1. GENERAL
Here you will find: i) who processes personal data and their information and contacts; ii) when Apollo Group’s data protection terms apply; iii) what the processing relationships are.
1.1. Applicability. These Apollo Group and Apollo Group affiliated companies’ data protection terms (Apollo Group data protection terms) establish the general principles under which Apollo Group processes the personal data of individual customers and users. The data protection terms apply to all customers and users who purchase goods and products from Apollo Group affiliated companies, consume services, visit the websites, stores, cinemas, or restaurants of Apollo Group affiliated companies, or otherwise consume the products or services of Apollo Group affiliated companies.
1.2. About Us. Apollo Group OÜ (registration code 12383236, address Tartu mnt 80d Tallinn 10112) is the parent company of the Apollo Group. The group includes various entertainment and catering companies operating in the Baltics (Estonia, Latvia, and Lithuania): Apollo stores; Apollo cinemas in the Baltics; Blender cafes; Ice Cafe cafes; O’Learys restaurants in the Baltics; MySushi restaurants; Lido restaurants, IT solutions-oriented unit APL Digital Solutions OÜ, and additionally KFC branded restaurants in the Baltics and Finland, as well as Vapiano branded restaurants in the Baltics and Finland. You can find the list of Apollo Group affiliated companies here.
1.3. Apollo Club. Apollo Club is a loyalty program based on an ID card that offers registered members of Apollo Club discounts and experiences in Apollo stores, Apollo cinemas, O’Learys entertainment centers, IceCafes, and Blender juice bars, as well as Vapiano restaurants. You can find the list of companies offering Apollo Club here. The responsible processor of Apollo Club is Apollo Group OÜ. Joining Apollo Club is based on the data subject’s consent; other processing activities in Apollo Club may also take place on other grounds (offering club discounts and keeping track of collected products/amounts – based on the contract; club development based on legitimate interest). Companies offering Apollo Club may share data among themselves to offer Apollo Club discounts and services; conduct marketing and develop Apollo Club. These Apollo Group data protection terms apply to Apollo Club.
1.4. Processing Relationships. Apollo Group companies may provide services to each other and be in different processing relationships. In any case, Apollo Group companies comply with GDPR requirements, and in the case of authorized processing, a data processing agreement is concluded. Each Apollo Group company is the responsible processor when providing its main service (unless otherwise stated); for example, Apollo Kino is the responsible processor when selling cinema tickets, Apollo Stores is the responsible processor when selling products from Apollo Stores, each Apollo Group company is the responsible processor for its website, etc. The responsible processor for offering Apollo Club services is Apollo Group OÜ (other companies offering Apollo Club are authorized processors in the club for processing personal data).
1.5. Data Protection Terms. These Apollo Group data protection terms are the general personal data processing terms of Apollo Group companies. The Apollo Group data protection terms apply to the processing of Apollo Group companies to the maximum possible extent, but Apollo Group companies may have set special conditions in their privacy notices (found on the respective company’s website).
1.6. Contacts. For questions related to the processing of personal data by Apollo Group, you can contact any Apollo Group company at the contacts below or by email at andmekaitse@apollogroup.ee. Apollo Group OÜ, address Tartu mnt 80d Tallinn 10112, email address or andmekaitse@apollogroup.ee.
Contact details of Apollo Group affiliated companies:
1.6.1 Apollo Club –
1.6.2 Apollo stores –
1.6.3 Apollo cinemas –
1.6.4 Blender cafes and Ice Cafe cafes –
1.6.5 KFC branded restaurants –
1.6.6 O’Learys branded restaurants –
1.6.7 Vapiano branded restaurants –
1.6.8 APL Digital Solutions OÜ –
1.7. Other Websites and Social Media. The content behind the links on our websites or social media is regulated by the privacy terms of the respective service providers. We are not responsible for the content or activities of other websites. Personal data processing on different social media channels is also carried out according to the privacy terms of those platforms. In processing personal data on our social media platforms, we follow the privacy terms of the respective platform and these data protection terms.
