Personal data protection policy

Last updated on 26/03/2024

As part of its provision of the Application and/or the website accessible at https://o-tacos.com/fr/ (hereinafter referred to as "the Website") to Users and/or connection to the Application and/or the Website and/or use thereof by the User, O'TACOS HOLDING INTERNATIONAL (a simplified joint stock company with capital of 1.000 euros, whose registered office is at Cap Sud, 106, avenue Max Dormoy, 92120 MONTROUGE, registered in the NANTERRE Trade and Companies Register under number 819 957 101) and O'TACOS CORPORATION (a simplified joint stock company with capital of 1.000,000, whose registered office is at Cap Sud, 106, avenue Max Dormoy, 92120 MONTROUGE, registered with the Nanterre Trade and Companies Register under number 809 849 615) collect and process the User's personal data. O'TACOS HOLDING INTERNATIONAL and O'TACOS CORPORATION (hereinafter collectively referred to as "O'TACOS" or "we") act in this capacity as data controllers within the meaning of the General Data Protection Regulation (GDPR)1.

The purpose of this personal data protection policy is to inform you of the methods of collecting, processing, using, sharing and protecting your personal data via the Application and/or the Website, the purposes for which it is used, and the rights you have with regard to said data.

WHEN YOU CREATE A PERSONAL ACCOUNT ON THE APPLICATION OR WEBSITE, WHEN YOU CONNECT TO THE APPLICATION OR WEBSITE AND WHEN YOU USE IT, YOU ACCEPT THAT YOUR PERSONAL DATA MAY BE COLLECTED AND PROCESSED IN ACCORDANCE WITH THE PROVISIONS OF THIS PERSONAL DATA PROTECTION POLICY. IF YOU DO NOT CONSENT TO THE TERMS OF THIS POLICY, YOU MUST NOT CREATE AN ACCOUNT ON THE APPLICATION AND/OR WEBSITE, OR USE THEM.

This personal data protection policy is governed by French law. Notwithstanding the foregoing, if the User is a consumer and his/her habitual residence is located in a European Union country other than France, the mandatory provisions of the User's country of residence will apply.

In the event of any dispute relating to this policy, the French courts shall have jurisdiction. Notwithstanding the foregoing, if the User is a consumer and his/her habitual residence is located in a European Union country other than France, the mandatory provisions of the User's country of residence will apply.

In the event that a legislative or regulatory amendment or a court ruling invalidates a clause of this personal data protection policy, the other clauses shall remain valid.

We may make changes to this personal data protection policy, in particular to comply with any changes in legislation, regulations, case law or technology. The version that can be consulted on the Application and the Website is the current version; the date of its update will be clearly identified at the top of the personal data protection policy.

Article 1: What is personal data?

Personal data (hereinafter referred to as "Personal Data") is any information relating directly or indirectly to an identified or identifiable natural person (surname, first name, telephone number, location data, etc.).

Article 2: What information is provided about the processing of personal data?

O'TACOS implements all of its Personal Data Processing in accordance with the relevant rules, and in particular:

  • General Data Protection Regulation no. 2016/679, which came into force on 25 May 2018, and

  • French Data Protection Act no. 78-17 of 6 January 1978, as amended.

The Processing of Personal Data carried out as part of the operation of the Website and the Application complies with the principles of fairness, legality and transparency. O'TACOS undertakes to provide clear, complete and easily accessible information on how such processing is carried out.

The scope of the use and management of the Website and the Application leads O'TACOS to carry out the Processing of Personal Data detailed in the table below:

