Privacy Policy of DISH

Section I General provisions

1 Data controller

1 Data controller

1.1 The controller within the meaning of the GDPR for the operation of this website is Hospitality Digital GmbH, Metro-Straße 1, 40235 Düsseldorf, Germany (“DISH”, “we” or “us”).

1.2 We are jointly responsible with our affiliates for certain processing activities in connection with the Services (“Services”). This is expressly stated in this Privacy Policy in each case.  Your personal data will only be processed by us and by the partner company responsible for the country of your place of business. You will find a list of our partner companies in the Annex.

1.3 You can contact our Data Protection Officer with questions about data protection at the following contact details: Hospitality Digital GmbH, Data Protection Officer, Metro-Straße 1, 40235 Düsseldorf, Germany, e-mail: privacy@hd.digital.

2 Definitions

2 Definitions

2.1 Terms used in this Privacy Policy shall have the same meaning as in our DISH General Terms of Use (“Terms of Use”), unless expressly provided otherwise in this Privacy Policy.

2.2 Insofar as terms have not been defined in this Privacy Policy or in the Terms of Use, the definitions of Article 4 GDPR shall apply.

Section II Individual processing

3 DISH website

3 DISH website

3.1 In principle, merely visiting the DISH website (but not using the DISH app) is possible without a user account. However, if you wish to use the full functionality of the DISH Platform, you need to register as a user as described in clause 6 of this Privacy Policy.

3.2 When you access and use our website, personal data is automatically collected via the end device you use when accessing the website (it may be, for example, your computer, your mobile phone or a comparable Internet-capable end device). Specifically, the following data are collected

(a) the IP address currently used by your end device,

(b) date and time the website was accessed,

(c) browser type and operating system of your end device;

(d) the source website from which you accessed our website and

(e) the sub-pages visited on our website.

3.3 The processing of the IP address of your end device is necessary for us to be able to provide you with the website and thus serves to ensure that the website functions properly. The processing of the other data mentioned in clause 3.2 of this Privacy Policy is carried out for the purposes of data security and the security of our IT systems as well as for the optimisation of our services and the improvement of our website. The data mentioned in clause 3.2 of this Privacy Policy is stored in a separate log file and is not linked to any other stored personal data. An evaluation, with the exception of for statistical purposes, and in anonymised form, is only carried out within the framework of this Privacy Policy. The data mentioned in clause 3.2 of this Privacy Policy will not be used for marketing or advertising purposes. The processing is carried out on the basis of Article 6(1)(f), first sentence, GDPR. The protection of our website and the optimisation of our services constitute a legitimate interest.

3.4 The data mentioned in clause 3.2 of this Privacy Policy will be stored until the purpose of the processing no longer applies. The data required for the provision of the website (your IP address) is deleted immediately after delivery of the respective website or sub-page. The erasure of the log files in which this data is stored is automated and usually occurs within seven (7) days after the creation of the log file. If the other data mentioned in clause 3.2 of this Privacy Policy is also processed by us for evaluation purposes, there will be no reference to the IP address, so that a personal reference can no longer be established for us.

4 Cookies

4 Cookies

4.1 General provisions

4.1.1 To make our services and our website as user-friendly as possible and to enable the use of certain functions of the website, we use cookies.

4.1.2 Cookies are, in a broader sense, all information that is stored by a website on your end device or in your browser and can be retrieved from the website. Any information can be stored in cookies, such as certain website settings selected by you, so that they are automatically recognised when you call up the next sub-page or visit the website again. Cookies may also contain a unique string of characters (identification number) that allows the browser to be identified when the website is accessed again. This may result in an association of the browser with information stored by the provider, such as in particular with a user account or sub-account to which you are logged in, a shopping basket or an automatically created usage profile.

4.1.3 Some of the cookies we use are deleted after the end of a session, i.e. after you close your browser (session cookies). Other cookies remain on your end device and enable us to recognise your browser the next time you visit our website (persistent cookies).

4.2 Technically necessary cookies

4.2.1 To enable the website to function properly, we use technically necessary cookies, for example to store language settings and login information. Technically necessary cookies are also used to store consent and objections for analysis and advertising cookies (see clause 4.3 of this Privacy Policy) and to store your consent as part of the “two-click solution” for social networks (clause 4.4 of this privacy policy).

