Privacy Policy

About this Privacy Notice

This is the customer privacy notice of Equinoxe Solution Limited (Equinoxe), a company incorporated in England & Wales under number 06644359 whose registered office is at Parklands Court, 24 Parklands, Birmingham Great Park, Rubery, Birmingham B45 9PZ. 

Equinoxe respects your privacy and is committed to protecting your personal data. This privacy notice informs you of who we are, how we collect, share, use and protect your personal data, however you provide it to us, and tells you about your privacy rights and legal protections. 

Purpose of the Privacy Notice

This privacy policy tells you how Equinoxe collects and processes your personal data through your provision of that data to us and use of any of our group websites, including but not limited to any data you may provide when you sign up to a newsletter, purchase a product or service, take part in a survey or enter a competition. 

It is important that you read this privacy notice together with any other information we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice is complementary to the other information which we might provide in specific circumstances and will not override it.

Contacts

Who is the Controller and Data Protection Officer?  

When we use ‘Equinoxe’, ‘we’, ‘us’ or ‘our’ in this privacy notice, we are referring to Equinoxe Solutions Limited. We are the ‘data controller’ for your personal data under the applicable legislation and it is primarily responsible for processing and ensuring proper protection of your data.  

This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

This notice does not form part of any contract we might have with you and we can update it at any time but if we do so, we will provide you with an updated copy as soon as reasonably practical.

It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.

Equinoxe is a wholly owned subsidiary of Compass Group, UK and Ireland Limited (Compass).  Whilst Equinoxe has its’ own name and brand it has no legal status in itself. Any contract you enter through us will be, legally speaking, with Compass.  

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice and data protection issues in general. If you have any questions about this privacy notice, including in relation to your legal rights, please contact the DPO using the details set out below.  

Contact details  

Full name of legal entity: Equinoxe solutions Limited
Who to contact: Data Protection Officer
Email address: enquiries@equinoxesolutions.com
Postal address: Ongar Business Centre, The Gables, Fyfield Road, Ongar, Essex CM5 0GA

Your Rights

You have rights under data protection laws in relation to your personal data. Under certain circumstances your rights are as follows:  

  • Request access to your personal data (commonly known as a "data subject access request" or “DSAR”). This enables you to receive a copy of the personal data we hold about you in order to check that we are processing it lawfully 

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us 

  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where you believe we have no legitimate reason for continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be obliged to comply fully with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request 

  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we might demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms 

  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it 

  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. Again, it is subject to any overriding legal, accounting and reporting rights we might have to retain copies of your data; and 

  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. 

 

If you wish to exercise any of the rights set out above, please contact us at enquiries@equinoxesolutions.com

No fee usually required  

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.  

What we may need from you  

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.  

Time limit to respond  

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  

In addition, we limit access to your personal data strictly to those employees, agents, contractors and other third parties who have a need to know that data in order to further the transaction in which we are both concerned. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.  

Whilst we are in control of our own data environment unfortunately the transmission of information via the internet is not always completely secure. Our organisations policy is to only send personal data through an encrypted format.  

This makes it as secure as possible, but it is still not completely secure. You should be aware that if you send us anything in an unencrypted format that we will not be able to secure it until it has securely entered our network. As such any transmission is at your own risk. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so and, in a format, and within timescales stipulated by the applicable regulator or the applicable data protection legislation.  

You also play a part in ensuring the security of your personal data. We recommend that you choose a password that is unique to our service. You are responsible for keeping this password confidential. Please do not share this password with anyone else. We will not be liable for any unauthorised transactions performed through our service where the user's credentials have been compromised.  

How to complain

You have the right to make a complaint at any time to your local supervisory authority.  
In the UK that is the Information Commissioner's Office (ICO) (www.ico.org.uk)
In Ireland that is the Data Protection Commission (DPC) (www.dataprotection.ie) 

We would, however, appreciate the chance to deal with your concerns before you approach the ICO or the DPC; so please contact us in the first instance. 

