WHITBREAD GROUP RESTAURANTS PRIVACY NOTICE FOR UK
This notice describes how Whitbread Group Plc, trading under the brands Beefeater, Beefeater Grill, Whitbread Inns, Table Table, Brewers Fayre, Cookhouse and Pub, and Bar + Block(referred to as "Whitbread") processes your personal data, as a controller. Our address is Whitbread Court, Houghton Hall Business Park, Porz Avenue, DUNSTABLE, Bedfordshire, LU5 5XE, United Kingdom. Please see "How do I get in touch with you" (please scroll down) below for contact details for specific matters.
You have the right to object to some of the processing which Whitbread carries out. More information about your rights and how to exercise them is set out in the section headed "Your rights"
This notice applies to:
- Callers and
- Other customers.
And anyone contacting, visiting or using our:
- Customer Relations Team and
- Restaurants and other premises.
Summary of the purposes for processing your personal data and the legal basis for doing so:
- We process personal data to make, amend and administer table bookings, provide restaurant services, process and store payment details, provide other products and services and administer your membership of our loyalty schemes in accordance with our contracts. We also deal with enquires, gather customer feedback, undertake market research and direct marketing (including analysis to create profiles), in our legitimate interests to promote our business and improve our service and delivery.
- When booking with us, we don't ask for accessibility, dietary, health or other sensitive personal data. If you (or someone on your behalf) do provide such information to us, please be aware we may need to ask for your explicit consent. In some cases, it may be permissible for us to have such data as it is in your vital interests that we do so.
- On our websites we use third party marketing and analytical cookies plus similar technologies are included in our marketing emails, as explained in our Cookie Notice below. You can reject and block cookies in your browser settings.
- When you post on social media about our business, we may use your contact details to respond to any complaints or comments, on the legal basis of our legitimate interests.
- In our legitimate interests, we also prevent and detect crime as well as protect our business and premises.
- In order to fulfil the above purposes:
- we disclose your personal data to payment providers, technology providers, insurers, and other specialist professional and technical service providers and advisers, to manage your bookings, arrange payments, and provide services.
- we may transfer your personal data outside the European Economic Area (the EU Member States plus Iceland, Lichtenstein and Norway) and, where we do this, we will use safeguards to protect your data.
- We keep your data to enable us to fulfil our contract with you or to provide services, where required by law, to respond to a question or complaint, to obey rules about keeping records, to uphold or protect contractual or legal rights or where it is in your or another party's vital interests or our legitimate interests. Where we process personal data on the basis of your consent, we will retain it for as long as required for the specified purpose. We also keep your data in line with any statutory limitation periods and for tax, legal or regulatory purposes.
- Any consent(s) you give us may be withdrawn at any time.
- You have an absolute right to object to direct marketing (and any profiling for the purposes of direct marketing) at any time.
- You also have the qualified right to:
- request access, rectify, and erase your personal data
- object to processing for any purpose where we rely on our legitimate interests as the legal basis
- restrict processing and
- supply or transfer your personal data in a portable format.
Where you exercise any of your rights, we will process your personal data to comply with your request in accordance with our legal obligations.
You have the right to lodge a complaint with a data protection supervisory authority of the EU Member State in which you are resident, work or in which your complaint arises. In the UK, the supervisory authority is the Information Commissioner. Details of EU all supervisory authorities can be found at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
We may provide additional information during the booking process and other points at which we collect your personal data.
If you wish to exercise your rights, please visit our Contact Us page using the below link:
Personal information we collect
We collect personal information when you book with us or request or use our services. This includes restaurant visits, using our websites or apps, or corresponding with us. We may also receive personal data about you from another source. This includes:
- Personal Identifiers- title,name, marital status, postal and email addresses, postcode, IP addresses and contact telephone numbers. We may also collect the names of those who are part of a group booking where necessary, and the age of children e.g. for birthday parties;
- Business-to-Business Information- for corporate customers and corporate business contacts: job title, business address and business email address;
- Transaction Information- payment, reservation and booking details, including meals & beverages and
- Customer special requests and feedback including complaints - via call centres, emails and online free text fields.
Third parties that we receive personal data from may include:
- Corporate customers;
- Comparison and review websites;
- Social networks;
- Market researchers;
- Marketing service providers and advertising technology providers;
- Government and law enforcement agencies;
- Other licensees in accordance with licensing requirements;
- Other restaurant providers and other organisations as part of their contingency plans; and
- Other companies in the Whitbread Group, including but not limited to Premier Inn Hotels Limited.
