PRIVACY POLICY
THE FIVE GUYS GROUP

Five Guys Group's Privacy Policy includes the following sections:

FIVE GUYS CUSTOMER PRIVACY POLICY

INTRODUCTION

In this Customer Privacy Policy (Privacy Policy):

  • references to we, us or our means any subsidiaries and affiliated companies as amended from time to time of Five Guys Holding, Inc. and any of our Franchisee Restaurants in each case operating in countries outside the USA and Canada including: Belgium, Ireland, Italy, Luxembourg, the Netherlands, and Switzerland;
  • references to Franchisee Restaurants means any restaurants operated by a third party franchisee under the FIVE GUYS® Restaurant brand;
  • references to you or your means the person accessing and using the Website (as defined below) and/or otherwise visiting a FIVE GUYS® Restaurant;
  • references to the Websites mean the following websites found at (as amended from time to time): and includes the Five Guys app; and
  • references to FIVE GUYS® Restaurant means any restaurant for the operation of FIVE GUYS® fast casual restaurants which specialize in the sale of fresh made burgers, fries, and other accompaniments prepared in accordance with our Five Guys brand standards.

If you are a customer of Five Guys in the USA or Canada, this Privacy Policy will not apply to you. Please instead refer to our privacy notice at www.fiveguys.com.

PRIVACY POLICY

This Privacy Policy sets out the basis on which we collect and use personal information about you through your use of the Website and when you visit a FIVE GUYS® Restaurant.

This Privacy Policy describes:

  • who is responsible for the personal information that we collect about you;
  • the personal information we collect about you;
  • how we will use it;
  • who we may disclose it to; and
  • your rights and choices in relation to your personal information.

This is to make sure you have a full picture of how we collect and use your personal information.

In this Privacy Policy where we use the words personal information we use these words to describe information that is about you and is information which identifies you or them.

Our Website is not intended for children and we do not knowingly collect personal information relating to children.

You have the right to object to our use of your personal information in certain circumstances. A summary of your right to object (along with your other rights under data protection law) and details of who to contact if you want to exercise this right can be found at the How to Contact us section below. For further information on your rights see the Your rights section below.

WHO IS RESPONSIBLE FOR THE PERSONAL INFORMATION THAT WE COLLECT?

For the purpose of data protection law, we are the controller in respect of your personal information collected and used through your use of the Website and when you visit a FIVE GUYS® Restaurant. This is because we dictate the purpose for which your personal information is used and how we use your personal information.

WHAT PERSONAL INFORMATION DO WE HOLD ABOUT YOU?

We collect and use personal information about you in the course of providing the Website and when you visit a FIVE GUYS® Restaurant and you provide us with your personal information. We may also collect certain personal information from you via our Website or when you choose to interact with us.

Information that we hold about you

The information that we hold about you may include the following:

Type of Personal Information: Examples
General
Contact information: Name, title, address, email address and telephone number.
Telephone recordings: Recordings of telephone calls with our representatives and call centres.
Register to use our online services: Username and account number for access to our Website.
Details of complaints and compliments you make: Name, address, e-mail address or telephone number, details about the service you received/your experience.
Financial
Financial information and account details: Details regarding products purchased, price, payment method and other financial account details.
Other
CCTV footage: Images captured on CCTV if you visit a FIVE GUYS® Restaurant.
Photographs: Images that you share with us via social media.
Customer satisfaction/feedback surveys: Your views and opinions about your visit to a FIVE GUYS® Restaurant and your dining experience as well as your views about the Website.
Technical Information: Technical Information from any device you use in our stores in Belgium and the Netherlands. We provide access to free Wi-Fi in our stores in Belgium and the Netherlands which is provided by a third party service provider, Purple Wifi Limited (CN 6444980) (Purple). When you use the Wi-Fi that is available in our stores Purple will collect your login details such as name, date of birth, mail address, MAC address, your network information which is information from your device such as your IP addresses, internet service providers, location information and device information. Purple will also use this information for its own purposes in accordance with its own privacy notice and will act as a controller of this personal information.

We also collect information from other third party sources and/or publicly available sources such as:

  • Facebook;
  • Twitter;
  • Instagram;
  • LinkedIn; and
  • Snapchat.

We collect identity and contact information about you from the above, and any other available sources (as updated from time to time).

WHAT SPECIAL CATEGORIES OR SENSITIVE PERSONAL INFORMATION DO WE HOLD ABOUT YOU?

We may also collect certain sensitive personal information about you from you (including any special categories of personal data). This may include information concerning your health such as food allergies or intolerances which you provide to us. Where we do so we will rely on your explicit consent or we will notify you if we can rely on a different legal basis for processing this type of information.