Full name of legal entity: Equinoxe Solutions Limited
Who to contact: Data Protection Officer
Email address: enquiries@equinoxesolutions.com
Postal address: Ongar Business Centre, The Gables, Fyfield Road, Ongar, Essex CM5 0GA

Failure to provide personal data

If you fail to provide certain information when requested, we may not be able to perform the contract we have with you, or we may be prevented from complying with our legal obligations (such as to ensure we comply with our health and safety obligations) or you may not be permitted to enter operational sites.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Processing information outside the UK or EEA

Where we, or our partners, process your personal information outside the UK or EEA, you can expect an essentially equivalent degree of protection in respect of your personal information (and certainly no less than expected in the data protection legislation in relation to the countries and entities which process your information). Where we do process your personal data outside the UK or EEA, we would only do so in order to carry out activities to operate our business and support the processing of personal data we need to carry out. This processing may include special category of personal data and this will depend on the activity being carried out by us or our partners. Such processing would be made only on terms that meet the UK or EU’s expectations in terms of the countries where that data is being processed and the specific terms on which the data processor is retained by us so that the process provides an adequate level of protection for your personal information. Your data will be processed in the UK, EU and US, but may be processed in other jurisdictions, such as India or other third countries, where we have service providers or data processors. In most circumstances, we rely on approved standard contract clauses (SCC) which we include in our agreements with data processors and service providers, but may also rely on other mechanisms recognised in data protection legislation including an International Data Transfer Agreement (IDTA) in the UK.

We use Office 365, which offers a suite of applications we use in our daily operations. These include for example Outlook, Word and Excel, but also other applications are included in our subscription. The data within our Office 365 tenant are processed in the US. Our contract with Microsoft is supported by a Data Processing Agreement which details the controls we have in place to protect and respect personal data, and which complies with UK and Irish law on international transfers of data.

Data retention

How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We maintain a Document and Data Retention Policy and record the retention period for data relating to each activity in our Records of Processing as defined in data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Once we no longer need to process your personal information, we will securely destroy your personal information in accordance with our Document and Data Retention Policy which is informed by the applicable laws and regulations that we are required to take into account.

How you engage with our organisation

Please use the navigation bar on the right (or at the top on mobile) to go to the section that matches most closely with the way you engage with Equinoxe

You are applying to work for us 

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to pursue the employer – employee relationship primarily to enable us to perform our contract with you and to enable us to comply with our legal obligations as your employer. We also need certain information from you to progress you starting with us as an apprentice or Learner. Any external training provider or partner will act as a data controller in their own right and will let you know their privacy processes. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship, some of which will depend on the role for which you are being employed or to which you are being trained.  In addition, some of the following types of information might be obtained during your time working with us in relation to your performance or if any issues or incidents arise in relation to you:

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and personal email addresses

  • Date of birth

  • Gender

  • Marital status and dependants

  • Next of kin and emergency contact information

  • National Insurance number

  • Bank account details, payroll records and tax status information

  • Salary and annual leave

  • Start date and, if different, the date of your continuous employment

  • Leaving date and your reason for leaving

  • Location of employment or workplace

  • Copy of passport (either as ID evidence or to use for travel arrangements if the role demands it)

  • Right to work in the UK status including current immigration status

  • Copy of driving licence (either as ID evidence or qualification evidence if the role demands it)

  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of a job application process)

  • Any information you provide to us during an interview (whether face-to-face, by phone or skype or in any other way)

  • Employment records (including job titles, work history, working hours, holidays, training records and professional memberships)

  • Competency certification or other regulatory or industry-related certification necessary for your role

  • Professional or trade qualifications that are relevant to the industry and/or role for which you are applying

  • Tax documentation where this is necessary for us to work with national or international tax authorities to administrate your tax status or the status of emoluments you earn either in the UK or aboard, where applicable.