How do we use your information, and what is the legal basis for this use?
- To fulfil a contract, or take steps linked to a contract. This is relevant when you want to make a reservation with us; or receive other products and services from us such as meals and includes:
- making, amending or administering your table bookings and meal orders;
- providing products and services requested by you;
- verifying your identity;
- processing payments;
- to administer your membership of our loyalty schemes;
- communicating with you;
- providing customer services, including managing complaints; and
- alerting you by text, email or phone in the event of an unplanned incident, as a result of which we have to make alternative arrangements under our contract (or where we believe it is in your vital interests).
If the information we request is not provided, we may not be able to enter into or comply with a contract or our legal obligations.
- In our legitimate interests regarding the conduct of our business, in particular:
Ensuring customer satisfaction, maintaining goodwill and dispute resolution
- we provide technical support and investigate and process any complaints about our website or our products or services, and to maintain appropriate records for internal administrative purposes. We reserve the right to request evidence to support any claims or complaints.
To protect our business and prevent fraud
- monitor, test and control the performance and security of our systems, networks, processes and premises to prevent and detect fraud and protect our business; and
- if you provide a credit or debit card as payment, third parties check the validity of your bank account or card details in order to prevent fraud.
For business performance and improvement
- monitor and record CCTV, call centre communications, including incoming and outgoing calls and emails for staff training, quality improvement purposes and establishing facts and
- analyse transactions to enable us to improve our services and products and plan for our business.
Safety & Security of our Customers and Employees
- to protect premises and for security purposes including information recorded from CCTV;
- to monitor food safety and hygiene;
- to obtain statements from witnesses to accidents and other incidents; and
- for the detection and prevention of crime.
Developing and Marketing Products and Services
- for raising brand awareness;
- to understand you better as a customer by analysing your transactions and other information you provide to us or which we learn through your interactions with us;
- for marketing (including creating profiles), competitions and promotions by post, email, text and push notification where permitted to do so by law;
- we may use your data to provide personalised promotional offers to you;
- we may also use your data to provide you with personalised promotional offers on selected partner websites (for example, you might see an advertisement for our products on a partner site such as Facebook and Google);
- we also share some of your information with marketing service and ad technology providers and digital marketing networks, such as Facebook, Google and Adobe, to present advertisements that might interest you.
For example, we may transfer information about you to such providers so that they may recognize your devices and deliver interest-based content and advertisements to you. The information may include your name, email, device ID, or other identifier in encrypted form. The providers may process the information in hashed form. These providers may collect additional information from you, such as your IP address and information about your browser or operating system; may combine information about you with information from other companies in data sharing cooperatives in which we participate; and may place or recognize their own unique cookie on your browser. These cookies may contain demographic or other data in de-identified form;
- for monitoring the use of our websites and apps in order to improve their performance and optimise our media spend;
- we use personal data of some individuals to invite them to provide feedback or take part in market research; and
- where you are a member of our loyalty schemes (and your preferences permit us to) we send you emails including offers tailored to your perceived preferences and we record emails that seem to be of interest to you. Based on your purchase history and membership card usage some members may be offered additional loyalty points.
Legal and Regulatory purposes
- in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with claims, legal process or litigation);
- to comply with health and safety legislation, including accounting for the number of individuals on our premises and logging accidents;
- to prevent, investigate and/or reportsuspected fraud, terrorism, security incidents or other crime, in accordance with applicable law; and
- to anonymise personal data when we no longer need to process it.
Where we have relied on legitimate interests as the lawful basis for processing, we have carried out a balancing test. For details of these email email@example.com.
- Where you give us consent:
- we will send you emails, texts and push notifications (including newsletters) in relation to products and services provided by us, or by our named affiliates and carefully selected partners;
- when you use our websites or apps, we place cookies and use similar technologies on your computer, mobile or other device and we use such technologies such as pixel tags and web beacons in marketing emails and communications (also see our Cookie Notice);
- to participate in competitions we run and, if you win,to use your information for promotional purposes;
- we will process health information, such as dietary, accessibility, and allergy information you or a party on your behalf provides to us (we may also be able to do this where it is in your vital interests);and
- on other occasions where we ask you for consent, we will use the personal data for the purpose which we explain at that time.
You have the right to withdraw consent at any time.
- For purposes which are required by law:
- in response to requests by government, law enforcement authorities, or intelligence services and court orders;
- if required to comply with health and safety legislation to which we are subject;
- we may be required to share information with other licensees in accordance with local licensing requirements; and
- responding to a rights request under data protection legislation.