1.8. Other Websites and Social Media. The content behind the links on our websites or social media is regulated by the privacy terms of the respective service providers. We are not responsible for the content or activities of other websites. Personal data processing on different social media channels is also carried out according to the privacy terms of those platforms. In processing personal data on our social media platforms, we follow the privacy terms of the respective platform and these data protection terms.
1.9. Cookies. Information on the use of cookies can be found through the cookie solution on the pages of Apollo Group companies.
General Principles. We and our partners follow the principles set out in GDPR (lawfulness, fairness, accuracy, transparency, purpose limitation, data minimization, storage limitation, reliability, and confidentiality, as well as data protection by design and by default) in processing personal data.
2. DEFINITIONS
2.1. Definitions. The terms related to personal data have the same meaning as defined in the EU General Data Protection Regulation 2016/679 (GDPR). To simplify the reading of Apollo Group data protection terms, we have provided the meanings of the most used terms under definitions. The respective terms are used in the text of the data protection terms in lowercase.
2.2. Data Subject (hereinafter also You) is a natural person whose personal data is processed by Apollo Group.
2.3. Personal Data is any information about You that allows identifying Your person. Apollo Group mostly collects personal data from You, based on Your relationship with Apollo Group or, for example, in the context of providing services to You or selling goods and products to You.
2.4. Responsible Processor is a legal entity that determines the purposes and means of processing personal data. See the processing relationships section 1.4.
Authorized Processor is a natural or legal person who processes personal data on behalf of Apollo Group as the responsible processor (primarily a partner, service provider) based on a contract concluded with Apollo Group. See the authorized processing section 9.2 for more details.
3. CATEGORIES OF DATA SUBJECTS
Here you will find whose personal data Apollo Group processes.
3.1. Categories of Data Subjects. Apollo Group primarily processes, but is not limited to, the personal data of the following data subjects:
3.1.1. Visitors and users of Apollo Group companies’ websites (e.g., users of the sales environment/e-store);
3.1.2. Users of services/products, i.e., individual customers;
3.1.3. Representatives of cooperation partners and clients who are individuals;
3.1.4. Applicants for employment at Apollo Group companies (see more details in section 5.4);
3.1.5. Employees of Apollo Group companies (information on the processing of personal data is provided internally to employees).
3.2. Processing of Children’s Data. When we process children’s data, we follow the wishes of the parent or guardian (e.g., consent to enroll the child in Apollo Club).
4. PROCESSED PERSONAL DATA
Here you can find what personal data Apollo Group processes.
4.1. Sources of personal data. We collect personal data from the following sources:
4.1.1. Personal data disclosed by the data subject – typically name, contact details, email address, or other personal data sent or made available to us by the data subject;
4.1.2. Personal data resulting from normal communication between us and the data subject, e.g., correspondence regarding services and products;
4.1.3. Personal data resulting from the consumption and use of services and product;
4.1.4. Personal data resulting from visiting and using our websites, such as customer account information when using the website or information received through cookies. Cookies are installed based on your choices;
4.1.5. From organizations offering Apollo Club membership within the scope of Club offering and development activities;
4.1.6. From Apollo Group companies in connection with providing and using services within the group;
4.1.7. From cooperation partners in connection with service provision and auxiliary services (e.g., know-your-customer service provider data for corporate clients; data from payment solution providers – e.g., payment success information);
4.1.8. Personal data we generate and combine (e.g., purchase history; correspondence in the context of customer relationships).