4.2.2 We use the following third-party providers for individual functions on our website:

(a) Medallia

We use Medallia for Digital Survey to collect user feedback from visitors to our websites who perform certain actions on our websites or visit them for a set minimum duration. Medallia for Digital processes the following categories of personal data on our behalf: a) customer ID associated with your customer account and participation in surveys (name, address, title, contact details); b) touchpoint information (transaction identifier, parts of the website visited); and c) IT information such as IP address and browser type. In the course of the processing carried out, it may still be necessary to transfer your personal data to countries that are not part of the European Union (EU) or the European Economic Area (EEA). Transfers to these “third countries” may concern the following categories of recipients: The third party provider that performs this processing on behalf of DISH: Medallia Inc., a US service provider located at 575 Market Street Suite 1850, San Francisco, CA 94105, United States of America (USA). The legal basis for the use of Medallia for Digital is Art. 6(1), lit. a, of GDPR (consent of the data subject). The aim of the survey is to use the information obtained to improve the quality of our services. We want to tailor our online range and services to our customers and provide them with a better user experience by identifying your needs. The duration of the retention period of the personal data collected is based on the following criteria: The data is stored to create a long-term survey and to monitor service development based on feedback from the survey. Data must be stored for as long as Medallia for Digital is active on our website. The storage period of the cookie is one year. You can withdraw your consent at any time with effect for the future. You can manage your privacy settings via the onsite button of our website.

The provider named in this clause 4.2.2 collects and processes the data on behalf of DISH (see also clause 13.1(a) ).

4.2.3 The legal basis for the processing of technically necessary cookies is Article 6(1) P. 1 (f), first sentence, GDPR; our legitimate interest is the functionality of our website. If you have concluded a contract with us for the use of the respective services, the legal basis is Article 6(1)P. 1(b), first sentence, GDPR.

4.3 Analytics and advertising cookies

4.3.1 We use analytics cookies that allow us to track your use of our website, such as from which third-party website you arrived to visit our website, which sub-pages of our website you visit and which links you clicked on and how often. We use the following analytics cookies:

(a) We use Adobe Analytics, a service provided by Adobe Systems Software Ireland Limited (4-6 Riverwalk Citywest Business Campus, Dublin 24, Republic of Ireland; “Adobe”). This service uses cookies which are stored on your end device and which enable an analysis of your website usage. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Adobe on servers in Ireland, where it will be anonymised and then transferred in anonymised form to servers in the United States for further processing. Adobe uses this information to evaluate your use of the website for us, to compile reports on website activity for us and to provide other services related to website activity and internet usage. If required by law or if third parties process this data on behalf of Adobe, this information may be transferred to third parties. In no case will your IP address be associated with any other data held by Adobe. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that in this case you may not be able to use the full functionality of this website. You can object to data processing by Adobe at any time with effect for the future. You can find out more about withdrawal at http://www.adobe.com/privacy/opt-out.html.

(b) We also use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; “Google”). Google Analytics also uses cookies. The information generated by the cookies about your use of this website is usually transferred to a Google server in the USA and stored there. However, your IP address will be shortened beforehand by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On our behalf, Google will use this information to evaluate your use of the website, compile reports on website activity and provide other services relating to website activity and internet usage to us. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can prevent cookies from being stored by setting your browser software accordingly. You can also prevent the collection of data generated by the cookies and related to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

The providers named in clause 4.3.1 collect and process the data on our behalf (see in this regard also clause 13.1(a)).

4.3.2 We also use third-party advertising cookies for advertising purposes. These cookies enable us to tailor advertising displayed in your browser to your interests based on your browsing behaviour. We use the following advertising cookies:

(a) We use Google AdWords in conjunction with Google Conversion Tracking, This is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; “Google”). Google AdWords is used to display pages from DISH on Google in the advertising space. If you access our website via a Google ad, Google Adwords sets a cookie on your end device (“conversion cookie”). This cookie expires after 30 days. It is not used for personal identification. If the cookie has not expired when you visit certain pages, we and Google can see that someone has clicked on the ad and been redirected to our site. Each AdWords customer receives a different cookie. Cookies can therefore not be traced back via the websites of AdWords customers. The information collected by the conversion cookie is used to create conversion statistics for AdWords customers who have opted in to conversion tracking. AdWords customers see the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, we do not receive any information that could identify you personally. If you do not wish the tracking process to involve you, you can refuse the setting of a cookie required for this purpose - for example, with a browser setting that generally deactivates the automatic setting of cookies. You can also disable cookies by setting your browser to block cookies from the domain “googleadservices.com”.