- To protect your vital interests or those of another person:
- disclosing your personal data to the emergency services where we believe it is necessary to protect your vital interests or the vital interest of another person; and
- where you (or a person acting on your behalf) provide us with dietary or other personal health data such as allergies.
Other recipients that we disclose, transfer or share your personal data with:
We will share your personal data with Premier Inn Hotels Limited (and its franchisees) and other companies in the Whitbread Group for administering hotel and restaurant services & products. Details of the Whitbread group can be found on our corporate website at www.whitbread.co.uk.
For some activities Whitbread uses third party service providers. Your personal data will be disclosed to such organisations where this is necessary to provide a service to you, or where it is in our legitimate interests. For example, we use third parties to:
- administer bookings;
- provide Wifi;
- undertake customer feedback surveys;
- provide analytics;
- send promotional offers;
- provide personalised advertisements;
- provide insurance;
- provide IT development, support, maintenance and hosting, including the provision of applications and website hosting;
- process payments to enable you to pay by credit or debit card; and
- provide CCTV systems and maintenance.
Personal data may be shared with regulators, government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim or regulatory purposes.
We disclose your personal data to payment providers, technology providers, insurers, and other specialist professional and technical advisers, to manage your bookings, arrange payments, and provide services.
With your consent, we will also disclose your personal data to Ombudsman services and Citizens' Advice.
Restructure and sale
We may restructure our internal group of companies so that different group companies run our restaurants and related services. If this happens we will let you know and your data may be shared with such company and processed as set out in this notice.
In the event that the business is sold or integrated with another business, your details may be disclosed to our advisers and any prospective purchaser's adviser and will be passed to the new owners of the business.
Sometimes we may need to send or store your data outside of the European Economic Area (the EU plus Iceland, Lichtenstein and Norway) (‘EEA'). For example, to follow your instructions, comply with a legal duty or to work with or receive services from our service providers who we use to help run your accounts and our services.
If we do transfer information outside of the EEA, we will make sure that it is protected by using one of these safeguards:
- Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Some countries have been deemed adequate by the EU.
- Put in place a contract with the recipient that means they must protect it to the same standards as the EEA or use other mechanisms and measures to achieve adequate protection. We also may use the Standard Contractual Clauses published by the EU.
- Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between EU countries and the US. It makes sure those standards are similar to what is used within the EEA.
- Binding corporate rules. These are internal rules adopted by group companies to allow international transfers of personal data to entities within the same corporate group located in countries which do not provide an adequate level of protection.
For some of our service providers in the US, we rely on Privacy Shield. For example, the party who helps us with our customer feedback surveys. We rely on contractual measures for a small number of our suppliers who have or use offices outside the EEA and who have restricted access to some data to provide us with IT services including development, testing, support and maintenance. For further details on the mechanisms used please contact firstname.lastname@example.org.
What rights do I have?
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent. We will continue to process your personal data for other purposes on a different lawful basis (other than consent) where that applies.
In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, and any profiling we carry out for direct marketing, at any time. You can do this by clicking on the 'unsubscribe' link located in the footer of every marketing email or text.
Where you have a relationship with another organisation, such as a social media platform like Facebook, we may ask them to send marketing to you. If you object to receiving marketing from us we will stop marketing to you. However, please contact the organisation directly if you want to withdraw your consent to such organisation marketing to you.
Other qualified rights
- You have the right to know whether or not we process information about you and to access that information.
- You have the right to update, correct and complete any information we hold about you which is inaccurate or incomplete.
- You have the right to obtain the personal data you provide to us for a contract or with your consent in a commonly used, structured, and machine-readable format, and to ask us to share (port) this personal data to another controller.
- You have the right to ask that we erase or restrict (stop active) processing of your personal data.
- In addition, you can object to the processing where the lawful basis is our legitimate interests.
These rights may be limited, for example if fulfilling your request would reveal personal data about another person or you ask us to erase information which we are required by law to keep. Where you object to us processing personal information, we may have a compelling justification for processing it. Relevant exemptions are also included within the data protection laws that apply in the UK. We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights, you can get in touch with us using the details set out below. If you have concerns, you have the right to complain to the data protection supervisory authority of the EU Member State in which you are resident, work or in which your complaint arises. In the UK, the supervisory authority is the Information Commissioner. Details of all EU supervisory authorities can be found at:
How long will you retain my personal data?
