Version: 27.03.2025
With this privacy notice, the Aramark GmbH (Aramark or we) informs you about the nature, scope, and purpose of the processing of personal data (data) that takes place in connection with a purchase of Aramark goods in our smart store solution (S.Mart).
The entity responsible for the data processing activities described in this privacy notice is
Aramark GmbH
Amelia-Mary-Earhart-Str. 11 60549 Frankfurt am Main
Our Data Protection Officer can be reached via
Aramark GmbH
Data Protection Officer Amelia-Mary-Earhart-Str. 11 60549 Frankfurt am Main
datenschutzbeauftragter@aramark.de
In connection with the use of the S.Mart app and your purchases in the S.Mart, the following data may be processed:
User account data (e.g., username, e-mail address);
Purchase data (e.g., object of purchase, purchase amount);
Transaction data (e.g., transaction ID, date of transaction, card issuer, last four digits of PAN, terminal ID);
Loyalty program data (e.g., member ID, bonus points collected);
Device and meta data (e.g., IP address, device model, OS version);
Location data (only if explicit user opt-in given);
Push notification (in app) tokens (only if explicit user opt-in given); and
If you send us a message: the content of your individual request.
Separate from the above data, the following data is processed when you visit the S.Mart:
Visuals generated by the S.Mart’s ceiling camera system.
You are not obliged to provide us with any of this data. However, without this data, we will not be able to provide you with the S.Mart and S.Mart app and all their functions.
This section explains for what purposes and on what legal basis we process the data listed in the section “What personal data is collected?” in connection with the provision and use of the S.Mart and the S.Mart app:
We process your data primarily to provide you with the shopping experience at S.Mart:
In order to gain access to the S.Mart you generate an individual QR code with a unique identifier in the S.Mart app that is assigned specifically to you. This QR code must be scanned at the entrance of the S.Mart, whereupon the unique identifier assigned to you grants you one-time access to the S.Mart. This data processing in the context of granting access to the S.Mart is carried out on the basis of Art. 6 (1) letters b and f General Data Protection Regulation (GDPR) (performance of pre-contractual measures and fulfillment of contract; legitimate interest), as we process your data to start your shopping session in the S.Mart. Insofar as we process data on the legal basis of legitimate interest, this is to ensure the easiest possible access to the S.Mart, as well as to ensure that only authorized persons gain access to the S.Mart.
The purchase data is determined using either the barcodes or the Radio Frequency Identification (RFID) tags, which are attached to every item offered in the S.Mart. The tags are scanned in a special RFID area that you must pass through at the end of your S.Mart visit. Alternatively, the products’ barcodes can be scanned, either with the barcode scanner at the checkout or with the barcode scanner integrated in the S.Mart app. The purchase data collected in either of these ways is added to your virtual shopping cart in your S.Mart app, where it is combined with the further required billing details, as well as transmitted to our checkout terminal in the S.Mart itself. The now initiated billing process can be completed either at the terminal in the S.Mart or in the S.Mart app with your preferred payment method. If you participate in the SAP loyalty program, you also have the option of having any discounts or bonus points taken into account. As soon as the billing process is complete, you will receive a confirmation and
a purchase summary. The data processing in the context of the purchase of products is carried out on the basis of Art. 6 (1) letter b GDPR (performance of pre-contractual measures and fulfillment of contract), as we process your data for the purpose of settling your purchases, i.e. to conclude and fulfill the purchase contract between you and Aramark. For more information about the loyalty program and how your data is processed in this context, please refer to the privacy notices of the loyalty program provider and/or SAP.
We process the data otherwise captured with the S.Mart app, such as your email address or your transaction history, in order to conclude and fulfill the S.Mart app user agreement concluded with you (performance of pre-contractual measures and fulfillment of contract, Art. 6 (1) letter b GDPR), as we use this data to provide you with access to the S.Mart app and to make the individual functionalities of the S.Mart app available to you. Furthermore, in our legitimate interest in providing you and us with a stable and secure app, we process device and meta data such as your IP address and information on your operating system (legitimate interest, Art. 6 (1) letter f GDPR).
Further data in connection with the S.Mart shopping experience is only processed on the basis of your explicit consent (Art. 6 (1) letter a GDPR). This includes location data to customize your shopping experience with us (e.g., to show you only relevant promotions for the S.Mart location where you are) and push notification tokens to communicate with you via push notifications. You can revoke your consent at any time for the future in your device settings.
As described above in the section “What personal data is collected?”, we use cameras to learn more about our customers and their shopping experience in the S.Mart in an anonymized, aggregated form. The camera recordings are immediately obfuscated after they are generated in such a way that they can no longer be used to identify you. Only obfuscated camera recordings are temporarily (<100ms) stored for analysis purposes, as described in the following section, and then irreversibly deleted. At no point is the analysis data combined with other data about you; it is completely anonymous and aggregated statistics that cannot be traced back to you or other S.Mart customers. The statistics do not allow any conclusions to be drawn about your individual purchasing behavior. These anonymous, aggregated statistics are generated by us in our legitimate interest to understand sales trends, optimize inventory management and improve your overall shopping experience. The initial, temporary processing of personal data in the form of camera recordings of customers and the anonymization of these camera recordings is therefore carried out on the basis of Art. 6 (1) letter f GDPR (legitimate interest).
