Privacy Policy
At the European Independent Purchasing Company Limited (“IPC EMEA”, “We”, “Our” or “Us”) We care about you and your privacy and We are transparent in the way We process your Personal Data.
When it comes to your Personal Data you are in control. We want to make sure that you understand why We ask you for some Personal Data, what We do with it, and the rights and choices you have over how We use your Personal Data. We also provide the contact details for our Data Protection Officer below.
This Privacy Notice explains how We process your Personal Data (including your Personal Data held on the “Extra” website at https://ipcemea.org/ (the “Website”)
Prior to using the Website and signing up to and accessing the secured part of the Website (“Secure Area”) it is important that you read through the information contained in this Privacy Policy. If you are a Subway® Franchisee, an employee of a Subway® Franchisee or an employee of IPC EMEA (collectively “Secure User(s)”), then by registering to use, accessing and using the Secure Area of the Website you are agreeing to the collection, use, storage and transfer of your Personal Data in accordance with this Privacy Policy.
1. Data Controller
The Website is owned and operated by the Independent Purchasing Company Limited trading as IPC EMEA who is registered in England and Wales under company number 04267249 whose registered office is at Rapid House, 40 Oxford Road, High Wycombe, Buckinghamshire, HP11 2EE, England and is registered with the Information Commissioner’s Office (“ICO”) under number Z9356412.
We are controllers in common with the Subway® Group as defined in section 11 “Who has access to your Personal Data?”
As controllers in common, both IPC EMEA and the Subway® Group access your personal data, however IPC EMEA and the Subway® Group process your personal data independently and for different purposes. We therefore recommend that you view the Subway® Group’s privacy statement for further information about how they process your personal data. This is available from
https://www.subway.com/en-US/Legal/PrivacyNotice. We are unable to assist with any queries in relation to how the Subway® Group processes personal data, any such queries should be directed to Subway® using the information provided on their website.
Please note that this Privacy Policy is only related to how IPC EMEA processes your Personal Data collected on the Website.
If you have any questions about Us or the way We process your Personal Data, please contact Our Support Desk, see section 18 “Contact Us”.
Definitions
Data Subject is any person whose Personal Data is being collected, held or processed.
Employee means any employee of Subway® Franchisees and the employees of IPC EMEA.
Personal Data means any information relating to an identified or identifiable natural person, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Store means the Subway® Franchisee’s store(s) located in the Territory.
Subway® Franchisee(s) are the franchisees who each operate a Subway® franchise business having entered into a franchise agreement with Subway International B.V.
Territory means Europe and the United Kingdom.
3. Our legal basis for collecting and processing your Personal Data
Data protection requires that all Personal Data be processed lawfully, fairly and transparently. A legal basis for processing must therefore be fulfilled before any organisation can process Personal Data. We use the following bases:
a. Contractual basis: We process your Personal Data where the processing is necessary for the performance of a contract, this includes the Member Terms and Conditions. For this reason, We may send you notifications or contact you regarding relevant provisions in relation to the contract between us. You are unable to opt out of having Personal Data processed by Us where We process your Personal Data on the basis of it being necessary for the performance of our contractual relationship.
b. Legitimate interest: We may collect, hold and process your Personal Data on the basis of legitimate interest where it is necessary for Us to fulfil Our needs as a business and to be able to provide you with Our services. We may also rely on this basis to process Personal Data where We believe that such processing is in your legitimate interest.
NOTE: If you do not want to be contacted on the above basis, you can opt-out at any time by contacting our Support Desk via email:
support@ipcemea.org
c. Vital interest: In certain limited circumstances We may use your Personal Data to contact you if We reasonably believe that there is any urgent safety or product issue that We need to communicate to you where there is no other applicable lawful basis.
d. Legal Obligation: On occasion it may be necessary to process your Personal Data in order to comply with Our own legal obligations such as complying with money laundering legislation, for financial reporting etc.
e. Consent: Where consent is relied upon you will be provided with enough information to enable you to make an informed decision on whether to provide or withhold consent prior to the processing activity taking place. You can request to cancel your access to the Secure Area at any time and for Your details and information to be deleted.