We keep your data to enable us to fulfil our contract with you or to provide services, where required by law, to respond to a question or complaint, to obey rules about keeping records, to uphold or protect contractual or legal rights or where it is in your or another party's vital interests or in our legitimate interests. Where we process personal data on the basis of your consent, we will retain it only for as long as required for the specified purpose. We also keep your data in line with any statutory limitation periods and for tax, legal or regulatory purposes.
The period for which we will retain your personal data depends on the purposes for which we are processing it and where the same personal data is processed for two or more purposes, we will retain it for the longest period. For example, we retain:
- CCTV recording for up to 31 days;
- for up to 1 year incoming and outgoing voice recordings (although we will keep a record of any consent you give us during a call for as long as we rely on it as the lawful basis for processing);
- until a period of 3 years has elapsed since your last interaction with us, personal data we process for marketing (including profiling) purposes, unless you ask us to stop sending electronic direct marketing, in which case we will act on your request, and then keep a record of your request indefinitely;
- for 3 years in the case of accident report forms (or for accidents relating to a child, for 3 years after the child's 18th birthday); and
- financial information for a period of 7 years for accounting, business reporting, analysis and audit purposes.
In any of the cases mentioned above, we may retain the personal data for longer, if it is required for the purposes of any internal or external investigation or litigation. In these cases, it may be retained until the matter is resolved. We may keep your data for longer in line with any limitation periods, or if we cannot delete it, e.g. for tax, legal or regulatory reasons.
You have the qualified right to request deletion of your personal data at any time, or we may choose or be obliged to erase your personal data earlier, for example, if we no longer need to process it.
Cookies and other similar technologies we use
Information about the first and third parties cookies and other technologies we use is available in section below called Cookie Notice.
How do I get in touch with you?
General data protection queries
If you have any queries about the way we process your personal data. You can get in touch at email@example.com.
Exercise of rights
If you have any queries about or want to exercise any of your rights please see the "Contact Us" page on our website.
Booking and general enquiries
For any queries relating to your booking please contact the restaurant.
This Privacy Notice was last updated on the 24th May 2018, Any changes to this Privacy Notice will be communicated on our website.
Whitbread Group Plc respects your data and your privacy is important to us. For more information on how we use and protect data please see our Privacy Notice[link].
Whitbread Group Plc is a controller of personal data. Our address is Whitbread Court, Houghton Hall Business Park, Porz Avenue, Dunstable, Bedfordshire, LU5 5XE.
If you have any queries in relation to data protection, please email us at firstname.lastname@example.org.
What is a cookie and what do they do?
For instance, cookies may store information about how the site is used, which can be used for maintenance and improvement. They simply log numbers and provide grouped information about site navigation – this tells us if people can find what they want.
‘Session' cookies, which are used for various reasons and expire after your visit, for example, remember certain information as you navigate from one page to another so you don't have to keep entering it.
Cookies which remember things for longer, from one session to the next, are called "persistent" cookies. Persistent cookies can do things like remember preferences and adjust content to suit you (personalisation).
Data collected informs personalised content such as advertisements
The data collected by cookies and similar technologies may be used (on the basis of our legitimate interests) to provide personalised promotional offers to you. For example, we may do this in order to send you relevant offers and promotions by email (where you permit us to do so). We may also use this data to provide you with personalised promotional offers on selected partner websites (for example, you might see an advertisement for our products on a partner site such as Facebook and Google).
We also share some of your information with marketing service and ad technology providers and digital marketing networks, such as Facebook, Google, and Adobe, to present advertisements that might interest you. For example, we may transfer information about you to such providers. The providers may then recognise your devices and send you interest-based content and advertisements. We may send the providers information such as your name, email, device ID, or other identifier in encrypted form and they may process your information in hashed form. These providers may collect additional information from you, such as your IP address and your browser or operating system. Information may be combined with information from other companies in data sharing cooperatives, who may place or recognize their own unique cookie on your browser. These cookies may contain demographic or other data.
Further information on how we use your data, how you stop us sending you direct marketing communications such as emails and your other rights are set out in our Privacy Notice [link].
What are first and third party cookies?
Cookies can be sent by different parties.
If the cookie comes from our site it is a first party cookie. If it comes from another site, such as our marketing services or ad technology providers or business partners, it is a third party cookie, specifically chosen by us to provide a service, such as a more personalised visit.
The third party cookies we use include those provided by Facebook, Google, and Adobe.
Do I Have to Accept Cookies?
You may reject cookies and disable similar technologies. However, site functions will be affected. Cookies and similar technologies help our sites to work properly and personalise your experience. You'll be able to browse the sites without them but some standard functionality, preferences and certain features will not work.
