Privacy Policy

Introduction

About this privacy notice

This is the customer privacy notice of Caterdesk Limited, a company incorporated in England & Wales under number 09755215 whose registered office is at 52 Tabernacle Street, London, England, EC2A 4NJ.

Caterdesk respects your privacy and is committed to protecting your personal data. This privacy notice informs you of who we are, how we collect, share, use and protect your personal data, however you provide it to us, and tells you about your privacy rights and legal protections.

Purpose of this privacy notice

This privacy policy tells you how Caterdesk collects and processes your personal data through your provision of that data to us and use of any of our group websites, including but not limited to any data you may provide when you sign up to a newsletter, purchase a product or service, take part in a survey or enter a competition.

It is important that you read this privacy notice together with any other information we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice is complementary to the other information which we might provide in specific circumstances and will not override it.

Contacts

Who is the controller and data protection officer?

When we use "Caterdesk", "we", "us" or "our" in this privacy notice, we are referring to Caterdesk. We are the "data controller" for your personal data under the applicable legislation and are primarily responsible for processing and ensuring proper protection of your data.

This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

This notice does not form part of any contract we might have with you and we can update it at any time but if we do so, we will provide you with an updated copy as soon as reasonably practical.

It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.

Caterdesk have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice and data protection issues in general. If you have any questions about this privacy notice, including in relation to your legal rights, please contact the DPO using the details set out below.

DPO Contact details

Richard Stevens
richard@caterdesk.com
52 Tabernacle Street, London, EC2A 4NJ

Your rights

You have rights under data protection laws in relation to your personal data. Under certain circumstances your rights are as follows:

  • Request access to your personal data (commonly known as a "data subject access request" or “DSAR”). This enables you to receive a copy of the personal data we hold about you in order to check that we are processing it lawfully
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where you believe we have no legitimate reason for continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be obliged to comply fully with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we might demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. Again, it is subject to any overriding legal, accounting and reporting rights we might have to retain copies of your data; and
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact our DPO at richard@caterdesk.com

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal data strictly to those employees, agents, contractors and other third parties who have a need to know that data in order to further the transaction in which we are both concerned. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

Whilst we are in control of our own data environment unfortunately the transmission of information via the internet is not always completely secure.

This makes it as secure as possible, but it is still not completely secure. You should be aware that if you send us anything in an unencrypted format, we will not be able to secure it until it has securely entered our network. As such, any transmission is at your own risk. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so, in a format and within the timescales stipulated by the applicable regulator or the applicable data protection legislation.

You also play a part in ensuring the security of your personal data. We recommend that you choose a password that is unique to our service. You are responsible for keeping this password confidential. Please do not share this password with anyone else. We will not be liable for any unauthorised transactions performed through our service where the user's credentials have been compromised.

How to complain

You have the right to make a complaint at any time to your local supervisory authority.
In the UK that is the Information Commissioner's Office (ICO) (www.ico.org.uk)
In Ireland that is the Data Protection Commission (DPC) (www.dataprotection.ie)

We would, however, appreciate the chance to deal with your concerns before you approach the ICO or the DPC; so please contact us in the first instance.

Full name of legal entity: Caterdesk Limited

Name and title of DPO: Richard Stevens, VP of Engineering

Email address: richard@caterdesk.com

Postal address: 52 Tabernacle Street, London, EC2A 4NJ

How we may interact with you

  • You order our food via our app or website
  • You are applying to work for us
  • You supply food, equipment or services to us
  • You buy our services
  • You’ve taken part in one of our surveys or a competition
  • You receive marketing about our food or services to you or your organisation
  • You’ve engaged with us on social media
  • You’ve visited one of our websites
  • You receive a newsletter or other communication from us

