The Wellington Inn, Lund, Driffield
The Wellington Inn, Lund, Driffield, North Yorkshire

Legitimate Interest Assessment

This document aims to explore the appropriateness of the legal basis of 'Legitimate Interest' for the processing of personal data by The Wellington Inn with respect to the GDPR and the rights of the individuals whose data is processed and stored by the Business. In this document, The Wellington Inn may be referred to as The Business.

About The Wellington Inn

The Wellington Inn is an established business which has worked hard to establish a highly regarded and reputable business. The Wellington Inn is a high quality gastro pub serving the public directly. The Business is determined to continue to build its business and would like to develop further quality employment in the future. The Wellington Inn aspires to be a fair, transparent and ethical business both towards its employees and towards its customers.

Why does The Wellington Inn need to process personal data?

There are three main areas of data processing that the Business undertakes. These are:

  • Employment data processing (Data Controller)
  • Administrative and commercial data processing (Data Controller)
  • Business development and marketing data processing (Data Controller)

Taking each of these areas in turn, this document aims to explore:

  1. The objectives of data processing
  2. The relevance and importance of data processing to the business
  3. The impact on the individuals whose data is processed
  4. The expectation of the individual that their data would be processed and
  5. The rights of the individual whose data is processed

Employment data processing (Data Controller)

The Wellington Inn processes employees' data for legitimate and common business purposes, in situations which are not necessary for the performance of the employment contract, but are nevertheless customary, or necessary for operational, administrative, HR and recruitment purposes and to otherwise manage the employment relationship and interaction between employees.

Specific examples are:

  1. Background checks and security vetting in recruitment and HR functions
  2. Office access and operations
  3. Disaster and emergency management tools and apps
  4. Internal directories and other business cooperation and sharing tools.
  5. Business conduct and ethics reporting lines
  6. Compliance with internal policies, accountability and governance requirements and corporate investigations
  7. Call recording and monitoring for call centre employees' training and development purposes
  8. Employee retention programs
  9. Workforce and headcount management, forecasts and planning
  10. Professional learning and development administration
  11. Travel administration
  12. Time recording and reporting
  13. Processing of family members' data in the context of HR records - next of kin, emergency contact, benefits and insurance, etc.
  14. Additional and specific background checks required by particular customers in respect of processors' employees having access to customers' systems and premises
  15. Defending claims - sharing CCTV images from premises with insurers when required for processing, investigating or defending claims due to incidents that have occurred on our premises
  16. Intra-corporations hiring for internal operations.

The argument here is that the Business has a legitimate reason for processing employees' data to undertake its role as employer and to safeguard its customers during its role as a processor. The data processed is typical employee information and the employee would fully expect The Business to process this data.

Administrative and commercial data processing (Data Controller)

The Wellington Inn processes supplier and customer data for legitimate and common business purposes, in situations which are not necessary for the performance of the business, but are nevertheless customary, or necessary for operational and administrative purposes and to otherwise manage the relationship and interaction between The Business and its suppliers and customers.

Specific examples are:

  1. Develop or operate financial/credit/conduct and risk records
  2. Internal analysis of customers - plan strategy and growth
  3. Reporting and management information
  4. Back-office operations
  5. Monitoring physical access to offices, visitors and CCTV operations in reception and any other restricted areas
  6. Corporate reorganisations
  7. Business intelligence
  8. Managing third party relationships (vendors, suppliers, media, business partners)
  9. Processing identifiable data for the sole purpose of anonymising/de-identifying/re-identifying it for the purposes of using the anonymised data for other purposes (product improvement, analytics, etc.)

The argument here is that the Business has a legitimate reason for processing supplier and customer data to undertake common business purposes. The data processed is not considered to be sensitive according to the guidelines of 'Special Category Data' and the supplier or customer would fully expect The Business to process their data.