INFORMATION ABOUT THIRD PARTIES

In the course of using the Website and when you visit a FIVE GUYS® Restaurant, you may provide us with personal information relating to third parties.

We will use this personal information in accordance with this Privacy Policy. If you are providing personal information to us relating to a third party, you confirm that you have the consent of the third party to share such personal information with us and that you have made the information in this Privacy Policy available to the third party.

HOW DO WE USE THE PERSONAL INFORMATION WE COLLECT ABOUT YOU?

We use your personal information in connection with the provision of the Website and to supply our products to you when you visit a FIVE GUYS® Restaurant. In particular, your personal information may be used by us, our employees, service providers, and disclosed to third parties for the purposes set out in the table below. For each of these purposes, we have set out the legal basis on which we use your personal information. This is because under data protection law, we can only use your personal information if we have a legal basis to do so.

Examples of where we have a legal basis to process your personal information include when:

  • we have your consent;
  • it is necessary to enter into or perform a contract we have with you (or to take steps at your request prior to entering into that contract);
  • it is necessary in order to protect your vital interests;
  • it is in our legitimate interests to process your personal information; or
  • the processing is necessary to comply with a legal duty.

We must tell you which legal basis we are relying on when we use your personal information. The legal basis we typically rely on and the main purposes for which we use your personal information are set out below.

Purpose: Legal Basis
To communicate with you and other individuals: Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
  Necessary to enter into or perform a contract we have with you.
To manage complaints, feedback and queries and provide customer support: Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
To improve the quality of the Website and your dining experience: Legitimate interests. We require your personal information to enhance, modify and personalise the Website and your dining experience for your benefit.
To perform any contract entered into with you to fulfil your orders for food and drink and to process payment for those orders: Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
  Necessary to enter into or perform a contract we have with you.
To comply with any legal or regulatory obligations (including in connection with a court order): Necessary for compliance with a legal obligation to which we are subject.
To engage with you via social media: Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
  Consent.
To analyse and improve our products to evaluate and develop our business: Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
To protect against fraud or other criminal activity, as well as dealing with Government authorities/law enforcement agencies: Necessary for compliance with a legal obligation to which we are subject.
  Legitimate interests. We require your personal information in order to enable us to manage and carry out our operations as a business.
To provide you with access to free Wi-Fi in our stores: Legitimate interests. We require your personal information in order to enable us to provide you with a convenient and pleasurable experience in our stores and to enable us to manage and carry out our operations as a business.

WHO MAY WE DISCLOSE YOUR PERSONAL INFORMATION TO?

We may share your personal information with:

Type of third party: Examples
General
Our group companies: Other companies and entities that are part of the Five Guys Group.
Our service providers: Our business partners, suppliers and subcontractors for the performance of any contract we enter into with you, for example:
  • our IT systems providers ComputerHulp;
  • our IT cloud services solution which is Microsoft's Office 365 OneDrive, Outlook, Word, Excel, PowerPoint, OneNote, SharePoint;
  • Purple Wifi Limited who provide the Wi-Fi services to Five Guys stores in the Netherlands and Belgium;
  • Food Alert Limited in relation to food safety consulting services;
  • Marketforce Information LLC in relation to information on customer experience in a FIVE GUYS® Restaurant;
  • members of TransPerfect Group in relation to translation services;
  • NCR Corporation in relation to point of sale solutions and consulting services;
  • NetDefender, LTD in relation to network consulting services;
  • Roofoods Ltd trading as Deliveroo in relation to delivery services; and
  • Takeaway.com European Operations B.V. trading as Thuisbezorgd in relation to delivery services.
A current list of these third party service providers with whom we share your personal information can be provided to you on application to the Legal Department at legal@fiveguys.nl.
Our professional advisers: Including accountants, lawyers and other professional advisers that assist us in carrying out our business activities. A current list of these third parties can be provided to you on application to the Legal Department at legal@fiveguys.nl.
Our franchisees: These are individuals or organisations who enter into an agreement with us to operate a FIVE GUYS® Restaurant under the Five Guys brand in various jurisdictions all over the world. Your personal information will not be shared with all of our franchisees but only those that are relevant to you.
Social media related parties: We have different social media related parties for each area of the world in which we operate – your personal information may be shared with the social media related parties in our area but not all. A list of our current social media related parties and the countries in which they operate is set out below:
  • Quby, Bahrain
  • Qanect, Qatar
  • Toh, UAE
  • Smallfish, Italy
  • DBS, Saudi Arabia/Oman
  • Sociolocal, Ireland/Northern Ireland
  • Iris, Netherlands (through Sept 2018)
  • Sunshine and Sausages, Netherlands (Sept 2018 and beyond)
  • Helpern, UK
  • Dupont Lewis, France
  • Dupont, Spain

We may also disclose your personal information to other third parties, for example:

  • in the event that we sell or buy any business or assets we will disclose your personal information to the prospective seller or buyer of such business or assets;
  • if we or substantially all of our assets are acquired by a third party (or are subject to a reorganisation within our corporate group), personal information held by us will be one of the transferred assets; and
  • if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or we are involved in any litigation with you.

SHARING WITH FRANCHISEES, THIRD PARTIES AND COMPANIES WITHIN THE FIVE GUYS GROUP

Where we act as an independent controller of your personal information we will use your personal information for our own purposes. Sometimes franchisees, third parties and other companies in the Five Guys group will act as controllers of your personal information that we collect. This is where they determine the purposes and means of processing your personal information. They will use your personal information for their own legitimate purposes as described in their respective privacy notices. Please refer to their individual privacy notices for full information about how they collect and process your personal information. The privacy notices for our other group companies can be accessed via the applicable Five Guys websites.

WHERE WILL WE TRANSFER YOUR PERSONAL INFORMATION?

We will process your personal information both within and outside the European Economic Area (EEA) (this includes Bahrain, Kuwait, Oman, Qatar, the United Arab Emirates, Hong Kong and the United States of America, as amended from time to time).

When we transfer personal information outside the EEA, we will implement appropriate and suitable safeguards to ensure that such data will be protected as required by applicable data protection law, for example we will seek to anonymise it. If we can't anonymise your personal information, we will take reasonable steps to ensure that your personal information is protected. To do this we may use a set of standard data protection clauses which have been approved by the European Commission in accordance with Article 46 of the GDPR. Where personal information is transferred to the United States we may also rely on the Privacy Shield. For further information as to the safeguards we implement and to obtain a copy please contact the Legal Department at legal@fiveguys.nl.

HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION?

We will retain your personal information for no longer than is necessary for the purposes for which the personal information is processed. The length of time we hold on to your personal information will vary according to what that information is and the reason for which it is being processed.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means. We also consider any applicable legal, regulatory, tax, accounting or other requirements which may specify how long we should retain your personal information for.

Subject to the above, personal information about our customers will be retained by us for seven years from the date of your communication with us to allow us to:

  • respond to any queries or complaints you may have; and
  • fulfil our obligations to the relevant tax authorities depending on where you are resident and other relevant governing bodies.

For further information on our policy and how long we will keep your information for, please contact the Legal Department at legal@fiveguys.nl or by one of the other means of communication set out in the How to Contact Us section below.

DATA SECURITY

We have put in place appropriate security measures to seek to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Legal Department at legal@fiveguys.nl.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

YOUR RIGHTS

The rights below are rights that apply under the EU General Data Protection Regulation and so will predominantly apply if your personal data is used by an entity established in the EEA. Therefore, the rights may not apply to everyone who reads or receives this policy. The rights may only apply in certain circumstances and are subject to certain exemptions. Please see the table below for a summary of your rights. You can exercise these rights using the contact details below.

Summary of your rights
Right of access to your personal information: You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions.
  We may require further information in order to respond to your request (for instance, evidence of your identity and information to enable us to locate the specific personal information you require).
Right to rectify your personal information: You have the right to ask us to correct your personal information that we hold where it is incorrect or incomplete.
Right to erasure of your personal information: You have the right to ask that your personal information be deleted in certain circumstances. For example:
  • where your personal information is no longer necessary in relation to the purposes for which they were collected or otherwise used;
  • if you withdraw your consent and there is no other legal ground for which we rely on for the continued use of your personal information;
  • if you object to the use of your personal information (as set out below);
  • if we have used your personal information unlawfully; or
  • if your personal information needs to be erased to comply with a legal obligation.
Right to restrict the use of your personal information: You have the right to suspend our use of your personal information in certain circumstances. For example:
  • where you think your personal information is inaccurate and only for such period to enable us to verify the accuracy of your personal information;
  • the use of your personal information is unlawful and you oppose the erasure of your personal information and request that it is suspended instead;
  • we no longer need your personal information, but your personal information is required by you for the establishment, exercise or defence of legal claims; or
  • you have objected to the use of your personal information and we are verifying whether our grounds for the use of your personal information override your objection.
Right to data portability: You have the right to obtain your personal information in a structured, commonly used and machine-readable format and for it to be transferred to another organisation, where it is technically feasible. The right only applies:
  • to personal information which you have provided to us;
  • where the use of your personal information is based on your consent or is necessary for the performance of a contract; and
  • when the use of your personal information is carried out by automated (i.e. electronic) means.
Right to object to the use of your personal information (including to object to direct marketing, automated decision making and profiling): You have the right to object to the use of your personal information in certain circumstances and subject to certain exemptions. Examples of this right include:
  • where you have grounds relating to your particular situation and we use your personal information for our legitimate interests (or those of a third party);
  • where we use your personal data to take a decision which is based solely on automated processing where that decision produces a legal effect or otherwise significantly affects you; and
  • if you object to the use of your personal information for direct marketing purposes.
Right to withdraw consent: You have the right to withdraw your consent at any time where we rely on consent to use your personal information.
Right to complain to the relevant data protection authority: You have the right to complain to the relevant Data Protection Authority where you think we have not used your personal information in accordance with data protection law. This will depend on factors such as which FIVE GUYS® Restaurant you visited and the country in which it is located, where you work or reside, or where the infringement occurred. Please see the list of Data Protection Authorities set out in Annex 1 to this Notice for details of the Data Protection Authorities which may be relevant in the event that you have a complaint.

HOW TO COMPLAIN

If you think there is a problem with how your personal information is being handled, please contact us by using the details set out in the How to Contact Us section below.

You also have a right to complain to the Data Protection Authority as specified in the table immediately above. Annex 1 attached to this Notice contains a list of all the Data Protection Authorities in the jurisdictions where Five Guys has its operations as at the date of this Policy. However, there may be other Data Protection Authorities that are relevant to you. Please get in touch using the How to Contact us section below if you require further information.

CHANGES TO OUR PRIVACY POLICY

We will review this Privacy Policy regularly and we reserve the right to make any changes at any time to take account of changes in our business activities and legal requirements and the manner in which we process personal information.

Any changes we make to this Privacy Policy in the future will be posted on the applicable Website.

HOW TO CONTACT US

If you have any questions regarding this Privacy Policy or the way we use your personal information (outside of the USA and Canada), you can contact us by e-mail to the Legal Department at legal@fiveguys.nl, or by mail to:

Attention: Legal Department
Piet Heinkade 55
1019GM Amsterdam, the Netherlands.

This Privacy Policy was last updated in August 2018.

Annex 1

(Data Protection Authorities (DPA))

Country: DPA

Belgium: Commission de la protection de la vie privée
Commissie voor de bescherming van de persoonlijke levenssfeer
Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel: +32 2 274 48 00
Fax: +32 2 274 48 35
E-mail: commission@privacycommission.be
Website: http://www.privacycommission.be/

France: Commission Nationale de l'Informatique et des Libertés – CNIL
8 Rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel: +33 1 53 73 22 22
Fax: +33 1 53 72 22 00
Website: http://www.cnil.fr/

Germany: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
Tel: +49 228 997799 0; +49 228 81995 0
Fax: +49 228 997799 550; +49 228 81995 550
E-mail: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/

Ireland: Data Protection Commissioner
Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel: +353 57 868 4800
Fax: +353 57 868 4757
E-mail: info@dataprotection.ie
Website: http://www.dataprotection.ie/

Italy: Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
00186 Roma
Tel: +39 06 69677 1
Fax: +39 06 69677 785
E-mail: garante@garanteprivacy.it
Website: http://www.garanteprivacy.it/

Luxembourg: Commission Nationale pour la Protection des Données
1, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette
Tel: +352 2610 60 1
Fax: +352 2610 60 29
E-mail: info@cnpd.lu
Website: http://www.cnpd.lu/

Netherlands: Autoriteit Persoonsgegevens
Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel: +31 70 888 8500
Fax: +31 70 888 8501
E-mail: info@autoriteitpersoonsgegevens.nl
Website: https://autoriteitpersoonsgegevens.nl/nl

Portugal: Comissão Nacional de Protecção de Dados – CNPD
R. de São Bento, 148-3º
1200-821 Lisboa
Tel: +351 21 392 84 00
Fax: +351 21 397 68 32
E-mail: geral@cnpd.pt
Website: http://www.cnpd.pt/

Spain: Agencia de Protección de Datos
C/Jorge Juan, 6
28001 Madrid
Tel: +34 91399 6200
Fax: +34 91455 5699
E-mail: internacional@agpd.es
Website: https://www.agpd.es/

Switzerland: Data Protection and Information Commissioner of Switzerland
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Mr Adrian Lobsiger
Feldeggweg 1
3003 Bern
Tel: +41 58 462 43 95
Fax: +41 58 462 99 96
E-mail: contact20@edoeb.admin.ch

UK: The Information Commissioner's Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel: +44 1625 545 745
E-mail: international.team@ico.org.uk
Website: https://ico.org.uk

DATA PROTECTION POLICY

1. PURPOSE AND SCOPE OF THE POLICY
1.1 This Policy deals with the roles and responsibilities of the Five Guys Group with regard to the processing of Personal Data and has been prepared to help the Five Guys Group comply with its obligations under the General Data Protection Regulation (GDPR).
1.2 This Policy only applies to the entities in the Five Guys Group that are incorporated outside of the USA and Canada. If you work for a Five Guys Group entity in the USA or Canada, you must refer to the data protection policy that has been prepared for these specific entities. These can be accessed at www.fiveguys.com.
1.3 This Policy applies to all Personal Data Processed by the Five Guys Group, including hard copy and electronic records.
1.4 This Policy applies to all individuals working within the Five Guys Group, including directors, employees, consultants, contractors, casual and agency workers (referred to together in this Policy as Personnel).
1.5 All those to whom this Policy applies are referred to as you and your in this Policy and references to we, us or our refers to the Five Guys Group.
1.6 We process Personal Data about employees, potential employees and former employees, contractors, franchisees, individuals employed by suppliers, customers and professional advisers such as legal advisers.
1.7 The Five Guys Group is responsible for ensuring that we comply with the GDPR. Protecting the confidentiality and integrity of Personal Data is a responsibility that we take seriously at all times. A description of the data protection principles to help safeguard Personal Data under the GDPR is set out in paragraph 3 below.
1.8 It is important for you to familiarise yourself with and comply with this Policy, to help ensure that all processing of Personal Data by or on behalf of the Five Guys Group is carried out in accordance with the GDPR.
1.9 This Policy forms part of the Five Guys Group Information Governance Framework. The Framework includes a number of additional policies and procedures, which Personnel should familiarise themselves with. Details of the Information Governance Framework can be found in Appendix 1.
1.10 This Policy does not form part of any employee’s contract of employment and it may be amended at any time.
1.11 It is important that you take responsibility for ensuring that you act in accordance with this Policy. Any breach of this Policy by you will be taken seriously and may result in disciplinary action. It may also result in us breaching the GDPR or other legal requirements.
1.12 A list of all Departmental Heads within the Five Guys Group can be requested by contacting the Legal Department at legal@fiveguys.nl. The Department Head will be responsible for ensuring all Personnel comply with this Policy and needs to implement appropriate practices, processes, controls and training to ensure such compliance.
1.13 Any questions about the operation of this Policy or any concerns that the Policy has not been followed should be referred in the first instance to the Legal Department, who can be contacted at legal@fiveguys.nl.
2. DEFINITIONS
2.1 In this Policy, the following words have the meanings set out below:
  Data Controller means the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. For example, each Five Guys Group company will be the Data Controller of the Personal Data about its employees.
  Data Processor means an organisation that processes Personal Data on behalf of a Data Controller in accordance with the Data Controller's instructions. The Five Guys Group may use a Data Processor to Process Personal Data on its behalf, for example TMF Netherlands B.V. who provide payroll and human resources services to us.
  Five Guys Group means FGE International B.V., a private limited liability company, incorporated under the laws of the Netherlands, having its office address at Piet Heinkade 55, 1019 GM Amsterdam, The Netherlands and registered with the Trade Register under number 61334790, together with its subsidiaries, parent and its affiliated entities (collectively, Five Guys). More information on the Five Guys Group can be found at www.fiveguys.com.
  Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For example, sending an e-mail containing Personal Data of a Five Guys Group employee, including their remuneration details, to a third party that is not entitled to see it. Please see the Security Breach Notification and Reporting Policy for further details.
  Data Subject means a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
  Personal Data means any information about an individual which identifies them. A person does not need to be named in a document for the document to include Personal Data. If it is obvious from the document who the information relates to, this is enough to constitute Personal Data. Similarly, if it is obvious who the document is about when it is used in conjunction with other information held, this will also be enough to constitute Personal Data. Personal Data might include: a name; e-mail address; date of birth; an ID number; location data; an online identifier; one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; or an opinion about an individual.
  Process(ing) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  Special Category Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
  Website means the websites found at:
3. DATA PROTECTION PRINCIPLES
3.1 Anyone using Personal Data must do so in accordance with the principles set out in the GDPR. Those principles state that Personal Data must be:
  3.1.1 Processed fairly, lawfully and transparently;
  3.1.2 collected for specified, explicit and legitimate purposes and not used in a manner which is incompatible with those purposes;
  3.1.3 adequate, relevant and not excessive;
  3.1.4 accurate and, where necessary, up to date;
  3.1.5 kept for no longer than is necessary; and
  3.1.6 used in a way which ensures the Personal Data is kept secure.
3.2 We are responsible for ensuring that we comply with the principles set out above and we must be able to demonstrate the steps that we have taken to comply. This is known as the accountability principle under the GDPR.
3.3 We describe how you can help us satisfy these principles by setting out some practical examples in paragraphs 4 to 9 below.
4. FAIR AND LAWFUL PROCESSING
4.1 Personal Data must be Processed fairly, lawfully and in a transparent manner in relation to the Data Subject.
4.2 You may only Process Personal Data on the basis of one or more of the legal bases set out in the GDPR. The list below identifies the legal bases which are most likely to apply to the Five Guys Group:
  4.2.1 the Data Subject has given consent;
  4.2.2 the Processing is necessary for the performance of a contract with the Data Subject;
  4.2.3 the Processing is necessary to meet our legal obligations;
  4.2.4 the Processing is necessary to protect the Data Subject's vital interests; for example where the subject of the Personal Data is physically or legally incapable of giving consent (this is intended to cover matters of life and death); or
  4.2.5 to pursue our legitimate interests, except where the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects.
4.3 Special Category Personal Data must be treated more carefully by us so, where you wish to Process Special Category Personal Data, you must also be able to justify the Processing under a list of narrower legal bases. These include when:
  4.3.1 the Data Subject has given explicit consent;
  4.3.2 the Processing is necessary for the purpose of carrying out the obligations or exercising our legal rights in the field of employment;
  4.3.3 the Processing is necessary to protect the vital interests of an individual where the subject of the Personal Data is physically or legally incapable of giving consent (this is intended to cover matters of life and death);
  4.3.4 Personal Data is manifestly made public;
  4.3.5 the Processing is necessary for the establishment, exercise or defence of legal claims; or
  4.3.6 the Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee and medical diagnosis. This legal basis will only apply if the Processing is carried out by, or under the responsibility, of a person subject to a legal or professional duty of confidence (for instance, a doctor).
4.4 You must identify and document the legal ground being relied on for each Processing activity. If you are in any doubt about which legal basis applies to the Processing, please contact the Legal Department, via e-mail at legal@fiveguys.nl for further advice and guidance.
4.5 The GDPR requires Data Controllers to provide detailed, specific information to Data Subjects about how their Personal Data is used. Such information must be provided through appropriate Privacy Notices, which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.
4.6 The Five Guys Group has adopted and maintains Privacy Notices for employees, franchisees, customers and suppliers. The Privacy Notices set out the legal basis on which the Five Guys Group relies to process the Personal Data for the purposes identified in the Privacy Notices. For a copy of our Privacy Notices, please contact the Legal Department at legal@fiveguys.nl.
4.7 You should check that the way you are using Personal Data is covered by the purposes detailed in the Privacy Notice. If it is not, you should refer to the Legal Department, via e-mail at legal@fiveguys.nl who will then consider the Processing and will take the appropriate action, which may include carrying out a Data Protection Impact Assessment (DPIA) and / or updating the relevant Privacy Notice.
5. SPECIFIED PURPOSE
5.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.
5.2 You should not use Personal Data for new, different or incompatible purposes from those purposes disclosed when the Personal Data was first obtained. If it becomes necessary for us to use or disclose the Personal Data for any purpose that is additional to or different from the originally specified purpose (i.e. to change the purpose for which the Personal Data is Processed), the Data Subject must be informed of the new purpose before any new processing occurs. Consent may also need to be obtained from the Data Subject to the proposed new use of their Personal Data.
5.3 If you plan to use Personal Data for any new purposes, you should contact the Legal Department, via e-mail at legal@fiveguys.nl for further advice and guidance.
6. DATA MINIMISATION
6.1 Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
6.2 Personal Data should only be collected to the extent that it is required for the specific purpose(s) notified to the Data Subject. Any Personal Data which is not necessary for that purpose should not be collected by Personnel in the first place.
6.3 You may only Process Personal Data if and when the performance of your job duties requires it. You should not Process Personal Data for any reason unrelated to your job duties.
6.4 You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Five Guys Group data retention policy. For further information on this policy, please see section 8 below.
7. ACCURACY
7.1 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
7.2 You will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards.
7.3 Where appropriate, you should assess the accuracy of Personal Data at the time of collection from sources other than the individual to whom the Personal Data relates.
7.4 You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
7.5 Any challenges to the accuracy of the Personal Data by the Data Subject should be processed and carefully considered in line with paragraph 12 of this Policy.
7.6 Where Personal Data is duplicated and held separately at different departments, locations or different systems, please ensure that all updates or amendments to Personal Data are communicated to all parties and departments holding copies of the Personal Data and that all systems holding the Personal Data are updated. Please communicate any updates or amendments to the Legal Department at legal@fiveguys.nl.
8. KEPT FOR NO LONGER THAN IS NECESSARY
8.1 Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the Personal Data is Processed.
8.2 This means you must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which it was originally collected, including for the purpose of satisfying any legal, accounting or reporting requirements.
8.3 Data Subjects should be informed of the period for which their Personal Data is stored and how that period is determined. This is communicated to them at a high level in the relevant Privacy Notice at section 4.6. For further information on retention periods, please contact the Legal Department at legal@fiveguys.nl.
9. SECURITY
9.1 Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction, damage, access, use or disclosure.
9.2 We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.
FIVE GUYS® – DATA PROTECTION POLICY – version 1.1 [August 2018]
9.3 You are responsible for protecting the Personal Data we hold. You must follow the procedures we set out to protect the Personal Data we hold from unlawful or unauthorised Processing and against the accidental loss of, destruction or damage to that Personal Data. You must exercise particular care in protecting Special Category Personal Data from unauthorised or unlawful Processing and against accidental loss, destruction, damage, access, use or disclosure of such Special Category Personal Data.
9.4 You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
  9.4.1 confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it;
  9.4.2 integrity means that Personal Data is accurate and suitable for the purpose for which it is Processed; and
  9.4.3 availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.
9.5 You must comply with all applicable aspects of our internal compliance policies which you received when you became an employee or are otherwise engaged with us and which have been made available to you (e.g. as laid down in the Five Guys Group's employee handbook, the Website, Five Guys internal SharePoint). Copies of these policies can be obtained from the Legal Department at legal@fiveguys.nl. You should not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain to protect Personal Data.
9.6 You may only transfer or allow access to Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested. Please see section 16 for further details on the relevant requirements.
9.7 All Personnel who Process Personal Data must carry out appropriate training.
10. PERSONAL DATA BREACHES
10.1 The GDPR requires Data Controllers to notify certain Personal Data Breaches to the applicable regulator and, in certain instances, the Data Subject.
10.2 You must comply with the Security Breach Notification and Reporting Policy if you become aware of or suspect that a Personal Data Breach has occurred.
11. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA
11.1 The GDPR restricts transfers of Personal Data to countries outside the EEA in order to ensure that the level of protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that Personal Data in or to a different country.
11.2 Personal Data should not be transferred outside of the EEA, including being accessed outside of the EEA, unless this has first been discussed with the Legal Department so that appropriate procedures can be implemented.
12. RIGHTS OF DATA SUBJECTS
12.1 Data Subjects have rights when it comes to how we Process their Personal Data. These include rights to:
  12.1.1 withdraw consent to Processing at any time;
  12.1.2 receive certain information about the Data Controller’s Processing activities;
  12.1.3 request access to their Personal Data that we hold (referred to as a Subject Access Request or SAR);
  12.1.4 object to our use of their Personal Data for direct marketing purposes;
  12.1.5 request erasure of Personal Data, if it is no longer necessary in relation to the purposes for which it was collected or Processed;
  12.1.6 rectify inaccurate data or complete incomplete data;
  12.1.7 restrict Processing in specific circumstances;
  12.1.8 object to Processing which has been justified on the basis of our legitimate interests or in the public interest;
  12.1.9 request a copy of an agreement under which Personal Data is transferred outside of the EEA;
  12.1.10 object to decisions based solely on automated decision making, including profiling;
  12.1.11 prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
  12.1.12 be notified of a Personal Data Breach which is likely to result in high risk to the Data Subject's rights and freedoms;
  12.1.13 make a complaint to the supervisory authority; and
  12.1.14 in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format (referred to as data portability).
12.2 You must immediately forward any Data Subject request you receive to the Legal Department and your local regional managers in the country in which you work, who will consider the request, consulting with the appropriate Five Guys team if necessary, and prepare an appropriate response.
13. ACCOUNTABILITY
13.1 The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles. In practice this means that the Five Guys Group needs to be proactive and organised about its approach to data protection and evidencing the steps that have been taken to comply.
13.2 You must keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects' Consents and procedures for obtaining Consents.
14. PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENT (DPIA)
14.1 We are required to implement privacy by design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data protection principles.
14.2 Privacy by design means that, for example, when considering new purposes for Processing Personal Data or implementing new technology, you need to consider the impact the Processing will have on Data Subjects for the whole lifecycle of the Processing (i.e. from start to finish of the Processing of the Personal Data).
14.3 You must assess what privacy by design measures can be implemented on all programs / systems / processes that Process Personal Data by taking into account the following:
  14.3.1 the state of the art;
  14.3.2 the cost of implementation;
  14.3.3 the nature, scope, context and purposes of Processing; and
  14.3.4 the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
14.4 Data Controllers must also conduct DPIAs in respect of high risk Processing. Some examples of high risk Processing include: systematic and extensive profiling with significant effects on data subjects; when Processing biometric data; or data matching by combining, comparing or matching Personal Data obtained from multiple sources.
14.5 You should conduct (and document) a DPIA (and discuss your findings with the Legal Department and your local regional manager) when implementing major systems or business change programs involving the Processing of Personal Data including:
  14.5.1 use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
  14.5.2 automated Processing including profiling and automated decision making;
  14.5.3 large scale Processing of Special Category Personal Data;
  14.5.4 Processing biometric or genetic data;
  14.5.5 carrying out data matching using Personal Data obtained from multiple sources;
  14.5.6 tracking a Data Subject's geolocation or behaviour, including but not limited to the online environment; and
  14.5.7 large scale, systematic monitoring of a publicly accessible area.
14.6 If you believe you should conduct a DPIA, you should contact the Legal Department and your local regional manager for further advice and guidance.
15. DIRECT MARKETING
15.1 In addition to the GDPR there are other rules and privacy laws that apply to direct marketing. These are complex and vary depending on the method of marketing (for example, marketing by email) and the type of recipient (for example, private individuals or corporate subscribers).
15.2 If you plan to undertake direct marketing you should contact the Legal Department and your local regional manager for further advice and guidance.
16. SHARING PERSONAL DATA
16.1 Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
16.2 You may only share the Personal Data we hold with another employee, agent or representative of our group if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions as detailed in section 11.
16.3 If you plan to share Personal Data with a third party, you are expected to have evaluated that the third party applies appropriate technical and organisational security measures to protect the Personal Data, prior to any sharing taking place.
16.4 In addition, before sharing any Personal Data with a third party please contact the Legal Department for further advice and guidance.
17. COMPLAINTS
17.1 Complaints from Data Subjects should be dealt with as follows:
  17.1.1 if the Data Subject is an employee of Five Guys Group, please refer the complaint to hrinternational@fiveguys.nl;
  17.1.2 if the Data Subject is a customer, please refer the complaint to privacy@fiveguys.com; and
  17.1.3 for all other complaints concerning Personal Data, please refer to the Legal Department at legal@fiveguys.nl.
17.2 If the complaint relates to a Personal Data Breach, please refer to the Security Breach Notification and Reporting Policy.
18. CONSEQUENCES OF FAILING TO COMPLY WITH THIS POLICY
18.1 Any failures to comply with this Policy may be treated as a disciplinary matter and, following an investigation, may be regarded as misconduct leading to disciplinary action, up to and including dismissal, as per the Five Guys Group's disciplinary policy which is covered in the Five Guys Group's employee handbook. In certain circumstances, misuse of Personal Data will constitute a criminal offence.
19. REVIEW AND CHANGES TO THE POLICY
19.1 The Legal Department shall have overall responsibility for reviewing this Data Protection Policy to ensure that it meets legal requirements and reflects best practice. The Data Protection Policy will be reviewed annually or more often if deemed necessary by the Legal Department.
19.2 Any updates to this Data Protection Policy will be uploaded to the Website. It is your responsibility to check back regularly to obtain the latest copy of this Data Protection Policy.
19.3 This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Five Guys Group operates. Certain countries may have localised variances to this Data Protection Policy which are available upon request to the Legal Department by email to legal@fiveguys.nl.

APPENDIX 1

INFORMATION GOVERNANCE FRAMEWORK

An Information Governance Framework establishes the Five Guys Group's approach to handling and protecting the data it Processes, known as information governance. The Framework is made up of policies, procedures and guidance documents to help Personnel comply with our regulatory and legal obligations to protect Personal Data, both electronic and paper.

The documents that form part of the Five Guys Group's Information Governance Framework include:

  • Data Protection Policy
  • Security Breach Notification and Reporting Policy
  • Privacy Policy – employee, customer, supplier and franchisee
  • Intra Group Data Sharing Agreement