By accepting them, you allow us to improve your experience and remember information about you, which can personalise your experience.
To withdraw consent, you can reject or delete cookies. Please see the Managing Your Cookies section below on how you can adjust your browser settings. (link to info). Please contact third parties directly to withdraw consent.
By browsing or using our site you agree that we and the selected third parties in this notice can use (as described in this notice) data collected by the cookies you allow. If you do not agree, you can withdraw your consent by setting your browser to reject cookies, see below.
Managing your cookies
There are several ways to manage cookies. You can:
- set your browser to prevent cookies from being accepted. More information should be in your browser's "help" menu. How to adjust your browser will depend on which browser you're using.
- set some browsers to send you an alert when a website is trying to place a cookie on your browser.
- block cookies by activating the setting on your browser to refuse all or some cookies. However, if you use your browser settings to block all cookies including strictly necessary cookies, site access and features can be limited or not available.
- use an ad blocker to block any of the tools specifically or individually, including Google Analytics.
- delete cookies stored in your browser by "clearing cookies". This will only delete cookies already stored. It won't prevent new ones being accepted unless you change the acceptance settings. Also, clearing your cookies on one browser of one device does not automatically clear them on another. You need to clear all browsers on all devices, independently.
- refuse specific cookies, by using that cookies opt out process, in the table at the end of this notice.
More information about cookies is available on external websites such as www.aboutcookies.org[this link will open in a new window]. For help with how to manage and delete cookies, visit aboutcookies.org. Further information about advertising cookies, and how to manage them, can be found at youronlinechoices.eu (EU based), or aboutads.info (US based).
We are not responsible for the content or cookies from external websites. If you follow a link from our website to a third party site, they will have their own privacy and cookie notice.
How long do cookies last?
Different cookies can last for different lengths of time.
Session cookieslast for that website visit. Information is kept from one page to another, so you don't have to keep entering it. We use session cookies to help improve your experience with us and to support key activities that you want to undertake on our websites.
Persistent cookiesare on your browser and may last for a period of time or until you delete them. They can personalise the site and remember information each time you visit. We use them to see how people engage with our site. It helps us change and develop the site and improve your experience of it.
Cookies we use
- are ‘strictly necessary' for technical reasons;
- enable a personalized experience for visitors and registered users; and
- allow selected third parties to collect personal data for advertising and direct marketing.
Some of these cookies may be set when a page is loaded, or when a visitor takes a particular action, such as clicking the ‘continue' or ‘book' button on a particular site.
Below is a description of each category of cookies that are in use, along with specific examples.
Strictly Necessary Cookies support our websites operation. They are essential when you move around our website and use its features. For example, they remember your details when you login. This allows you to access your account. Without such cookies certain services cannot be provided.
Functionality Cookies remember when you return to the site and choices you have made on previous visits such as searches and which country you are from. This allows us to personalise our content for you such as enabling us to remember your preferences such as account name, and location.
Analytical/Performance cookies collect information on how people use the site including the pages visited, which helps us develop these and improve how a site functions. We can see if people find things easily and improve site navigation.
Targeting/Advertising Cookies. These are cookies that record your visit to our sites, the pages you have visited and the links you have followed. They collect information about your browsing habits and track the volume of visitors and number of times an advert is displayed and clicks such adverts receive.
We will use this information to make our sites and the advertising sent to you and displayed on them more relevant to you and your interests. We may also share this information with certain third party business partners for analytical purposes such as Google and to enable them (and other parties) to serve personalised advertisements to you.
These cookies are also used to limit the number of times you see an advert as well as help measure the effectiveness of advertising campaigns. They are usually placed by third party advertising networks or technology providers. They remember the websites you visit and that information may also be shared with other parties e.g. advertisers.
What are similar technologies?
Tagging works in a similar way to cookies. We use a tag called a pixel. A pixel is an image that once embedded in an email connects to a file stored on our web server and allows us to determine customer interest in our marketing emails. Tags can also be known as beacons.
These allow us to see which promotions seem of interest to our customers, and if a particular offer seems to interest you. We may use this information to send offers which appear to be more relevant to you.
You can find more information about the individual cookies and similar technology we use and the purposes for which we use them in the tables below.
Website cookies and similar technologies
The cookies and similar technologies we use are listed below. To opt out of these please see "Managing your cookies"[link] above. Using an ad blocker enables you to individually block any cookies.
Some third parties will also drop first party cookies, normally ‘session' ones, onto your device which may not be included in the table below.
Table of cookies and similar technologies used