• Menu

  • Restaurants

  • Contact

Burger King logo



The Policy explains how we process your personal data in connection with your use of our Website, including responding to your inquiries, complaints and suggestions, including marketing information directed to you. In the Policy, you will also find information on your rights resulting from our processing of your personal data and how you can exercise those rights.


Controller “we” or “our”–REX CONCEPTS BK ROMANIA S.R.L., with its registered office in Bucharest, Sector 1, 22 NICOLAE G. CARAMFIL Street, 1st floor, App. 103, recorded with the Bucharest Trade Register under no. J40/19697/2022, VAT Reg. No. RO46952905 the operator of the following brands in Romania: Popeyes

Personal Data – information about a natural person identified or identifiable based on one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity, including the device’s IP, location data, Internet ID and information collected through cookies and other similar technologies.

Data Protection Officer (DPO) - a person appointed by us with expert knowledge of the law and practices in the field of personal data protection in order to support internal compliance with the provisions of the GDPR and to support you in exercising your rights under the GDPR.

Policy – this Privacy Policy.

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Website – the internet website operated by our Processor at: www.burgerking.ro

Mobile Apps – mobile application operated by our Processor that are available on “App Store” and “Google Play” User or “you” – a natural person visiting a particular Website or using one or more services (including Mobile Apps) or functionalities described in this Policy, whose personal data we process for at least one purpose specified in this Policy.

III. DATA PROCESSING IN CONNECTION WITH USING A WEBSITE In connection with your use of a Website / mobile app, we collect data within the scope necessary to provide each of the services offered, including information on your activity in those channels. Specific principles and purposes governing the processing of the data collected are described below.

A. Using the Website and/or Mobile Apps

When you are using the Website and/or Mobile Apps, we will be processing the following personal data:

a) Technical data – we may collect information about the device you are using to access the Website, such as the device’s IP address and operating system. Additionally, for mobile devices, the device type, and its unique identifier for advertisers. Also, some technical information about the browser used by the User is collected.

b) Usage data – these include information about your website browsing activity, e.g., information about the pages you visit and when you do it, items you click on a page, time you spend visiting a page, items you add to the basket, etc.

c) Location data – this applies to a situation where the User consents to processing location data. This includes precise information related to the User’s geography, obtained based on the device’s IP and/or the User device’s location features, as well as the User’s address data entered manually. This way, the User’s precise geographic coordinates will be revealed. This helps us display advertising relevant to your location, e.g., if we wanted to display ads only for persons located in Romania or to show you the nearest restaurants.

d) Advertising data: This is the data related to online ads that we have displayed or attempted to display to you, e.g. how many times a specific ad was displayed to you, on what page was it displayed, the advertisement ID (a unique user ID assigned to a mobile device (smartphone, tablet) or operating environment, browser, app, used by advertising services to personalize offers), etc.

e) User data: the data indicated below concern a situation when the User is contacting us with enquiries, complains or suggestions via the contact form on the Website. We process the User’s name, surname, e-mail address and any other personal data the User voluntarily provides to us in the contents of the message.

Such personal data will be processed for the following purposes:

a) To provide electronic services within the scope of providing Users access to the contents of the Website – in such a case, the legal grounds for the processing is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR).

b) For analytical and statistical purposes – in such a case, the legal grounds for the processing is our legitimate interest consisting in conducting analyses of the User’s activity and preferences in order to enhance functionality and the services provided (Article 6(1)(b) and (f) of the GDPR), in connection with the User’s consent for the storage of and access to information collected on the User’s end device (so-called cookie consent expressed in art. 6 (1)(a) of theGDPR).

c) For handling inquiries, complaints and suggestions – in such a case, the legal grounds for the processing of the above mentioned data is the necessity to perform the contract (Article 6(1)(b) of the GDPR) or our and yours legitimate interest consisting in us being able to respond to you (Article 6(1)(f) of the GDPR).

d) As necessary, in order to potentially establish, pursue or defend claims – the legal grounds for the processing is related to the Controller’s and yours legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of their rights.

e) For the marketing purposes of the Controller and other entities, in particular those related to behavioral advertising presentation – the principles of personal data processing for marketing purposes are described in the MARKETING section below.

f) The Users’ activity on the Website, including their personal data, are registered in system logs (special computer software designed for storing chronological records containing information about events and actions concerning the information system through which our services are provided). The information collected in logs is processed mainly for the purposes of providing services. We also process this information for technical and administrative purposes, in order to ensure safety and security of our information system and management thereof, as well as for analytical and statistical purposes – in this case the legal grounds for the processing is related to our legitimate interest (Article 6(1)(f) of the GDPR).

