Date last revised: January 2020
This policy sets out how personal data is processed by Brouge Restaurant (we/us/our). We are the data controller, in relation to all personal data processed on our behalf. Whenever you join us at any of our restaurants, or visit our website at brouge.co.uk (Website) we will collect a range of your personal data to provide our food, drinks and related services to you. Personal data taken by any of the processing companies listed above belongs to you and we recognise that we have a duty to protect it. Unless otherwise required by law, the Information Commissioner’s Office (ICO) guidance or best practice, or in order to provide our services to you, we will only process your personal data in the way we tell you or in the way you ask us to, and we will give it back to you at any time.
1. This policy
1.1 This policy sets out how we will process your personal data. You are therefore advised to read it carefully. Terms used within it shall have the meaning(s) given in the Data Protection Act 1998 (Act) and/or the General Data Protection Regulation (Regulation), as applicable.
1.2 By visiting our Website, or eating at one of our restaurants and providing your personal data to us, you understand, accept and consent to the practices described in this policy.
1.3 Any changes we make to this policy will be posted on this page. You are advised to check back frequently as, unless your consent is required, any changes will be binding on you when you continue to use the Website or work with us after the date of the relevant change.
1.4 For more information relating to your rights under this policy, please see section 8.
1.5 If you have any queries relating to this policy, please contact us through our Operations Manager at email@example.com in the first instance.
2. Who we are
2.1 For the purposes of the Act, the data controller is Brouge Bistros Limited. We are a UK registered company (number 07801709) and our registered office is at 241 Hampton Road, Twickenham, TW2 5NG.
2.2 We are registered with the ICO to process your personal data in the manner set out in this policy.
2.3 All personal data needed for reservations, correspondence and payment processing purposes, is stored on Cloud-based storage solutions, hosted by third parties. These are listed in section 5.4.
2.4 Our CRM database is hosted by 1and1.com. They provide us with the platform that allows us to send out our newsletters and general updates via email. Your data is stored securely on 1and1.com’s servers. For more insight, you may also want to read 1and1.com’s Privacy Statement https://www.ionos.co.uk/terms-gtc/privacy-policy/
3. Your consent
3.1 Ordinarily, we process your personal data solely for legitimate business purposes and we take only the personal data you freely give to us when making a reservation, or by paying for our food and drinks at any of our restaurants. We consider that all personal data we obtain from you in relation to your reservations and payment for our services are reasonable and necessary. However, we review this intermittently and remove, or cease to process, any inaccurate or obsolete data.
3.2 We only rely on your consent where we wish to use your personal data to contact you for marketing purposes.
3.3 You may exercise your rights under section 8 at any time, which includes withdrawing your consent to our processing of your data. However, where this withdrawal prevents us from verifying your identity, you won’t be able to make a reservation with us (for obvious reasons).
4. What we collect
4.1 We will collect the following personal data from you, to: make a reservation, we need your name, email address and telephone number to allow us to verify who you are and contact you if necessary; receive our marketing emails, we need your name and your email address; and pay for your food, we retain your payment card information.
4.2 CCTV is in use our restaurant for the protection of our staff and property, and each company is separately registered with the ICO to process your data in this way. If you visit these premises, your biometric data might/will be taken during your time on site and this will be stored and retained in accordance with our internal data retention policy.
4.3 Occasionally, staff may retain your driver’s licence, passport or other valid form of photo identification. Any personal data contained on such documents will be retained for compliance with alcohol licensing laws in the UK, and evidence of our diligence in carrying out appropriate checks.
5. How we collect your data
The data listed in section 4 is collected in the following ways:
5.1 When you provide it to us This is largely self-explanatory and already described in section 4.1
5.2 When we collect it from you. When you use our Website, we will automatically collect technical information about the device you use to visit, including your IP address, browser type/version and related settings; and We also monitor your use of our Website. This includes the full URLs, your clickstreams through our Website, the pages you view and how you interact with them and how you leave the Website.
5.3 When we receive it from others We do not transfer or receive personal data relating to you from any third party other than those listed in section
5.4. Our Website is managed by Brouge who has access to the technical information we collect from your visit
6. What we use your data for and how long we keep it
6.1 We need your data to take payment for our food and drink, allow you to reserve a table with us, or market our products, offers and competitions to you.
6.2 We only contact you for marketing purposes where you have given us permission to do so, and you can opt-out at any time. Where you opt out, we will no longer contact you until you ask us to, and we will not prompt you to do so.
6.3 Technical information we collect about your visit to our Website is used to enable us to: personalise and improve its functionality and security (to keep it safe and secure); administer and monitor traffic and behaviours on our Website for analysis, testing, research, statistical and survey purposes; and ensure that we can offer you the most effective and efficient browsing experience, and make improvements where necessary.
6.4 Once collected, your data (other than payment data retained for accounting purposes) will be retained for as long as you permit us to market our services to you, or for 24 months after your last reservation with us. After this point, your data will be securely deleted and we will not contact you without your prior consent.
6.5 Credit card data is automatically shredded, or otherwise securely deleted, after 7 years.
7. How secure your data is with us
7.1 Internal staff access to your data (on and off-site) is restricted to those members of staff in departments who need to know for the purposes of performing their roles. Our marketing and operations teams have access to your details on our CRM system for marketing purposes.
7.2 Our operations, reservations teams and restaurant staff have access to our internal reservations system and that database on Quandoo.
7.3 Our accounts, operations and reservations teams, as well as restaurant managers, have access to your payment details.
7.4 Any data sent to us by email is automatically encrypted in transit.
8. Your rights
8.1 In relation to all of your personal data, you have the following rights (in addition to any rights you may have under the Act or the Regulation) to ask us:
8.1.1 not to process your personal data for marketing purposes; 8.1.2 to clarify what data we hold about you, how it was obtained, to whom it has been disclosed and for how long it will be stored; 8.1.3 to amend any inaccurate data we hold about you; 8.1.4 to delete any of your data (where you no longer think we need to hold it, or you think we have obtained or processed it without your consent at any time); and 8.1.5 to only process your personal data in limited circumstances, for limited purposes.
8.2 We have the capacity to extract your personal data from our databases and provide it to you in a structured, commonly-used way (typically by .csv file).
8.3 If you wish to exercise any of your rights at any time, please contact us on the details contained at the beginning of this policy in the first instance. We will require you to verify your identity to us before we provide any personal data, and reserve the right to ask you to specify the types of personal data to which your request relates.
8.4 Where you wish to exercise any of your rights, they may be subject to payment of a nominal administration fee (to cover our costs incurred in processing your request) and any clarification we may reasonably require in relation to your request. Such fees may be charged where we consider (acting reasonably) that your request is excessive, unfounded or repetitive.