4.2. Categories of personal data. Apollo Group processes your personal data only as needed and based on the purpose of processing. We always have a legal basis for processing. Need-based processing means, among other things, that from the categories below and data pieces within categories, only necessary data pieces are processed in a specific situation. We collect the following types of personal data:
4.2.1. General data – – name, personal ID code/date of birth, gender, phone number, email, delivery method choice, courier information, communication language, address, consent information (e.g., whether consent has been given for newsletter, cookies);
4.2.2. Communication data – communication with Apollo Group company (text messages, conversations, calls, social media comments, chat communication);
4.2.3. Service/product usage/provision related data– – generally service/product usage/purchase information, service/product name, content and amount (price), fact of entering into contract, contract information, technical information from service-related systems – e.g., e-shop);
4.2.4 Payment and payment behavior data – payment information (bank account number, owner information, payment information), payment and claim data collected during accounting;
4.2.5. Feedback, inquiries and complaints, and assessment– compliments, complaints, and feedback data submitted in satisfaction surveys;
4.2.6. Technical information collected in web environments, including websites – when making purchases online, technical information such as activity log, IP address, and cookie information is processed. Cookie usage is regulated in cookie usage terms and the cookie solution on the website;
4.2.7. Video recording information (if any) – when the Data Subject visits an Apollo Group company store, institution, or office;
4.2.8. Apollo Club usage information – name, email address, country, personal ID code, password, date of birth, gender, phone number, consent information, registered purchase history, registered purchase amounts, discount information, additional information provided by the data subject (e.g., allergens) (if any), tags assigned to the data subject (if any), Club account usage info, including technical. Apollo Club authorized processors only see necessary data to provide discounts and services chosen by the data subject.
Information for job applicants is presented in section 5.4.
See overview table of processing purposes, bases, and processed data in section 5.5. If you want more specific information about your personal data processing, contact us (see contacts in section 1.6).
5. PROCESSING PURPOSES AND BASES
Here you can find for what purposes and on what bases personal data is processed.
5.1. General purposes of personal data processing. Apollo Group processes your personal data in accordance with applicable legislation primarily for the following purposes:
5.1.1. To conclude and perform customer contracts, manage customer accounts, and communicate with the data subject;
5.1.2. To offer goods, products, and services to customers, including loyalty program service (regular customer program – Apollo Club);
5.1.3. To develop and analyze customer relationships;
5.1.4. To respond to data subject inquiries;
5.1.5. To offer services and products to the data subject;
5.1.6. To organize surveys and conduct drawings;
5.1.7. For direct marketing;
5.1.8. For service management and development;
5.1.9. To enable and improve website usage;
5.1.10. To compile statistics or reports;
5.1.11. To process legal claims;
5.1.12. To fulfill obligations arising from legislation;
5.1.13. Other purposes stated in Apollo Group’s data protection terms or otherwise communicated to the data subject.
5.2. New purpose. If personal data is processed for a new purpose compared to what it was originally collected for, or if processing is not based on the data subject’s consent, we carefully assess the permissibility of such new processing. To determine whether processing for the new purpose is compatible with the purpose for which the personal data was initially collected, we take into account, among other things: i) the relationship between the purposes for which the personal data was initially collected and the purposes of the intended further processing; ii) the context in which the personal data was collected, particularly the relationship between the data subject and us; iii) the categories of personal data; iv) the possible consequences of the intended further processing for data subjects; v) the use of appropriate safeguards.
5.3. Bases for personal data processing. Apollo Group companies always process personal data with a legal basis. We may use different processing bases. We use the following bases for processing:
5.3.1. Consent. Based on consent, we process personal data within the limits of the consent. Consent may be given by a clear action, e.g., checking a box or selecting a continue button. For example, we may use consent for the following processing operations: i) to inform you about product news, campaigns, and future events (newsletter; email address is processed; list of interests (if provided); fact of newsletter subscription); ii) to register you as an Apollo Club member (name, country, customer type, personal ID code, contact information); iii) to send you an SMS notification about order completion (e.g., when ordering food from Vapiano self-service checkout or Apollo Group order apps; phone number); iv) to perform other processing based on consent when consent has been requested. You can withdraw your given consent at any time, e.g., by contacting us using the contacts provided in section 1.6. If you do not wish to be on our newsletter list or receive notifications about products or services that might interest you, you can remove yourself from the target group at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
5.3.2. Fulfillment of contractual obligations. We may process personal data if it is necessary based on a contract concluded with you – i.e., personal data processing is necessary for the performance of a contract concluded with you or for taking pre-contractual measures at your request (for example, customer contract). This includes – customer identification to the extent required by due diligence (representative’s name, representation rights information, name, if necessary ID document information or strong authentication information); fulfillment of obligations to the customer regarding service provision (e.g., we use address or phone number for delivery; when offering discounts we may process purchase history or other prerequisite information for receiving the discount; order information in order app); for communicating with the customer (contact information) and ensuring customer payment obligation fulfillment (customer identification information, payment information). The purpose of personal data processing may be additionally specified in the specific Contract concluded with you.
