Protection of personal data


Protection of personal date

MEDUSA Restaurants, s.r.o. company as the program operator guarantees the security and protection of entrusted personal data in full compliance with Regulation of the European Parliament and Council No. (EU) 2016/679 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, (hereinafter referred to as “GDPR”), with Act No. 122/2013 Coll. (after May 25, 2018, by Act No. 18/2018 Coll.) on the Protection of Personal Data and on amendments to certain laws, as amended (hereinafter referred to as “APPD”).

By providing your personal data by signing or submitting a completed sign-in form, MEDUSA Restaurants, s.r.o. company grants in accordance with § 11 of APPD (from 25.05.2018 within the meaning of Article 6, Section 1, Letter a) of GDPR) explicit consent to processing and storage of personal data in the extent covering sex, name and surname, telephone number, email, permanent residence, time data and method of participation in the loyalty program, as well as data on purchased products and time of each purchase (hereinafter referred to as “Personal data”).

Personal data are processed to ensure customer identification within the program for the purpose of providing the customer with benefits, verifying the eligibility of the customer to become a member of the program, issuing a MedusaCard, offering trade/ products or services, and providing discounts under the terms of the MedusaCard loyalty program, the management of the MedusaCard loyalty program database and the processing of statistics, including profiling (assigning information on customer’s behaviour and other personal data to his/her personal data for the purpose of analysis and prediction of behaviour and movement and adjustment of individual approach towards each customer [hereinafter referred to as “Profiling”]). Personal data are further evaluated to improve MEDUSA’s offer. Providing personal data in the given extent is a necessary condition for participation in the program, while personal data will be processed throughout the duration of the customer’s membership in the program; By losing authorization of MEDUSA Restaurants, s.r.o. company to process customer’s personal data, his/her participation in the program expires and relevant personal data will be deleted or blocked in accordance with generally binding legal regulations.

MEDUSA Restaurants, s.r.o. undertakes that, by applying the necessary security measures, the provided personal data will be protected against theft and possible misuse by unauthorized persons.

Your personal data may also be provided to the operators of the individual restaurants and operations of MEDUSA, depending on the particular restaurants and operations you visit. The circle of restaurants and operations of MEDUSA can be varied gradually, with up-to-date information about restaurants and other operations participating in the program to be found here.

By signing or submitting a completed sign-in form and providing contact details, you can also grant us permission to send you information about marketing activities of MEDUSA’s restaurant network, including sending information about organized events, products and other activities, as well as sending business announcements by electronic means, for an indefinite period. The customer grants this consent on a voluntary basis, while the customer has the full right to revoke this consent by sending an email, by technical means (“unsubscribe” link) or by a written statement delivered to MEDUSA Restaurants, s.r.o.

The MedusaCard holder is committed to maintaining the provided personal data in an up-to-date form and at the same time, he/she confirms the accuracy of all provided personal data. Every MedusaCard holder has the obligation to update changes in his/her personal data (name, address, email, telephone number) on his/her personal account on-line after signing in at or to inform about this change at


The protection of your personal data is governed by the provisions of European Parliament and Council Regulation (EU) 2016/679 on the Protection of natural persons regarding processing of personal data and on the free movement of such data (“GDPR”) and/or Act No. 122/2013 Coll. or Act No. 18/2018 Coll. on the Protection of personal data and on amendments to certain laws, as amended (hereinafter referred to as the “APPD”), while your rights are governed in particular by § 28 and following provisions of APPD (from 25.05.2018 in Article 5 and Articles 12 to 22 of GDPR).

The provision of your personal data is voluntary and MEDUSA Restaurants, s.r.o. as the operator (hereinafter referred to as the “Operator”) has no legal claim to obtain them. The provision of personal data with customer’s voluntary consent is a necessary condition for the customer’s participation in the program.

The operator may use the personal data provided in connection with your participation in the program for profiling that the operator implements in order to improve his/her services and adapt his/her offers to you as a particular customer. The operator shall never disclose data about your behaviour obtained through profiling nor shall he/she provide it to third parties other than his/her own processors (intermediaries) required to comply with the processing rules under these GBC (General Business Conditions) in the same manner as the operator.

Under the term profiling for the purposes of the program we understand automated or manual assignment of information about your behaviour as a customer to your personal data in order to create a person’s profile in interaction with the operator. For this purpose, the operator collects, processes and assigns to your personal data information about your visits in restaurants or other operations that are part of the program, about time and place of your visits and purchases, data about time and way of participating in the loyalty program as well as data about purchased products and the time of each purchase.

The result of creating your personal profile by the specified profiling method is the assignment of specific adjusted offers and information about the operator’s special offers to your profile which can then be sent as an electronic message or SMS. The result of profiling may also be the issue of extra special offers and discounts on products you normally buy, individual quantity discounts, provision of gifts, tailored products or services, and a special approach to you as a customer when approaching with offers (time, content, message frequency).