You order our food via our app or website

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online forms we might ask you to complete from time-to-time will vary but, ordinarily, we are likely to be collecting your personal information when you register for an app or website account, we provide you with our services, perform a contract with you or to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses
  • Bank account details or other payment details
  • Information about your use of our information and communications systems including transactional data
  • Profile data including your username and password (in those circumstances where you might have a technological relationship with us through a smartphone or computer), purchases or orders made by you, your interests, preferences, feedback and survey responses
  • Marketing and Communications Data may include your preferences in receiving marketing or service messages from us and will reflect your communication preferences. You will not be contacted for third party marketing purposes unless you have given us your express consent to do so
  • Location data may include your location, the location of your device or where the facility that serves you is located. You select the unit or location that you wish to use

The location data are selected by you so that we can offer you relevant menu and booking information for the location of the services we offer. We have a legitimate interest to know the location of the service you want us to offer you.

Where you receive marketing communications, we may use your contact information to market goods and services similar to those that you have already used or purchased. You may object to us using your data for marketing purposes at any time by contacting us directly. If you contact us, we will use the information to manage your request.

We process payment information to receive payment for the goods or services you buy from us and, if you choose and the function is available, to hold a credit balance on your account. We partner with several payment providers to process card payments. We carry out due diligence on our partners to ensure their PCI compliance and we have standard contractual clauses in place with them. Our systems do not process any payment information or card details. Your payment is processed by our payment provider and the pseudonymised transactional data is then shared with us.

Information that we collect from your use of the app or website

  • Technical Data may include internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access any of our websites
  • Usage Data may include information about how you use our app or websites and purchase our products and services.

We also collect, use and share Aggregated Data such as statistical or demographic data that may be derived from your personal data but is not considered personal data as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users buying a product.

How is your personal information collected?

We collect personal information either directly from you or sometimes from a third party, for example we may receive a list of new users to set up with accounts from our client.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations when providing our services to you or under our contract
  • Where we need to comply with a statutory obligation
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to provide our services to you, or perform our contract with you. Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Providing you with food or our services
  • Administering your account or the contract we have entered into with you
  • Business management and planning, including accounting and auditing
  • Dealing with legal disputes involving you
  • Complying with health and safety obligations
  • To detect or prevent fraud
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing, for example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data therefore cannot be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to provide our services to you, or perform the contract we have with you, or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to providing our services to you (most importantly so that we provide them properly and safely)

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer our service provision, or our contract with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: receiving payment for the services we provide, product or service quality assurance, marketing where we have your consent or we have a legitimate interest, and meeting our health and safety obligations including accident and incident management.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the contract we have with you, and provide our services to you. This processing may include special categories of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed, and the specific terms on which the data processor is retained by us, so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.

You are applying to work for us

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, we are likely to be collecting your personal information to pursue the employer-employee relationship, primarily to enable us to perform our contract with you and to enable us to comply with our legal obligations as your employer. We also need certain information from you to progress you starting with us as an apprentice or Learner. Any external training provider or partner will act as a data controller in their own right and will let you know their privacy processes. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship, some of which will depend on the role for which you are being employed or to which you are being trained. In addition, some of the following types of information might be obtained during your time working with us in relation to your performance or if any issues or incidents arise in relation to you.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and personal email addresses
  • Date of birth
  • Gender
  • Marital status and dependants
  • Next of kin and emergency contact information
  • National Insurance number
  • Bank account details, payroll records and tax status information
  • Salary and annual leave
  • Start date and, if different, the date of your continuous employment
  • Leaving date and your reason for leaving
  • Location of employment or workplace
  • Copy of passport (either as ID evidence or to use for travel arrangements if the role demands it)
  • Right to work in the UK status including current immigration status
  • Copy of driving licence (either as ID evidence or qualification evidence if the role demands it)
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of a job application process)
  • Any information you provide to us during an interview (whether face-to-face, by phone or Skype or in any other way)
  • Employment records (including job titles, work history, working hours, holidays, training records and professional memberships)
  • Competency certification or other regulatory or industry-related certification necessary for your role
  • Professional or trade qualifications that are relevant to the industry and/or role for which you are applying
  • Tax documentation where this is necessary for us to work with national or international tax authorities to administrate your tax status or the status of emoluments you earn either in the UK or abroad, where applicable.
  • Compensation history
  • Performance information
  • Disciplinary and grievance information
  • CCTV footage and other information obtained through electronic means such as swipe/access card records
  • Information about your use of our information and communications systems
  • Photographs
  • Results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied (should you provide services in a way that might legally qualify you as an employee in the eyes of the law or in accordance with HMRC guidance and regulation on the status of individuals and their tax affairs)
  • Provision of company benefits

