Re: Who decides
Who decides if and how they will contact you regarding the order? [The restaurant]
Who decides if they will retain your data for future orders? [The restaurant]
So the relationship is, as my friend thinks, that of data controller to data controller. JE have made it clear that your data will be passed to a third-party, who will be responsible for that COPY of your data (which in fact probably isn't retained for longer than necessary to process the order but in theory it could be). Just Eat continue to be responsible for their copy of your data (which includes many additional details not supplied to the restaurant such as stored payment details) because they need it to process further orders from you, quite possibly from other restaurants. The key item is that you have made a legal contract with the restaurant and not with JE, and that JE tell you that the restaurant can choose how to use the personal data they are supplied with.
Just Eat can ask a restaurant to delete a Just Eat's customer data or change it.. Only an individual can request changes to, or deletion, of their data (all or in part) and then only if it is inaccurate. This will change under GPDR, and under GPDR JE will have to make it clearer about who is responsible for the data. However as the law stands I can ask JE to delete my inaccurate data. However if they are not directly responsible for the maintenance of data by the third-party, and everything on their website suggests they think they are not (and that was presumably written by lawyers with a very good understanding of data protection) then I think they would be telling me that I need to contact the restaurant directly rather than JE asking them to change the data.
My friend thinks that the balance here is a fine one, and thinks that it would take a test case to establish a precedent (which probably won't happen as GPDR closes up a lot of the ambiguities that have plagued the DPA); however her opinion is that there is sufficient wiggle room in the relationship for JE to be able to successfully argue that they are not the data controller for the restricted copy of the data supplied to the restaurant under the act as it stands.
On the subject as a whole, she thinks that JE will not be brought to book in any case, as even if it were proven that they were the data controller, the Terms and Conditions imposed on restaurants that sign up with JE contain sufficient strictures on compliance with the handling of personal data that they would be judged to have shown due diligence. Again this may well change under GPDR; I merely asked her how she thought the position stands at the moment.