Policy Statement

As a family business we really value your privacy, so we would like to explain our privacy policy to you. Some of the information below might be a little technical but it’s important that you read and understand what follows because it explains how J.W. Lees & Co (Brewers) Limited (J.W. Lees) will collect and use your personal information. If you have provided your personal information to us and have accepted marketing updates in one of our managed properties it will be J.W. Lees as the controller of the business who are responsible for your information. This privacy policy applies to all personal data processed by J.W. Lees and within our managed properties. For information concerning how your personal data is processed at our
tenanted pubs, please view their website for more information.

J.W. Lees & Co Brewers Limited (company registration number: 557225) are the ‘controllers’ of personal data (referred to in this privacy policy as ‘J.W. Lees’, ‘us’, ‘we’, ‘our’). Our Head Office is located at:

J.W. Lees & Co. (Brewers) Limited
Greengate Brewery
Middleton Junction
Manchester
M24 2AX

Our phone number: 0161 643 2487

If you want to get in touch with our data protection officer about this privacy policy, or for any other data protection matters, you can do so by emailing: gdpr@jwlees.co.uk.

We collect your personal information in the following ways:
• When you sign up to use our complimentary WI-FI in our pubs.
• Signing up to the J.W. Lees newsletter.
• When you visit the J.W. Lees website (through the use of cookies).
• When you contact us by telephone or email to make an enquiry, booking, to make a purchase or to submit a complaint.
• When you purchase our products.
• When your personal data is captured on camera (CCTV and vehicle cameras).
• When you register for a prize draw or competition.
• When providing us with guest feedback or completing satisfaction surveys.
• When completing forms for transactions, employment, or other purposes.

The personal information we collect comes directly from you when performing any of the above actions. Failing to provide the required personal information may negatively affect our ability to carry out core business tasks that may benefit you.

Category of Personal Information Description

Identity details

• Name(s)
• Image
• Date of birth
• Vehicle registration
• Passport number
• Nationality

Contact details

• Address(es)
• Email address(es)
• Phone number(s)

Transaction details

• Bank name
• Sort code
• Account number
• Card number
• Expiry date
• CVC
• Details in relation to any payment information

Preference details

• Preferences such as why you visit us, your favourite products and preferred pubs

Technical details

• Details of your website visits
• IP address
• Cookies
• Operating system and platforms
• Time zone setting and location
• Browser type and version
• In store Wi-Fi use and the resources, you access while using the Wi-Fi

Marketing and Communications details

• Your marketing and communication preferences
• Details of which electronic mailers you open and why

Message details

• Information you provide regarding your visit with us and how we can improve our services and make them better for you

• Personal data contained in communications from customers or guests

Booking details

• Table booking details
• Room booking details
• Date of booking
• Special requests
• Time of booking
• Booking reference
• Booking size
• Allergen information

Venue details

• Name of venue
• Address of venue
• Date of purchase

Order details

• Order number
• Details concerning the order

Special category personal data is personal information which is more sensitive by its nature such as health information or religious beliefs. Within our pubs, there could be circumstances where a guest needs to inform us of personal information relating to their health to have a safe experience. This is particular to circumstances concerning allergy information included within a booking, an accident on site or a complaint that involves information related to health data on site. There may be circumstances within our pubs and hotels where an individual states their dietary requirements which in turn reveals their religious or philosophical beliefs. When we process personal information concerning your health, religious or philosophical
beliefs, our lawful basis for processing this information is legitimate interests. It is in J.W. Lees legitimate business interests to ensure the safety of our guests and it is our top priority while you’re visiting us at one of our venues. Our additional special category condition for processing your special category data is:

Explicit Consent Article 9 (2)(a) of the United Kingdom General Data Protection Regulation (UK GDPR).
Where we process identity and health data for the purposes of recording accidents and injuries within our pubs and hotels, this is done in accordance with our legal obligation under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR). When you choose to provide your health data, our additional special category condition for processing your special category data is: Explicit Consent Article 9 (2)(a) of the United Kingdom General Data Protection Regulation (UK GDPR).

We are only allowed to use personal information about you if we have a lawful basis to do so, and we are required to inform you what that lawful basis is. We have set out in the table below: the personal information we collect from you, how we use it, and the lawful basis on which we rely on when we use the personal data. In some circumstances we can use your personal information if it is in our legitimate interest to do so, if we have told you what that legitimate interest is. A legitimate interest is when we have a business or commercial reason to use your personal information which, when balanced against your rights and is justifiable under the UK GDPR. If we are relying on legitimate interests, this will be displayed in the pdf version of our Privacy Policy.

