INTRODUCTION and IDENTIFYING the CONTROLLER of your personal data
Star Pubs & Bars Limited ("we", "us", or "our") is part of the Heineken group and we are the controller of your personal data. Personal data is any information about an individual from which that person can be identified. If you have any questions about this privacy policy or our processing activities, we can be contacted as follows:
- Mail: 3 – 4 Broadway Park, South Gyle Broadway, Edinburgh EH12 9JZ, marked for the attention of the Privacy Officer; or
- Email: protectingyourdata@heineken.co.uk
It is important that you read this privacy policy together with our cookie policy and any terms of use that apply to the services or websites which are presented to you. This privacy policy supplements the other policies and is not intended to override them.
What is covered by this Privacy Policy?
This privacy policy describes how we look after your personal data collected from you when you engage with us including when you (i) apply to become a tenant/operator at one of our pubs; (ii) take on the role of tenant/operator at one of our pubs; (iii) act as a guarantor to support a tenant’s/operator’s application; (iv) attend one of our managed pubs and are captured on our CCTV; (v) contact us via email or telephone with an enquiry or complaint; (vi) take part in a tenant/operator competition or activation; (vii) purchase our products or services; and/or (viii) visit one of our websites ("Engagement").
What is not covered by this Privacy Policy?
If you submit orders through eazle, please review the privacy policy available on the eazle website, which describes how we look after any personal data that you submit through that website.
If you are a consumer and we or Heineken UK Limited are processing your personal data, including for marketing purposes, please refer to our Brands Privacy Policy.
HOW and WHAT data do we collect about you?
We collect different categories of information which we have grouped together as follows:
- Identity Data - name, username, title, place and date of birth;
- Contact Data - billing address, delivery address, home address, forwarding address, email address(es) and telephone number(s);
- Applicant Data - work history, qualifications, business plan, personal statement of means, National Insurance number, proof of identity, right to work documentation and details of any unspent criminal convictions;
- Financial and Transactional Data - credit history (including confirmation of bankruptcy or any insolvency proceedings), financial data provided in personal statement of means, bank account and card payment details, details about payments, details about products and services purchased from us;
- Image Data – images captured by CCTV in our managed pub estate;
- Response Data - preferences, feedback and survey responses;
- Technical and Usage Data - information about how you use our products and websites, including your IP address and details about the devices you use to access our websites (please review the cookie policy on each website for further information on this);
- Marketing and Communications Data – preferences in receiving marketing and communications from us and information in terms of engagement with email communications. For example, we may track how you respond to the emails we send you, including whether you open the email and / or click on any content;
- Location Data - GPS-based location information from your use of our websites or Social Media Platforms via your smartphone(s), tablet(s) or other devices; and
- Photo and Video Data - photos and/or video footage of you captured as part of a photo or video shoot that we have arranged or at any event hosted or sponsored by us. Your attention will be drawn to any photography or filming that is taking place, and your consent will be obtained, where required.
We also collect, use and share Anonymised Data such as statistical or demographic data which is not reasonably likely to reveal your identity (directly or indirectly). For example, we may receive aggregated usage data detailing the percentage of users accessing a specific website. If we combine or connect Anonymised Data with other data so that it can directly or indirectly identify you, the combined data is 'personal data' which will be used in accordance with this privacy policy.
We do not knowingly process any Special Categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health or genetics and biometric data).
You have various rights regarding our use of your data, see the section headed "What are my RIGHTS?" below.
WHY do we collect your personal data?
We may collect the above categories of personal data about you for the following purposes (more specifically described in Annex 1):
- To run our applications process;
- To communicate with you;
- To perform a contract we have in place with you;
- To deter crime and ensure the personal safety and security of visitors and staff through the use of CCTV in our managed pub estate;
- To protect our business, comply with our contractual or regulatory obligations and prevent or detect crime;
- To market to you;
- To conduct market research;
- To enable you to partake in a competition or promotion and for prize fulfilment purposes;
- For analytical purposes;
- To improve our products and services;
- To maintain and optimise our websites;
- To satisfy our legal and regulatory obligations and co-operate with regulators and government bodies; and
- To defend and exercise our legal rights, including in relation to managing actual and potential claims.
What is our LAWFUL BASIS for collecting your personal data?
Under data protection laws, we must have a lawful basis under which we process your personal data. We will only use your personal data for the purposes above, unless we reasonably consider that we have another appropriate reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so.
If you provide us with your consent to processing, for example in connection with our marketing communications or your use of our website(s), you can withdraw it at any time and we will stop the processing activities that were based on consent as a lawful basis. Please note we may still process the data if we have another lawful basis for processing (in most instances, this will be for a more limited purpose e.g. back-up storage or to record a withdrawal).
Where we need to collect personal data due to a legal or regulatory obligation, or for performance of a contract, and you do not provide that data when requested, we may not be able to continue our Engagement with you or perform the contract we have or are trying to enter into with you (for example, to provide you with products or allow you to participate in competitions or promotions). We will notify you of this at the time.
