How do we comply with data protection law?

We have adopted the measures that we believe are necessary to comply with the Data Protection Act 1998 and we are preparing for the act’s replacement, which will fully embed the General Data Protection Regulation into UK law.

We have also adopted the measures that we believe are necessary to comply with the Privacy and Electronic Communications Regulations 2003. This law sets out an additional set of rules that we must follow whenever we communicate with you via any of our websites and apps, or by telephone, fax, email or text message.

Being accountable for what we do

As well as the security measures mentioned above, we have a team of people whose job it is to make sure that Greene King does the right thing the right way whenever we’re processing personal data. This team includes a Data Protection Officer, who can be contacted using these contact details.

There are a set of checks we apply to make sure we process personal data fairly and transparently. These include:

  • Providing you with clear and accurate information about why we need your personal data, what we do with it and how long we keep it for
  • Checking that our business interests don’t unfairly or unreasonably impact upon you or your rights
  • Identifying personal data processing risks and reducing them to an acceptable level
  • