piet Heinkade 55
1019GM Amsterdam, the Netherlands.

This Privacy Policy was last updated in August 2018.

Annex 1

(Data Protection Authorities (DPA))

Country

DPA

Belgium

Commission de la protection de la vie privée

Commissie voor de bescherming van de persoonlijke levenssfeer

Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel: +32 2 274 48 00
Fax: +32 2 274 48 35
E-mail: commission@privacycommission.be
Website: http://www.privacycommission.be/

France

Commission Nationale de l'Informatique et des Libertés – CNIL

8 Rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel: +33 1 53 73 22 22
Fax: +33 1 53 72 22 00
Website: http://www.cnil.fr/

Germany

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

Husarenstraße 30
53117 Bonn
Tel: +49 228 997799 0; +49 228 81995 0
Fax: +49 228 997799 550; +49 228 81995 550
E-mail: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/

Ireland

Data Protection Commissioner

Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel: +353 57 868 4800
Fax: +353 57 868 4757
E-mail: info@dataprotection.ie
Website: http://www.dataprotection.ie/

Italy

Garante per la protezione dei dati personali

Piazza di Monte Citorio, 121
00186 Roma
Tel: +39 06 69677 1
Fax: +39 06 69677 785
E-mail: garante@garanteprivacy.it
Website: http://www.garanteprivacy.it/

Luxembourg

Commission Nationale pour la Protection des Données

1, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette
Tel: +352 2610 60 1
Fax: +352 2610 60 29
E-mail: info@cnpd.lu
Website: http://www.cnpd.lu/

Netherlands

Autoriteit Persoonsgegevens

Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel: +31 70 888 8500
Fax: +31 70 888 8501
E-mail: info@autoriteitpersoonsgegevens.nl
Website: https://autoriteitpersoonsgegevens.nl/nl

Portugal

Comissão Nacional de Protecção de Dados – CNPD

R. de São Bento, 148-3°
1200-821 Lisboa
Tel: +351 21 392 84 00
Fax: +351 21 397 68 32
E-mail: geral@cnpd.pt
Website: http://www.cnpd.pt/

Spain

Agencia de Protección de Datos

C/Jorge Juan, 6
28001 Madrid
Tel: +34 91399 6200
Fax: +34 91455 5699
E-mail: internacional@agpd.es
Website: https://www.agpd.es/

Switzerland

Data Protection and Information Commissioner of Switzerland
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Mr Adrian Lobsiger
Feldeggweg 1
3003 Bern
Tel: +41 58 462 43 95
Fax: +41 58 462 99 96
E-mail: contact20@edoeb.admin.ch

UK

The Information Commissioner's Office

Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel: +44 1625 545 745
E-mail: international.team@ico.org.uk
Website: https://ico.org.uk

DATA PROTECTION POLICY
THE FIVE GUYS GROUP

Document Control

Document Description: The Five Guys Group Data Protection Policy
Version: 2.0
Date Created: May 2018
Status: Final

Document Owner

Authorisation

Name

Signature

Date

Prepared By:

Checked By

Version Control

Version number | Date | Author | Reason for New Version
1.0 | May 2018 | | Initial draft
1.1 | July 2018 | | Revised draft
1.2 | 3 August 2018 | | Revised draft
1.3 | 22 August 2018 | | Final draft