B. Marketing

We will process your personal data in order to perform expected by you marketing activities that may consist in:

a) displaying marketing content that is not User-specific (contextual advertising);

b) displaying marketing content tailored to your preferences (behavioral advertising);

c) other activities related to the direct marketing of goods and services (such as submitting commercial information by electronic means), including directing e-mail notifications about interesting offers or content, which in some cases may contain commercial information (newsletter service), as well as sending push notifications.

We will take all actions based on your consent (Article 6(1)(a) of the GDPR) or in connection with the need to perform the contract between us (Article 6(1)(b) of the GDPR) or sometimes based on legitimate interest (Article 6(1)(f) of the GDPR as we will detail below.

Behavioral advertising

Analysis and profiling for marketing purposes: In order to understand your personal preferences and behavior to provide you with information about our products, news and special offers that in our opinion might be interesting for you and will be tailored to your needs, with your express consent, we will create your customer profile (profiling). In order to create one, we or our trusted partners will process your personal data provided by you directly or as a result of your activity on the Website.

Our trusted partners are listed in Chapter  IV below.

The legal grounds for the processing of the above mentioned data is the legitimate interest consisting in surveying your preferences and behavior necessary to prepare and provide to you information about our products, news and special offers that in our opinion might be interesting for you and will be tailored to your needs (profiling), as well as direct marketing of our products and services (Article 6(1)(f) of the GDPR).

Marketing communications

We will be sending you marketing communications about products, news and special offers via our communication channels (e.g. e-mail, SMS, WebPush, mobile push). The legal grounds for the processing is the legitimate interest consisting in providing you with information about our products, news and special offers that in our opinion might be interesting for you, as well as direct marketing of our products and services (Article 6(1)(f) of the GDPR), in connection with your consent to receive marketing information (Article 6(1)(a) of the GDPR).

Social media

We may process personal data of Users visiting our social media profiles (Facebook, YouTube, Twitter, Instagram) or leaving information about our business in other services, such as Google reviews. This data is processed only for the purposes of maintaining the profile, as well as:

a) to inform Users about our business and promote events, services and products of various kinds. The legal grounds for the processing is our legitimate interest (Article 6(1)(f) of the GDPR) consisting in promoting our own brand;

b) to survey our Customers’ satisfaction and determine the quality of our services. The legal grounds for the processing of the above mentioned data is related to our legitimate interest consisting in obtaining suitable information in order to improve the quality of our products and services (Article 6(1)(f) of the GDPR);

c) to handle inquiries, complaints or suggestions related to using our social media;

d) as necessary, in order to establish, pursue and defend claims, the legal grounds is our legitimate interest consisting in allowing us to establish, pursue or defend claims (Article 6(1)(f) of the GDPR).

If you are using our social media profiles, the data may be transferred outside the EEA. In this case, the data will be duly protected based on appropriate safeguards resulting from the GDPR, Chapter V. Further information on this topic can be found in our privacy notices available in the relevant social media profiles.


We and our Trusted Partners use various solutions and tools for analytical and marketing purposes. Our partners may use cookies and similar technologies to collect or receive information from our website and other online locations and use them for providing measurement services and advertisement targeting.

