Welcome to our website. If you continue to browse and use this website you are agreeing to comply with and be bound by the following terms and conditions of use, which together with our privacy policy govern Warm Beer and Lousy Food Limited’s relationship with you in relation to this website.

The term ‘Warm Beer and Lousy Food Limited’ or ‘us’ or ‘we’ refers to the owner of the website whose registered office is The Wellington Inn, 19

The Green, Lund, Driffield, East Yorks, YO25 9TE. The term ‘you’ refers to the user or viewer of our website.

The use of this website is subject to the following terms of use:

The content of the pages of this website is for your general information and use only. It is subject to change without notice.

Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose. You acknowledge that such information and materials may contain inaccuracies or errors and we expressly exclude liability for any such inaccuracies or errors to the fullest extent permitted by law.

Your use of any information or materials on this website is entirely at your own risk, for which we shall not be liable. It shall be your own responsibility to ensure that any products, services or information available through this website meet your specific requirements.

This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.

All trademarks reproduced in this website, which are not the property of, or licensed to the operator, are acknowledged on the website.

Unauthorised use of this website may give to a claim for damages and/or be a criminal offence.

From time to time this website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website(s). We have no responsibility for the content of the linked website(s).

You may not create a link to this website from another website or document without Warm Beer and Lousy Food Limited’s prior written consent.

Your use of this website and any dispute arising out of such use of the website is subject to the laws of England and Wales.

GDPR – Legitimate Interest Assessment

This document aims to explore the appropriateness of the legal basis of ‘Legitimate Interest’ for the processing of personal data by The Wellington Inn with respect to the GDPR and the rights of the individuals whose data is processed and stored by the Business. In this document, The Wellington Inn may be referred to as The Business.

About The Wellington Inn

The Wellington Inn is is an established business which has worked hard to establish a highly regarded and reputable business. The Wellington Inn is high quality gastro pub serving directly with the public. The Business is determined to continue to build their business and would like to develop further quality employment in the future. The Wellington Inn aspires to be a fair, transparent and ethical business both towards its employees and towards it customers;

Why does The Wellington Inn need to process personal data?

There are three main areas of data processing that the Business undertake, these are:

• Employment data processing (Data Controller)
• Administrative and commercial data processing (Data Controller)
• Business development and marketing data processing and (Data Controller)

Taking each of these areas in turn, this document aims to explore:

1. The objectives of data processing
2. The relevance and importance of data processing to the business
3. The impact on the individuals whose data is processed
4. The expectation of the individual that their data would be processed and
5. The rights of the individual whose data is processed

Employment data processing (Data Controller)

The Wellington Inn process employees’ data for legitimate and common business purposes, in situations which are not necessary for the performance of employment contract, but are nevertheless customary, or necessary for operational, administrative, HR and recruitment purposes and to otherwise manage employment relationship and interaction between employees.

Specific examples are:

1. Background checks and security vetting in recruitment and HR functions
2. Office access and operations
3. Disaster and emergency management tools and apps
4. Internal directories and other business cooperation and sharing tools.
5. Business conduct and ethics reporting lines
6. Compliance with internal policies, accountability and governance requirements and corporate investigations
7. Call recording and monitoring for call centre employees’ training and development purposes
8. Employee retention programs
9. Workforce and headcount management, forecasts and planning
10. Professional learning and development administration
11. Travel administration
12. Time recording and reporting
13. Processing of family members’ data in the context of HR records – next of kin, emergency contact, benefits and insurance, etc.
14. Additional and specific background checks required by particular customers in respect of processors’ employees having access to customers’ systems and premises
15. Defending claims – sharing CCTV images from premises with insurers when required for processing, investigating or defending claims due to incidents that have occurred on our premises
16. Intra-corporations hiring for internal operations.

The argument here is that the business has a legitimate reason for processing employees data to undertake its role as employer and to safeguard its customers during its role as a processor. The data processed is typical employee information and the employee would fully expect The Business to process this data.

Administrative and commercial data processing (Data Controller)

The Wellington Inn processes supplier and customer’ data for legitimate and common business purposes, in situations which are not necessary for the performance of the business, but are nevertheless customary, or necessary for operational and administrative purposes and to otherwise manage relationship and interaction between The Business and its suppliers and customers.

Specific examples are:

1. Develop or operate financial/credit/conduct and risk records
2. Internal analysis of customers – plan strategy and growth
3. Reporting and management information
4. Back-office operations
5. Monitoring physical access to offices, visitors and CCTV operations in reception and any other restricted areas
6. Corporate reorganisations
7. Business intelligence
8. Managing third party relationships (vendors, suppliers, media, business partners)
9. Processing identifiable data for the sole purpose of anonymising/de-identifying/re-identifying it for the purposes of using the anonymised data for other purposes (product improvement, analytics, etc.)

The argument here is that the Business has a legitimate reason for processing supplier and customer data to undertake common business purposes. The data processed is not considered to be sensitive according to the guidelines of ‘Special Category Data’ and the supplier or customer would fully expect The Business to process their data.

Business development and marketing data processing (Data Controller)

Compliance with GDPR will work to enhance the reputation of The Wellington Inn. The Wellington Inn processes supplier and customer data for legitimate and common business purposes, including communications and marketing, processing certain ‘low risk’ personal data to gather market intelligence, promote products and services, as well as communicate news and offers to its customers.

Specific examples are:

1. Discretionary service interactions – customers are identified in order for them to receive communications relating to how they use and operate the data controllers’ product
2. Personalised service and communications
3. Direct marketing – of the same, or similar, or related products and services; including also sharing and marketing within a unified corporate group and brand;
4. Targeted advertising
5. Analytics and profiling for business intelligence – to create aggregate trend reports; find out how customers arrive at a website; how they use apps; the responses to a marketing campaign; what are the most effective marketing channels and messages; etc.
6. Ad performance and conversion tracking after a click
7. Audience measurement – measuring audiovisual audiences for specific markets
8. Mapping of publicly available information of professional nature to develop database of qualified professionals/experts in relevant field for the purpose of joining advisory boards, speaking engagement and otherwise engaging with the Business
9. Primarily B2C marketing of news and offers.

The argument here is that any individual that has provided their email details, has done so, fully expecting to receive mailshot marketing and would naturally expect The Wellington Inn to store their data, and to make use of it – these data subjects are naturally a ‘legitimate interest’ to The Wellington Inn. The data processed is not considered to be sensitive according to the guidelines of ‘Special Category Data’ and the data subject would fully expect The Business to process their data.

The rights of the individual whose data is processed

As alluded to above, The Wellington Inn is a Business that has worked hard to establish itself as a quality business, with a strong reputation. The Wellington Inn is determined to be compliant with respect to the GDPR, data capture, processing, security and the rights of the individual and it has a very clear ambition to be compliant by 25th of May 2018.

The Wellington Inn own website will capture data with consent permissions in accordance with the GDPR. The Business will process non sensitive data such as contact name and email address and business phone number of contacts. Email marketing will be the preferred approach as this is particularly cost effective, and any data processed will not be sensitive, as such will not require special protection under the GDPR.

Minimal intrusion

Following any email marketing correspondence, the data subject will be encouraged to view the Business’s Privacy Policy, where they will be able to see the legal basis on which the Business relies on for gathering data. In the event that an individual feels that their data is unconnected to the Business or that they do not expect their information to be used for purposes connected to the product or service of The Wellington Inn, they will be able to manage their subscription via the The Wellington Inn website Subscription Management page (accessible via the unsubscribe link on an email).

The Subscription Management page is intended to provide a minimal intrusion experience for the data subject. Should the data subject wish to see their data stored in the The Wellington Inn master database, they will receive a link to their own Subscription Management web page, from which they will be able to unsubscribe from a mailing list or update their data. In the event that an individual would like to exercise their right to erasure, they will be provided with an email address on The Wellington Inn Privacy Policy (info@thewellingtoninn.co.uk) and their request will be considered with reflection upon the criteria prescribed by the GDPR.

Sharing data

The Wellington Inn will not share its database with any other business. The Wellington Inn may need to make use of third party data processors in order to fulfil their marketing challenge; on these occasions, a contract will be in place between The Wellington Inn (the data controller) and the third party data processor – only GDPR compliant third party data processors will be used to provide these services. The contract, which is a requirement of GDPR will ensure that both parties understand their responsibilities and liabilities.

