Purpose of policy
The purpose of our policy is to
• comply with the law
• follow good practice
• protect clients, staff and other individuals
• protect the organisation
When you use Gambas wi-fi we do not collect data about:
- your device
- the volume of data which you use
- the websites and applications which you access
- Your usage by access time or frequency
As part of the registration for our Loyalty Programme, we collect personal information. We use that information to tell you about special offers, live acts that we have performing for you and any news that we think you would like to know about. We may need to contact you if we need to obtain additional information; to check our records are right and to check now and again that you are happy and satisfied. We do not rent or trade email lists with other organisations or businesses. We use a thirdparty provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice. You can unsubscribe to general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails.
When someone visits gambas.co.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of the
site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make any attempt to find out the identities of those visiting our website.
Electronic Point of Sale
Loyalty Card customers will be able to give explicit consent at the time of sign-up so that you can opt in to receive communications by email, text, phone and/or mail. Only staff and management have access to any information that is held on our system and have be sufficiently trained on how to handle data sensitively. Nobody unauthorised will have access to any details that we hold of our customers. Customers at any time can request that their details be removed and their details will be deleted from our system. We will not sell or distribute any of our customer’s data to any third parties or transfer any
data outside the EU.
Social Media Policy (Staff & Management)
Our Social Media Policy is to protect from the following:
- Risk of defamation
- Reputation and brand management
- Handling negative comments
- Monitoring employees
- Protecting information about employees
Employees may face disciplinary action for posting comments online that may damage the company’s reputation. Gambas may monitor employees’ social media activity if we become aware of any of the above. Any members of staff that posts on social media on behalf of Gambas and uses the company’s devices are not permitted to use the devices for personal communications. They will not publicly share sensitive information about followers online. Staff using their own device to post on behalf of Gambas that contains personal data of customers must be aware that they are responsible for any security breaches which include the loss of a personal device or it being accessed by friends or family whilst containing confidential or sensitive information. All devices are to be and will be password protected to ensure that this information does not and cannot be accessed by anyone unauthorised to do so.
Electronic Booking Systems (Loyalty customer Database)
Bookatable is an online restaurant service that we use in Gambas. Bookatable has a consent box so that customers are able to opt-in to marketing whilst using the platform themselves. This gives our diners the opportunity to consent by taking a positive action. Bookatable is also used as a tool within the restaurant and any customer calling to book a table will be asked if they are happy to receive marketing communications from us. We will not sell any customer data to any third parties or transfer any data outside the EU.
Textlocal is a mobile communications online platform that we use to inform our customers of any special offers, news and Live Acts that may be performing in due course. All customers that are on our database for textlocal will be sent texts in which they will be able to opt-in or out of our marketing communications. Nobody unauthorised will have access to any details that we hold of our customers. Customers at any time can request that their details be removed and their details will be deleted from our system.
Gambasuk Ltd. will:
- comply with both the law and good practice
- respect individuals’ rights
- be open and honest with individuals whose data is held
- provide training and support for staff who handle personal data, so that they can act confidently and consistently
- Notify the Information Commissioner voluntarily, even if this is not required
The Board / Company Directors: Darin Scales
Data Protection Officer
As Gambas has less than 250 employees we do not have to employ a Data Protection Officer but all staff and employees will:
- Brief staff on Data Protection responsibilities
- Review Data Protection and related policies
- Advise other staff on tricky Data Protection issues
- Ensure that Data Protection induction and training takes place
- Notification to the ICO
- Handle subject access requests
- Approve unusual or controversial disclosures of personal data
- Approve contracts with Data Processors
All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
Any member of staff or management that infringe Data Protection and/or related policies will be subject to disciplinary action that may involve dismissal as an employee of Gambas. All staff and management will be provided with basic training and knowledge of data protection laws and are expected to adhere to this.
All data held on our customers is kept on password protected devices.
Customers are able to opt-in or out of marketing at any time by updating their preferences across all of our communications. Customers are also able to request that their information is deleted by contacting the restaurant and asking.
Right of Access
Right of access requests will be handled within one month.
Procedure for making request
Right of access requests must be in writing
Provision for verifying identity
Identity must be checked before handing over any information.
Information will be provided free of charge. However we will charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee will be based on the administrative cost of providing the information.
Customers are given the opportunity to opt-out of any type of marketing we utilise (as explained before).
Consent can be withdrawn at any time by verbal request, written request or by following the links and instructions.
Employee training & Acceptance of responsibilities
All employees who have access to any kind of personal data will have their responsibilities outlined during their induction.
Any Data Protection issues will be raised during employee training, team meetings, supervisions, etc.
Procedure for staff signifying acceptance of policy
Staff and employees are expected to show acceptance of their responsibilities to Data Protection.
Management will have responsibility for carrying out the next policy review.
All employees that are privy to sensitive information will be consulted in the review.
The next review will be carried out no later than two months before the review date of 25th May 2021.
Prepared by: Karen Whisker.
Last updated: 25th May 2018. Policy review date: 25th May 2021.