  • Compensation history

  • Performance information

  • Disciplinary and grievance information

  • Information about your use of our information and communications systems

  • Photographs

  • Results of government revenue & customs or local tax office employment status check, details of your interest in and connection with the intermediary through which your services are supplied (should you provide services in a way that might legally qualify you as an employee in the eyes of the law or in accordance with government revenue & customs or local tax office guidance and regulation on the status of individuals and their tax affairs)

  • Provision of company benefits

We may also collect, store and use the following "special categories" of more sensitive personal information:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions

  • Trade union membership

  • Information about criminal convictions and offences, where these are relevant to the role for which you have applied

  • Information about your health, including any medical condition, health and sickness records, including:

    • where you leave employment and the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision

    • details of any absences (other than holidays) from work including time on statutory parental leave and sick leave; and

    • where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes

How is your personal information collected?

We collect personal information about employees, workers, apprentices, trainees or learners and contactors (whether on a permanent, part-time or casual basis) through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider.

We may sometimes collect additional information from third parties including former employers or other background check agencies.

We may also use the following other sources of personal information:

  • The Home Office Employers Checking Service in respect of Right To Work in the UK

  • Your named referees 

We may also collect personal information from the trustees or managers of pension arrangements operated by a group company, if relevant.

We will collect additional personal information in the course of job-related activities throughout the period for which you work for us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under the employer - employee contract

  • Where we need to perform our obligations under any training contract or learning agreement

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and employer best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent 

Situations in which we will use your personal information

Depending on the nature of the role for which you are employed or work with us, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform the relationship we have with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Assess your skills, qualifications, and suitability for the work generally or the role specifically

  • Carry out background and reference checks, where applicable

  • Communicate with you about the recruitment process

  • Keep records related to our hiring processes

  • Determining the terms on which you work for us

  • Checking you are legally entitled to work in the UK

  • Paying you and, if you are an employee or deemed employee for tax purposes (PAYE), deducting tax and National Insurance contributions (NIC)

  • Managing your and our tax affairs related to your employment where you work or are paid in a jurisdiction outside the UK

  • Managing travel arrangements in roles where you are required to work outside the UK which could include the disclosure to third parties of your competency or medical certification or identification documents (such as a copy of your passport)

  • Communicating with you about your employment with us, including providing you with opportunities and news about the business by way of staff magazines and newsletters

  • Granting awards under any share plans operated by a group company

  • Administering the employment or training contract we have entered into with you

  • Business management and planning, including accounting and auditing

  • Conducting performance reviews, managing performance and determining performance requirements

  • Making decisions about salary reviews and compensation

  • Assessing qualifications for a particular job or task, including decisions about promotions

  • Keeping your details on Equinoxe systems 

  • Gathering evidence for possible grievance or disciplinary hearings

  • Making decisions about your continued employment or engagement

  • Making arrangements for the termination of our relationship

  • Education, training and development requirements

  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work

  • Ascertaining your fitness to work

  • Managing sickness absence

  • Complying with health and safety obligations

  • To detect or prevent fraud

  • To monitor your use of our information and communication systems to ensure compliance with our IT policies

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

  • To conduct data analytics studies to review and better understand employee retention and attrition rates

  • Equal opportunities monitoring

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract or agreement, we have with you (most importantly so that we perform it properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to undertake your role, including providing clients with such information to allow you to access their premises

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the employment contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

  • You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you. The most likely use of automated decision making is in response to questions we ask about your entitlement to work in the UK. These decisions will be based on the information you provide to us.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship, we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the employment contract or agreement we have with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the employment contract we have with you: payroll, providing and reporting training and development, IT services, travel arrangements, foreign jurisdiction permission to work, occupational health, and security vetting.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider which triggers our obligation to disclose anonymised data under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE).

In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes.  Once the transaction is completed, we will share your personal data with the other parties if, and to the extent required under the terms of the transaction or by TUPE.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to government revenue & customs or local tax office, disclosures to stock exchange regulators and disclosures to shareholders such as directors' remuneration reporting requirements.

You supply food, equipment or services to us 

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). For most of our suppliers, the vast majority of the data we process is not regarded as personal data. However, we do deal with a small number of sole traders. For sole traders, more aspect of the data is regarded as personal data. We apply appropriate standards of security to all data that we process. Please refer to the Security section to understand this further.

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses

  • Information about your use of our information and communications systems

  • Photographs

How is your personal information collected?

We collect personal information during the on-boarding process, either directly from you or sometimes from your employer.

