Privacy Policy

Collection of personal data - privacy notice

We are committed to ensuring that your privacy is protected, and we shall endeavour to use any information that you provide when using this web site in accordance with this privacy notice. This privacy policy explains what information we collect, how we protect it, and how we use it. For the health and safety of the customers and staff in these premises, we are collecting the name and contact details of every visitor to our premises to support the NHS Test and Trace program during the COVID-19 crisis. This information will be used to enable the NHS to contact you should you have been in the premises around the same time as someone who has tested positive for coronavirus. Contacting people who might have been exposed to the virus is an important step in stopping the spread of the infection and saving lives.
All collected data and information will be handled in accordance with the General Data Protection Regulation (GDPR) to protect the privacy of the staff, customers and visitors.

Reasons for data collection

In line with the UK Government Guidance to support the NHS Test and Trace program, all establishments from the hospitality, tourism and leisure sectors are recommended to collect details and maintain records of staff, customers and visitors, to manage the risk of COVID-19 transmission. This will involve the gathering and, when necessary, the sharing of information with the NHS as the responsible body for Test and Trace. Your data will not be used for any other purpose. The data can be collected at the point that visitors enter the premises, or at the point of service if impractical to do so at the entrance.

Type of data collected

Each visit is recorded by date and time of arrival and departure (if possible), along with:

Recording both arrival and departure times (or estimated departure times) will help reduce the number of customers or staff needing to be contacted by NHS Test and Trace. We recognise, however, that recording departure times will not always be practical.
No additional information is collected for this purpose.

How is the information used?

All collected data will be securely stored in a cloud-based platform, powered by the Microsoft Azure data security infrastructure. In order to assist in the containment of the virus, we will only share your data when it is requested directly by the NHS, either because someone who has tested positive for COVID-19 has listed the premises as a place they visited recently, or because the premises have been identified as the location of a potential local outbreak of COVID-19. Information will be transferred securely to the NHS (National Health Services) or the responsible body for the Test and Trace program, who will use the data to contact those who were in the establishment at the same time.
NHS Test and Trace will handle all data according to the highest ethical and security standards and ensure it is used only for the purposes of protecting public health, including minimising the transmission of COVID-19. Read further information on the NHS Test and Trace website.

Lawful basis for collecting this data

Under data protection law, GDPR Article 6(1), we have a number of lawful bases that allow us to collect and process personal information. In this case, the lawful basis for processing your data is 'legitimate interests'. Broadly speaking, 'legitimate interests' means that we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests. Our legitimate reason for processing your data is to assist with the NHS Test and Trace strategy in relation to the coronavirus public health epidemic. Before sharing any information, we will carefully consider and balance any potential impact on you and your rights.

Data retention period

Your personal data will be retained only for the purposes stated in this privacy notice and will be held by us for no more than 3 weeks (21 days). All personal data will be held and disposed of in a safe and secure manner.

Your rights

As defined in the data protection law, GDPR Article(s) 12-23, you have the following rights:

In certain circumstances exemptions to these rights may apply. Further information is available on the Information Commissioner’s Office website.

Complaint procedure

If you consider that your personal data has been misused or mishandled by us, you can raise this with the data controller. In this instance, the data controller is the manager of these premises. If you remain dissatisfied, you can make a complaint to the Information Commissioner, who is an independent regulator.