Date last reviewed: August 2018
Date of next review: August 2019

  1. PURPOSE AND SCOPE OF THE POLICY

    1. This Policy deals with the roles and responsibilities of the Five Guys Group with regard to the processing of Personal Data and has been prepared to help the Five Guys Group comply with its obligations under the General Data Protection Regulation (GDPR).
    2. If you work for a Five Guys Group entity in the USA or Canada, you must refer to the data protection policy that has been prepared for these specific entities. These can be accessed at www.fiveguys.com.
    3. This Policy applies to all Personal Data Processed by the Five Guys Group, including hard copy and electronic records.
    4. This Policy applies to all individuals working within the Five Guys Group, including directors, employees, consultants, contractors, casual and agency workers (referred to together in this Policy as Personnel).
    5. All those to whom this Policy applies are referred to as you and your in this Policy and references to we, us or our refer to the Five Guys Group.
    6. We process Personal Data about employees, potential employees and former employees, contractors, franchisees, individuals employed by suppliers, customers and professional advisers such as legal advisers.
    7. The Five Guys Group is responsible for ensuring that we comply with the GDPR. Protecting the confidentiality and integrity of Personal Data is a responsibility that we take seriously at all times. A description of the data protection principles to help safeguard Personal Data under the GDPR is set out in paragraph 3 below.
    8. It is important for you to familiarise yourself with and comply with this Policy, to help ensure that all processing of Personal Data by or on behalf of the Five Guys Group is carried out in accordance with the GDPR.
    9. This Policy forms part of the Five Guys Group Information Governance Framework. The Framework includes a number of additional policies and procedures, which Personnel should familiarise themselves with. Details of the Information Governance Framework can be found in Appendix 1.
    10. This Policy does not form part of any employee’s contract of employment and it may be amended at any time.
    11. It is important that you take responsibility for ensuring that you act in accordance with this Policy. Any breach of this Policy by you will be taken seriously and may result in disciplinary action. It may also result in us breaching the GDPR or other legal requirements.
    12. The Department Head will be responsible for ensuring all Personnel comply with this Policy and needs to implement appropriate practices, processes, controls and training to ensure such compliance. A list of the Departmental Heads can be requested by contacting the Legal Department at legal@fiveguys.nl.
    13. Any questions about the operation of this Policy or any concerns that the Policy has not been followed should be referred in the first instance to the Legal Department, who can be contacted at legal@fiveguys.nl.
  2. DEFINITIONS

    1. In this Policy, the following words have the meanings set out below:

      Data Controller – means the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. For example, each Five Guys Group company will be the Data Controller of the Personal Data about its employees.

      Data Processors – means an organisation that processes Personal Data on behalf of a Data Controller in accordance with the Data Controller's instructions. The Five Guys Group may use a Data Processor to Process Personal Data on its behalf, for example TMF Netherlands B.V. who provide payroll and human resources services to us.

      Five Guys Group means FGE International B.V., a private limited liability company, incorporated under the laws of the Netherlands, having its office address at Piet Heinkade 55, 1019 GM Amsterdam, The Netherlands and registered with the Trade Register under number 61334790, together with its subsidiaries, parent and its affiliated entities (collectively, Five Guys). More information on the Five Guys Group can be requested by contacting the Legal Department at legal@fiveguys.nl.

      Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For example, sending an e-mail containing Personal Data of a Five Guys Group employee, including their remuneration details, to a third party that is not entitled to see it. Please see the Security Breach Notification and Reporting Policy for further details.

      Data Subject means a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

      Personal Data means any information about an individual which identifies them. A person does not need to be named in a document for the document to include Personal Data. If it is obvious from the document who the information relates to, this is enough to constitute Personal Data. Similarly, if it is obvious who the document is about when it is used in conjunction with other information held, this will also be enough to constitute Personal Data. Personal Data might include: a name; e-mail address; date of birth; an ID number; location data; an online identifier; one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; or an opinion about an individual.

      Process(ing) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

      Special Category Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

      Website means the websites found at:

  3. DATA PROTECTION PRINCIPLES

    1. Anyone using Personal Data must do so in accordance with the principles set out in the GDPR. Those principles state that Personal Data must be:
      1. Processed fairly, lawfully and transparently;
      2. collected for specified, explicit and legitimate purposes and not used in a manner which is incompatible with those purposes;
      3. adequate, relevant and not excessive;
      4. accurate and, where necessary, up to date;
      5. kept for no longer than is necessary; and
      6. used in a way which ensures the Personal Data is kept secure.
    2. We are responsible for ensuring that we comply with the principles set out above and we must be able to demonstrate the steps that we have taken to comply. This is known as the accountability principle under the GDPR.
    3. We describe how you can help us satisfy these principles by setting out some practical examples in paragraphs 4 to 9 below.
  4. FAIR AND LAWFUL PROCESSING

