PRIVACY POLICY

I. THE PURPOSE OF PRIVACY POLICY
This Policy explains how we use and process your personal data in connection with your use of our Websites/Mobile applications, including placing your orders through the Websites/Mobile applications and by telephone, creating and operating your user account, as well as addressing your queries, complaints and suggestions, including those related to marketing information directed to you. In the Policy, you will also find information on your rights resulting from our processing of your personal data and on how you can exercise them.
II. DEFINITIONS
Controller and/or We - AmRest d.o.o (limited liability company) with its registered seat at Zelengorska 1g, Belgrade, Serbia, which operates the following brand: KFC.
Personal data - information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected via cookies and other similar technology.
Policy - this Privacy Policy.
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Website - a website run by the Controller at kfc.rs
User and/or You – a natural person, visiting a given Website or using one or more services (including Mobile applications) or functionalities described in the Policy, whose personal data We process for at least one purpose indicated in the Policy.
Mobile application – KFC mobile and desktop applications developed by AmRest d.o.o
III. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE AND MOBILE APPLICATIONS
In connection with Your use of the Website/Mobile application, We collect data to the extent necessary to provide individual services offered, as well as information about your activity on these channels. The detailed rules and purposes of processing personal data collected are described below.
A. Using the Website/Mobile application
We will process the following personal data when you use the Website/Mobile application:
  • a) Technical Data - we may collect information about the device you use to access our Website/Mobile application, such as your device's IP address and operating system. Additionally, in the case of mobile devices, we may collect your device type and the mobile device's unique advertising identifier. Some technical information about the browser you are using will also be collected.
  • b) Usage Data - this is data about your browsing activity on our Website e.g. information about the pages you visited and when, what items were clicked on a page, how much time was spent on a page, items You have added to the basket etc.;
  • c) Location Data - The following applies when You consent to the processing of location data. This is precise information related to your geography derived from your device’s IP address and/or the localization functionality of Your device, as well as manually entered details of Your address. This will reveal your precise geographic coordinates. This helps us to display ads that are relevant to your location, e.g. if we’d like to show ads for people located in Poland only, or in order to show you the nearest restaurant locations;
  • d) Ad Data - this is data about the online ads We have served, or attempted to serve, to you, e.g. how many times a specific ad has been served to You, what page the ad appeared on, advertising ID (unique user ID assigned to a mobile device (smartphone, tablet computer), or operating environment, browsers, application, to advertising services personalizing their offers) etc.;
  • e) User Data - the following applies when You contact Us with an enquiry, complaint or suggestion via our Website’s / Mobile application’s contact form. We process Your name, surname, e-mail address and possibly any other personal information that You freely provide to Us in the content of the communications.
The above personal data will be processed for the following purposes:
  • a) In order to provide services by electronic means in terms of sharing the Website’s/Mobile application’s content with users – in that case, the legal basis for the processing relates to the necessity of processing in order to perform the contract (Article 6(1)(b) of GDPR);
  • b) For analytical and statistical purposes – then the legal basis for the processing is our legitimate interest consisting in conducting analyses of Your activity and preferences in order to improve the functionalities and services provided (Article 6(1)(b) of GDPR), in connection with Your consent to the storage of and access to information collected on Your end device (so-called "cookie consent");
  • c) In order to handle enquiries, complaints or suggestions – in that case, the legal basis for the processing of the above-mentioned data is the necessity to perform the contract (Article 6(1)(b) of GDPR) or our legitimate interest consisting in the ability to provide you with a response (Article 6(1)(f) of GDPR).
  • d) if necessary, in order to potentially establish and assert claims or defend against claims – the legal basis for the processing relates to the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in protecting his rights;
  • e) For the Controller’s and other entities’ marketing purposes, in particular related to the presentation of behavioral advertising – the rules of processing of personal data for marketing purposes are described in the MARKETING section below;
  • f) The users' activity on the Website / Mobile application, including their personal data, is recorded in the system logs (special computer software used to store a chronological record containing information about events and actions that relate to the IT system that we use to provide services). Information collected in the logs is processed primarily for the purpose of providing services. We also process it for technical and administrative purposes, to ensure the security of the IT system and its management, as well as for analytical and statistical purposes – in this case, the legal basis for the processing relates to our legitimate interest (Article 6(1)(f) of GDPR).
