The English Restaurant - An independent, family-owned restaurant on the fringe of the City. 50-52 Brushfield Street, Spitalfields, London E1

The English Restaurant Privacy Policy


Data Protection Policy

Introduction

The Market Coffee House Limited is committed to ensuring that your privacy is protected. We will comply with the principles of the Data Protection Act 1998 (guide) and the General Data Protection Regulation (GDPR) and aim to maintain best-practice standards in our processing of personal and/or sensitive personal/company sensitive data.


Purpose

The Market Coffee House Limited (the Company) is committed to being transparent about how it collects and uses the personal data of its employees and those that work for us in other capacities such as consultants, and to meeting its data protection obligations. This policy sets out the company's commitment to data protection, and individual rights and obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees (which includes contractors) and former employees, referred to as HR-related personal data. This policy does not apply to the personal data of customers or other personal data processed for business purposes.

Personal data of customers, suppliers and third parties is limited and includes an individual’s name, phone number, fax numbers, company e-mail address and company address. This is gathered in several ways, including reservations made either directly or through a third party and the exchange of business cards and e-mails, and is held for the purposes of conducting business. A customer, supplier or third party can ask for their details to be removed at any time, and on receipt of such a request their name and details will be removed from our marketing system and they will not be contacted again. We are PCI DSS compliant regarding the processing of credit card details.

The company has appointed Kay Sinden as the person with responsibility for data protection compliance within the Company. She can be contacted at sindenkay@gmail.com. Questions about this policy, or requests for further information, should be directed to her.


Definitions

"Personal data" is any information that relates to an individual who can be identified from that information. "Processing" is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

"Special categories of personal data" means information about an individual's racial or ethnic origin, religious or philosophical beliefs, trade union membership and health life or sexual orientation.


Data protection principles

We process HR-related personal data in accordance with the following data protection principles:

• We process personal data lawfully, fairly and in a transparent manner.
• We collect personal data only for specified, explicit and legitimate purposes.
• We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
• We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
• We keep personal data only for the period necessary for processing.
• We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

Information regarding the collecting, processing and holding of personal data gathered during employment is contained in employee privacy notices issued to employees. Personal data of individuals will only be processed for reasons stated in the employee privacy notice.

Where the company processes special categories of personal data to perform obligations or to exercise rights in employment law, this is done in accordance with the GDPR guidelines on special categories of data or is anonymised.

We will update HR-related personal data promptly if an individual advises that their information has changed or is inaccurate.

The company keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of GDPR.


Individual rights

Employees are made aware of their rights in the Employee Privacy Notice which they receive at the same time as their Contract of Employment. Employees at the time GDPR legislation was introduced in May 2018 all received an Employee Privacy Notice.


Data security

We take the security of HR-related personal data seriously. We have internal controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by authorised staff in the proper performance of their duties.

Where we engage third parties to process personal data on our behalf, such parties do so on the basis of written instructions and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


International data transfers

The Company will not transfer HR-related personal data to countries outside the EEA without agreement.


Individual responsibilities

Individuals are responsible for helping the company keep their personal data up to date. Individuals should let Kay Sinden know if data provided to the company changes, for example if an individual moves house or changes their bank details.

Individuals may have access to the personal data of other individuals and clients in the course of their employment. Where this is the case, the company relies on individuals to help meet its data protection obligations to staff and clients.


Individuals who have access to personal data are required:

• to access only data that they have authority to access and only for authorised purposes;
• not to disclose data except to individuals (whether inside or outside the company) who have appropriate authorisation;
• to keep data secure;
• not to remove personal data from the company's premises without adopting appropriate security measures (such as password protection) to secure the data and the device; and
• not to store personal data on local drives or on personal devices that are used for purposes.


Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the company's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or client data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.


Training

We will provide training to all individuals about their data protection responsibilities as part of the induction process.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy, will receive training to help them understand their duties and how to comply with them.


Those visiting the Company website

The company does not use analytics gathered by Google, OpenTable etc.


Policy Review

This policy will be reviewed and updated if required in accordance with our data protection obligations. As a minimum we will review this policy once a year.