Hospitality, conferences and catering services privacy notice
The University of Surrey is registered as a Data Controller with the Information Commissioner’s Office (our notification number is Z6346945), and we are committed to ensuring that the data we process is handled in accordance with data protection legislation.
We have a Data Protection Officer who can be contacted via email@example.com.
One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.
Hospitality, Conference and Catering Services holds and processes personal data about:
- Staff (prospective and current)
- Visitors and members of the public.
The personal data we process about you consists of your:
- Preferred contact details (that you provide to us)
- Credit check result.
We will receive some of this data from you if you contact us, make an enquiry or place an event booking with us.
We may receive dietary, access requirements and medical information about you when an event organiser, whom you have given the information to, provides us with this information regarding an event that you are attending.
NHS track and trace
In-line with government Covid-19 secure guidelines we support NHS track and trace by asking all our customers who eat or drink in when visiting our bars, restaurants and cafes to enter their name and contact number into our database by scanning the QR code located within our facilities. By maintaining records of our customers and sharing these with NHS Test and Trace where requested, you can help us to identify people who may have been exposed to the virus. We will be asking all our customers that dine in to voluntarily provide their name and phone number for this purpose.
We may also process the following more sensitive ‘special category’ data about you - dietary information and access requirements.
We use Food Alert, a safety consultancy firm to manage cases of alleged food poisoning incidents using FACT, a safety compliance service. As part of this process, Food Alert would receive and hold medical information about you as part of their investigation, but this would not be accessible to University of Surrey staff.
The University collects only the data we need and we keep the data up to date and only for as long as it is needed.
We collect your personal data in order to:
- Process and manage a booking contract
- Create an invoice
- Ensure that we can meet any special requirements you may have during your booking
- Provide you with a parking permit
- Investigate a complaint or concern
- Send you news and information for marketing purposes (where you have consented to this)
- Support NHS Track and Trace in line with the UK governments Covid secure guidelines.
We take our obligations for data handling very seriously and it is therefore important for you to know the various lawful bases that we rely on to process your information:
We process data to meet a legal obligations specifically when we complete and hold pre-employment medical questionnaires and return to work forms for our prospective and current employees.
We also process data to meet our contractual duties to you and provide you with catering, meeting rooms, events space, accommodation services as laid out in our contract with you, and to process your payment and issue you with an invoice.
We also process data in our legitimate interests to ensure that we can process and manage your booking.
We have identified these legitimate interests as being the following:
- Carrying out a credit rating check
- Providing you with a parking permit
- Booking accommodation, events or catering facilities
- Log enquiries for forecasting purposes
- Handling any queries, concerns or complaints you may have, including completing the Food Alert FACT form in the event of any allegation of food poisoning incident.
- To support NHS Track and Trace in line with the UK governments Covid-19 secure guidelines
- Sharing your name and contact details with Public Health England/NHS track and trace (whichever body it is that requires data from catering facilities), when required.
These legitimate interests are determined through an assessment made by weighing our requirements against the impact of the processing on you. Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please contact our Data Protection team.
We will sometimes process data because you give us your consent when we ask for it, specifically to send you marketing materials where we have received your clear opt-in consent to this.
We process your special category data such as dietary, health and disability information where we have your consent to do so.
NHS track and trace
We process your name and contact details under a legal obligation with Public Health England/NHS track and trace and will share this data with them when we are requested to do so.
The University processes personal data and special category data in accordance with data protection legislation and its own Our Data Policy Statement (PDF).
We combine the data you provide with data obtained from event enquiries to keep a record of your bookings journey.
We store the data securely to enable us to populate booking contracts and invoices.
We ensure that data is kept confidentially, and access to the systems is upon request only.
We keep your personal data in accordance with the University’s retention schedules. This means that your data is kept for a maximum period of 16 years and then destroyed.
When dining in, we keep your name and phone number to support NHS Track and Trace for a minimum of 21 days.
Internally, we share your personal data with:
- Housekeeping team
We do this in order to:
- Ensure that services offered can be prepared in advance
- Ensure safety of those on site
- Prepare for your arrival at the University.
We share your personal data externally with the following third parties:
- FACT online reporting system (in case of Alleged Food Poisoning form) which is provided by FoodAlert
- Public Health England/NHS track and trace (whichever body it is that requires data from catering facilities), when we are requested to do so.
Local authorities have a legal power to enter and inspect or audit the University’s food services and safety records. As part of this, your information may be accessed by local authority officials as part of this work to ensure that the University’s food safety procedures meet the required standard.
As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.
You have the right to:
- Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
- Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
- Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
- Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
- Restrict the processing of your personal data in certain ways.
- Obtain your personal data for reuse.
- Object to certain processing of your personal data.
If you would like to exercise any of your rights please visit our make a privacy request section.
Make a complaint
If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.
If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.