| Purpose of processing | Personal data transmitted to O'TACOS | Legal basis for processing personal data | How long we keep your personal data |
| --- | --- | --- | --- |
| Management of initial contact requests from users of the Website | Last name, First name, Email, Address | Legitimate interest of O'TACOS | Retention for a period of 3 years after the last contact from the user of the Website |
| Management of customer account creation via the Application | Name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your O'TACOS product preference(s), Your favourite O'TACOS restaurant(s) | Consent to use the Application | Retention for a period of 3 years after the last order placed via the Application |
| Loyalty programme management via the Application | Name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable | The User's consent to join the O'TACOS loyalty programme | Retention for a period of 3 years from the last use of loyalty points on the Application |
| Managing customer payments via the Application | Surname, First Name, E-mail, Restaurants where the User has placed orders, Products ordered | Contractual performance between O'TACOS and the User of the Application | Retention for a period of 10 years from the date of issue of the invoices |
| Click and Collect service management via the Application | Name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable | Contractual performance between O'TACOS and the User of the Application | Retention for a period of 3 years from the last order placed by the User of the Application |
| O'TACOS Customer Service Management | Last name, First name, Order reference, IBAN | Legitimate interest of O'TACOS | Retention from the start to the end of the resolution of the User's dispute. In the event of litigation, retention during all phases of litigation, then deletion once all avenues of appeal have been exhausted. |
| Management of satisfaction surveys via O'TACOS restaurants | Last name, First name, E-mail, Age, Date of birth, Postcode, Sex | Legitimate interest of O'TACOS | Retention for as long as necessary to achieve the purpose of the survey |
| Newsletter management via the Application and/or the Website | Last name, First name, E-mail, Sex, Date of birth, Postal address, Country of location, Your favourite O'TACOS product(s), Your favourite O'TACOS restaurant(s), Photo of student card if applicable | The User's consent to receive newsletters and promotional offers | Retention for a period of 3 years after the last interaction of the User of the Application and/or the Website with an interest in O'TACOS products. |
| Managing the recruitment of new O'TACOS franchised restaurants via the Website | Surname, First name, E-mail, Postal address, Telephone number, Date of birth, Professional life, CV, Proof of bank account status, Identity document | Pre-contractual and contractual performance of O'TACOS and the franchised restaurant | Retention for a period of 10 years after termination of the franchise agreement. If the profile is not selected for the opening of the new franchised restaurant, retention for a period of 6 months |
| Management of processing and responses to requests for individual rights via the Website and/or the Application | Last name, First name, E-mail | Legal obligation of O'TACOS | Retention for a period of 10 years from the closure of the individual entitlement request |
| Management of activity and traffic on the Website and Application | Mobile IP address, Type of Internet browser, Operating system, IOS of the mobile or tablet, Connection URL including associated date and time, Content accessible via the Application and the Website. | Legitimate interests of O'TACOS | Storage for a maximum of 13 months |
| Management of dual authentication on the Application | Email address | Legitimate interest of O'TACOS | Retention for the time of Customer authentication |

Article 3: Where is your personal data stored?

O'TACOS may store your personal data and pass them on to subcontractors for the following purposes:

  • Management of the hosting of the Website and the Application,

  • Management of the Click and Collect service via the Application,

  • Online payment management via the Application,

  • Management of satisfaction surveys via O'TACOS restaurants,

  • O'TACOS customer service management,

  • Managing the recruitment of new O'TACOS franchised restaurants,

  • The management of newsletters and promotional offers via the Website and/or the Application,

  • Management of IT resources and maintenance of the Website and the Application.

In this context, O'TACOS undertakes to check that these subcontractors comply with the rules on the protection of Personal Data, and to implement a dedicated contractual framework, under the conditions required by the aforementioned rules.

O'TACOS may also submit certain information to authorised persons and entities internally (company employees, management and agents) and externally, in particular to third parties authorised by virtue of legal, administrative or judicial prerogatives.

O'TACOS may transfer your Personal Data outside the European Union if you agree to your data being used for statistical purposes, audience measurement to improve our services and to send you newsletters and promotional offers.

Nevertheless, in the event of data being transferred outside the European Union, O'TACOS will apply the regulatory framework necessary and appropriate to the situation of the said Transfer, ensuring:

  • Personal Data is transferred to a country with an adequate level of protection, or,

  • Signing the Standard Contractual Clauses (SCC) proposed by the European Commission or,

  • Any other guarantee considered appropriate within the meaning of Article 46 of the GDPR.

Article 4: Personal data of minors

Within all the countries in which O’TACOS provides its products and services (France, Italy, Belgium, Spain, Luxembourg, Netherlands, Germany, Switzerland), minors under the age of 16 may not create an account on the Application and the Website. Minors over the age of 16 may create their own account on the Application and the Website.

In the event that a parent or guardian with parental authority becomes aware that their child has provided us with Personal Data without their consent, we invite them to contact us in accordance with the procedures set out in Article 10 of this personal data protection policy.

We will take the necessary steps to remove this information from our database in accordance with applicable regulations.

Article 5: How is your Personal Data secured?

O'TACOS undertakes to take all necessary precautions to ensure the security of your Personal Data.