(b) We use Facebook Pixel, a tool operated by Facebook Inc, 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are an EU resident, by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), on our website for the analysis, optimisation and economic operation of the website. With the help of Facebook Pixel, Facebook can also determine the visitors to our website as the target group for the display of Facebook ads. Therefore, we use Facebook Pixel to display the Facebook ads we publish only to Facebook users who have shown interest in our website. This means that we use Facebook Pixel to ensure that our Facebook ads match the potential interest of users and do not bother them. We may also use Facebook Pixel to track the effectiveness of Facebook ads for statistical and market research purposes by looking at whether users have been redirected to our website after clicking on a Facebook ad (known as a “Conversion” or “User Interaction”). In this case, the legal basis of the processing is Article 6(1)(a), first sentence, GDPR. Facebook Pixel is used directly by Facebook when you visit our website and may set a cookie on your device. If you then log into Facebook or visit Facebook while logged in, your visit to our website will be recorded in your profile. The data collected about you is anonymous to us, so it does not give us any information about the identity of the users. However, Facebook stores and processes the data so there might be a connection to the respective user profile. This means that user profiles can be created from the processed data. Facebook processes the data in accordance with Facebook's privacy policy. For more information on how Facebook Pixel works and how Facebook ads are displayed, see Facebook's privacy policy: https://www.facebook.com/policy. You can opt out of the collection and use of your data by Facebook Pixel to display Facebook Ads. To set the types of ads you see on Facebook, you can visit the page set up by Facebook and follow the instructions about the settings for usage-based ads: https://www.facebook.com/adpreferences/ad_settings. The settings are platform-independent, i.e. they can be applied to all devices, such as desktop computers or mobile devices. You can also opt out of the use of cookies for tracking and advertising purposes: via the Network Advertising Initiative opt-out page http://optout.networkadvertising.org and additionally via the US website http://www.aboutads.info/choices or the European website http://www.youronlinechoices.com/uk/your-ad-choices/. You can manage your privacy settings via the onsite button of our website.

(c) Bing Ads

We use Bing Ads, a program from Microsoft Corporation (“Microsoft”) using Universal Event Tracking (UEN) to implement remarketing and completion tracking. With your consent, a cookie is set on your computer for this purpose if you have accessed our website via Bing or Yahoo. In this text file, information about the use of our website, i.e. the pages you visit, is stored by Bing Ads for 180 days and then deleted. This information includes the URL of the visited page, the URL of the referring page and your IP address. By using the remarketing function, we can provide you with offers tailored specifically to you in a subsequent search on one of the above-mentioned search engines. Using the Network Advertising Initiative (NAI) consumer opt-out page http://www.networkadvertising.org/choices/, you can check which of the participating sites set cookies in your browser and disable them. You can access Microsoft's privacy policy on the processing of collected data at the following link: https://privacy.microsoft.com/de-de/privacystatement/.

(d) Pinterest Ads

With your consent, we use the  “Pinterest Tag” of the company Pinterest Inc, 651 Brannan Street, San Francisco, CA, 94107, to serve user-based advertisements. The cookies enable Pinterest to recognise which ad has already been placed in your browser and whether you have accessed a website via a placed ad. The cookies do not collect any personal information and cannot be associated with any personal information. The processing of data by Pinterest is carried out within the framework of Pinterest's privacy policy. Accordingly, general guidance on the display of PinterestAds, in Pinterest's privacy policy: https://policy.pinterest.com/de/privacy-policy. You can object to the collection and use of your data by the Pinterest tag to display Pinterest ads. To set which types of advertisements Pinterest displays to you, you can go to the page set up by Pinterest and follow the instructions there on the settings for usage-based advertising: https://www.pinterest.com /settings/. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.