B. Registration on the Website/Mobile applications
In addition to the personal data indicated in point A above, We will process the following personal data when You would like to create an account:
  • Name, email address and phone number;
  • Your additional data which can be provided by You in the My Account tab, such as your picture - this data is voluntary, is not necessary to create an account and can be deleted by You at any time.
The above personal data will be processed for the following purposes:
  • a) In order to maintain and operate the user’s account on a given Website/Mobile application, according to the terms described in the regulations, the legal basis is the necessity to perform the contract concerning your account as well as to take actions upon your request (Article 6(1)(b) of GDPR), and in relation to the optional data – the legal basis for the processing relates to the consent (Article 6(1)(a) of GDPR);
  • b) for analytical and statistical purposes, then the legal basis for the processing consisting in conducting analyses of your activity and preferences in order to improve the functionalities and services provided, is the consent (Article 6(1)(a) of the GDPR) expressed by you via the cookie banner in accordance with point V below;
  • c) if necessary, in order to potentially establish and assert claims or defend against claims – the legal basis for the processing relates to the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in protecting his rights;
  • d) For the Controller’s and other entities’ marketing purposes, in particular related to the presentation of behavioral advertising – the rules of processing of personal data for marketing purposes are described in the MARKETING section below.
C. Placing orders
In addition to the personal data indicated in point A above, we will process the following personal data when you would like to place an order through the Website/Mobile application:
  • a) Name, email address, phone number, delivery address, details of your order;
  • b) Other data provided by you in connection to the order (if applicable).
The above personal data will be processed for the following purposes:
  • a) to process your order, the legal basis for the processing is necessity to perform the contract and to take actions upon your request (Article 6(1)(b) of GDPR);
  • b) for analytical and statistical purposes, then the legal basis for the processing consisting in conducting analyses of Users' activity and preferences in order to improve the functionalities and services provided, is the consent (Article 6(1)(a) of the GDPR) expressed by you via the cookie banner in accordance with point V below;
  • c) in order to comply with obligations imposed on us by the law, for example by the Accounting Act or tax regulations (e.g. issuing and storing invoices and accounting documents), we will be processing the above personal data, as well as the user account data (if applicable). The legal basis is the legal obligation imposed on us (Article 6(1)(c) of GDPR);
  • d) For the Controller’s and other entities’ marketing purposes, in particular related to the presentation of behavioral advertising – the rules of processing of personal data for marketing purposes are described in the MARKETING section below.
In addition, We may process personal data relating to your order (including data provided in the enquiry, complaint or suggestion, if applicable), as well as user account data (if applicable) for the following purposes:
  • a) if necessary, in order to establish and assert claims and defend against claims, the legal basis is our legitimate interest consisting in the ability to establish and assert our claims or to defend against such claims (Article 6(1)(f) of GDPR).
  • b) in order to handle enquiries, complaints or suggestions, the legal basis for the processing of the abovementioned data relates to the necessity to perform the contract (Article 6(1)(b) of GDPR) or our legitimate interest consisting in the ability to provide you with a response (Article 6(1)(f) of GDPR).
  • c) in order to examine your satisfaction and determine the quality of our services, the legal basis is our legitimate interest consisting in obtaining the relevant information in order to improve the quality of our products and services (Article 6(1)(f) of GDPR).
D. Marketing
We will process your personal data in order to implement marketing activities, which may consist of:
  • a) displaying marketing content which is not adjusted to your preferences (contextual advertising);
  • b) displaying marketing content which is adjusted to your preferences (behavioural advertising);
  • c) carrying out other types of activities related to direct marketing of goods and services (such as sending commercial information by electronic means), including directing e-mail notifications about interesting offers or content that, in some cases, may contain commercial information (newsletter service), as well as delivering push notifications.
Behavioural advertising
Analysis and creation of the profile for marketing purposes: In order to know your personal preferences and behaviours for the purpose of presenting you with information about products, novelties and promotions offered by us which, we consider, may be of interest to you and will be tailored to your needs, we will be creating your customer’s profile (profiling). In order to create it, we or our trusted partners will be processing your personal data provided by you directly or resulting from your activities on the Website/Mobile application.