We may collect additional personal information in the course of job-related activities throughout the period for which you work with us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under our contract

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent 

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you. 

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Determining the terms on which you work for us

  • Administering the contract we have entered into with you

  • Business management and planning, including accounting and auditing

  • Conducting performance reviews, managing performance and determining performance requirements

  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work

  • Complying with health and safety obligations

  • To detect or prevent fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us, including providing clients with such information to allow you to access their premises

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Equinoxe. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship, we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the contract we have with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: contract, finance, tax and treasury management.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to government revenue & customs or local tax office, or disclosures to other regulators.

You buy our services 

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses. This information is about you at your place of work and your organisation contracts with us to provide services.

How is your personal information collected?

We collect personal information during the pre-contract or tendering process, either directly from you or sometimes from your employer or tender portal provider.

We may collect additional personal information in the course of job-related activities throughout the period you work with us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under our contract

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent 

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Business development activity

  • Preparing contract or tender documents

  • Determining the terms on which you work with us

  • Administering the contract we have entered into with your organisation

  • Business management and planning, including accounting and auditing

  • Conducting performance reviews, managing performance and determining performance requirements

  • Dealing with legal disputes involving you, or your organisation, including accidents at work

  • Complying with health and safety obligations

  • To detect or prevent fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the contract we have with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: contract, finance, tax and treasury management.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to government revenue & customs or local tax office, or disclosures to other regulators.

You visit our offices 

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to provide you with our services, perform a contract with you or to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, email addresses, and vehicle registration number

  • Information about your use of our information and communications systems

  • Photographs

How is your personal information collected?

We collect personal information either directly from you or sometimes from a third party.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

Where we need to perform our obligations when providing our services to you or under our contract

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent 

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to provide our services to you or perform our contract with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Business management and planning, including accounting and auditing

  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at our place of work

  • Complying with health and safety obligations

  • To detect or prevent theft or fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

 

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to providing appropriate facilities for you (most importantly so that we provide them properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us, including providing clients with such information to allow you to access their premises

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

  • You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Equinnoxe. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help operate our facilities.

The following are the activities which are most likely to be carried out by third-party service providers for us: providing access to, security for, or the safe management of our facilities, including the monitoring of and processing of CCTV and ANPR technologies.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law.

You order through Foodbuy

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses

  • Date of birth

  • Bank account details, and tax status information

  • Credit history

  • Information about your use of our information and communications systems

  • Photographs

  • Voice recordings online with this facility. You will be informed if call is recorded.
       

How is your personal information collected?

We collect personal information during the on-boarding process, either directly from you or sometimes from your employer or credit check provider.

We may collect additional personal information in the course of job-related activities throughout the period for which you work with us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under our contract

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Determining the terms on which you work for us

  • Administering the contract we have entered into with you

  • Business management and planning, including accounting and auditing

  • Conducting performance reviews, managing performance and determining performance requirements

  • Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work

  • Complying with health and safety obligations

  • To detect or prevent fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

 

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us, including providing clients with such information to allow you to access their premises

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the contract we have with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: contract, finance, tax and treasury management.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to government revenue & customs or local tax office, or disclosures to other regulators.

You receive marketing about our food or services to you or your organisation

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to provide you with our services, perform a contract with you or to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses. This information could be about you at your place of work, or at home.

  • Information about your use of our information and communications systems

How is your personal information collected?

We collect personal information either directly from you or sometimes from a third party.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent 

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to tell you about our goods or services, or perform our contract with you if we already have one.  Some we will need to comply with legal obligations.

This section makes a clear distinction between marketing communications, i.e. communicates that sell our goods or services, or to collect to help it (or others) to contact people for marketing purposes at a later date, and genuine service or market research communications. Direct marketing rules do not apply to the later.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. For example, if we believe that we can offer you similar services to those you have either bought from us or expressed an interest in buying from us. In these circumstances, it won’t surprise you to hear from us, unless you’ve expressly asked us not to. All of our communications to you will give you that option and you can tell us at any time.