4. How we use your Personal Data
IPC EMEA may use your Personal Data for the following purposes (“
Purposes”):
Purposes
|
Lawful basis
|
To carry out obligations arising from any contract entered into between IPC EMEA and you
|
Contractual relationship
|
To use or permit selected third-parties (see section 11. Who has access to your Personal Data) to use your Personal Data to provide you with information which may be of interest
|
Legitimate interest
|
To carry out any obligation We have agreed with you
|
Contractual relationship
|
To seek your view or comments on the services IPC EMEA or any Affiliate provides
|
Consent
|
To notify you of any changes to Our services
|
Contractual relationship
Legitimate interest
|
To notify you about any changes in Our Website terms and conditions; Privacy Policy or other arrangements with you
|
Contractual relationship
|
To respond to your request or queries
|
Contractual relationship
Legitimate interest
|
To administer the Website and for internal operations including troubleshooting, data analysis testing research statistical and survey purposes (anonymised operations)
|
We do not consider this to be Personal Data
|
To improve the Website to ensure that the content is presented in the most effective manner for you
|
Contractual relationship
Legitimate interest
|
To allow you to participate in interactive features of Our services when you choose to do so
|
Legitimate interest
|
To keep Our Website safe and secure
|
Contractual relationship
Legitimate interest
|
To make suggestions and recommendations to you and other users of the Website about goods or services that may interest you or them
|
Legitimate interest
|
To contact you about any IPC EMEA governance activity such as but not limited to elections, voting
|
Contractual relationship
Legitimate interest
|
To send you information that may be of your interest
|
Legitimate interest
|
To send you information about our new deals and/or services
|
Contractual relationship
Legitimate interest
|
To provide you information about suppliers or distributors
|
Contractual relationship
Legitimate interest
|
To help you to buy new products and/or services at better prices
|
Contractual relationship
Legitimate interest
|
Manage your relationship with distributors and suppliers
|
Contractual relationship
Legitimate interest
|
We may use and analyse the information We collect so that We can manage, administer, support, improve and develop Our business.
|
Contractual relationship
Legitimate interest
|
We may collect use and analyse your Personal Data for surveys and/or research orientated to improve the services provided by Us.
|
Legitimate interest
|
We may use your Personal Data to send you direct marketing communications
|
Consent
|
To comply with statutory requirements and/or requirements of local authorities in relation to the services We provide to you
|
Legal Obligation
|
To communicate any potential health and safety issues relating to the goods and/or services supplied to you
|
Vital interests
|
IPC EMEA obtains information about you when:
- You access and/or register on the Website
- You contact Support Desk/TechNet either by email or by phone
- Subway® Group send Us your details because you have become a Subway® Franchisee in the Territory
- Are an Employee and either the Subway® Franchisee provided Us with your details, or you contacted Us directly
- Provide Us with your Personal Data for the Purpose of entering into a contractual relationship with Us.
6. Personal Data We collect
IPC EMEA collects and process the following Personal Data:
- Information you or a third-party provide to Us, including; name, surname, address, telephone number, mobile number, personal email address, date of birth (if required)
- Store and/or commercial details which may be Personal Data, including store number, address, phone number, email where such information may identify a Data Subject e.g. johnsmith@abc.com
- Details regarding the contracts and arrangements you have entered into with suppliers and/or distributors sourced by IPC EMEA, including but not limited to commercial details such as but not limited to deals with services providers and trading history where such information may identify a Data Subject
- When you contact Us through Support Desk regarding any query or complaint, We may keep a record of that correspondence. Please do not supply any additional Personal Data unless We prompt you to do so. We will never ask for your bank account details or passwords to the Secure Area of the Website. We shall not be responsible for any information that you voluntarily send Us without being required to do so.
Information We collect about you:
Each time you visit the Website We will automatically collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet; your login information; browser type and version; time zone setting; browser plug-in types and versions; operating system and platform;
- Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from the Website (including date and time), products you viewed or searched for’, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call Our Support Desk
- Data on visits and the visitors to the Website. We track visitors using ‘cookies’ (see our Cookie Policy for more details)
- Are an Employee and either the Subway® Franchisee provided Us with your details, or you contacted Us directly
- Your views and opinions. From time to time We may carry out market research or surveys, unless you are advised to the contrary any answers to market research surveys that you give will be anonymised. Participation in research is entirely voluntary.