A list of our trusted partners, description of the tools they use, and links to their privacy policies is provided in point VI below.

The legal basis for the processing of the above-mentioned data is the legitimate interest consisting in our examining of your preferences and behaviours required to prepare and present you with information about our products, novelties and promotions which, we consider, may be of interest to you and will be tailored to your needs (profiling) as well as direct marketing of our products and services (Article 6(1)(f) of GDPR).

Marketing communication
We will be directing to you marketing messages about products, novelties and promotions offered through our communication channels (e.g. e-mail, SMS, WebPush, mobile push). The legal basis for the processing is the legitimate interest consisting in presenting you with information about our products, novelties and promotions which, we consider, may be of interest to you, as well as direct marketing of our products and services (Article 6(1)(f) of GDPR), in connection with Your consent to send you marketing information.

Social media
The Controller processes personal data of users visiting the Controller's social media profiles (Facebook, YouTube, Twitter, Instagram) or leaving information about the Controller's activity on other sites, e.g. Google opinions service.
This data is processed exclusively in connection with running of the profile, as well as in order to:
  • a) inform users about the Controller's activity and promote various types of events, services and products. The legal basis for personal data processing by the Controller relates to the legitimate interest (Article 6(1)(f) of GDPR) consisting in the promotion of its own brand;
  • b) examine our Customers' satisfaction and determine the quality of our services. The legal basis for the processing of the above-mentioned data relates to our legitimate interest consisting in obtaining the relevant information in order to improve the quality of our products and services (Article 6(1)(f) of GDPR);
  • c) if necessary, in order to establish and assert claims and defend against claims, the legal basis is our legitimate interest consisting in the ability to establish and assert our claims or to defend against such claims (Article 6(1)(f) of GDPR).
In case of using our social media profiles, data may be transferred outside of Serbia and the EEA. You will find further information on that subject in our privacy notices available on the relevant social media profiles.
IV. COOKIES AND SIMILAR TECHNOLOGY
Cookies are small text files installed on the device of the User browsing the Website/Mobile application. Cookies collect information that facilitates the use of the above channels - e.g. by remembering the User's visits to the Website and the activities performed by the User. A detailed description of the cookies used is available in the cookie management tool (link available at the bottom part of the Website/Mobile application under 'Cookie Settings').
Below is a general description of the categories of these tools that we use:
  • a) ESSENTIAL COOKIES - the Controller uses the so-called necessary cookies primarily to provide the User with services provided electronically and to improve the quality of these services. Our use of essential cookies is necessary for the proper functioning of the Website/Mobile application. These files are installed in particular for the purpose of remembering login sessions or filling in forms, as well as for the purposes related to setting the privacy options;
  • b) ANALYTICAL COOKIES - analytical cookies make it possible to check the number of visits and traffic sources on our Website/Mobile application. They help us find out which pages are more and less popular and understand how users navigate the page. This allows us to study statistics and improve the performance of our channels. The information these cookies collect is aggregated so it is not intended to identify you. If you do not allow these cookies, we will not know when you visited our Website/Mobile application;
  • c) FUNCTIONAL COOKIES - functional cookies remember and adapt the Website/Mobile application to your choices, such as language preferences. You can set your browser to block or alert you to essential and functional cookies; however, doing so will result in some parts of the channel not working properly;
  • d) MARKETING - ADVERTISING COOKIES - marketing and advertising cookies allow you to adjust the displayed advertising content to your interests, not only on the Website/Mobile application, but also outside it. They can be installed by advertising partners through our Website/Mobile application. Based on the information from these cookies and activity on other websites, your interest profile is built. Marketing and advertising cookies do not directly store your personal data, but identify your internet browser and hardware. If you do not allow these cookies, we will still be able to show you advertisements, but they will not be tailored to your preferences.
V. MANAGING COOKIES SETTINGS
The use of cookies to collect data through them, including access to data stored on the User's device, requires your consent. The Website/Mobile application receives consent from the User via the cookie banner. This consent may be withdrawn at any time according to the rules described below. Consent is not required for the necessary cookies, the use of which is necessary to provide a telecommunications service on the Website/Mobile application (data transmission to display content). In addition to consenting to the installation of cookies via the cookie banner, you should keep the appropriate browser settings, allowing you to store cookies from the Website/Mobile application on your end device.

Withdrawal of consent to the collection of cookies on the Website/Mobile application is possible via the cookie banner. You can return to the banner by clicking on the button called "Manage cookies", which is available on every subpage of the Website/Mobile application. After the banner is displayed, you can withdraw your consent by clicking the "Manage cookies" button. Then you should move the slider next to the selected cookie category and press the "Save settings and close" button.