Business development and marketing data processing (Data Controller)

Compliance with GDPR will work to enhance the reputation of The Wellington Inn. The Wellington Inn processes supplier and customer data for legitimate and common business purposes, including communications and marketing, processing certain 'low risk' personal data to gather market intelligence, promote products and services, as well as communicate news and offers to its customers.

Specific examples are:

  1. Discretionary service interactions - customers are identified in order for them to receive communications relating to how they use and operate the data controllers' product
  2. Personalised service and communications
  3. Direct marketing - of the same, or similar, or related products and services; including also sharing and marketing within a unified corporate group and brand;
  4. Targeted advertising
  5. Analytics and profiling for business intelligence - to create aggregate trend reports; find out how customers arrive at a website; how they use apps; the responses to a marketing campaign; what are the most effective marketing channels and messages; etc.
  6. Ad performance and conversion tracking after a click
  7. Audience measurement - measuring audiovisual audiences for specific markets
  8. Mapping of publicly available information of professional nature to develop database of qualified professionals/experts in relevant field for the purpose of joining advisory boards, speaking engagement and otherwise engaging with the Business
  9. Primarily B2C marketing of news and offers.

The argument here is that any individual who has provided their email details has done so fully expecting to receive mailshot marketing, and would naturally expect The Wellington Inn to store their data and to make use of it - these data subjects are naturally a 'legitimate interest' to The Wellington Inn. The data processed is not considered to be sensitive according to the guidelines of 'Special Category Data' and the data subject would fully expect The Business to process their data.

The rights of the individual whose data is processed

As alluded to above, The Wellington Inn is a Business that has worked hard to establish itself as a quality business, with a strong reputation. The Wellington Inn is determined to be compliant with respect to the GDPR, data capture, processing, security and the rights of the individual and it has a very clear ambition to be compliant by 25th of May 2018.

The Wellington Inn's own website will capture data with consent permissions in accordance with the GDPR. The Business will process non-sensitive data such as contact name, email address and business phone number of contacts. Email marketing will be the preferred approach as this is particularly cost effective, and any data processed will not be sensitive and as such will not require special protection under the GDPR.

Minimal intrusion

Following any email marketing correspondence, the data subject will be encouraged to view the Business's Privacy Policy, where they will be able to see the legal basis on which the Business relies for gathering data. In the event that an individual feels that their data is unconnected to the Business or that they do not expect their information to be used for purposes connected to the product or service of The Wellington Inn, they will be able to manage their subscription via The Wellington Inn website Subscription Management page (accessible via the unsubscribe link on an email or via the Business's Privacy Policy page).

The Subscription Management page is intended to provide a minimal intrusion experience for the data subject. Should the data subject wish to see their data stored in The Wellington Inn master database, they will receive a link to their own Subscription Management web page, from which they will be able to unsubscribe from a mailing list or update their data. In the event that an individual would like to exercise their right to erasure, they will be provided with an email address on The Wellington Inn Privacy Policy (tellmemore@thewellingtoninn.co.uk) and their request will be considered with reflection upon the criteria prescribed by the GDPR.

Sharing data

The Wellington Inn will not share its database with any other business. The Wellington Inn may need to make use of third party data processors in order to fulfil its marketing challenge; on these occasions, a contract will be in place between The Wellington Inn (the data controller) and the third party data processor - only GDPR compliant third party data processors will be used to provide these services. The contract, which is a requirement of GDPR, will ensure that both parties understand their responsibilities and liabilities.

Data may need to be shared with authorities such as the ICO during an IT or cyber security investigation. This may be required under the GDPR following a breach of security. Another example of data sharing may be if the authorities need to investigate a subscriber's details during an anti-fraud or criminal investigation.

Security measures and online safeguards

This section will focus on the security measures that The Wellington Inn has in place for the hosting and administration of its own website thewellingtoninn.co.uk. The website makes use of a Content Management System for data capture and subscription management via thewellingtoninn.co.uk/mailinglist.html. The data is contained in a main database, which is hosted online. The Wellington Inn's data capture portal utilises an array of security measures from server through to website.