If you send us an enquiry about our offer or a request for help with a problem related to the use of the S.Mart or the S.Mart app using the contact form in the S.Mart app (if available) or by email, we will process your data in order to answer your request, i.e. to be able to make you an offer or to help you with your problem (performance of pre- contractual measures and/or fulfillment of contract, Art. 6 (1) letter b GDPR).
Finally, we may process your data in order to fulfil our legal obligations or in cases where this should be necessary for the exercise, assertion or defense of legal claims, including the disclosure of your personal data to third parties, such as public authorities, law enforcement authorities, regulatory authorities and third parties involved in legal proceedings, in connection with an ongoing procedure or investigation (processing to fulfil a legal obligation, Art. 6 (1) letter c GDPR, or processing to protect the legitimate interests of the controller, Art. 6 (1) letter f GDPR).
To determine the purchase data with the help of RFID tags, we use the technology of our IT services partner payfree GmbH, Fürstenwall 172, 40217 Düsseldorf (Payfree) which processes your data in this context as our data processor within the meaning of Art. 4 (8) GDPR. The servers used by Payfree are located in Germany.
To process your payments, we work together with the payment service provider Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam, the Netherlands (Adyen). We share certain purchase data (e.g., order ID, object of purchase, purchase amount) with Adyen to start the payment process and Adyen processes additional necessary payment data from you (e.g., card issuer, last four digits of PAN) as our data processor. Data storage by Adyen as our data processor takes place on servers in the European Economic Area (EEA); however, it cannot be ruled out that Adyen employees or Adyen sub-processors located outside the EEA, in countries whose laws do not guarantee an adequate level of data protection corresponding to that of the EEA, may access data. For these cases, we have obligated Adyen to take appropriate measures in accordance with the applicable data protection laws and to agree to the EU Standard Contractual Clauses with their respective sub-processors. For more information on how Adyen processes data when providing its services, please refer to Adyen’s privacy notice.
All other technology of the S.Mart and the S.Mart app is provided by our partner SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf (SAP), which acts as our data processor in connection with the data processing activities described in this privacy notice. The servers used by SAP are located in the EEA or in other countries that guarantee an adequate level of data protection corresponding to that of the EEA.
If you would like further information regarding transfers of data to countries outside the EEA, please contact us at datenschutzbeauftragter@aramark.de.
We store your personal data for as long as is necessary for the purposes for which it was collected and for other permissible purposes (e.g., to comply with the regulatory requirements that apply to the storage of this data).
The retention and storage periods are based on business requirements and relevant laws. In particular, the statutory retention periods of six or eight years apply in accordance with the
provisions of Section 257 of the German Commercial Code and Section 147 of the German Fiscal Code. Please note that these periods may be extended if necessary (e.g., if we are required to do so by law or by regulatory authorities).
When the data is no longer needed, we will either permanently anonymize it or securely destroy it. We reserve the right to use anonymized data that can no longer be assigned to you for legitimate business purposes without separately notifying you.
As a data subject of our data processing, you have certain rights about which we inform you below:
Right to information: You have the right to request information about the personal data collected about you, as well as a copy of this data
Right to rectification: You have the right to request the completion or rectification of inaccurate personal data concerning you if it is incorrect or incomplete.
Right to erasure: If there are certain reasons (e.g. the data are no longer necessary for the purposes for which they were processed), you can request the erasure of your personal data
Withdrawal of consent: If we have obtained your consent to process your personal data in relation to a specific data processing operation, you can withdraw this consent for the future and prevent further data processing, provided that no other permission is relevant. This right of withdrawal does not apply to data that we process on other legal grounds. Your revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.
Right to restriction of processing: You may request the restriction of the processing of certain personal data for the duration of a complaint procedure or for specific other reasons.
Right to data portability: You can request that we electronically transfer your personal data that you have provided to us and which we still have stored to another controller
Right to lodge a complaint: You may also lodge a complaint with the competent data protection authority if you believe that the processing of your personal data violates data protection laws. Aramark is supervised by the following data protection authority:
Hessian Commissioner for Data Protection and Freedom of Information (HBDI) Gustav-Stresemann-Ring 1
65189 Wiesbaden
Phone: +49 611-1408-0
E-mail: DSB@datenschutz.hessen.de
Please note that there are exceptions to the above rights and that you may therefore not be able to exercise these rights comprehensively in every situation.
Aramark reserves the right to amend this privacy notice at any time and with future effect. It is therefore recommended that you read this privacy notice again at regular intervals.
***