5.3.3. Compliance with legal obligation. We may process personal data to fulfill legal obligations – i.e., if personal data processing is necessary for Apollo Group to comply with legal obligations. For example, obligations arise from legislation in processing payments or following anti-money laundering rules, fulfilling accounting requirements, fulfilling obligations arising from labor law, etc.
5.3.4. In exceptional cases, we may process personal data due to the vital interests of the data subject or based on compelling public interest.
5.3.5. Legitimate interest. We may use legitimate interest for managing or administering a company belonging to Apollo Group or to enable offering the best possible services or products in the market. Before using legitimate interest, we assess whether personal data processing is necessary for Apollo Group’s or a third party’s legitimate interest and whether it outweighs the data subject’s possible opposing interest. We use legitimate interest only in case of a positive legitimate interest assessment result. The data subject has the right to review the legitimate interest assessment related to them (for this, contact us using the contacts provided in section 1.6). We may use legitimate interest in the following situations:
(i) to ensure trustworthy customer relationships, which includes processing personal data for fraud prevention and KYC measures (person’s full name, personal ID code, identity verification control information, contract information, if necessary desired product/service information, verification information of respective info – e.g., success information of strong authentication/signature);
i) for managing and analyzing the customer base to improve service availability, selection, quality (including in Apollo Club offering) (general information, technical information, product/service usage information, payment information, feedback) and to make the best and more personalized offers to the customer with consent (customer identifier, information about customer’s service/product consumption);
(iii) for sending marketing offers if the person has previously purchased a similar product/service and if the person is always provided with an easy opt-out option from such communication (provided that described processing is allowed in the respective jurisdiction)(email address, name, customer services/products consumption information is processed);
(iv) for organizing campaigns (if not based on consent), including organizing personalized and targeted campaigns, conducting customer satisfaction surveys and measuring the effectiveness of marketing activities (depending on specific campaign/survey, but generally name, customer submitted information/reaction (e.g., like/share on social media or given feedback));
(v) for making recordings. We may record notices and orders given both in our premises and through means of communication (email, phone, etc.), as well as information and other operations we have performed, and if necessary use these recordings to prove orders or other operations;
(vi) for network, information and cyber security considerations, for example measures taken to fight piracy and ensure website security and to make and store backups (depending on situation, but generally log information, network identifier information, other technical information is processed);
(vii) organizational purposes. Primarily for financial management but also for service and product development and business planning and management and to transfer personal data within the group for internal administration purposes, including processing personal data of customers or employees (generally non-personalized financial data, but personalized information may also occur, e.g., employee names and positions);
(viii) business and product development and marketing activities, including within Apollo Club (except what’s based on consent) (generally non-personalized, but in development processing of personalized information may be necessary e.g., customer identifier, activities in service);
(ix) we may share personal data if we make a business transaction or negotiate about a business transaction that involves selling or transferring all our business or assets. These transactions may include any merger, financing, acquisition or bankruptcy transaction or proceeding (generally non-personalized, but employee and representative names, positions, remuneration models may be shared);
(x) for composing, submitting or defending legal claims (processed data depends on specific situation; generally name, circumstances of situation, but all necessary personal data may be processed);
(xi) if necessary, we also use data to send emergency notices regarding safety factors or recall programs issued by the manufacturer (name, fact of product/service purchase, email, notification);
(xii) we use surveillance cameras in our stores and restaurants. The purpose of using cameras and processing recordings is protection of employees, visitors and property of companies belonging to Apollo Group; ensuring security of property and persons; protection and submission of claims; resolution of complaints. Recordings are deleted no later than 30 days after recording space is filled (except if recordings are needed longer for protection of legal claims);
(xiii) In case the data subject has opted out of direct marketing offers, we store this information to avoid sending direct marketing offers.