Withdrawal of consent to the use of cookies is also possible through the browser settings. Detailed information on this can be found at the following links:
The user may at any time verify the status of his current privacy settings for the browser used using the tools available at the following links:
Changing your browser settings may restrict the use of both essential and optional cookies. Please be advised, however, that this may significantly hinder or prevent the use of the Website/Mobile application.
Cookie Settings also allows you to check the details of each cookie, including, among others, its name, duration, category and the name of our Trusted Partner, where applicable.
VI. ANALYTICAL AND MARKETING TOOLS USED BY THE CONTROLLER
We and our Trusted Partners use various solutions and tools applied for analytical and marketing purposes. Our partners may use cookies and similar technologies to collect or receive information from our website and other places on the Internet and use it to provide measurement services and target advertising.

Trusted Partners are e-commerce and advertising companies and media houses and similar organizations operating on their behalf, with whom We cooperate or which are recommended by international industry organizations, such as IAB (Interactive Advertising Bureau) organization. The list of Trusted Partners can be found here and in the cookie settings – the usage of cookie settings has been described in point V. above.

For each of our brands, the following social media solutions are applicable: Social media plugins - the Websites use social media plugins (Facebook, Google+, LinkedIn, Twitter). Plugins allow the user to share content published on the Website in the selected social network. The use of plugins on the Website allows a given social network to receive information about the user’s activity on the Website, which can be assigned to the user's profile created in a given social network. The Controller has no knowledge of the purpose and scope of data collection by social networks. Detailed information on this subject can be found under the following links:
VII. PURPOSES AND LEGAL BASES OF OTHER PROCESSING CASES
ELECTRONIC AND TRADITIONAL CORRESPONDENCE
In case of contacting the Controller through electronic (example: e-mail, instant messaging) or traditional correspondence that is not related to the services provided on behalf of the sender or to another contract concluded with him, the personal data contained in this correspondence is processed only for the purpose of communication and resolving the matter to which the correspondence relates. The legal basis for the processing relates to the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in conducting correspondence directed to him in relation to his business activity.

The Controller only processes personal data relevant to the case, to which the correspondence relates. The entire correspondence is stored in a manner that ensures the security of the personal data (and other information) contained therein and is only disclosed to authorised persons.

TELEPHONE CONTACT
In case of contacting the Controller by phone, in matters not related to the concluded contract or rendered services, the Controller may request you to provide personal data only if it is necessary to handle the case related to the phone call. In that case, the legal basis relates to the Controller's legitimate interest (Article 6(1)(f) of GDPR) consisting in the necessity to solve the reported case related to his business activity.

VISUAL MONITORING
In order to ensure the safety of persons and property, the Controller uses visual monitoring on his premises and in the restaurants. Data collected in this way is not used for any other purpose. Personal data recorded in connection with the visual monitoring is processed for the purpose of ensuring the safety and order on the premises and potentially in order to defend against claims or their pursuit. The basis for the processing of personal data relates to the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in ensuring the safety of the persons remaining inside the buildings and on the premises managed by the Controller, including ensuring the safety of employees and guests, as well as of Controller's property and protection of his rights.

DATA COLLECTION IN CONNECTION WITH PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS
In case of collecting data for the purposes related to the conclusion or execution of a particular contract, the Controller transfers to the person, whose data is concerned, detailed information regarding this data processing at the time of the conclusion of the contract. The legal basis for data processing relates to the conclusion or execution of the contract (Article 6(1)(b) of GDPR).

DATA COLLECTION IN OTHER CASES
The Controller collects personal data in connection with the conducted activity also in other cases – e.g. during business meetings, industry events or through the exchange of business cards – for the purposes related to initiating and maintaining business contacts. In this case, the legal basis for the processing relates to the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting in creating networks of contacts in connection with the conducted activity. Personal data collected in such cases is only processed for the purpose, for which it was collected and the Controller ensures its adequate protection. Personal data will be processed in the IT environment, which means that it may also be temporarily stored and processed in order to ensure the security and the proper functioning of IT systems, e.g. in connection with making backup copies, testing changes in IT systems, detecting irregularities or protecting against misuse and attacks.
VIII. RETENTION SCHEDULE OF PERSONAL DATA
The period of data processing by the Controller depends on the type of service provided and the processing’s purpose. As a rule, data is processed for the duration of the service or order fulfilment, until the given consent has been withdrawn or the effective objection to data processing has been expressed, in cases where the legal basis for data processing relates to the Controller’s legitimate interest.