We may also collect, store and use the following "special categories" of more sensitive personal information:

  • Credit reference agency checks
  • Biometric data (in particular, with biometric data, where we use a time-and-attendance system, an access security system or cashless/cradles payment system for our own purposes or where those are required by any business client for whom we provide services and on whose business you are deployed)
  • Information about criminal convictions and offences, where these are relevant to the role for which you have applied (or to which you are being transferred if already employed by us) and where client expectations and regulation to which they are subject obliges us to obtain such data (for example, working in schools or hospitals where there are children or vulnerable adults and our clients have a safeguarding obligation and standard which we must meet ourselves)

Information about your health, including any medical condition, health and sickness records, including:

  • where you leave employment and the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision
  • details of any absences (other than holidays) from work including time on statutory parental leave and sick leave; and
  • where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes

This sort of special category information is required if the role you are applying for demands it or if the role is on a client site where the client has obliged us to vet potential staff to this extent (for example; clients in the finance industry or in the defence sector are very strict about security, clients in the education and health sectors are very strict about criminal convictions because they have statutory “safeguarding” obligations to meet and to which our own staff must adhere). These sorts of information might not seem to be appropriate to the nature of the role you are applying for but we might still have to obtain it from you for reasons such as the above.

How is your personal information collected?

We collect personal information about employees, workers, apprentices, trainees or learners and contractors (whether on a permanent, part-time or casual basis) through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider.

We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.

We may also use the following other sources of personal information:

  • Sanctions and Watch Lists issued by governments, financial market regulators and law enforcement bodies from across the world
  • Outstanding County Court Judgments (CCJs), IVAs, Bankruptcies, alias names and address history using the electoral register
  • The Disclosure and Barring Service and Disclosure Scotland in respect of criminal convictions
  • The Home Office Employers Checking Service in respect of Right To Work in the UK
  • Your named referees

We may also collect personal information from the trustees or managers of pension arrangements operated by a group company, if relevant.

We will collect additional personal information in the course of job-related activities throughout the period for which you work for us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under the employer - employee contract
  • Where we need to perform our obligations under any training contract or learning agreement
  • Where we need to comply with a statutory obligation
  • Where it is necessary for our legitimate interests, including business interests and employer best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of the role for which you are employed or work with us, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform the relationship we have with you. Some we will need to comply with legal obligations.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Assess your skills, qualifications, and suitability for the work generally or the role specifically
  • Carry out background and reference checks, where applicable
  • Communicate with you about the recruitment process
  • Keep records related to our hiring processes
  • Determining the terms on which you work for us
  • Checking you are legally entitled to work in the UK
  • Paying you and, if you are an employee or deemed employee for tax purposes (PAYE), deducting tax and National Insurance contributions (NICs)
  • Managing your and our tax affairs related to your employment where you work or are paid in a jurisdiction outside the UK
  • Managing travel arrangements in roles where you are required to work outside the UK which could include the disclosure to third parties of your competency or medical certification or identification documents (such as a copy of your passport)
  • Communicating with you about your employment with us, including providing you with opportunities and news about the business by way of staff magazines and newsletters
  • Granting awards under any share plans operated by a group company
  • Administering the employment or training contract we have entered into with you
  • Business management and planning, including accounting and auditing
  • Conducting performance reviews, managing performance and determining performance requirements
  • Making decisions about salary reviews and compensation
  • Assessing qualifications for a particular job or task, including decisions about promotions
  • Keeping your details on Caterdesk systems (including Apps) that allow our contract managers to offer or select you for casual work, overtime or emergency cover
  • Gathering evidence for possible grievance or disciplinary hearings
  • Making decisions about your continued employment or engagement
  • Making arrangements for the termination of our relationship
  • Education, training and development requirements
  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
  • Ascertaining your fitness to work
  • Managing sickness absence
  • Complying with health and safety obligations
  • To detect or prevent fraud
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
  • To conduct data analytics studies to review and better understand employee retention and attrition rates
  • Equal opportunities monitoring