Information we receive from other sources:
- This is information IPC EMEA may receive about you if you use Our Affiliates (meaning any person, partnership, joint venture, company, corporation, subsidiary or other form of enterprise, domestic or foreign, directly or indirectly controlling, or controlled by or under common control of Us) Websites or the Websites of IPC EMEA’s service providers.
- We may receive information about you from Subway® Group (defined below in section 11. “Who has access to your Personal Data?”)
- We may receive Personal Data from a Subway® Franchisee or a Development Agent (“DA”) when they contact Us.
7. Third party links
The Website may include links to other websites, these third-party links are not owned, managed or controlled by IPC EMEA and they have not been reviewed by IPC EMEA. The information in these other third-party links are not Our responsibility, therefore We advise you to read the third-party’s terms and conditions and privacy notice on their websites (when you first access them and at regular intervals thereafter). We cannot accept any liability for the contents of any third-party websites.
8. Anonymous information that We collect
We may use and share aggregate information relating to groups of customers, without identifying individuals, to learn more about your behaviour and find ways of enhancing Our service. We consider that this type of information is not included in the definition ‘Personal Data’ because the individuals are not traceable, and any personal details are kept.
9. Minors
The Secure Area is for Secure Users only and is not designed or intended to collect Personal Data from users below the minimum employment age in the Territory. IPC EMEA does not knowingly collect Personal Data from anyone below the minimum employment age.
If you believe a user below the minimum employment age has provided IPC EMEA with Personal Data without consent, please contact Our Support Desk. Details are set out below in section 18 “Contact Us”.
10. Where We store your Personal Data
The Personal Data that We collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) as long as it is in a country which has been assessed by the European Commission and/or ICO as ensuring an adequate level of protection for Personal Data.
We may store and process your Personal Data through third parties that We use to operate the services that We provide.
Personal Data may also be processed by staff operating outside the EEA who work for IPC EMEA, its Affiliates or the Subway® Group. This would include staff who, for example, are engaged in the provision of support services, prior to any transfer of Personal Data to or from IPC EMEA to any third party, they will take all reasonable steps to ensure that such parties have adequate security protections in place for the protection and secure transmission and storage of any Personal Data including but not limited to being certified under the EU-US privacy shield for parties situated in the United States of America. Where third parties are not situated within the EEA, IPC EMEA will check their procedures, safeguards and security measures to ensure they are adequate pursuant to the data protection legislation before transferring and/or exporting any Personal Data to them; such transfer or processing shall be made in accordance with the standard contractual clauses or such alternative transfer mechanism as permitted in the laws of the Territory.
IPC EMEA will take all reasonable steps necessary to ensure that Personal Data is treated securely and in accordance with this Privacy Policy and as permitted by data protection legislation and related legislation
11. Who has access to your Personal Data?
We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes other than as set out in the “Purposes” section of the table above, unless We have your prior consent.
We may pass your information to Our third-party Affiliates, the Subway® Group and Our processors as detailed below.
Subway® Group comprises the following affiliated entities: Franchise World Headquarters, LLC (“FWH”), SFAFTBV-EUROPE and Subway IP Inc. FWH is licensed to use the SUBWAY® trademark. FWH Technologies, LLC (“FWHT”), the owner and licensor of the Subway POS™ software, which has been approved for use in Subway® restaurants worldwide. The Subway® franchisors: Doctor’s Associates Inc. (“DAI”); Subway® International B.V. (“SIBV”); Subway Systems Australia Pty Ltd (“SSA”); Subway Franchise Systems of Canada, Ltd. (“SFSC”); Subway Partners Colombia C.V. (“SPCCV”); Subway Systems do Brasil Ltda. (“SSB”); Sandwich and Salad Franchises of South Africa Pty Ltd. (“SSFSA”); Subway Systems India Private Limited (“SSIPL”); and Subway Restaurant Management (Shanghai) Co. Ltd. (“SRMS”). The Subway® advertising affiliates: Subway Franchisee Advertising Fund Trust, Ltd. (“SFAFT”); Subway Franchisee Advertising Fund Trust, B.V. (“SFAFT BV”); Subway Franchisee Advertising Fund of Australia Pty. Ltd. (“SFAFA”); Subway Franchisee Canadian Advertising Trust (“SFCAT”); Subway Systems do Brasil Ltda. (“SSB”); Subway Partners Colombia C.V. (“SPCCV”); Subway International B.V. (“SIBV”) (Taiwan Branch); and Sandwich and Salad Franchises of South Africa Pty Ltd. (“SSFSA”), administers national and local advertising funds and activity for Subway® restaurants and Subway® franchisees worldwide. Subway® Loyalty Affiliate.