Further information on the relevant purposes and linked lawful basis is set out in Annex 1.
WHO do we SHARE your personal data with?
We may share your personal data with the parties set out below:
- Internal third parties - other companies in the Star Pubs/Heineken group based within the EEA and the UK;
- External third parties – which include:
- service providers such as solicitors, accountants, surveyors, insurance companies and insurance claims managers, stock takers, providers of property repair and property security services, payment processing providers and distributors who assist us to ensure that we meet our legal and regulatory obligations (e.g. property maintenance, health and safety, tax and pubs code compliance), and in order to fulfil our obligations under the terms of our tenancy agreements;
- suppliers such as training suppliers (e.g. Attensi and CPL Learning), satellite TV, Wi-Fi, dispense monitoring (e.g. Vianet), financial monitoring (Innside Track) and web-hosting companies in order to fulfil any requests that our tenants have made for those services;
- credit reference agencies (“CRAs”) – where you submit an application to become one of our tenants or operators, we will supply your personal information to a CRA, and they will give us information about you, such as your financial history, for the purposes of carrying out identity and credit checks against you. Please note that CRAs may also share your information with other interested parties for credit reporting purposes. The identities of CRAs and details of the ways in which they may use your personal information are explained in more detail on the Experian website.
- independent debt recovery and tracing agencies for the purpose of collecting monies due or outstanding on our tenants’ accounts;
- regulators (e.g. the Pubs Code Adjudicator), local licensing authorities, the Health & Safety Executive, the Police, HMRC and any other regulator or public authority, government agency, tax authority, or any agent thereof, with jurisdiction over us, to comply with any legal or regulatory requirements or investigations (including informal investigations);
- IT and system administration service providers (including data storage providers and data management platform providers);
- selected third party providers of video interview software services;
- marketing/media/market research agencies for marketing and research purposes and to provide promotion and activation services, data on-boarding services, research and marketing strategy services;
- communications platform providers (i.e. vendors we use to send and manage email and SMS communications, e.g. Salesforce);
- our energy scheme operator, Inspired Energy;
- our draught dispense equipment service provider, Serviced Dispense Equipment Limited, and its subcontractor, Innserve Limited, to install, maintain, repair, replace and/or remove dispense equipment;
- utility suppliers and local authorities (or such other third parties as may bring a claim for outstanding payments against us, e.g. Sky) in connection with the change of tenancy or sale process;
- courts, parties to litigation and professional advisers where we reasonably deem it necessary in connection with the establishment, exercise or defence of legal claims; and
- a purchaser or parties interested in purchasing any part of our business (and professional advisors supporting on the transaction).
International transfers
Third parties we share data with may be based outside the UK. Whenever we transfer your personal data out of the UK, we take steps to ensure that we comply with our legal and regulatory obligations in relation to personal information and that the same level of protection is afforded to it as in the UK. We do this in two ways:
- we will transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Information Commissioner's Office (for example, all countries in the EEA are “adequate”); or
- we will use specific contracts approved by the UK Information Commissioner's Office.
How SECURE is my data?
We have put in place reasonable security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know - they are subject to a duty of confidentiality. Unfortunately, no transmission of information over the internet can be completely secure, and the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect account information and passwords. Please take care to protect this information.
Our websites include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites, plug-ins or applications and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit and third party service/application that you use.
How LONG will my personal data be used for?
We will only retain your personal data to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, tax, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider any legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means. Criteria used to determine retention periods for specific data collected are detailed further in Annex 1.
What are my RIGHTS?
Under data protection laws, you have various rights, which are set out below. The rights available to you depend on our reason for processing your personal data. You are not required to pay any charge for exercising your rights, although we may charge a reasonable fee if your request is unfounded, repetitive or excessive. We have one month to respond to you (unless you have made a number of requests or your request is complex, in which case we may take up to an extra two months to respond). Please note that, where we ask you for proof of identification, the one-month time limit does not begin until we have received this. If we require any clarification and/or further information on the scope of the request, the one-month deadline is paused until we receive that information.
- Right of access. You have the right to ask us for copies of your personal data. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.
- Right to rectification. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.
- Right to erasure. You have the right to ask us to erase your personal data in certain circumstances. You can read more about this right here.
- Right to restriction of processing. You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.
- Right to object to processing. You have the right to object to processing of your personal data where we are relying on a legitimate interest or conducting direct marketing. You can read more about this right here.
- Right to withdraw consent. Where we are relying on consent to process your personal data, you may withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
- Right to data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent. You can read more about this right here.
You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance using the details at the start of this policy.
This version was last updated in December 2024.
