
This document aims to explore the appropriateness of the legal basis of 'Legitimate Interest' for the processing of personal data by The Wellington Inn with respect to the GDPR and the rights of the individuals whose data is processed and stored by the Business. In this document, The Wellington Inn may be referred to as The Business.
The Wellington Inn is an established business which has worked hard to become highly regarded and reputable. The Wellington Inn is a high-quality gastro pub dealing directly with the public. The Business is determined to continue to build its business and would like to develop further quality employment in the future. The Wellington Inn aspires to be a fair, transparent and ethical business both towards its employees and towards its customers.
There are three main areas of data processing that the Business undertakes. These are:
Taking each of these areas in turn, this document aims to explore:
The Wellington Inn processes employees' data for legitimate and common business purposes, in situations which are not necessary for the performance of the employment contract but are nevertheless customary, or necessary for operational, administrative, HR and recruitment purposes and to otherwise manage the employment relationship and interaction between employees.
Specific examples are:
The argument here is that the Business has a legitimate reason for processing employees' data to undertake its role as employer and to safeguard its customers during its role as a processor. The data processed is typical employee information and the employee would fully expect The Business to process this data.
The Wellington Inn processes supplier and customer data for legitimate and common business purposes, in situations which are not necessary for the performance of the business but are nevertheless customary, or necessary for operational and administrative purposes and to otherwise manage the relationship and interaction between The Business and its suppliers and customers.
Specific examples are:
The argument here is that the Business has a legitimate reason for processing supplier and customer data to undertake common business purposes. The data processed is not considered to be sensitive according to the guidelines of 'Special Category Data' and the supplier or customer would fully expect The Business to process their data.
Compliance with GDPR will work to enhance the reputation of The Wellington Inn. The Wellington Inn processes supplier and customer data for legitimate and common business purposes, including communications and marketing, processing certain 'low risk' personal data to gather market intelligence, promote products and services, as well as communicate news and offers to its customers.
Specific examples are:
The argument here is that any individual who has provided their email details has done so fully expecting to receive mailshot marketing and would naturally expect The Wellington Inn to store their data and to make use of it - these data subjects are naturally a 'legitimate interest' to The Wellington Inn. The data processed is not considered to be sensitive according to the guidelines of 'Special Category Data' and the data subject would fully expect The Business to process their data.
As alluded to above, The Wellington Inn is a Business that has worked hard to establish itself as a quality business, with a strong reputation. The Wellington Inn is determined to be compliant with respect to the GDPR, data capture, processing, security and the rights of the individual and it has a very clear ambition to be compliant by 25th of May 2018.
The Wellington Inn's own website will capture data with consent permissions in accordance with the GDPR. The Business will process non-sensitive data such as contact name and email address and business phone number of contacts. Email marketing will be the preferred approach as this is particularly cost effective, and any data processed will not be sensitive and as such will not require special protection under the GDPR.
Following any email marketing correspondence, the data subject will be encouraged to view the Business's Privacy Policy, where they will be able to see the legal basis on which the Business relies for gathering data. In the event that an individual feels that their data is unconnected to the Business or that they do not expect their information to be used for purposes connected to the product or service of The Wellington Inn, they will be able to manage their subscription via The Wellington Inn website Subscription Management page (accessible via the unsubscribe link on an email or via the Business's Privacy Policy page).
The Subscription Management page is intended to provide a minimal intrusion experience for the data subject. Should the data subject wish to see their data stored in The Wellington Inn master database, they will receive a link to their own Subscription Management web page, from which they will be able to unsubscribe from a mailing list or update their data. In the event that an individual would like to exercise their right to erasure, they will be provided with an email address on The Wellington Inn Privacy Policy (tellmemore@thewellingtoninn.co.uk) and their request will be considered with reflection upon the criteria prescribed by the GDPR.
The Wellington Inn will not share its database with any other business. The Wellington Inn may need to make use of third party data processors in order to fulfil their marketing challenge; on these occasions, a contract will be in place between The Wellington Inn (the data controller) and the third party data processor - only GDPR compliant third party data processors will be used to provide these services. The contract, which is a requirement of GDPR, will ensure that both parties understand their responsibilities and liabilities.
Data may need to be shared with the authorities such as the ICO during an IT or Cyber security investigation. This may be required under the GDPR following a breach of security. Another example of data sharing may be if the authorities need to investigate a subscriber's details during an anti-fraud or criminal investigation.
This section will focus on the security measures that The Wellington Inn has in place for the hosting and administration of its own website thewellingtoninn.co.uk. The website makes use of a Content Management System for data capture and subscription management via thewellingtoninn.co.uk/mailinglist.html. The data is contained in a main database, which is hosted online. The Wellington Inn's data capture portal utilises an array of security measures from server through to website.
The Wellington Inn has, and will always look to secure, its hard-earned reputation throughout any marketing campaign - consequently it is very careful to consider the relevance of its marketing to a data subject. The Wellington Inn takes the position that the quality and relevance of a data subject is crucial, but equally the Business feels that every effort should be made to allow the data subject to easily act to assert their right to privacy.
Data Controllers have obligations under GDPR to keep good records of personal data and processing activities. With this in mind, The Wellington Inn has implemented processes which work to establish transparency as well as to protect the data subjects' rights according to GDPR guidance; these processes include the following:
If a user subscribes to the Mailing list, then the user is positively opting in to receive the News & Offers emails. Any data captured or recorded is kept to a minimum, i.e. name, email and telephone number; this information is not sensitive. Data subjects will only receive the News & Events email if they have opted in. The Business makes it very easy for a data subject to manage their data via a Subscriptions web page and any inconvenience felt by the data subject following a marketing communication (email) is easily avoided in the future simply by following the unsubscribe link. Once again, if the data subject does feel that the Business's use of their data is intrusive, it is very easy for the data subject to unsubscribe from the Business's marketing.
The Wellington Inn is a well-established business that takes its reputation very seriously. The Business is respected and wishes to embrace the ethos of GDPR, further establishing its credibility with compliance and transparency. The Business does need to be progressive and email marketing is seen as a cost effective form of profile raising. On balance, our judgement is that the Business takes its data responsibilities very seriously and markets its services sensitively to an audience that has been shown to be of Legitimate Interest. The Business's website uses an approach which records data in a compliant manner and only if consent is provided. Data subjects have good access to their subscription data - making the removal of their data from a marketing list very straightforward. All data subjects will be asked periodically to unsubscribe if they feel that The Wellington Inn News & Offers notifications are no longer appropriate.