Data may need to be shared with the authorities such as the ICO during an IT or Cyber security investigation. This may be required under the GDPR following a breach of security. Another example of data sharing may be if the authorities need to investigate a subscribers details during an anti-fraud or criminal investigation.

Security measures & and online safeguards

This section will focus on the security measures that The Wellington Inn has in place for the hosting and administration of its own website thewellingtoninn.co.uk. The website makes use of a Content Management System for data capture and subscription management. The data is contained in a main database, which is hosted online. The Wellington Inn’s data capture portal utilises an array of security measures from server through to website.

Privacy impact & risk mitigation

The Wellington Inn has, and will always look to secure its hard earned reputation throughout any marketing campaign – consequently it is very careful to consider the relevance of its marketing to a data subject. The Wellington Inn takes the position that the quality and relevance of a data subject is crucial, but equally the Business feels that every effort should be made to allow the data subject to easily act to assert their right to privacy.

Data Controllers have obligations under GDPR to keep good records of personal data and processing activities. With this in mind, The Wellington Inn have implemented processes, which work to establish transparency as well as to protect the data subjects rights according to GDPR guidance; these processes include the following:

1. Routine data consent refresh every 6 months – All data subjects will be emailed to confirm that they are happy to remain subscribed to the Business’s News & Events list – the email will provide clear access to:
   1. Details relating to the data controller (The Wellington Inn)
   2. The legal basis used by the Business for processing data
   3. How the Business may use the data
   4. What data is processed by The Wellington Inn (non sensitive)
   5. The Wellington Inn Privacy Policy
   6. A Subscription Management page
      1. Right to withdraw consent
      2. Unsubscribing from all lists
      3. Contact details about the controller’s Data Protection Officer
      4. Link to a supervisory authority to lodge a complaint against The Wellington Inn
   7. Information relating to 3rd party data processors
   8. Information relating to sharing of data
   9. Information relating to security of and storage of data
   10. Information relating to retention of data
   11. Information relating to the right to erasure
2. Record keeping of the activities relating to the way that the Business processes an individual’s data
   1. How and when data was collected
   2. How and when data was used
   3. When the data subjects’ consent was refreshed – consequence of the refresh
3. Record keeping of any actions taken by the subject following any communication from the Business
   1. Opens, clicks, unsubscribes
   2. Correspondence with the info@thewellingtoninn.co.uk
   3. How and when does a contact unsubscribe
      1. Unsubscribe link from Marketing email
         1. Send unsubscribe request to info@thewellingtoninn.co.uk
      2. Verbal notice
   4. Responses to any complaint relating to information/rights that we receive, clearly stating how we have processed the individual’s personal information and explaining how the Business will put right anything that’s gone wrong
4. Most of the record keeping referred to above is carried out automatically. Subscription and marketing activities are handled by the mailing platform, so access to records is relatively straightforward – this also means that the Business’s master database is dynamic – as individuals subscribe or unsubscribe or as data is added manually, the master database is always up to date. The beauty of this approach is that version control is always accurate, minimising irritation of data subjects once unsubscribed.

Contact Form data

If a user subscribes to the Mailing list, then the user is positively opting in to receive the News & Offers emails. Any data captured or recorded is kept to a minimum, ie. name, email and telephone number, this information is not sensitive. Data subjects will only receive the News & Events email, if they have opted in. The Business make it very easy for a data subject to manage their data via unsubscribe links in the email. Once again, if the data subject does feel that the Business’s use of their data is intrusive, it is very easy for the data subject to unsubscribe from the Business’s marketing.

Summary of the Business’s reliance on the ‘Legitimate Interest’ legal basis

The Wellington Inn is a well established business that takes its reputation very seriously. The Business is respected and wishes to embrace the ethos of GDPR, further establishing its credibility with compliance and transparency. The Business does need to be progressive and email marketing is seen as a cost effective form of profile raising. On balance our judgement is that the Business takes its data responsibilities very seriously and markets its services sensitively to an audience that has shown to be of Legitimate Interest. The business’s website uses an approach which records data in a compliant manner and only if consent is provided. Data subjects have good access to their subscription data – making the removal of their data from a marketing list very straightforward. All data subjects will be asked periodically to unsubscribe if they feel that The Wellington Inn News & Offers notifications are no longer appropriate.