Our client - as part of a chain - operates fast-food restaurants.
The task was to provide them with data protection compliance that takes into account their vast customer base, the operation of a CCTV surveillance system, the characteristics of each restaurant and the central data protection provisions of the network.
To carry out the project, we first had to conduct a comprehensive data protection audit, which firstly meant recording information on the camera system in each restaurant, how many cameras were there, what the angle of view of each camera had, which cameras made recordings, which ones only transmitted live images, who had access to the recordings, how long the data was kept, and what physical security measures were used to store the data.
We inspected the electronic devices and applications that process customer data and paper-based records (guest book, guest accident report, etc.).
We then inspected practices for storing employee data, examined the available data processing notices and warnings in restaurants, and interviewed the managers of each unit and the company's central management.
It was also necessary to assess the status of data processing regarding home deliveries and the customer marketing and market research database.
In the legal part of the project, the necessary documentation was grouped into four categories. In the first category, we prepared notices of information for guests; in the second, we prepared notices of information for employees; and in the third category, we prepared documents and policies to deal with potential data breaches.
Finally, we focused on preparing the files that were part of the internal documentation, such as the privacy policy or the so-called "balance of interests" tests.
Considering that the data protection and data processing compliance of an organisation can only be complete if its data protection obligations in its capacity as a data controller or data processor are implemented into practice, and all the members of the organisation concerned carry out their daily work being aware of it and in adherence to it, we concluded our work with internal training, including sensitisation, orientation and legal training.
