Information pursuant to Article 3 of the EU Data Act

1. Connected Products – Pre-contractual information pursuant to Article 3(2) of the Data Act

Products concerned: Adyen card payment terminals, managed network/end devices (collectively, the “Connected Products”).
When the Connected Products are used for their intended purpose, product data within the meaning of the Data Act is generated. Specifically, this comprises the following data:
 

1.1 Card payment terminals:

The card payment terminals are provided by the payment service provider Adyen, made available to the user by Gastronovi, and integrated into the infrastructure. A separate contractual relationship exists between the respective user and Adyen regarding the use of the terminals. To the best of Gastronovi’s knowledge, Adyen may, within the scope of this contract, collect and analyse its own data over which Gastronovi has no influence and to which it has no or only limited access. The information provided here relates exclusively to the product data for which Gastronovi acts as the data controller within the meaning of the Data Act. Payment data relating to card acceptance – in particular primary account numbers, PIN data and card verification numbers – is not processed by the service; it remains exclusively within the areas of responsibility of Adyen and the participating payment service providers. For Adyen, the information pages and contractual documents provided by Adyen shall apply.

1.1.1 Type, format and estimated scope of product data:

1.1.1.1 Transaction-related data (per payment): amount, currency, card type, authorisation status, PSP reference, terminal ID, CVM (e.g. PIN masked), time of payment, receipts (CustomerReceipt & CashierReceipt)

1.1.1.2 System/technical data: firmware version, terminal model, MAC address, battery level, location data (e.g. branch assignment), error status, update history

1.1.1.3 Via a terminal interface, Gastronovi can request aggregated data (total turnover, number of transactions) per terminal, operator and shift from Adyen. The potential data requests are listed at (https://docs.adyen.com/api-explorer/terminal-api/1/overview). Currently, no such requests are made without the customer’s instruction.

1.1.1.4 The product data is stored in JSON format.

1.1.1.5 The scope of transaction-related data is limited to the data mentioned above. The scope of aggregated data generated from the transaction-related data depends on the scope of the data request.

1.1.2 Information on continuous data generation:

1.1.2.1 No continuous / real-time data collection.

1.1.2.2 Data is generated and transmitted on an event-driven basis, e.g. upon: payment initiation/completion, terminal status messages, total queries by the POS system. There is no continuous data transmission in the background,

1.1.3 Storage locations and duration:

1.1.3.1 Transaction data is stored on the device. The device can be reset to factory settings (only by Adyen) and all data is deleted. Data is also stored in the Adyen cloud, to which the customer has direct access, and (to the extent set out in section 2 below) on Gastronovi’s servers for display and access via the POS software.

1.1.3.2 The retention period at Adyen is 7 years for transaction data and reports. A longer retention period is possible in the event of legal, tax or regulatory requirements (https://www.adyen.com/en_SG/privacy-policy/transaction)

1.1.3.3 The retention period at Gastronovi corresponds to the statutory retention periods.

1.1.4 Access options

1.1.4.1 The customer is granted direct access to the Adyen Customer Area (Dashboard) – a web-based management interface through which they can, amongst other things, view and download data stored on the server. There, they can: view transactions (including date, amount, payment method, status), retrieve receipts (CustomerReceipt & CashierReceipt), create and download reports, analyse totals and turnover (e.g. daily, weekly, monthly turnover), check terminal status and activity, start a remote session for the terminal and configure all terminal settings. The data is usually made available as .csv or .xlsx files or in other standard data formats and can be exported.

1.1.4.2 On the payment terminal itself, it is possible, amongst other things, to view the transaction history of the individual device since the last reset. Access to this is protected by a code, which the user can view in the POS software (Gastronovi Pay integration tile).

1.2 Network/Device Management:

Gastronovi’s local and mobile devices, as well as network devices, are managed using a device management system (‘GMS’) or network management system (‘NMS’) and transmit, amongst other things, system status and status data to the relevant management system of Gastronovi or the device manufacturer/supplier.

1.2.1 Type, format and estimated scope of product data:

1.2.1.1 The local or mobile end devices (PCs, laptops, tablets, smartphones) managed by the GMS collect and transmit the following data: device ID, serial number, manufacturer, model; operating system and version; hardware details (CPU, RAM, hard drives, peripherals) and performance metrics; installed software and versions; network data: IP address, MAC address, hostname; activity logs and event logs.

1.2.1.2 The network devices managed by an NMS (routers, switches, hubs, access points) collect and transmit the following data: device ID, serial number, manufacturer, model, operational statistics, history of connected devices, aggregated traffic information.

1.2.2 Information on continuous data generation:

1.2.2.1 The data is generated and recorded continuously.

1.2.3 Storage locations and duration:

1.2.3.1 Data relating to devices managed via the GMS is stored on the GMS provider’s servers. The duration of storage depends on the type of data: activity logs and hardware-specific performance metrics are stored by the GMS provider for up to 365 days, depending on the number of logs and the volume of data. Event logs (Windows Events) are retained for only a few hours by default and are cleared daily, provided that no specific alerting rules have been configured. Hardware and software information remains stored for as long as the relevant device is active in the console. As soon as a device is deleted, this data is usually removed immediately.