Privacy impact & risk mitigation

The Wellington Inn has looked, and will always look, to secure its hard-earned reputation throughout any marketing campaign - consequently it is very careful to consider the relevance of its marketing to a data subject. The Wellington Inn takes the position that the quality and relevance of a data subject is crucial, but equally the Business feels that every effort should be made to allow the data subject to easily act to assert their right to privacy.

Data Controllers have obligations under GDPR to keep good records of personal data and processing activities. With this in mind, The Wellington Inn has implemented processes which work to establish transparency as well as to protect the data subjects' rights according to GDPR guidance; these processes include the following:

  1. Routine data consent refresh every 6 months - All data subjects will be emailed to confirm that they are happy to remain subscribed to the Business's News & Events list - the email will provide clear access to:
    1. Details relating to the data controller (The Wellington Inn)
    2. The legal basis used by the Business for processing data
    3. How the Business may use the data
    4. What data is processed by The Wellington Inn (non sensitive)
    5. The Wellington Inn Privacy Policy
    6. A Subscription Management page
      1. Right to withdraw consent
      2. Unsubscribing from all lists
      3. Contact details about the controller's Data Protection Officer
      4. Link to a supervisory authority to lodge a complaint against The Wellington Inn
    7. Information relating to 3rd party data processors
    8. Information relating to sharing of data
    9. Information relating to security of and storage of data
    10. Information relating to retention of data
    11. Information relating to the right to erasure
  2. Record keeping of the activities relating to the way that the Business processes an individual's data
    1. How and when data was collected
    2. How and when data was used
    3. When the data subjects' consent was refreshed - consequence of the refresh
  3. Record keeping of any actions taken by the subject following any communication from the Business
    1. Opens, clicks, unsubscribes
    2. Correspondence with tellmemore@thewellingtoninn.co.uk
    3. How and when does a contact unsubscribe
      1. Unsubscribe link from Marketing email
      2. Subscriptions Management page unsubscribes (directly via thewellingtoninn.co.uk)
      3. Verbal notice
    4. Responses to any complaint relating to information/rights that we receive, clearly stating how we have processed the individual's personal information and explaining how the Business will put right anything that's gone wrong
  4. Most of the record keeping referred to above is carried out automatically. Subscription and marketing activities are handled by the website, so access to records is relatively straightforward - this also means that the Business's master database is dynamic - as individuals subscribe or unsubscribe or as data is added manually, the master database is always up to date. The beauty of this approach is that version control is always accurate, minimising irritation of data subjects once unsubscribed.

Contact Form data

If a user subscribes to the Mailing list, then the user is positively opting in to receive the News & Offers emails. Any data captured or recorded is kept to a minimum, i.e. name, email and telephone number; this information is not sensitive. Data subjects will only receive the News & Events email if they have opted in. The Business makes it very easy for a data subject to manage their data via a Subscriptions web page, and any inconvenience felt by the data subject following a marketing communication (email) is easily avoided in the future simply by following the unsubscribe link. Once again, if the data subject does feel that the Business's use of their data is intrusive, it is very easy for the data subject to unsubscribe from the Business's marketing.

Summary of the Business's reliance on the 'Legitimate Interest' legal basis

The Wellington Inn is a well-established business that takes its reputation very seriously. The Business is respected and wishes to embrace the ethos of GDPR, further establishing its credibility with compliance and transparency. The Business does need to be progressive and email marketing is seen as a cost-effective form of profile raising. On balance our judgement is that the Business takes its data responsibilities very seriously and markets its services sensitively to an audience that has shown to be of Legitimate Interest. The Business's website uses an approach which records data in a compliant manner and only if consent is provided. Data subjects have good access to their subscription data - making the removal of their data from a marketing list very straightforward. All data subjects will be asked periodically to unsubscribe if they feel that The Wellington Inn News & Offers notifications are no longer appropriate.