The period of data processing may be extended in case the processing is necessary to establish and assert possible claims or defend against claims and, after this time, only in case and to the extent required by the law. At the end of the processing period, data is irreversibly deleted or anonymised.
Details about the retention schedule can be obtained from the contact point specified in point XIV below.
IX. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
You have the right to: access the data and request rectification, deletion, processing restrictions, the right to transfer data and the right to object to data processing. If you wish to exercise any of the rights set out above, please use the contact details provided in point XIV below. Please note that:
  • a) You will not have to pay a fee to access your personal data (or to exercise any of the other rights), however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances;
  • b) We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response;
  • c) We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated;
  • d) In certain circumstances we may need to limit the scope of fulfilment of the data subject’s rights request e.g. where a request is made to delete data that has to be retained for legal or regulatory reasons, or where fulfilling the request may expose the personal data of another data subject.
You have the right to make a complaint at any time to the Local Supervisory Authority. We would, however, appreciate the chance to deal with your concerns before you approach the Local Supervisory Authority so we encourage you to contact us in the first instance.

If you would like to withdraw the consent or change the form of marketing communication, you can execute it at any time. Depending on the option you selected, we may contact you through the electronic means, e.g. by e-mail, or via telecommunication devices, e.g. Short Messaging Service (“SMS”) or Multimedia Messaging Service (“MMS”). The easiest way to withdraw the consent or make changes is by logging in and changing the setting directly in your account or writing to us at the following e-mail address: AmRest Customer Care: info-rs@amrest.eu.
X. DO YOU HAVE TO PROVIDE US WITH YOUR PERSONAL DATA?
It is required that you provide us with your personal data in order to use the functionalities of a given Website/Mobile application, e.g. to conclude and perform a contract concerning the user's account, order a meal or use the contact form on a given Website/Mobile application. If you do not provide this information, we will not be able to fully allow you the use of the given functionality, e.g. we will not be able to set up and maintain your user account, fulfil your order or handle your enquiry, complaint or suggestion from the contact form.
XI. SHARING OF PERSONAL DATA
Your personal data is transferred to entities providing services to us, such as suppliers of IT systems and IT services, entities providing administrative support, marketing agencies and media houses, delivery companies, entities providing accounting and administrative services, entities conducting customer satisfaction surveys on our behalf, entities supporting us in customer service (e.g. call centres). We can also share personal data with entities related to us, including companies from our capital group. In certain situations data can also be shared in relation to potential business transactions, for example if we restructure our business or if we buy or sell any business or assets we may share your data with the prospective buyer or seller.

Where we do share your data with 3rd parties or other AmRest entities, the shared data will be limited to that which is required by the 3rd party or other AmRest entity to provide the required processing. In such cases your personal data is safeguarded by Data Processing Agreements, committing outsourced service providers to process your personal data for specified purposes and in accordance with our instructions, comply with the GDPR and apply appropriate security measures to protect your personal information in line with our internal policies. All transfers outside of the EEA or Serbia made to countries which are considered by the European Commission to not provide an adequate level of protection of personal information are safeguarded with agreements based on Standard Contractual Clauses approved by the European Commission and implemented accordingly by the Serbian government.

More details about sharing data can be obtained from the contact point specified in point XIV below.
XII. USE OF AUTOMATED DECISION-MAKING
We will not be taking any decisions about you that would be solely based on the automated processing of your data and that would create legal consequences for you or otherwise significantly affect you in a similar manner.
XIII. CONTACT DETAILS
We have appointed a Data Protection Officer whom you can contact in all matters related to our processing of your personal data as well as exercising your rights related to our processing of your personal data.

The Data Protection Officer can be contacted by:
  • a) sending us an e-mail to the address: privacy.serbia@amrest.eu;
  • b) calling at the number: +381 11 785 84 84;
  • c) sending a letter (best if marked for the attention of: “Data Protection Officer”) to the address: AmRest d.o.o, Zelengorska 1g, Belgrade, Serbia.
XIV. CHANGES TO THE PRIVACY POLICY
The policy is verified on an ongoing basis and updated if necessary.
The current version of the Policy has been adopted and has been in force since 2022-11-28.