(e) Adform A/S:

Our advertising service provider PREX Programmatic Exchange GmbH&Co KG is responsible for data collection in online advertising. The tracking system of the following service provider is used: Adform A/S, Widersgade 10B, sal 1, 1408, DK-1408 Copenhagen Denmark, German branch: Großer Burstah 50-52, D-20457 Hamburg. The system is used on our websites for the following purposes: (i) By means of tracking, contacts that users have with advertisements on other websites (visual contacts and clicks on advertising banners) are put in relation to subsequent interactions on our website. The data collected is statistically analysed in order to be able to optimise the performance of the media campaigns. All usage data collected is stored using a pseudonym. The data collected is not used to personally identify visitors to our website and is not merged with personal data about the bearer of the pseudonym. (ii) Control of user-based online advertising (“retargeting”). The service provider collects and processes your usage behaviour pseudonymously on websites operated by us. This data is used to retarget users with targeted advertising according to their usage behaviour after visiting our websites. These advertisements also take place outside of our websites. With your consent, the third-party cookies described on the following page are used to collect data: https://site.adform.com/privacy-center/adform-cookies/..

4.3.3 We take technical precautions to pseudonymise the data collected about you through analysis and/or advertising cookies. After pseudonymisation, the data can no longer possible be directly associated to the user.

4.3.4 By clicking on “accept” in our “cookie banner”, you consent to the processing of your personal data using analytics and advertising cookies for the above purposes. The processing of this personal data takes place on the basis of Article 6(1)(a), first sentence, GDPR.

5 Social Media

5 Social Media

5.1 We use “social plugins” from the following social networks:

(a) Facebook; Instagram (Operator: Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA and Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland);

(b) Twitter (Operator: Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA);

(c) YouTube (Operator: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

5.2 To protect your personal data and privacy, we use the  “Two-click solution”, which ensures that the data transfer via the social plugins to the corresponding social network operator only takes place after prior activation of the social plugin by you. Social plugins are initially deactivated and do not automatically establish a connection with the social networks operators. If you enable one of these plugins, you consent to your personal data described in this section being transferred to the social network. In this case, the transfer of personal data is based on Article 6(1)(a), first sentence, GDPR.

The further processing of personal data by the social network operator is subject to its data protection provisions, which is made available by the operator under its own responsibility.

5.3 Our website also contains simple links to Facebook, Instagram, Youtube and Twitter. In this case, data is only transmitted to the aforementioned social networks if the corresponding icon button (e.g. the “f” from Facebook or the bird symbol from Twitter) is clicked. When you click on such a button, a page of the corresponding social network opens.

6 Registration on the DISH platform

6 Registration on the DISH platform

6.1 If you wish to use the full range of functions of the DISH platform and access the services of third-party providers (see our Terms of Use in detail), registration as a user is necessary. Registration requires the completion of a registration form. The registration form shows you which personal data is mandatory to register and which personal data are optional.

6.2 After clicking on the “Register now” button, you will receive an e-mail or SMS from us with a code to the e-mail address or mobile phone number you have provided. To confirm the registration, you must enter the code given in this message into the registration form and confirm it. Your IP address and the time of the registration confirmation are then stored; this serves the legitimate interest of preventing or detecting misuse and therefore the legal basis is Article 6(1)(f), first sentence, GDPR.

6.3 You can autonomously manage your user account. You can therefore change the data you provided during registration at any time in the “Profile” area. By default, your user profile is visible to other DISH users. Other users can therefore find it via the search function of the DISH platform by searching for publicly available profile information. Other users can also see which events offered via the DISH platform you have registered for. Through the management option of the user account, you can choose at any time whether and to what extent your user profile should remain visible to other users of the DISH platform. The decision about what information you want to share with other users on your profile page is therefore entirely yours. You can set your profile page to “Private” at any time, so that other users cannot find you in the search and also do not receive any other information.

6.4 You have the option to upload your METRO-/MAKRO customer card number on the DISH platform if you are a METRO-/MAKRO customer. If you provide us with this customer card number, we will transmit the information as to whether you use a particular digital tool to the METRO-/MAKRO corporation with which you are a customer. An overview of the METRO-/MAKRO companies is attached in this document. The METRO-/ MAKRO Company will use this information to assist you in using the digital tool at your request and to improve your customer experience and customer service. We do not send any data to METRO-/ MAKRO companies of which you are not a customer. Information on how your METRO-/ MAKRO company processes personal data is available in the privacy policy of the respective company. The transfer of your personal data in this respect takes place on the basis of Article 6(1)(a), first sentence, GDPR.

6.5 If you have been contacted by a sales representative who has recorded your data, the final registration will be made via a call centre.

6.6 The legal basis for the collection and processing of data for the administration of the user account is Article 6(1)(b), first sentence, GDPR.

7 Use of the DISH account

7 Use of the DISH account

7.1 If you have created a user account and use the DISH Platform, we also collect, process and store the following data in connection with your user account:

(a) Information about which digital tools of which providers you use and which goods and services you have purchased through DISH;

(b) Information on which events you have registered for and which events you have participated in.

7.2 We also process your data in order to send you information relevant to the contract (notifications) by e-mail, SMS or by post. When using the DISH app (see clause 9 of this Privacy Policy), the application separately asks for permissions when using(a) iOS: Contacts, photos and camera; (b) when using Android: Contacts, camera, memory and SMS phone status.

7.3 To be able to offer you the advisory services, the personal data that you provide during registration for our services (see clause 5 of this Privacy Policy) as well as during use will be processed by our partner companies at their place of business (see clause 1.2 of this Privacy Policy). Advisory services include, but are not limited to, services regarding the set-up of the software, how to best use the software (e.g. how to use additional features) and how the software fits into your business concept.

7.4 The processing of data in connection with your user account serves to implement the user agreement between you and DISH. The legal basis is Article 6(1)(b), first sentence, GDPR. We also use this data to perform analyses of your usage behaviour. This allows us to determine, for example, which services or events are particularly interesting for you. The analysis of your usage behaviour may result in you receiving personalised advertising messages from us, provided you have given your consent to this or this is permitted under the statutory provisions (see clause 10 of this Privacy Policy). This serves to improve our offer. The legal basis in this regard is Article 6(1)(f), first sentence, GDPR.

7.5 The data collected in connection with your user account will be stored by us until the user agreement between you and us has been terminated (see our Terms of Use for details). After termination of the user agreement, your customer account will be automatically deleted. Insofar as we under a statutory obligation to retain certain data collected in connection with your user account even after the termination of the user agreement, we will only erase this data once the retention periods have expired.

8 Individual functions of the DISH platform and digital tools

8 Individual functions of the DISH platform and digital tools

8.1 You can publish posts in forums via the DISH platform. These posts can be viewed by all users. In addition, there is the option of publishing contributions in groups that are open only to a certain group of users. In this case, your posts will only be visible to these users. The legal basis for the processing is Article 6(1)(f), first sentence, GDPR.

8.2 If you use digital tools which involve marketing via third-party platforms or which otherwise involve the transfer of data to other platforms, directories or loyalty programmes, we will transfer the relevant data to the respective providers. As described in the Terms of Use, this may include, but is not limited to, your restaurant details and contact details. The details on the data in question are available in the respective digital tool. The legal basis for the processing is Article 6(1)(f), first sentence, GDPR.

8.3 For the invitation to selected events, we use the platform “Eventbrite”, operated by Eventbrite, Inc., a company based in Delaware, 155 5th Street, Floor 7, San Francisco, CA 94103, USA. For more information on Eventbrite, please visit www.eventbrite.com. Information on how Eventbrite processes personal data is contained in Eventbrite's privacy policy. In other respects, only provide information on where and when an event takes place. Registration then takes place on the website of the respective organiser. The legal basis for this transfer to Eventbrite is Article 6(1)(b), first sentence, GDPR.

8.4 If you accept payments within the scope of using the DISH digital tools and use the services of an online payment service provider for this purpose, a proof-of-identity verification in accordance with the German Money Laundering Act (GwG) is required (KYC process). For this purpose, we collect further information and forward it to the payment user’s service provider. This collection of this data is statutorily required for the activation of the payment service. The legal basis is therefore Article 6(1)(c), first sentence, GDPR.

9 Use of the services of third-party providers

9 Use of the services of third-party providers

9.1 If you register for one of the digital tools available on the DISH Platform or obtain a good or service, we have to forward your personal data required for the performance of the contract with the third-party provider to the respective third-party provider. The legal basis for this transfer is Article 6(1)(b), first sentence, GDPR. For the further processing of personal data by the provider, the third-party provider’s privacy policy applies.

9.2 When you visit the DISH Platform as a registered user and your login is active, we share your User ID, which we assign internally, with certain third parties. This allows them to display personalised notices to you on the DISH platform through “inline frames” or “advertising containers”. These personalised notices can, for example, receive information about digital tools that you already use or draw your attention to digital tools that are of interest to you. The recommendations are based in part on your previous usage behaviour on the DISH platform.

9.3 You can also use the access data for your DISH user account (mobile phone number and password) to log in to digital tools you use (single sign-on), although single sign-on is not available for every digital tool offered by third-party providers. Single sign-on avoids having to choose separate access data for each individual digital tool. The third-party provider of the digital tool receives from DISH only the data required to provide the single sign-on. DISH does not receive any other information from the third-party provider about how you use the digital tool. Similarly, DISH's third-party provider does not receive any information about how you use DISH.

9.4 DISH does not receive any information about the content and extent of your use of third-party services. However, DISH will know if you are using a particular third-party service. We need this information to be able to send you recommendations on other services that may be of interest to you, for example because they have similar or complementary functions to the service you are using. This serves our legitimate interest in improving the user experience and offering you services that are suitable for you. The legal basis in this regard is Article 6(1)(f) GDPR.

9.5 Some third-party providers do not offer their services directly on the DISH platform. In this case, however, you have the option of providing your contact information on the DISH Platform, which will then be passed on by DISH to the respective third-party provider. This only happens with your consent. The transfer of your personal data takes place on the basis of Article 6(1)(a), first sentence, GDPR.

10 DISH App

10 DISH App

10.1 By downloading the DISH App from the respective app store to your mobile device, no personal data is yet collected by DISH or transmitted from the respective App Store to DISH prior to use. When you download the DISH App from an App Store, the relevant app store operator collects information, in particular your user name, your e-mail address, the customer data for your account, the time of download, any payment information and the individual identifiers of your end device. The relevant app store operator is responsible for the processing of this data. In this respect, only the privacy policy for the use of the relevant app store, and available there, applies.

10.2 Regardless of whether you log in to the country-specific functions of the DISH App with your customer data, certain data must be collected when you use the DISH App so that it is technically possible for you to use the DISH App. This concerns the following data or data processing activities:

The language set on the device. This data is processed for the App language preselection and country selection in the App.

The processing of this data is carried out on the legal basis of Article 6(1)(b), first sentence, GDPR to enable you to use the DISH App in accordance with the contract.

10.3 If you have given your consent through the corresponding setting of the DISH App or through the system settings of your end device, the DISH App accesses the following data to be able to display or optimise individual services of the DISH App (e.g. camera-based scanning of cards):

(a) Camera data (for scanning barcodes and adding images to profile pictures, adding establishment graphics)

(b) Images from your end device's photo gallery (to add images to profile pictures, add establishment graphics)

(c) Phone contacts from your address book (to add members of your team to your DISH team).

10.4 With your consent, we can additionally send you individual messages to the lock screen (push notifications). In this context, we will use the device ID to be able to send the notifications.

10.5 You are not obliged to give your consent. Without consent, you will not be able to use any features of the DISH App that require access to this data.

10.6 The legal basis of the processing pursuant to clauses 9.3 and 9.4 is Article 6(1)(a), first sentence, GDPR. You can withdraw your consent at any time by making the appropriate settings in the app or in the system settings of your end device.

10.7 Your device ID is only used as long as the DISH app is in use. Your country selection is only stored locally on your end device for as long as you have the DISH app installed. The system language retrieved by us for the country preselection is not saved.

11 Newsletter and Push Marketing

11 Newsletter and Push Marketing

11.1 Once you have registered on DISH, we will inform you on a regular basis about current offers, products and promotions by e-mail, push notifications (DISH App) and/or SMS under the conditions of §7(3) UWG. These marketing communications may also include offers, products and promotions provided to us by our marketing partners in the digital and hospitality industries. However, your e-mail address, mobile phone number or other personal data will not be passed on to our marketing partners in this context. The personal data collected during registration will only be used and processed for the purpose of sending newsletters/push notifications to your e-mail address and mobile phone number/SMS.

11.2 Links in our emails contain tracking information that allows us to determine which links were of particular interest to you and when you clicked on them. The following data is stored via the tracking link: E-mail address, newsletter, link, date and time of opening, as well as click behavior on the website. This serves our legitimate interest in improving our advertising products. The processing of your personal data for these purposes is based on Article 6(1)(f), first sentence, GDPR.

11.3 Where personal data is otherwise processed for direct marketing purposes, you have the right to object to such processing, including profiling, insofar as it relates to such direct marketing. You can notify the objection in particular as follows:

(a) You can object to the use of your mobile phone number and e-mail address at any time by using the unsubscribe function indicated in each case.

(b) If you no longer wish to receive push notifications via the DISH app, you can change this in the general settings of the DISH app.

(c) If you no longer wish to receive SMS notifications, please send an email to privacy@hd.digital.

No costs are incurred for the objection other than, if applicable, the transmission costs according to the basic rates.

12 Payments

12 Payments

12.1 Payments can be made via prepayment, credit card (Visa, MasterCard, American Express), Maestro, SOFORT Überweisung, direct debit and PayPal.

12.2 When a payment is made to DISH using other payment methods, the data required for the payment, i.e. payment recipient, amount, purpose of use, transaction number and, if applicable, delivery address are transmitted to the payment service provider you have chosen.  The same applies if a third-party provider offers services on the DISH Platform for a fee and the payment is not processed directly via the provider but via the DISH Platform. The legal basis for this transfer is Article 6(1)(b) GDPR.

12.3 The following payment service providers are currently used for payment processing on the DISH platform:

(a) PayPal (Europe) S.à r.l. et Cie, S.C.A., with registered office at 22-24 Boulevard Royal, L-2449 Luxembourg,

(b) Lemon Way, a French SAS (simplified joint stock company) with registered office at 8 rue du Sentier, 75002 Paris, France,

(c) PayU, MIH PayU B.V. ( PayU ) with registered office at Symphony Offices, Gustav Mahlerplein 5, 1082 MS Amsterdam, The Netherlands,

(d) Iyzico, a PayU subsidiary, iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş. with registered office in Burhaniye Mah. Atilla Sokak 7, Üsküdar Istanbul, Turkey,

(e) Braintree, PayPAL (Europe) S.á r.l. et Cie, S.C.A., with registered office in
22-24 Boulevard Royal, L-2449 Luxembourg,

(f) Stripe, Stripe Payments Europe, Limited, with registered office at North Wall Quay 1, 662880 Dublin, Ireland.

12.4 The payment service providers collect further data such as cardholder, credit card number, expiry date and CVC number directly from you. The respective payment service provider is responsible controller for the processing of this data. In this respect, only the privacy policy of the respective payment service provider applies, which you can access at the respective payment service provider.

13 Contact

13 Contact

13.1 You can contact us in various ways:

(a) You can use the contact form on our website to contact us for an enquiry. The personal data you enter in the contact form (your first and last name, your e-mail address and information on the nature of your request are required fields) will only be processed for the purpose of answering your request and only if you have clicked on the “Send” button. Your IP address and the time at which your request was sent is also stored.

(b) You can also contact us by telephone or e-mail. In this respect, too, only the personal data required to answer to your enquiry will be processed.

13.2 The processing serves our legitimate interest in being able to communicate with you. The legal basis for the processing is therefore Article 6(1)(f), first sentence, GDPR. If you contact us for the purpose of concluding a contract or in connection with an existing contract, the processing is carried out on the basis of Article 6(1)(b), first sentence, GDPR; if we are under a statutory obligation to answer, on the basis of Article 6(1)(c), first sentence, GDPR.

Section III Miscellaneous

14 Recipients of personal data

14 Recipients of personal data

14.1 In addition to the transfers described elsewhere in this Privacy Policy, the following transfers also take place:

(a) We use Service Providers for the processing of personal data with whom we have concluded a commissioned data processing agreement in accordance with the legal requirements of Article 28 GDPR, insofar as they act as processors. Such Service Providers support us, for example, in sending e-mails or in the technical operation and hosting of the website. 

(b) If it is necessary to clarify an abuse of the DISH Platform, for which legal prosecution is necessary or a legal obligation to disclose applies, personal data will be forwarded to authorities (in particular law enforcement agencies and tax authorities), our legal defence and, if applicable, to injured third parties. Disclosure may also occur when necessary to enforce our Terms of Use or other agreements or as required by law, governmental order or court order. The legal basis for the processing is Article 6(1)(f), first sentence, GDPR, for example if the disclosure is necessary for legal proceedings, or Article 6(1)(c), first sentence, GDPR, if there is a statutory obligation or one issued by an official authority. 

(c) We may also involve external advisors such as lawyers (see in this respect letter (b)) or tax advisors and provide them with the data necessary for the advisory services; the legal basis in this case is (unless letter (b) provides otherwise) Article 6(1)(f), first sentence, GDPR, whereby our legitimate interest is to use the advisory services that are necessary for the management of the company.

14.2 The recipients may be located both within and outside the European Union or the European Economic Area. We ensure through contractual agreements with the Service Providers that they process the personal data in accordance with the requirements of the GDPR, even if the data processing takes place outside the European Union or the European Economic Area in countries in which an adequate level of data protection is not otherwise guaranteed and for which no adequacy decision of the European Commission exists. For more information about the existence of a European Commission adequacy decision and adequate safeguards, and to obtain a copy of these safeguards, you can contact our Data Protection Officer at privacy@hd.digital. 

15 Storage period

15 Storage period

Unless more specific information is provided elsewhere in this Privacy Policy, your personal data will be stored until the purpose for storing it no longer applies. Data may also be stored for as long as necessary for the establishment or defence of legal claims (i.e. in particular until the expiry of the limitation period, which is usually three years from the end of the calendar year in which any legal claim arose in accordance with Section 199 of the German Civil Code (BGB)) or for as long as there is a statutory obligation to retain data (in particular in accordance with commercial or tax law provisions).

16 Data security

16 Data security

We use technical and organisational measures to ensure that users' personal data is protected against loss, incorrect modification or unauthorised access by third parties. To ensure secure data transmission, this is carried out exclusively by means of Transport Layer Security (TLS).

17 Your rights

17 Your rights

17.1 As a data subject within the meaning of the GDPR, you are entitled to the following rights under the legal conditions: 

(a) The right to obtain information about the data processing as well as a copy of the processed data (right of access, Article 15 GDPR),

(b) the right to request the rectification of inaccurate data or the completion of incomplete data (right to rectification, Article 16 GDPR),

(c) the right to request the erasure of personal data (right to erasure, Article 17 GDPR),

(d) the right to request the restriction of data processing (also referred to as blocking) (right to restriction of processing, Article 18 GDPR),

(e) the right to obtain personal data in a structured, commonly used and machine-readable format and to request the transfer of such data to another controller (right to data portability, Article 20 GDPR),

(f) the right to receive information on the essential aspects of joint controllers’ arrangement, which sets out the roles and responsibilities of each controller with regard to the processing of personal data, as well as the mechanisms and procedures for exercising data subjects' rights (Article 26(2) GDPR),

(g) the right to withdraw consent given at any time in order to stop data processing based on your consent. The withdrawal does not affect the lawfulness of the processing based on the consent prior to the withdrawal (right of withdrawal, Article 7 GDPR), as well as

(h) the right to object to certain data processing operations (Article 21 GDPR).

17.2 To exercise your rights, you can contact us or our Data Protection Officer at privacy@hd.digital. 

17.3 You also have the right to contact our Data Protection Officer with any other concerns regarding the processing of your personal data (Article 38(4) GDPR) or to lodge a complaint with a supervisory authority if you believe that the data processing is in breach of the GDPR (right to lodge a complaint with a supervisory authority, Article 77 GDPR).

Annex Partner companies