Third Party Service Providers working on Our behalf: We may pass your information to Our third-party service providers, agents, subcontractors and other associated organisations for the purpose of completing tasks and providing services to you on Our behalf. We eventually may change services provider, but We will notify you, if required. If you need a full detail of the sub-processors, please send an email to
support@ipcemea.org
In addition to the specific disclosures of Personal Data set out in this Privacy Policy, We may disclose your Personal Data where such disclosure is necessary for compliance with a legal obligation or where we are compelled to do so by a regulator or other competent authority.
12. Retention of Personal Data
We will only retain your Personal Data as long as is deemed necessary for the Purposes for which it was collected and to comply with applicable laws or regulations and your consent.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the Purposes for which We process your Personal Data and whether We can achieve those purposes through other means, and the applicable legal requirements. We may retain your basic information for longer periods if so required by law.
13. Security Precautions
IPC EMEA has appropriate technical and organisational measures in place to protect against the loss, misuse and alteration of the Personal Data under its control. Unfortunately, the transmission of information via the internet is not completely secure. Although IPC EMEA does its best to protect your Personal Data, We cannot guarantee the security of your data transmitted to the Website; any transmission is at your own risk. Once We have received your information, We will use strict procedures and security features to try to prevent unauthorised access. It is your responsibility to keep your password confidential. If you believe that your password has been compromised then you should contact Our Support Desk immediately on
support@ipcemea.org
14. What to do if you have a concern or complaint about Our use of your Personal Data
We strive to act in accordance with all relevant data protection legislation, at all times.
If you have a concern or complaint about Our collection or processing of your personal information, then please contact the Support Desk at
support@ipcemea.org
If you are not satisfied with how IPC EMEA deals with your query/complaint or believe We are processing your Personal Data not in accordance with the Data Protection Legislation you can complain to the Information Commissioners Office (ICO).
You have the right to make a complaint to the data protection regulator in your country.
15. How can you access and update your Information
The accuracy of your information is important to Us. If any of the information We hold becomes inaccurate or out of date, please contact Our Support Desk. If you wish to cancel your access to the Secure Area of the Website, please contact Our Support Desk at
support@ipcemea.org. For more details please go to section 18 “Contact Us”
16. Your rights
A summary of your rights under the GDPR are as follows:
- The right to insist that companies who hold your data are transparent about how they use your personal information, and fair in the way they process and use it.
- The right to access your personal information.
- The right to insist that companies correct any mistakes in the information they hold.
- The right to erase or delete your Personal Data in certain situations.
- The right to receive a copy of your Personal Data held by a company, in certain situations.
- The right to opt-out of direct marketing.
- The right to object to automated decision processes which significantly affect or disadvantage you, in certain circumstances.
- The right to object to continued processing of your personal information, in certain circumstances.
- The right to restrict the way that companies process your personal information, in certain circumstances.
- The right to portability
For a full explanation of your data rights, go to:
UK -
www.ico.org.uk
Republic of Ireland –
www.dataprotection.ie
17. Changes to Our Privacy Policy
This Privacy Policy may be reviewed by IPC EMEA from time to time, and IPC EMEA shall be entitled to amend this without notice to you. You are advised to review this Privacy Policy regularly.
18. Contact Us
All comments, queries and requests relating to Our use of your Personal Data are welcomed, please send an email to Support Desk
support@ipcemea.org or you can email our Data Protection Office at
gdpr.enquiries@ipcemea.org
19.Jurisdiction
The terms of this Privacy Policy are governed by the Laws of England and Wales and are subject to the exclusive jurisdiction of the English Courts.
Updated February 2020