The situations in which we will process your personal information are listed below:

  • Tell you about our food or services

  • To detect or prevent fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

If we are marketing our goods and services to you at work, we are essentially marketing to your organisation rather than directly to you. That means that we may have sent unsolicited communications to you. However, we recognise that people work in the organisation we market our goods and services to. Your personal information is just that; personal to you, and you have the same rights. Please let us know if you do not want to receive this these communications. If you’d prefer those communications go to another role in your organisation, please let us know.

If we are marketing to you at home, we will not send unsolicited communications to you unless you have given us your consent to do so, or we have a legitimate interest in sending you information about goods or services similar to those you have either previously bought or expressed an interest in buying from us.

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to providing our services to you (most importantly so that we provide them properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us, including providing clients with such information to allow you to access their premises

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

  • You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer our service provision, our contract with you, or how we communicate with you.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the relationship we have with you: receiving payment for the services we provide, product or service quality assurance, and marketing where we have your consent or a legitimate interest.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law.

You’ve taken part in one of our surveys or a competition

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses. This information could be about you at your place of work and your organisation contracts with us to provide services, or at home if you have bought food or services from us at a public venue.

  • There may be other aspects of personal data we ask for in the survey or competition. If that is the case, we will explain the purpose of this within the survey or competition itself, and it will be supported by this Privacy Notice.

How is your personal information collected?

We collect personal information when you complete the survey or enter a competition. This may be a paper or digital tool, or may be via one of our apps.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under the terms of the survey or competition

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Processing the outcomes of the survey or competition

  • Making improvements to our services

  • Understanding how you use our services

  • Understanding how we interact with you and helping us improve

  • Understanding your use of our marketing channels and which produces the best outcomes for consumers and our operations

  • Conducting performance reviews, managing performance and determining performance requirements

  • Dealing with legal disputes involving you, or your organisation, including accidents at work

  • Complying with health and safety obligations

  • To detect or prevent fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

  • Other specific requirements set out in the introduction to specific surveys or competitions

 

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the delivery, use of or assessment of the survey or competition.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: service improvement, product improvement, operational and support improvements, as well as the delivery of the survey, how the survey operates and any assessment of completed surveys, processing the entries of the competition, fulfilling winners of the competition, processing any marketing consent given as part of the competition.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to government revenue & customs or local tax office, or disclosures to other regulators.

You’ve engaged with us on social media

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, email addresses and profile information. This information could be about you at your place of work and your organisation contracts with us to provide services, or at home if you have bought food or services from us at a public venue.

How is your personal information collected?

We collect personal information when you send us a message or interact with our social media channel. This may be via one of our apps.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent 

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Responding to your engagement with us

  • Making improvements to our food or services

  • Understanding how you use our services

  • Understanding how we interact with you and helping us improve

  • Understanding your use of our marketing channels and which produces the best outcomes for consumers and our operations

  • Dealing with legal disputes involving you, or your organisation, including accidents at work

  • Complying with health and safety obligations

  • To detect or prevent fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify your use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the delivery, use of social media accounts.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: service improvement, product improvement, operational and support improvements, as well as the operation of our social media accounts.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to government revenue & customs or local tax office, or disclosures to other regulators.

You’ve visited one of our websites

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, email addresses and profile information. This information could be about you at your place of work and your organisation contracts with us to provide services, or at home if you have bought food or services from us at a public venue.

  • IP address, cookies and tracking technologies. The use of these technologies is covered in a separate Policy which can be found on our websites.

How is your personal information collected?

We collect personal information when you send us a message, interact with our social media channels or visit our websites. This may be via one of our apps.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation

  • Where want try to provide a tailored experience of our digital presence

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent 

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Responding to your engagement with us

  • Making improvements to our food or services

  • Understanding how you use our services

  • Understanding how we interact with you and helping us improve

  • Understanding your use of our web sites or marketing channels, and which produces the best outcomes for consumers and our operations

  • Dealing with legal disputes involving you, or your organisation, including accidents at work

  • Complying with health and safety obligations

  • To detect or prevent fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify your use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the contract or relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the delivery, use of our websites or digital platforms.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: service improvement, product improvement, operational and support improvements, as well as the operation of our social media accounts.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to government revenue & customs or local tax office, or disclosures to other regulators.