    1. Personal Data must be Processed fairly, lawfully and in a transparent manner in relation to the Data Subject.
    2. You may only Process Personal Data on the basis of one or more of the legal bases set out in the GDPR. The list below identifies the legal bases which are most likely to apply to the Five Guys Group:
      1. the Data Subject has given consent;
      2. the Processing is necessary for the performance of a contract with the Data Subject;
      3. the Processing is necessary to meet our legal obligations;
      4. the Processing is necessary to protect the Data Subject's vital interests; for example where the subject of the Personal Data is physically or legally incapable of giving consent (this is intended to cover matters of life and death); or
      5. to pursue our legitimate interests, except where the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects.
    3. Special Category Personal Data must be treated more carefully by us so, where you wish to Process Special Category Personal Data, you must also be able to justify the Processing under a list of narrower legal bases. These include when:
      1. the Data Subject has given explicit consent;
      2. the Processing is necessary for the purpose of carrying out the obligations or exercising our legal rights in the field of employment;
      3. the Processing is necessary to protect the vital interests of an individual where the subject of the Personal Data is physically or legally incapable of giving consent (this is intended to cover matters of life and death);
      4. Personal Data is manifestly made public;
      5. the Processing is necessary for the establishment, exercise or defence of legal claims; or
      6. the Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee and medical diagnosis. This legal basis will only apply if the Processing is carried out by, or under the responsibility, of a person subject to a legal or professional duty of confidence (for instance, a doctor).
    4. You must identify and document the legal ground being relied on for each Processing activity. If you are in any doubt about which legal basis applies to the Processing, please contact the Legal Department, via e-mail at legal@fiveguys.nl for further advice and guidance.
    5. The GDPR requires Data Controllers to provide detailed, specific information to Data Subjects about how their Personal Data is used. Such information must be provided through appropriate Privacy Notices, which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.
    6. The Five Guys Group has adopted and maintains Privacy Notices for employees, franchisees, customers and suppliers. The Privacy Notices set out the legal basis on which the Five Guys Group relies to process the Personal Data for the purposes identified in the Privacy Notices. For a copy of our Privacy Notices, please contact the Legal Department at legal@fiveguys.nl.
    7. You should check that the way you are using Personal Data is covered by the purposes detailed in the Privacy Notice. If it is not, you should refer to the Legal Department, via e-mail at legal@fiveguys.nl who will then consider the Processing and will take the appropriate action, which may include carrying out a Data Protection Impact Assessment (DPIA) and / or updating the relevant Privacy Notice.
  5. SPECIFIED PURPOSE

    1. Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.
    2. You should not use Personal Data for new, different or incompatible purposes from those purposes disclosed when the Personal Data was first obtained. If it becomes necessary for us to use or disclose the Personal Data for any purpose that is additional to or different from the originally specified purpose (i.e. to change the purpose for which the Personal Data is Processed), the Data Subject must be informed of the new purpose before any new processing occurs. Consent may also need to be obtained from the Data Subject to the proposed new use of their Personal Data.
    3. If you plan to use Personal Data for any new purposes, you should contact the Legal Department, via e-mail at legal@fiveguys.nl for further advice and guidance.
  6. DATA MINIMISATION

    1. Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
    2. Personal Data should only be collected to the extent that it is required for the specific purpose(s) notified to the Data Subject. Any Personal Data which is not necessary for that purpose should not be collected by Personnel in the first place.
    3. You may only Process Personal Data if and when the performance of your job duties requires it. You should not Process Personal Data for any reason unrelated to your job duties.
    4. You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Five Guys Group data retention policy. For further information on this policy, please see section 8 below.
  7. ACCURACY

    1. Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
    2. You will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards.
    3. Where appropriate, you should assess the accuracy of Personal Data at the time of collection from sources other than the individual to whom the Personal Data relates.
    4. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
    5. Any challenges to the accuracy of the Personal Data by the Data Subject should be processed and carefully considered in line with paragraph 12 of this Policy.
    6. Where Personal Data is duplicated and held separately at different departments, locations or different systems, please ensure that all updates or amendments to Personal Data are communicated to all parties and departments holding copies of the Personal Data and all systems holding the Personal Data are updated. Please communicate any updates or amendments to the Legal Department at legal@fiveguys.nl.
  8. KEPT FOR NO LONGER THAN IS NECESSARY