Example: If you, as a customer, visit the KUBU restaurant, which is part of MEDUSA and participates in the program, and you use your MedusaCard during payment to collect points, based on this information, we will know that you may be interested in Italian cuisine. We can decide to email you a reminder that you can use the MedusaCard to try another MEDUSA restaurant that serves Italian cuisine at an advantageous price, for example Primi. Alternatively, we may send you a discount coupon applicable to other visits or an email with culinary information. In case you reject marketing communications at or after registration, we will not send you messages or coupons.

You have the right to information about your personal data that is processed, including confirmation of whether and how personal data about your person is being processed; in a generally understandable form, information on the processing of personal data in the information system and on the process of processing and evaluating the operator’s automated decision-making operations; write-off, repair of your personal data kept in the program’s information system; in a generally understandable form, accurate information about the source from which the operator has obtained your personal data for processing; blocking your personal data due to revocation of consent prior to its expiration; the right to restrict the processing of personal data about you if it is being processed improperly or it is out of date; the right to transfer your personal data to another operator at your request; and the right to delete your personal data if the purpose of processing is lost within the meaning of Art. 17 of GDPR. When processing your personal data for the purposes of direct marketing and/or profiling, you have the right to object any time to the processing of personal data relating to you for the purposes of such marketing, including profiling to the extent that it relates to such direct marketing. You have the right to object at any time for reasons related to your particular situation to the processing of personal data that relates to you and is exercised pursuant to Article 6, Section 1, Letter e) or f) of GDPR (if processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the operator or where it is necessary for the legitimate interests pursued by the operator or a third party), including objections to profiling based on stated provisions. The operator may not further process personal data unless he/she demonstrates the necessary legitimate reasons for processing that outweigh your interests, rights and freedoms as the person concerned, or reasons for proving, applying or defending legal claims.

You have the right to have your operator, in case of a decision that is based solely on automated processing including profiling and which has legal effects that concern you or similarly significantly affect you, at your request, separately and manually (in the presence of an authorized person within the meaning of APPD) review such a decision; you have the right to express you opinion toward such a decision and to challenge such a decision and to information about the result of the review of such a decision without undue delay.

The personal data you provide to the operator through the registration form must be true. In case of its change, you are obliged to inform the operator immediately of its change.

In case of outdated personal data provided by you after the fulfilment of the purpose stated in the General Business Terms and Conditions, following the objection to the processing of personal data or in case of cancellation of the membership in the program, your personal data will be deleted.

Based on a written request, you have the right to request from the operator, in a generally understandable form, a list of your personal data that is being processed, correction or deletion of your incorrect, incomplete or outdated personal data which is being processed.

You have the right to withdraw your consent to the processing of personal data at any time by written notice sent to the operator’s address or by e-mail sent to, without this affecting the lawfulness of the processing based on the consent granted prior to its withdrawal.

In case the operator loses totally or partially the right to process your personal data during your participation in the program, except for the processing of personal data for the purposes of direct marketing (sending of advertising emails), the operator may not further process the data about you which are necessary for participation in the program and your participation in the program must be cancelled.

You have the right to file a complaint about the operator’s procedure to the Supervisory Authority, the Office for the Protection of Personal Data of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27.

General information about the processing of personal data:

a) identity and contact details of the operator: MEDUSA Restaurants, s. r. o., with registered seat at: Einsteinova 23, 851 01 Bratislava, Company registration number 35 849 592, registered in the Commercial Register of the District Court Bratislava I, Section Sro, insert number 27956/B

b) contact responsible person

c) processing purposes for which personal data is intended: identity verification, customer program database management and provision of customer benefits, communication security, profiling

d) legal basis of processing: consent of the person concerned under Art. 6, Section 1, Letter a) GDPR or § 11 of APPD.

e) recipients or categories of recipients of personal data: personal data are supposed to be passed on to third parties in the following categories: operators of restaurants and operations of MEDUSA

f) the retention period of personal data (criteria for its determination): during the period of membership in the customer program

g) information on whether the provision of personal data is a legal or contractual requirement: the provision and processing of personal data is a necessary condition of membership in the customer program and the provision of customer benefits by the operator; failure to process personal data will lead to the termination of membership in the customer program

h) the existence of automated decision-making including profiling: the personal data provided can be used for automated sending of e-mail messages to the person concerned unless the person concerned rejects such sending (direct marketing); the personal data provided may be used, in particular, to issue of extra special offers and discounts relating to the products normally purchased by the person concerned, individual quantitative discounts, the provision of gifts, tailored products or services, customization of the advertisement sent to the person concerned (see above).

i) Transfer of personal data to countries outside the European Union: not expected