To this end, O'TACOS undertakes to apply all the technical and organisational measures within the meaning of Article 32 of the GDPR, which will ensure the confidentiality, integrity and availability of Personal Data, and thus a sufficient level of protection of the latter.

O'TACOS and its employees have been trained and made aware of the protection of Personal Data, including the consideration and application of the said measures.

In the event of a breach of your Personal Data, i.e. if the Personal Data for which we are responsible suffers a security incident that results in a breach of its confidentiality, availability or integrity, we will notify the Commission Nationale de l'Informatique et des Libertés (CNIL), as well as any competent national supervisory authority, where applicable, under the conditions prescribed by the applicable regulations.

Article 6: What are your rights? 

You have the right to exercise the following individual rights at any time:

  • The right to request access to the data: 

O’TACOS allows you to know the list of your personal data processed within the framework of the processing purposes of the present Policy, and to have them in a clear and understandable format through an access rights report that will list all the processed data. 

  • The right to request rectification of data: 

O'TACOS allows you to request the modification of your personal data processed in the context of the processing purposes of the present Policy, especially in the case where any personal data is incomplete or incorrect in the O'TACOS information system. You will receive confirmation and proof of successful rectification as part of your request. 

  • The right to request the deletion of data: 

O'TACOS allows you to request the deletion of all your personal data that are processed for the purposes set out in the present Policy, especially when your Personal Data are no longer required for these purposes, when you have objected to the execution of data processing without O’TACOS being able to retain the data for a legitimate or compelling reason, when you have withdrawn your consent to processing on this legal basis, when O'TACOS is required to apply retention periods stipulated by a legal or regulatory obligation. The execution of deletion actions will be documented by O'TACOS through any evidence attesting the permanent deletion of data, as part of your request.  

  • The right to limit the processing of personal data:

O'TACOS allows you to request the limitation of the processing of your personal data for the purposes set out in the present Policy, especially when you have previously contested the accuracy of your personal data, when processing is unlawful and you decide to limit processing instead of deletion, when O'TACOS no longer has a need to process your personal data but they may be useful for the establishment, exercise or defense of legal claims, or when you exercise your right to object to the processing and your request is being considered.

  • The right to object: 

O'TACOS allows you to object to the processing of your personal data, especially when O'TACOS processes your personal data for the purposes of prospecting and direct marketing activities (including profiling) or due to any reason demonstrating the absence of legitimate and compelling justification by O'TACOS (including the need to contest, exercise or defend legal rights). The execution of interruption actions will be documented by O'TACOS through any evidence attesting the definitive cessation of processing, as part of your request.

  • The right to withdraw your consent: 

O'TACOS allows you to withdraw your consent to the processing of your personal data at any time when the processing is executed on this legal basis. The processing of your request will be documented by O'TACOS and will be accompanied by any evidence attesting to the removal of your consent in the designated databases. 

  • The right to portability of your personal data: 

O'TACOS allows you to request a list of your personal data processed for the purposes of the present Policy, and to initiate a data portability action with another organization in a clear and understandable format through a portability report listing all processed data. 

  • The right to determine the fate of your personal data in the event of your death or disappearance:

O'TACOS allows you to provide your instructions regarding the processing of your personal data processed for the purposes of the present Policy, in the event of your death or disappearance. All your directives will be recorded by our services upon their receipt. 


 

You may exercise these rights by contacting us through the following channels:

  • By post:

O'TACOS CORPORATION
CAP SUD - 106 avenue Marx Dormoy
92120 MONTROUGE

O'TACOS HOLDING INTERNATIONAL
CAP SUD - 106 avenue Marx Dormoy
92120 MONTROUGE

  • By e-mail:

[email protected], specifying "personal data" in the subject line of your email.

O'TACOS may, in certain cases necessary for your identification, make the implementation and processing of your request conditional upon the transmission of valid proof of identity.

O'TACOS undertakes to process any request concerning the exercise of your individual rights within thirty (30) days of receipt; this period may be extended by sixty (60) additional days, in particular where the investigation of the request is complex. In this case, O'TACOS undertakes to keep you informed and to follow up the said requests.

If you believe that the processing of your Personal Data constitutes a breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, your place of work or the place where the breach occurred. The supervisory authorities are as follows:

You may also lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL) in France, by post at the following address: CNIL - Service des plaintes, 3, place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07, or online: https://www.cnil.fr/fr/cnil-direct/question/844 or https://www.cnil.fr/fr/plaintes.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.