Privacy policy

For the processing of guest and supplier information for Norrlyst ApS

1. Data controller

Norrlyst ApS is the data controller.

Contact details:
Kompagnistræde 8
1208 København K
Tel. 61 42 95 81
E-mail: [email protected]

Norrlyst ApS consists of the following companies:

  • Norrlyst
  • Lille Norrlyst
  • Theo
  • Gemini
  • Odette
  • Search
  • Gabrielle

Hereinafter all companies will be referred to collectively as Norrlyst ApS

Norrlyst ApS handles all personal information in accordance with applicable personal data legislation. Norrlyst ApS enters into agreements with guests and suppliers for the supply – purchase and sale – of various services and products.

When a guest orders and purchases one or more of Norrlyst’s services, and as part of this provides his personal data to Norrlyst ApS, he simultaneously gives his consent to the guest’s / supplier’s personal data can be processed by Norrlyst ApS. The same applies to any personal data that suppliers to Norrlyst ApS provide to Norrlyst ApS in connection with the submission of offers or the conclusion of agreements with Norrlyst ApS.

2. Norrlyst’s collection of personal data

Personal data is collected by Norrlyst ApS in the following ways:
– When a guest – or a representative thereof – makes a table reservation, requests a quote for a company, event or other service, or when a supplier makes an offer or sells products or services to Norrlyst ApS.
– Through browser cookies on our websites.
– When purchasing gift vouchers via Norrlyst’s website.
– From social media.
– When suppliers enter into agreements with Norrlyst ApS or submit offers to Norrlyst ApS.

Collection and processing of personal data, as described above, will always be done in accordance with applicable personal data legislation.

3. Information collected by Norrlyst ApS

Norrlyst ApS collects the following personal data:
– Name, address, telephone number, email address, date of birth and other general non-personal information.
– Payment card details – for purchases of gift vouchers and tickets to events.
– Demographic information.
– Purchase history.
– Information from customer surveys and guest feedback.
– Information from any competitions held.
– Information from Norrlyst’s social media and other digital platforms belonging to Norrlyst ApS.
– Browser information.
– Information about the guest’s company and relevant contacts.
– Information on suppliers’ business and information on relevant contacts and key persons, including key accounts.

A guest/supplier may voluntarily and at his own choice provide Norrlyst ApS with additional personal data that he believes may be important for Norrlyst’s service to the guest/supplier, or that he believes should be provided for security reasons.

This may include information on:
– Handicap
– allergy
– Special food preferences
– Other health or medical information

If a guest/supplier voluntarily chooses to provide such information, Norrlyst ApS considers this as consent to register and store this sensitive information about the person concerned.

In addition to the information that Norrlyst ApS receives directly from guests/suppliers, Norrlyst ApS will in some cases obtain or process additional information that Norrlyst ApS has received from third parties, such as an intermediary or an employee of the company where the data subject is employed. Where this is the case, the third party in question is obliged to inform the guests/suppliers in question of Norrlyst ApS’ terms and conditions, as well as Norrlyst ApS’ personal data policy. It is also the responsibility of the third party concerned to ensure that there is the necessary legal basis for the collection and processing of the data in question, including obtaining any necessary consent for the processing of any sensitive data. For reservations and orders of services and products, Norrlyst ApS stores the information provided by the guest/supplier for up to 2 years, after which the information is deleted.

4. Payment by debit card

Norrlyst ApS uses DIBS (Nets) for payment with debit and credit cards in our restaurants. Norrlyst ApS uses DIBS and QuickPay to handle online purchases on our webshop, and we do not store information about payment methods, such as card numbers on payment cards, bank account numbers or the like. DIBS, QuickPay and Norrlyst ApS are approved and certified by the Payment System of Financial Institutions ( For bookings and reservations, Norrlyst ApS stores the information provided by the guest/supplier for up to 2 years, after which the information is deleted. Excluded from this is information on debit and credit cards, which is deleted after the current year +5 years.

Apart from handling the order, the information provided is only used if a guest/supplier, for example, asks questions or if there is an error in the order/payment.

5. What is the purpose of the collection and processing?

Norrlyst ApS only collects personal data that is necessary to fulfil the agreements entered into with guests/suppliers regarding the provision of services, e.g. a table reservation for one of Norrlyst’s restaurants or the purchase/sale of products or services. It is the content and nature of the individual agreement that determines which personal data Norrlyst ApS collects and processes, and which determines the purpose of the collection.
The purpose of collecting and processing personal data will primarily be:

– Processing of guests’ reservations and purchases of Norrlyst ApS’ services.
– Processing of suppliers’ offers and sales of products and services.
– Contact with the guest before, during and after their visit.
– Fulfilling the guest’s request for an offer or purchase of services.
– Improvement and development of Norrlyst ApS’ services.
– Adaptation of Norrlyst’s marketing and other communications.
– Analysis of the user behaviour of visitors/suppliers and marketing to them.
– Administration of guests/suppliers’ relationship with Norrlyst ApS.