    1. Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the Personal Data is Processed.
    2. This means you must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which it was originally collected, including for the purpose of satisfying any legal, accounting or reporting requirements.
    3. Data Subjects should be informed of the period for which their Personal Data is stored and how that period is determined. This is communicated to them at a high level in the relevant Privacy Notice at section 4.6. For further information on retention periods, please contact the Legal Department at legal@fiveguys.nl.
  9. SECURITY

    1. Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction, damage, access, use or disclosure.
    2. We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.
    3. You are responsible for protecting the Personal Data we hold. You must follow the procedures we set out to protect the Personal Data we hold from unlawful or unauthorised Processing and against the accidental loss of, destruction or damage to that Personal Data. You must exercise particular care in protecting Special Category Personal Data from unauthorised or unlawful Processing and against accidental loss, destruction, damage, access, use or disclosure of such Special Category Personal Data.
    4. You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
      1. confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it;
      2. integrity means that Personal Data is accurate and suitable for the purpose for which it is Processed; and
      3. availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.
    5. You must comply with all applicable aspects of our internal compliance policies which you received when you became an employee or are otherwise engaged with us and which have been made available to you (e.g. as laid down in the Five Guys Group's employee handbook, the Website, Five Guys internal SharePoint). Copies of these policies can be obtained from the Legal Department at legal@fiveguys.nl. You should not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain to protect Personal Data.
    6. You may only transfer or allow access to Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested. Please see section 16 for further details on the relevant requirements.
    7. All Personnel who Process Personal Data must carry out appropriate training.
  10. PERSONAL DATA BREACHES

    1. The GDPR requires Data Controllers to notify certain Personal Data Breaches to the applicable regulator and, in certain instances, the Data Subject.
    2. You must comply with the Security Breach Notification and Reporting Policy if you become aware of or suspect that a Personal Data Breach has occurred.
  11. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA

    1. The GDPR restricts transfers of Personal Data to countries outside the EEA in order to ensure that the level of protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that Personal Data in or to a different country.
    2. Personal Data should not be transferred outside of the EEA, including being accessed outside of the EEA, unless this has first been discussed with the Legal Department so that appropriate procedures can be implemented.
  12. RIGHTS OF DATA SUBJECTS

    1. Data Subjects have rights when it comes to how we Process their Personal Data. These include rights to:
      1. withdraw consent to Processing at any time;
      2. receive certain information about the Data Controller’s Processing activities;
      3. request access to their Personal Data that we hold (referred to as a Subject Access Request or SAR);
      4. object to our use of their Personal Data for direct marketing purposes;
      5. request erasure of Personal Data, if it is no longer necessary in relation to the purposes for which it was collected or Processed;
      6. rectify inaccurate data or complete incomplete data;
      7. restrict Processing in specific circumstances;
      8. object to Processing which has been justified on the basis of our legitimate interests or in the public interest;
      9. request a copy of an agreement under which Personal Data is transferred outside of the EEA;
      10. object to decisions based solely on automated decision making, including profiling;
      11. prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
      12. be notified of a Personal Data Breach which is likely to result in high risk to the Data Subject's rights and freedoms;
      13. make a complaint to the supervisory authority; and
      14. in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format (referred to as data portability).
    2. You must immediately forward any Data Subject request you receive to the Legal Department and your local regional managers in the country in which you work, who will consider the request, consulting with the appropriate Five Guys team if necessary, and prepare an appropriate response.
  13. ACCOUNTABILITY

    1. The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles. In practice this means that the Five Guys Group needs to be proactive and organised about its approach to data protection and evidencing the steps that have been taken to comply.
    2. You must keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects' Consents and procedures for obtaining Consents.
  14. PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENT (DPIA)