Trusted Partners are e-commerce and advertisement companies, as well as media houses and other similar organizations acting on their behalf, with which we collaborate or which are recommended by international industry organizations, such as IAB (Interactive Advertising Bureau). Trusted Partner List:

  • Braze: https://www.braze.com/company/legal/privacy

  • Amplitude: https://amplitude.com/privacy

  • mParticle: https://www.mparticle.com/privacypolicy/

  • Voucherify: https://www.voucherify.io/legal/privacy-policy-v1-5

For each our brand, the following social media solutions apply – social media plug-ins of the Website use social media plug-ins (Facebook, Google+, LinkedIn, Twitter). Plug-ins allow users to share content published on the Website in the selected social network. The use of plug-ins on the Website allows the social network to obtain information about the user’s activity on the Website, which may be assigned to the user’s profile created in that social network. The Controller has no knowledge about the purpose and scope of data collection performed by the social networks. You can find more information under the following links:

a. Facebook: https://www.facebook.com/privacy/explanation  b. Youtube / Google: https://policies.google.com/privacy  c. LinkedIn: https://pl.linkedin.com/legal/privacy-policy d. Twitter: https://twitter.com/en/privacy e. Instagram: https://privacycenter.instagram.com/policy/ f. TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/pl-PL 



If you would like to contact us by electronic means (e.g. e-mail, instant messaging) or traditional mail not related to the services provided on behalf of the sender or in connection with another contract concluded with the sender, the personal data included in such communication is processed only for the purposes of this communication and addressing the issue raised in the communication. The legal grounds for the processing is related to the Controller’s and yours legitimate interest (Article 6(1)(f) of the GDPR) consisting in handling communication directed to the Controller in connection with their business activity.

We will only process personal data relevant to the issue raised in the communication. The entire communication is stored in a manner ensuring security of personal data (and other information) contained therein and is shared only with authorized persons.


If you contact the Controller by telephone, in a matter not related to the contract concluded or services provided, the Controller may ask you to provide personal data only if this is necessary to handle the issue raised in the phone call. In such a case, the legal grounds refers to the Controller’s and yours legitimate interest (Article 6(1)(f) of the GDPR) consisting in the necessity to resolve the reported by you issue related to the Controller’s business activity.


In order to ensure safety and security of persons and property, the Controller uses visual monitoring in their premises and in restaurants. Data collected this way is not used for any other purposes. Personal data registered in connection with visual monitoring is processed to ensure safety, security and order on the premises and, potentially, to defend or pursue claims. The grounds for personal data processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in ensuring safety and security of persons in the buildings and within the area under the Controller’s management, including ensuring safety of employees and visitors, as well as the Controller’s property and to protect their rights.


In the case of collecting data for the purposes related to the conclusion or performance of a particular contract, the Controller provides the data subject detailed information on such data processing at the moment of concluding the contract. The legal grounds for the data processing is related with the conclusion or performance of a contract (Article 6(1)(b) of the GDPR).


The Controller collects personal data in connection with the Controller’s business also in other cases – e.g. during business meetings, industry events or by exchanging visit cards – for the purposes related with initiating and maintaining business contacts. In such a case, the legal grounds for data processing are related to the Controller’s legitimate interest and persons directly providing their personal data to the Controller(Article 6(1)(f) of the GDPR) consisting in creating a contact network related to their business activity. Personal data collected in such cases is processed only for the purpose they were collected for and the Controller is responsible for its appropriate protection.

Personal data will be processed in an IT environment, which means it may be temporarily stored and processed to ensure safety, security and proper functioning of information systems, e.g. in connection with creating back-ups, testing changes in IT systems, detecting irregularities or protection against misuse and attacks.


The period of processing personal data by the Controller depends on the type of service provided and the purpose of processing. As a general rule, data is processed for the period of providing a service, until consent is revoked or until an effective objection to the personal data processing is raised – where the legal grounds for personal data processing is the Controller’s legitimate interest.

The period for data processing may be extended if processing is necessary for the establishment, exercise or defense of potential claims, and after that period – only if and as required by law. At the end of the processing period, data is irreversibly deleted or efficiently anonymized.

For detailed information on the data storage schedule, reach out to the point of contact indicated under Chapter XI below.