5.4. Job application. For concluding an employment contract, taking preliminary measures and fulfilling legitimate interest, we may process the data of persons applying to companies in Apollo Group. Generally, we process the following personal data of candidates: name, personal ID code, contact information (phone number, email, address), information presented in CV, including education, qualifications, permit information (if appropriate), references, previous experience, suitability tests (if appropriate), background check (if appropriate), information made public by the candidate (e.g., on social media). We may use recruitment service providers and software in the recruitment process. We only use service providers who ensure a high level of data protection. If the job candidate is not selected, we may keep the collected personal data to make a new job offer to the job candidate when a suitable position becomes vacant (processing basis legitimate interest).
5.5. Personal data processing table. An overview of the most important personal data processing related to service/product offering can be found here. For a precise overview of our personal data processing, read these data protection terms completely.
6. CAMERAS (VIDEO SURVEILLANCE)
Here you will find how we use cameras.
6.1. Purpose of Camera Use. Cameras (video surveillance) are located on the premises of Apollo Group companies (e.g., stores, cinemas, restaurants). We use camera recordings for the purpose of protecting individuals and property, defending and proving legal claims, and verifying actions and activities.
6.2. Retention of Recordings. Camera recordings are generally retained for 30 days. If necessary, for example, in the case of legal claims, recordings are kept longer.
6.3. Access to Video Footage and Recordings. Access to all video recordings is restricted to individuals who have the right to view the recordings based on their job duties. Recordings may be made available to law enforcement authorities if there is a legal basis for doing so.
6.4. Information on the Responsible Processor. The responsible processor for video recordings is the Apollo Group company and Apollo Group OÜ, to which the camera belongs or on whose premises the camera is installed.
7. SECURITY MEASURES
Here you will find how we ensure the security of personal data.
7.1. Security Measures. Apollo Group implements necessary organizational, physical, and IT security measures to protect your personal data from any misuse, unauthorized access, disclosure, alteration, or destruction. Access to your personal data is granted only to authorized individuals and our authorized processors. An encrypted data communication channel with banks ensures the security of the purchaser’s personal data and bank details. In the event of a personal data breach, we will take all necessary measures to mitigate the consequences and manage relevant risks in the future. All data on the websites, e-shops, and maintenance databases of Apollo Group companies are encrypted as necessary and treated as confidential information.
7.2. Incidents. We record all personal data breaches and notify the Data Protection Inspectorate and data subjects as required by law.
8. PROFILE ANALYSIS, DIRECT MARKETING, SURVEYS
8.1. Profiling and automated decisions. Apollo Group may conduct profile analysis of your personal data to better understand your expectations and consequently offer better products and services by enabling more precise targeting of direct marketing. Profile analysis does not create legal consequences or other significant impact for you. Apollo Group does not conduct profiling or automated decisions in the sense of GDPR Article 22 (i.e., with significant impact). If we start using profiling or automated decisions with significant impact – we will inform data subjects and ensure the possibility to exercise other related GDPR rights.
8.2. Marketing and surveys. Apollo Group may use your personal data to send you information about special offers, campaigns, and conduct customer surveys, such as satisfaction surveys. If you no longer wish to receive direct offers, you have the right to opt out of marketing messages at any time. For Apollo Club and newsletters, you can use the opt-out command in your Club account or in the newsletter.
9. TRANSFER OF PERSONAL DATA
9.1. Use of cooperation partners. We may share your personal data with third-party service providers whom we use to provide our services or for other business needs. We only use cooperation partners who follow GDPR requirements. In the case of processors, we have concluded data processing agreements.
9.2. Authorized processing. Apollo Group companies may use service providers who are authorized processors in selling goods, providing services, and organizing their work. These authorized processors include service providers who offer:
9.2.1. IT support services (server space, development and support services – all personal data may be processed);
9.2.2. Analytics and advertising services (generally non-personalized information; but for cookie information according to choices made in cookie solution; generally email, name, person’s consent information/legitimate interest information);
9.2.3. Customer support services (information provided in communication);
9.2.4. Invoice delivery services (email, information on invoice);
9.2.5. Recruitment services (see section 5.4);
9.2.6. Business software and customer management software (generally general information, accounting information which may contain name and payment data, product information, cost, transaction time; and general information about our cooperation partners);
9.2.7. Logistics and postal services (depending on chosen delivery method – name, address/phone/email; package number);
9.2.8. Marketing services (campaigns/draws, analytics, email sending service providers, SEO – generally contacts, customer status fact; service/product usage information, technical information).