We may from time to time carry out other types of processing, for example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to consider your application, perform the employment contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of other workers) or our client might not permit you to enter their premises, thus preventing you from fulfilling the role you had intended to perform.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract or agreement we have with you (most importantly so that we perform it properly and safely)
  • Where we need to provide a third party with health certification or evidence to allow you to undertake your role, including providing clients with such information to allow you to access their premises

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the employment contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you. The most likely use of automated decision making is in response to questions we ask about your entitlement to work in the UK. These decisions will be based on the information you provide to us.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the employment contract or agreement we have with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the employment contract we have with you: payroll, providing and reporting training and development, IT services, travel arrangements, foreign jurisdiction permission to work, occupational health, and security vetting.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider which triggers our obligation to disclose anonymised data under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”).

In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if, and to the extent required under the terms of the transaction or by TUPE.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, disclosures to stock exchange regulators and disclosures to shareholders such as directors' remuneration reporting requirements.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the employment contract we have with you. This processing may include special categories of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the EU’s expectations in terms of the countries where that data is being processed and the specific terms on which the data processor is retained by us so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Details of retention periods for different aspects of your personal information are available in our Document and Data Retention Policy.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.

You supply food, equipment or services to us

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary. Ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations, we are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses
  • Bank account details, and tax status information
  • Credit history
  • CCTV footage and other information obtained through electronic means such as swipe/access card record
  • Information about your use of our information and communications systems
  • Photographs

How is your personal information collected?

We collect personal information during the on-boarding process, either directly from you or sometimes from your employer or credit check provider.

We may collect additional personal information in the course of job-related activities throughout the period for which you work with us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under our contract
  • Where we need to comply with a statutory obligation
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you. Some we will need to comply with legal obligations.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Determining the terms on which you work for us
  • Administering the contract we have entered into with you
  • Business management and planning, including accounting and auditing
  • Conducting performance reviews, managing performance and determining performance requirements
  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
  • Complying with health and safety obligations
  • To detect or prevent fraud
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing, for example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you), or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations) or our client might not permit you to enter their premises.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)
  • Where we need to provide a third party with health certification or evidence to allow you to work with us, including providing clients with such information to allow you to access their premises

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the contract we have with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: contract, finance, tax and treasury management.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, or disclosures to other regulators.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the contract we have with you. This processing may include special categories of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed, and the specific terms on which the data processor is retained by us, so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.

You buy our services

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary. Ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations, we are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses. This information is about you at your place of work and your organisation contracts with us to provide services.
  • CCTV footage and other information obtained through electronic means such as swipe/access card record

How is your personal information collected?

We collect personal information during the pre-contract or tendering process and onboarding process, either directly from you or sometimes from your employer or tender portal provider.

We may collect additional personal information in the course of job-related activities throughout the period you work with us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under our contract
  • Where we need to comply with a statutory obligation
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you. Some we will need to comply with legal obligations.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Preparing contract or tender documents
  • Determining the terms on which you work with us
  • Administering the contract we have entered into with your organisation
  • Business management and planning, including accounting and auditing
  • Conducting performance reviews, managing performance and determining performance requirements
  • Dealing with legal disputes involving you, or your organisation, including accidents at work
  • Complying with health and safety obligations
  • To detect or prevent fraud
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing, for example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you or your organisation, or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)
  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the contract we have with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: contract, finance, tax and treasury management.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, or disclosures to other regulators.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the contract we have with you. This processing may include special category of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed, and the specific terms on which the data processor is retained by us, so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.