You have the right to: access the data and request its rectification, erasure, restriction of processing, the right to data portability and the right to object to processing of the data. To exercise any of your rights, use the contact details specified in Chapter XIII below. You should be aware that:

a) accessing personal data (or exercising any of the remaining rights) does not entail any fees, however we may charge you a reasonable fee if your request is expressly unjustified, repeated or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

b) We may be forced to request certain information from you to help us confirm your identity and provide you with the right to access your personal data (or to exercise any other rights you may have). This is a security measure to ensure that no personal data is disclosed to a person who is not authorized to obtain such data. We may also contact the User to ask them for further information in relation to their request in order to speed up our response.

c) We do our best to respond to all reasonable requests within one month. In rare cases, when the request is particularly complex or several requests were placed, this may take longer than a month. In such a case, we will notify you and will keep you updated

d) In certain circumstances, we may be forced to limit the extent, to which the data subject’s request is satisfied, e.g. in case of a request for erasure of data that needs to be retained on legal or regulatory grounds, or when satisfying the request may expose another data subject’s personal data.

You have the right to submit a complaint to the competent supervisory authority at any time. However, we would be grateful for the opportunity to address your concerns before you reach out to the competent supervisory authority, so we encourage you to contact us first.

If you want to revoke your consent or change the form of marketing communication, you can do it at any time. Remember, however, that the right to withdraw your consent does not affect the lawfulness of the processing that was carried out on the basis of consent given before its withdrawal. Depending on the option you choose, we may contact you by electronic means, e.g. by e-mail or through telecommunication devices, e.g. short text messages (“SMS”) or multi-media messages (“MMS”). The easiest way to revoke your consent or introduce changes is by writing to the following addresses:


DPO - iod@m3mcom.pl


Providing us with your personal data is required in order to use a given Website’s and Mobile Apps functionalities, e.g. to use the contact form on the Website. If you fail to provide the data, we will be unable to provide you with the full extent of such functionality, e.g. we will be unable to handle your inquiry, complaints or suggestion from the contact form.


Your personal data is transferred to our service providers, such as vendors of information systems and IT services providing administrative support, marketing agencies and media houses, courier companies, accounting and administrative service providers, entities running customer satisfaction surveys on our behalf, organizations supporting us in customer service (e.g. call centers). We may also share personal data with entities authorized under applicable law, as well as entities related to us, such as companies from our capital group. Your personal data may also be made available to entities participatingin the process of responding to your questions, doubts or complaints arising from the provision of services by us or our business partners. In this case, these entities will become a separate administrator, along with all rights and obligations, of your personal data. In some situations, data may also be shared in relation to potential business transactions, e.g. when restructuring our business or acquiring or selling any of our business or assets we may share personal data with a potential buyer or seller.

When sharing personal data with third parties, the shared data shall be limited to the scope required by the third party in order to ensure the necessary processing. In such cases, your personal data is protected under Data Processing Agreements requiring third party service providers to process your personal data for specific purposes and according to our instructions, comply with GDPR and use appropriate personal data protection safety measures in accordance with our internal policies. All transfers outside the EEA to countries that have not been deemed by the European Commission to provide an adequate level of personal data protection are secured with an agreement based on standard contractual clauses approved by the European Commission.

We may share your personal Data within the Restaurant Brand International group which includes its affiliates or subsidiaries. The RBI group to whom we transmit this data are not authorized to use or share them for other purposes or in any manner other than those provided for in this privacy policy.

We may also share information without it directly identifying you, such as anonymous aggregated statistics relating to your use of our online services. We may also combine information about you with information about other customers and share it in such a way that it cannot be associated with a particular customer.

For detailed information on data sharing, reach out to the contact point indicated under section XI below.


We will not be making any decisions concerning the User that would be based solely on automated processing of their data and cause legal consequences for them or otherwise affect them in a similar manner.


We have appointed a Data Protection Officer who is available in all cases related to our processing of your personal data and exercising rights related to our processing of your personal data.

Our Data Protection Officer may be contacted by:

a) e-mailing them at: Iod@m3mcom.pl

b) sending a letter (preferably labeled “c/o: data protection officer”) atREX CONCEPTS BK ROMANIA S.R.L., with its registered office in Bucharest, Sector 1, 22 NICOLAE G. CARAMFIL Street, 1st floor, App. 103


The Policy is verified on an ongoing basis and updated as needed. The current version of the Policy has been approved and is applicable as of 14.11.2023.

Click here to download Privacy Policy