1.2.3.2 Data from network devices managed via an NMS is transferred to the network management systems of the respective manufacturers/providers (e.g. UniFi Network, Cambium Networks, Teltonika) and stored on their servers. The scope and retention period are determined by the specifications of the respective manufacturers, from whom the relevant information is available.

1.2.4 Access options

1.2.4.1 The data can usually be exported from the relevant services (see Section 2) as .csv or .xlsx files or in other standard data formats.

2. Connected Services – Pre-contractual information pursuant to Section 3(3) of the Data Act

Services concerned: Cloud-based POS software – Gastronovi Office, Controller App, Monitoring System gn UEM (“Connected Services”). 
Connected Services consist, on the one hand, of the cloud-based POS software Gastronovi Office, including associated modules and apps. When this service is used, Gastronovi receives certain product data from the connected payment terminals. In addition, service data relating to the POS service is generated, such as session and access logs, configuration and rights management events, and version and update information.
The Controller App and the Monitoring System receive the data specified in section 1.2 from the connected products. In addition, service data relating to the POS service is generated, such as session and access logs, configuration and rights management events, and version and update information.
The network management systems of the manufacturers/providers are not operated or directly offered by Gastronovi. The respective providers/manufacturers therefore remain responsible for the mandatory information under the Data Act.

2.1 POS software

2.1.1 Product data

2.1.1.1 The POS software receives success or error messages relating to payment transactions from the connected payment terminals. 
2.1.1.2 For details regarding the type, scope, frequency, access/retrieval, storage and retention, see section 1.1.1 above.

2.1.2 Related service data

2.1.2.1 When using the POS software, so-called client logs are created, which record the following event-related data regarding the use of the software and the client used for this purpose: loading of the application, including information on local device settings, browser error messages, notifications regarding print jobs (provided this is explicitly activated on the device), notifications regarding EC terminal transactions, forced reloading of the application, activation of the till’s offline mode, and connection establishment to the local controller (information regarding the operating system and Java version of the system on which the local controller is running). 
2.1.2.1 The service data is stored in a log database on the POS software server. As soon as the log database storage becomes full, the oldest log is deleted. When this occurs depends on the volume of incoming data/logs. Currently, the retention period is approximately 50 days.
2.1.2.3 Access to service data generated as part of the service can be obtained by submitting a request to Gastronovi support.
 

2.2 Network/Endpoint Management

2.2.1 Product Data

2.2.1.1 The network/endpoint management applications (NMS or GMS) receive the product data described in section 1.2 above from the connected network/endpoint devices. 
2.2.1.2 For details regarding the nature, scope, frequency, access/retrieval, storage and retention of data, please also refer to section 1.2 above.
 

2.2.2 Related service data

2.2.2.1 When using network/end-device management, the following data is generated/recorded: access logs, connection history, events. 
2.2.2.2 Service data is collected and stored on an event-by-event basis.
2.2.2.3 Depending on the system, service data is stored for between 24 hours and 10 years or overwritten.
2.2.2.4 The data can generally be exported as .csv or .xlsx files or in other standard data formats
 

3. Use by Gastronovi

Gastronovi is entitled, on the basis of and in accordance with the contractual agreements set out in the General Terms and Conditions (in particular clauses 1.9 and 7 of the General Terms and Conditions), to use the product and service data, as well as any data derived therefrom, for its own business purposes. This includes, in particular, the collection, extraction, storage, organisation, consolidation, evaluation, modification, enrichment, aggregation and, where necessary, anonymisation of the data, as well as its use in connection with the offering, provision, operation, security, further development, improvement or commercial exploitation of Gastronovi’s services, products, systems, processes or business models. Such use also includes analysis, statistics, optimisation, development, testing, training and other business purposes, as well as the use of insights and work results derived therefrom. Mandatory legal restrictions remain unaffected.

4. Disclosure and use by third parties

4.1 We do not intend to authorise the use of product and service data by third parties for purposes agreed with the user, unless the user submits a specific request to that effect in individual cases.

4.2 Users may request that readily available service data be made available to third parties in accordance with the Data Act, in particular Article 5. To do so, a corresponding request must be sent by email to privacy@gastronovi.com. A request to cease disclosure may be made in the same manner. Once disclosure has ceased, data flows will be terminated. Data already provided remains unaffected, unless statutory rights provide otherwise.

5. Right to lodge a complaint

Without prejudice to other rights, a complaint may be lodged with the competent national authority under Article 37 of the Data Act if pre-contractual information obligations have not been fulfilled or access to data has been unjustifiably restricted. The contact details of the competent authority will be added as soon as national jurisdiction is published.

6. Trade secrets, payment data demarcation and third-party rights

The product and service data do not constitute trade secrets of Gastronovi.

7. Term of the contract and consequences of termination

The term of the contract for the Connected Services and the conditions for termination are set out in the relevant contractual agreements and, in particular, in Gastronovi’s Terms and Conditions (see www.gastronovi.com/agb under 2.13). If the contract ends or the right of use ceases, the collection and provision of data for the service will cease.