9.3 Other processors. Personal data may also be transferred to:
9.3.1. Authorized official and supervisory authorities entitled to receive data, e.g., Consumer Protection and Technical Regulatory Authority;
9.3.2. Other authorized government agencies entitled to receive data, such as investigative authorities, law enforcement agencies. For such requests, we consider the content and legitimacy of the request and transfer the minimum necessary data;
9.3.3. Payment solution service providers, financial service providers and financial institutions (data related to payments; or chosen financial service e.g., hire purchase; debt collection service providers – payment information, general information, debt information);
9.3.4. Legal and financial consultants and other consultants (depending on the situation, all personal data may be processed);
9.3.5. Data exchange with group companies within the group for providing and using services (depending on need, all personal data may be processed, see also section 5.5);
9.3.6. Parties to a (potential) transaction and transaction advisors – if an Apollo Group company is involved in a merger, acquisition, or sale or purchase of assets, personal data may be transferred and received to the extent necessary for carrying out and advising on the respective transaction. In such case, the legal basis for processing is legitimate interest.
If you want additional information about cooperation partners and authorized processors in use, write to us at the contacts in section 1.6.
10. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
10.1. As a general rule, we do not transfer personal data outside the European Union or European Economic Area. If we transfer personal data outside the European Union or European Economic Area, we do so only in compliance with data protection legislation requirements.
10.2. Transfer outside the EEA. Apollo Group companies or our cooperation partners may, if necessary, use international service providers or cooperation partners from third countries in processing personal data. Third countries are considered countries outside the European Union or European Economic Area. In such cases, an appropriate transfer basis from GDPR Chapter 5 is used. Generally, in such situations, we use EU standard contractual clauses for data processing. EU standard clause texts can be found here. The data subject has the right to see the standard clauses used for processing concerning their personal data (if any); for this, write to us at the contacts in section 1.6.
The EU-US Data Privacy Framework list can be found here.
The European Commission has recognized adequate protection for countries found here.
11. YOUR RIGHTS REGARDING PERSONAL DATA PROCESSING
11.1. Reviewing, accessing, and copying personal data. You can review your collected personal data at any time in your Apollo Club or respective Apollo Group company account. You can also request access to personal data collected by Apollo Group and request a copy of personal data collected about you.
11.2. Modifying and correcting personal data. You have the right to modify and correct your collected personal data at any time. Your contact information is automatically updated according to new contact details you provide to Apollo Group company or Apollo Club.
11.3. Data portability. You have the right and ability to download your personal data from your Apollo Club account and transfer it independently to another data processor. The right to portability extends only to certain types of personal data, e.g., it does not extend to personal data created by Apollo Group’s analysis results; however, it does extend to personal data directly provided by you to us.
11.4. Restriction of processing. In cases arising from GDPR, you have the right to request restriction of your personal data processing, for example, during the time we verify the accuracy of your personal data.
11.5. Deletion of personal data. You have the right to request deletion of your personal data at any time, except when there is a legal basis for further processing of personal data, such as a legal obligation. Along with data deletion, all personal discounts provided to you will end.
11.6. Right to object. You have the right to object to personal data processing, e.g., when we process your data based on legitimate interest.
11.7. Rights related to consent. You have the right to withdraw your consent for personal data processing at any time at https://www.apolloklubi.ee/ or cancel newsletter subscription through the link provided in the newsletter or by contacting Apollo Group customer support at info@apollo.ee.
11.8. Rights related to legitimate interest. When we process your personal data based on legitimate interest, you have the right to see the legitimate interest assessment conducted related to your personal data processing. For this, contact us using the contacts in section 1.6. You also have the right to object to processing based on legitimate interest.