Annex 1 - PURPOSES, OUR LAWFUL BASIS, RETENTION PERIODS
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest | Retention period |
| --- | --- | --- | --- |
| To process your application to become a tenant/operator in one of our pubs which includes verifying your suitability as a tenant/operator through anti-money laundering and credit checks, as part of our application process. | | Necessary for our legitimate interests (recruitment of tenants/operators and internal administration). | Where your application is successful, 6 years following termination of the relationship. Where your application is unsuccessful, 6 months after notifying you that it is unsuccessful. If we perform a video interview with you, we will retain your data for 180 days from the date of collection. |
| To register you as a new tenant/operator if your application is successful. | | Performance of a contract with you. | 6 years following termination of the relationship. |
| To conduct market research with unsuccessful or withdrawn candidates, as part of our application process. | | Necessary for our legitimate interest (to improve and streamline application process). | Generally, we will do this within 2 weeks after notification to you that your application was unsuccessful/after you have withdrawn your application (as applicable). By exception, we will contact you up to 6 months after such notification where we consider you can still provide us with valuable feedback on specific topics. |
| To add unsuccessful applicants to our talent bank of excellent candidates so that we can contact you when suitable opportunities to become a tenant/operator of one of our pubs arise, as part of our applications process. | | Consent. | Contact details are removed from our talent bank after three unresponsive contacts have been made to you, or if you notify us that you no longer wish to be contacted by us (whichever is the earlier). |
| To communicate with you and improve our services with you, which includes: | | Performance of a contract with you. Necessary for our legitimate interests (for running our business and managing our pub estate, improving our services through feedback and use of real calls for training purposes). To perform our legal obligations. Where required by privacy laws, consent. You will be notified that calls are being recorded at the start of the call. If you object to the call recording, you will have the option to end the call and contact us through alternative means. | Recorded calls will be retained for 365 days from the time of the relevant call. Where you have contacted us in connection with an enquiry or complaint, we will retain your data for 3 years from when the enquiry or complaint has been resolved. If you no longer wish to receive any marketing emails/alerts from us, you can unsubscribe at any time. Survey feedback will be retained until it has fulfilled its intended purpose (Note: please see section above “How LONG will my personal data be used for?” to learn more about the things we consider when determining how long we will retain your personal data). |
| Where we perform the contract we have in place with you, including managing payments, fees and charges, and delivering the requested product or service. | | Performance of a contract with you. To perform our legal obligations. | After the duration of your contract with us has expired, our online sales records will be retained by us for 7 years or longer if required by tax or corporate bookkeeping. |
| To deter crime and ensure the personal safety and security of visitors and staff through the use of CCTV in our managed pub estate. | | Necessary for our legitimate interests (to protect the safety and security of visitors and staff at our sites and assist in criminal investigations). | Video footage will be retained for a limited time before it is automatically deleted. The retention of CCTV is determined by any specific requirements as specified by the local licensing authority in the premises licence, as well as the need to investigate health and safety incidents or criminal incidents, including in connection with any legal proceedings or requests from law enforcement authorities, loss adjusters and insurers. |
| To protect our business through compliance with contractual or regulatory obligations, prevention / detection of crime and satisfaction of our legal obligations / defence of our legal rights, including: Note: in sharing Contact Data with third parties, we may rely on the exemption in Schedule 2, Part 1, Paragraph 2(c) of the Data Protection Act 2018 (the "crime and taxation" general exemption). | | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). Necessary to comply with a legal obligation. | Where you have contacted us in connection with an enquiry or complaint, we will retain your data for 3 years after the enquiry or complaint has been resolved. The cookie policy on the relevant website provides more information on specific cookie retention periods. 6 years following termination of the relationship. |
| To share photo and/or video footage captured at photo or video shoots that we have arranged or public or private events in external publications, on social media, with marketing agencies and/or internally. | | Necessary for our legitimate interest (to promote and grow our business). Where required by privacy laws, consent. | Until an opt-out/objection is received or consent is withdrawn as applicable. |
| To send you direct electronic marketing communications (i.e. via email or SMS). | | Necessary for our legitimate interest (to promote and grow our business). Where required by privacy laws, consent. | Data will be processed until an objection is received or consent is withdrawn as applicable. |
| To conduct data analytics to improve our websites, products/services, customer relationships and experiences and marketing strategies. This includes: | | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our websites updated and relevant, to develop our business and to inform our marketing strategy). Where required by privacy laws, consent. | Data will be processed until an opt-out / objection is received or consent is withdrawn as applicable. The cookie policy on the relevant website provides more information on specific cookie retention periods. |
| To enable you to partake in promotions and competitions and for prize fulfilment purposes. | | Performance of a contract with you. | 6 months following prize fulfilment (in certain cases the retention period may be longer due to the nature of the prize e.g. flight tickets – in such cases the personal data will be deleted when it is no longer required). |
| To maintain and optimise our websites which includes where we need to solve performance issues, including troubleshooting, testing, system maintenance, support, reporting and hosting of data, to improve the availability and functionality of our websites. | | Necessary for our legitimate interests (to maintain the relevance of our brand and reputation, run our business, operate administration and IT services, protect network security and to prevent fraud). Necessary to comply with a legal obligation. | We retain information relating to the performance of our websites for 2 years. |