You receive marketing about our food or services to you or your organisation

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to provide you with our services, perform a contract with you or to enable us to comply with our legal obligations, we are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses. This information could be about you at your place of work, or at home.
  • Information about your use of our information and communications systems

How is your personal information collected?

We collect personal information either directly from you or sometimes from a third party.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to tell you about our goods or services, or perform our contract with you if we already have one.  Some we will need to comply with legal obligations.

This section makes a clear distinction between marketing communications, i.e. communications that sell our goods or services, or that collect information to help us (or others) to contact people for marketing purposes at a later date, and genuine service or market research communications. Direct marketing rules do not apply to the latter.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. For example, if we believe that we can offer you similar services to those you have either bought from us or expressed an interest in buying from us. In these circumstances, it won’t surprise you to hear from us, unless you’ve expressly asked us not to. All of our communications to you will give you that option and you can tell us at any time.

The situations in which we will process your personal information are listed below:

  • Tell you about our food or services
  • To detect or prevent fraud
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

If we are marketing our goods and services to you at work, we are essentially marketing to your organisation rather than directly to you. That means that we may have sent unsolicited communications to you. However, we recognise that people work in the organisation we market our goods and services to. Your personal information is just that; personal to you, and you have the same rights. Please let us know if you do not want to receive these communications. If you’d prefer those communications go to another role in your organisation, please let us know.

If we are marketing to you at home, we will not send unsolicited communications to you unless you have given us your consent to do so, or we have a legitimate interest in sending you information about goods or services similar to those you have either previously bought or expressed an interest in buying from us.

We may from time to time carry out other types of processing. For example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to provide you with the information you want from us, or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to providing our services to you (most importantly so that we provide them properly and safely)
  • Where we need to provide a third party with health certification or evidence to allow you to work with us, including providing clients with such information to allow you to access their premises

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.  

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer our service provision, our contract with you, or how we communicate with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the relationship we have with you: receiving payment for the services we provide, product or service quality assurance, and marketing where we have your consent or a legitimate interest.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the contract we have with you, and provide our services to you. This processing may include special category of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed, and the specific terms on which the data processor is retained by us, so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.

You’ve taken part in one of our surveys or a competition

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations, we are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses. This information could be about you at your place of work and your organisation contracts with us to provide services, or at home if you have bought food or services from us delivered to your home.
  • There may be other aspects of personal data we ask for in the survey or competition. If that is the case, we will explain the purpose of this within the survey or competition itself, and it will be supported by this Privacy Notice.

How is your personal information collected?

We collect personal information when you complete the survey or enter a competition. This may be a paper or digital tool, or may be via one of our apps.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under the terms of the survey or competition
  • Where we need to comply with a statutory obligation
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Processing the outcomes of the survey or competition
  • Making improvements to our food or services
  • Understanding how you use our services
  • Understanding how we interact with you and helping us improve
  • Understanding your use of our marketing channels and which produces the best outcomes for consumers and our operations
  • Conducting performance reviews, managing performance and determining performance requirements
  • Dealing with legal disputes involving you, or your organisation, including accidents at work
  • Complying with health and safety obligations
  • To detect or prevent fraud
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
  • Other specific requirements set out in the introduction to specific surveys or competitions

We may from time to time carry out other types of processing. For example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to complete the survey or enter you into a competition, or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)
  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.  

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the delivery, use of or assessment of the survey or competition.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: service improvement, product improvement, operational and support improvements, as well as the delivery of the survey, how the survey operates and any assessment of completed surveys, processing the entries of the competition, fulfilling winners of the competition, processing any marketing consent given as part of the competition.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, or disclosures to other regulators.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the contract we have with you. This processing may include special category of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed, and the specific terms on which the data processor is retained by us, so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.