6. Grounds – the legal basis – for the processing

Norrlyst ApS will most often process personal data because it is necessary to fulfil an agreement with Norrlyst ApS to which a guest or a supplier is a party. For example, this may be in connection with the organisation of a company, an event, the running of meetings or the handling and fulfilment of cooperation and supplier agreements.

If a guest in connection with a visit to Norrlyst ApS discloses special personal preferences or considerations, including for example health information, disability, religious beliefs or the like, Norrlyst ApS will use the information only to ensure that this is taken into account.

In some situations, Norrlyst ApS receives personal data from third parties, such as a travel agency, an agent or similar, including in connection with group bookings. When this happens, the third party in question is required to inform the guests/suppliers in question of Norrlyst’s terms and conditions and the content of this personal data policy.

7. Rights of the data subject

Under the rules of the GDPR, data subjects (guests/suppliers) have the following rights:

– A data subject has the right at any time to obtain information about which personal data Norrlyst ApS processes about the data subject.
– A data subject shall have the right to rectify and update the personal data Norrlyst ApS holds concerning him or her at any time.
– A data subject shall have the right at any time to erase the personal data that Norrlyst ApS holds concerning him or her. If a data subject requests deletion, all data that Norrlyst ApS is not required by law to store will be deleted. Deletion of the data subject’s data may in some cases mean that Norrlyst ApS cannot fulfil any agreements entered into or provide certain services to the data subject. If any of the data held by Norrlyst ApS about the data subject has been given on the basis of the data subject’s consent, the data subject shall have the right to withdraw the consent at any time, which shall mean that the data will be deleted or will no longer be used by Norrlyst ApS.

However, the possibility to request erasure etc. may be limited for reasons of protection of privacy of other persons, trade secrets and intellectual property rights.

The data subject may, at any time, request in writing that Norrlyst ApS obtain an overview and a copy of the personal data concerning the data subject that Norrlyst ApS holds. A written request must be signed by the data subject and contain his or her name, address, telephone number and e-mail address.

The data subject may also contact Norrlyst ApS if the data subject believes that his or her personal data is being processed unlawfully or in breach of any other legal obligation, such as the agreement/contract that the data subject has with Norrlyst ApS. Written request should be sent to Norrlyst ApS, see contact information above under point 1. Norrlyst ApS will as far as possible within 1 month after receipt of the data subject’s written request send it to the data subject’s postal address.

If the data subject requests the rectification and/or erasure of his or her personal data, Norrlyst ApS will assess whether the conditions for the request are met, in which case Norrlyst ApS will carry out the rectification or erasure as soon as possible. The data subject will at all times receive a reply to the request within 1 month of receipt. Norrlyst ApS reserves the right to refuse requests that have the nature of harassing repetition, that require disproportionate technical measures, that affect the protection of other data subjects’ personal data or in other situations where it would be disproportionately resource-intensive or very complicated to comply with the request.

8. Security and sharing of personal data

Norrlyst ApS protects the data subject’s personal data and has established guidelines to protect the data subject’s personal data from unauthorised disclosure and from unauthorised access or knowledge.

Only those persons employed by Norrlyst ApS who, by virtue of their job function, have a need for the registered personal data, have access to it. Norrlyst ApS continuously checks that there is no unauthorised access to the registered personal data.

In the event of a security breach where there is a high risk of misuse of the data subjects’ personal data, Norrlyst ApS will notify the data subjects of the security breach as soon as possible. Norrlyst’s security procedures are continuously reviewed and updated in line with technological developments. Norrlyst ApS uses a number of external suppliers of IT services, IT systems, payment solutions, etc. Norrlyst ApS enters into ongoing data processing agreements with all suppliers, thereby ensuring that external data processors maintain a necessary and high level of protection with regard to the personal data of data subjects.

Norrlyst ApS shares data subjects’ personal data internally within the group among Norrlyst’s restaurants. The purpose is to provide the guest with the best service, regardless of which department of Norrlyst ApS the guest uses.
Norrlyst ApS deletes your personal data when Norrlyst’s legal obligation ceases or when the purpose of collecting and processing the data no longer exists. As a general rule, financial data are stored for 5 years and other data for 2 years from the last visit.

9. cookies

Norrlyst ApS uses cookies. Further information on Norrlyst’s cookie policy can be obtained from our website.

10. Complaint

Complaints about Norrlyst’s processing of personal data can be made to

Data Protection Authority
Borgergade 28, 5
1300 Copenhagen K
Telephone: 33 19 32 00
E-mail: [email protected]

11. Update

This document will be updated regularly and at least once a year.

The document was last updated on May 8, 2023.