    1. We are required to implement privacy by design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data protection principles.
    2. Privacy by design means that, for example, when considering new purposes for Processing Personal Data or implementing new technology, you need to consider the impact the Processing will have on Data Subjects for the whole lifecycle of the Processing (i.e. from start to finish of the Processing of the Personal Data).
    3. You must assess what privacy by design measures can be implemented on all programs / systems / processes that Process Personal Data by taking into account the following:
      1. the state of the art;
      2. the cost of implementation;
      3. the nature, scope, context and purposes of Processing; and
      4. the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
    4. Data Controllers must also conduct DPIAs in respect of high risk Processing. Some examples of high risk Processing include: systematic and extensive profiling with significant effects on data subjects; when Processing biometric data; or data matching by combining, comparing or matching Personal Data obtained from multiple sources.
    5. You should conduct (and document) a DPIA (and discuss your findings with the Legal Department and your local regional manager) when implementing major systems or business change programs involving the Processing of Personal Data including:
      1. use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
      2. automated Processing including profiling and automated decision making;
      3. large scale Processing of Special Category Personal Data;
      4. Processing biometric or genetic data;
      5. carrying out data matching using Personal Data obtained from multiple sources;
      6. tracking a Data Subject's geolocation or behaviour, including but not limited to the online environment; and
      7. large scale, systematic monitoring of a publicly accessible area.
    6. If you believe you should conduct a DPIA, you should contact the Legal Department and your local regional manager for further advice and guidance.
  15. DIRECT MARKETING

    1. In addition to the GDPR there are other rules and privacy laws that apply to direct marketing. These are complex and vary depending on the method of marketing (for example, marketing by email) and the type of recipient (for example, private individuals or corporate subscribers).
    2. If you plan to undertake direct marketing you should contact the Legal Department and your local regional manager for further advice and guidance.
  16. SHARING PERSONAL DATA

    1. Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
    2. You may only share the Personal Data we hold with another employee, agent or representative of our group if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions as detailed in section 11.
    3. If you plan to share Personal Data with a third party, you are expected to have evaluated that the third party applies appropriate technical and organisational security measures to protect the Personal Data, prior to any sharing taking place.
    4. In addition, before sharing any Personal Data with a third party please contact the Legal Department for further advice and guidance.
  17. COMPLAINTS

    1. Complaints from Data Subjects should be dealt with as follows:
      1. if the Data Subject is an employee of Five Guys Group, please refer the complaint to hrinternational@fiveguys.nl;
      2. if the Data Subject is a customer, please refer the complaint to privacy@fiveguys.com; and
      3. for all other complaints concerning Personal Data, please refer to the Legal Department at legal@fiveguys.nl.
    2. If the complaint relates to a Personal Data Breach, please refer to the Security Breach Notification and Reporting Policy.
  18. CONSEQUENCES OF FAILING TO COMPLY WITH THIS POLICY

    1. Any failure to comply with this Policy may be treated as a disciplinary matter and, following an investigation, may be regarded as misconduct leading to disciplinary action, up to and including dismissal, as per the Five Guys Group's disciplinary policy, which is covered in the Five Guys Group's employee handbook. In certain circumstances, misuse of Personal Data will constitute a criminal offence.
  19. REVIEW AND CHANGES TO THE POLICY

    1. The Legal Department shall have overall responsibility for reviewing this Data Protection Policy to ensure that it meets legal requirements and reflects best practice. The Data Protection Policy will be reviewed annually or more often if deemed necessary by the Legal Department.
    2. Any updates to this Data Protection Policy will be uploaded to the Website. It is your responsibility to check back regularly to obtain the latest copy of this Data Protection Policy.
    3. This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Five Guys Group operates. Certain countries may have localised variances to this Data Protection Policy which are available upon request to the Legal Department by email to legal@fiveguys.nl.

APPENDIX 1

INFORMATION GOVERNANCE FRAMEWORK

An Information Governance Framework establishes the Five Guys Group's approach to handling and protecting the data it Processes, known as information governance. The Framework is made up of policies, procedures and guidance documents to help Personnel comply with our regulatory and legal obligations to protect Personal Data, both electronic and paper.

The documents that form part of the Five Guys Group's Information Governance Framework include:

  • Data Protection Policy
  • Security Breach Notification and Reporting Policy
  • Privacy Policy – employee, customer, supplier and franchisee
  • Intra Group Data Sharing Agreement