You’ve engaged with us on social media

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations, we are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, email addresses and profile information. This information could be about you at your place of work and your organisation contracts with us to provide services, or at home if you have bought food or services from us delivered to your home.

How is your personal information collected?

We collect personal information when you send us a message or interact with our social media channel. This may be via one of our apps.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Responding to your engagement with us
  • Making improvements to our food or services
  • Understanding how you use our services
  • Understanding how we interact with you and helping us improve
  • Understanding your use of our marketing channels and which produces the best outcomes for consumers and our operations
  • Dealing with legal disputes involving you, or your organisation, including accidents at work
  • Complying with health and safety obligations
  • To detect or prevent fraud
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing, for example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to respond to your query of your use of our social media platform, or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)
  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.  

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the delivery, use of social media accounts.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: service improvement, product improvement, operational and support improvements, as well as the operation of our social media accounts.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, or disclosures to other regulators.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the contract we have with you. This processing may include special categories of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed, and the specific terms on which the data processor is retained by us, so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.

You’ve visited one of our websites

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information, we do so to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, email addresses and profile information. This information could be about you at your place of work, where your organisation contracts with us to provide services, or at home if you have bought food or services from us delivered to your home.
  • IP address, cookies and tracking technologies. The use of these technologies is covered in a separate Policy which can be found on our websites.

How is your personal information collected?

We collect personal information when you send us a message, interact with our social media channels or visit our websites. This may be via one of our apps.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation
  • Where we want to try to provide a tailored experience of our digital presence
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Responding to your engagement with us
  • Making improvements to our food or services
  • Understanding how you use our services
  • Understanding how we interact with you and helping us improve
  • Understanding your use of our web sites or marketing channels, and which produces the best outcomes for consumers and our operations
  • Dealing with legal disputes involving you, or your organisation, including accidents at work
  • Complying with health and safety obligations
  • To detect or prevent fraud
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing, for example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to respond to any query of your use of our websites, or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)
  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.  

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the delivery, use of our websites or digital platforms.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: service improvement, product improvement, operational and support improvements, as well as the operation of our social media accounts.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, or disclosures to other regulators.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the contract we have with you. This processing may include special categories of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed, and the specific terms on which the data processor is retained by us, so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.

You receive a newsletter or other communication from us

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information, we do so to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses. This information could be about you at your place of work, or at home.

How is your personal information collected?

We collect personal information when you sign up for the newsletter. This may be a paper or digital tool, or may be via one of our apps.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under our contract
  • Where we need to comply with a statutory obligation
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent (if that is different from 1)

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. For example if we believe that we can offer you similar services to those you have either bought from us or expressed an interest in. In these circumstances, it won’t surprise you to hear from us, unless you’ve expressly asked us not to. All of our communications to you will give you that option.

The situations in which we will process your personal information are listed below:

  • Provide you with the communications you want from us
  • Making improvements to our food or services
  • Understanding how you use our services
  • Understanding how we interact with you and helping us improve
  • Understanding your use of our marketing channels and which produces the best outcomes for consumers and our operations
  • Conducting performance reviews, managing performance and determining performance requirements
  • Dealing with legal disputes involving you, or your organisation, including accidents at work
  • Complying with health and safety obligations
  • To detect or prevent fraud
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing, for example to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to send you the communication you want, or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)
  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as EatFirst.  

We require our third party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to maintain the relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help develop and deliver our communications to consumers, clients or members of the public.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: developing relevant communications, delivery of our communications, reviewing and assessing the delivery methods we use.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, or disclosures to other regulators.

Processing information outside the UK

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the contract we have with you. This processing may include special categories of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed, and the specific terms on which the data processor is retained by us, so that the process provides an adequate level of protection for your personal information. Your data will be processed in the EU and US, but may be processed in other jurisdictions, such as India, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer have a lawful basis to process your personal data, we will securely destroy your personal information in accordance with the Document and Data Retention Policy which is informed by the applicable laws and regulations that we are entitled to take into account.