11.9. Rights related to automated decisions. Apollo Group companies do not use profiling or automated decisions that would correspond to GDPR Article 22 (unless specifically stated in the company’s privacy notice). If we start using automated decisions or profiling in the sense of GDPR Art. 22 that has legal consequences or significant impact, we will notify you and enable related rights for the data subject – in which case the data subject has the right to object at any time to processing of personal data concerning them based on automated decisions and profile analysis, and request human intervention, based on their specific situation. The data subject may also request explanation about the logic of automated decision-making.
11.10. Compensation for damages. You have the right to claim compensation for damages caused by violation of personal data processing requirements.
11.11. Exercise of data subject rights. Note that rights related to personal data are not absolute. We will fulfill your request if the prerequisites for using the respective right are met. We may also require your identification before responding to you. This is to ensure personal data security and not disclose personal data to the wrong person. This means you will be required to submit a digitally signed request or if that’s not possible, present an identification document along with possible identity verification via video link (or other means if sufficient certainty of identity is ensured). We may limit actions related to your rights to protect other persons’ rights (e.g., if your personal data is connected to other persons’ data, we may make such data unreadable or remove it before giving you access or a copy). You can see, modify and supplement your personal data at any time on the Apollo Club website or Apollo Group companies’ websites in the “My Account” area (where enabled)
Reviewing personal data https://apollogroup.ee/en/apollo-club-personal-data-request/
Deleting personal data https://apollogroup.ee/en/apollo-club-personal-data-deletion-request/
In all above cases, you can also contact or the respective Apollo Group company at the above email address.
11.12. Responding to requests. Apollo Group will respond to your requests at the first opportunity, but no later than one (1) month after receiving the request. Apollo Group has the right to extend the deadline for responding to the request by two (2) months due to the complexity and time-consuming nature of fulfilling the request.
11.13. Handling complaints. If you have questions regarding Apollo Group’s data protection terms or you find that an Apollo Group company violates your rights in processing personal data, you have the right to contact the respective Apollo Group company at the above contacts at any time; Apollo Group’s data protection specialist at email address , the Data Protection Inspectorate (www.aki.ee) or court. Data subjects from other EEA countries can submit complaints to their country of residence’s supervisory authority. Contact information for other EU data protection supervisory authorities can be found here https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
12. RETENTION AND DELETION OF PERSONAL DATA
12.1. Retention. Apollo Group retains your personal data as long as it is necessary to achieve the purpose of processing your personal data or until the deadlines arising from legal acts are met. Specifically:
12.1.1. Personal data provided based on consent is generally retained until the consent is withdrawn (e.g., you unsubscribe from the newsletter); if you have given consent to use your phone number for notifications about food preparation in our self-service checkouts, your phone number will be deleted from the self-service checkout system within 48 hours at the latest.
12.1.2. The basic personal data of a regular customer (i.e., Apollo Club member) (full name, contact details, fact of Club membership status) is retained for 3 years from the last use of the customer account and then automatically deleted; purchase history is retained for 3 years (this is related to enabling discounts); if the customer requests the deletion of their data, which Apollo Group does not need due to law or overriding legitimate interest, the respective personal data will be deleted as soon as possible after receiving the deletion request.
12.1.3. In the case of mandatory processing arising from the law, the respective personal data is processed for the period specified in the law, e.g., accounting data for 7 years, employment contract data for 10 years.
If you want more detailed information about the retention of your personal data, write to us at
12.2. Deletion. Personal data whose retention period has expired will be destroyed or anonymized using best practices.
13. CHANGES TO DATA PROTECTION TERMS
13.1. Changes. By using our website or filling out the application to create a customer account, you have read and acknowledged these principles and terms. Apollo Group reserves the right to change and supplement these data protection terms at any time to comply with applicable laws and the principles and objectives of Apollo Group. We will notify you of changes to the data protection terms on our websites and, if possible, via email.
13.2. Data Protection Contact. For any questions or concerns regarding the processing of personal data, please contact us at
Previous versions of these data protection terms: 15-03-2023_eng.pdf