In order to run our business efficiently and provide benefits and services to individuals who visit J.W. Lees, we require the involvement of third-party organisations. This is so J.W. Lees can operate parts of the business which include:

• Administering and completing booking applications;
• Website hosting;
• Capturing personal data for marketing and validation;
• Developing complaint reports;
• Verifying user’s ID’s;
• Gift card providers;
• Online payments;
• Providing a review platform for our guests;
• Providing complimentary WI-FI to our guests;
• Recording accidents and incidents;
• Sending media information; and
• Identifying operational strengths and weaknesses.

If requested, we will share your personal information with authorities such as:

• The Police;
• The Health and Safety Executive;
• Local Authorities;
• Her Majesty’s Revenue and Customs (HMRC);
• The Courts; and
• Central or Local Government Bodies.

THIRD-PARTY LINKS
Our website includes links to third-party websites, plug-ins and applications. Clicking on
those links or enabling those connections may allow third parties to process your personal
data. We do not control these third-party websites and are not responsible for their data
protection practices. When you leave our website, we encourage you to read the privacy
policy of every website, plug-in and/or application that you visit.

Our website includes links to third-party websites, plug-ins and applications. Clicking on
those links or enabling those connections may allow third parties to process your personal
data. We do not control these third-party websites and are not responsible for their data
protection practices. When you leave our website, we encourage you to read the privacy
policy of every website, plug-in and/or application that you visit.

We will only retain your personal information for as long as necessary to fulfil the purpose(s) for processing. This includes satisfying any legal, accounting, or reporting requirements. When we assess the retention of your personal information, we will take the following into consideration:

• Nature of the information;
• Sensitivity of the information;
• Potential risks if breached;
• The purpose(s) for which we initially processed;
• Whether we can achieve the purpose(s) through less invasive means; and
• Applicable legal requirements.

We regularly review the retention of personal information held within J.W. Lees to ensure
that we are not keeping your personal information for no longer than is necessary.
After the record has met its designated retention period, we will securely delete or destroy
your personal information.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal
data on our instruction, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (including the Information Commissioners Office (ICO)) of a breach where we are legally required to do so.

The European Economic Area (EEA), which consists of the EU Members States, Iceland, Liechtenstein and Norway. If we transfer your personal information outside the EEA, we have to tell you and we will utilise one of the following bases.

• Adequacy decision: The country we send your personal information to must provide an adequate level of protection which has been approved by the European Commission.
• Standard Contractual Clauses: The recipient of your personal information has provided us with signed Standard Contractual Clauses which has been approved by the European Commission. This holds the recipient accountable to safeguard the personal information.
• International Data Transfer Agreement / Addendum (IDTA): The recipient of your personal data has provided us with a signed IDTA which has been approved by the ICO. This holds the recipient accountable to safeguard the personal data.

Limited situations where your personal information may be transferred outside of the EEA can be viewed in the pdf version of the Privacy Policy

Before sharing any personal information with a third-party, we will ensure that there is a data processing agreement in place requiring that the third-party processor protects your personal information in accordance with the UK GDPR.

Everybody has rights relating to the collection and use of their personal information. These are the rights that apply to your personal information held within J.W. Lees:

• The right to be informed – you have the right to know what information we hold and process about you which is why we have provided this privacy notice.
• The right of access – you have the right to ask for a copy of the information we hold regarding yourself.
• The right to rectification – you have the right to ask for us to correct any information we hold which may be inaccurate or incorrect.
• The right of erasure – you have the right to have your personal information ‘erased’ in the following situations:
o Where the personal information is no longer required for the purpose(s) for which it was originally collected or processed;
o Where the processing was based on consent and you have withdrawn your
consent;
o When the personal information was unlawfully processed;
o When the personal information has to be erased in order to comply with a legal obligation.

We will erase your records when one of the above situations apply.
• The right to object – you have the right to object to the processing of your personal information in the following circumstances:
o The purpose of the processing activity is direct marketing;
o Where the processing is based on legitimate interests; and
o Processing for purposes of scientific/historical research and statistics.
• The right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain situations such as:
o Where you contest the accuracy of your personal information, we will restrict the processing until you have verified the accuracy of your personal information;
o When processing is unlawful, and you oppose erasure and request restriction instead;
o Where we no longer need the personal information, but you require the information to establish, exercise or defend a legal claim.

If you would like to exercise any of these rights, please get in contact with us using any of
the details found below or use the email form found on the website link.

We may update this Colleague Privacy Policy at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information. If you have any questions in relation to this notice, please contact our DPO.

Please let us know if you are unhappy with how we have used your personal information by
contacting the data protection officer at gdpr@jwlees.co.uk.
If you are not satisfied with our response, you have the right to lodge a complaint with the
ICO using the information below. We would be grateful for the chance to deal with your
concerns directly before you approach the ICO so please contact us in the first instance.

Address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113