You receive a newsletter or other communication from us

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to perform our contract with you and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. If you work for a limited company, the personal data will be minimal, but if you operate as a sole trader, there will be more data that is regarded as personal.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and email addresses. This information could be about you at your place of work, or at home.

How is your personal information collected?

We collect personal information when you sign up for the newsletter. This may be a paper or digital tool, or may be via one of our apps.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform our obligations under our contract

  • Where we need to comply with a statutory obligation

  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests

  • Where we have your express consent

Situations in which we will use your personal information

Depending on the nature of our relationship, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform our contract with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. For example, if we believe that we can offer you similar services to those you have either bought from us or expressed an interest in. In these circumstances, it won’t surprise you to hear from us, unless you’ve expressly asked us not to. All of our communications to you will give you that option.

The situations in which we will process your personal information are listed below:

  • Provide you with the communications you want from us

  • Making improvements to our food or services

  • Understanding how you use our services

  • Understanding how we interact with you and helping us improve

  • Understanding your use of our marketing channels and which produces the best outcomes for consumers and our operations

  • Conducting performance reviews, managing performance and determining performance requirements

  • Dealing with legal disputes involving you, or your organisation, including accidents at work

  • Complying with health and safety obligations

  • To detect or prevent fraud

  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. For systems that require the use of personal data to conduct testing, production data may be copied to a non-production environment, then scrambled, masked or, by using another technique, anonymised to create test data. This data can therefore not be linked to you or another person. This process allows for the modification of personal data into anonymised, usable test records that we can use efficiently to test the integrity of the application or system. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

"Special categories" of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent

  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract we have with you (most importantly so that we perform it properly and safely)

  • Where we need to provide a third party with health certification or evidence to allow you to work with us

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision

  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights

  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your data and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to maintain our relationship we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help develop and deliver our communications to consumers, clients or members of the public.

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the contract we have with you: developing relevant communications, delivery of our communications, reviewing and assessing the delivery methods we use.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business or where there is a change in service provider.

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to government revenue & customs or local tax office, or disclosures to other regulators.

UK&I COVID 19

Where we are required to do so, we will check the people's COVID status. There are differences in the requirements across the UK and Ireland and we keep up to date on these differences and the rapid changes by governments to the global pandemic.

Where it is not a requirement to check this information, we may do so at our discretion. However, we will only do so where we have a legitimate interest to check, and this will be balanced against the rights and freedoms of the individual. We will record this legitimate interest and the decision we take with regard to this balancing test within our data protection records. We will not check individual's COVID status 'just in case'. We will always have a valid justification for doing so.

COVID 19 status and what it means

There may be local differences, but this details the broad understanding of COVID status:

  • a person is vaccinated with doses of an approved vaccine

  • a person has taken a PCR or, in some cases, a lateral flow test within the last 48 hours and the result of the test is negative

  • a person has a valid exception from receiving an approved vaccine

Accepted proof can be in the following ways:

  • evidence on an approved government app or paper copy

  • an approved international equivalent which has been accepted at the UK or Irish border

  • a validated text or email confirmation of a recent negative test result

Please note that proof of natural immunity cannot be accepted as an alternative to proof of vaccination or a recent negative test.

The legal basis for obtaining and using vaccination status

Data protection law provides that it is lawful to process 'special category' data where

  • it is necessary for employment purposes

  • it is in the substantial public interest, including to comply with legal obligations

  • it is necessary for the management of healthcare services

  • it is necessary for public health purposes

Where we use the NHS COVID Pass Verifier app

We will process the data within the 2D barcode to authenticate the COVID pass status and for no other purpose. We do this where we have a legal obligation to comply with local legislation. The data will not be shared with any other entity other than the site owner if requested. This health data is special category of personal data but we are processing this data in compliance with the sections of Article 9 of the GDPR. Personal data is not retained.

The data controller of the app is the Department of Health and Social Care (HDSC) who can be contracted by email at data_protection@dhsc.gov.uk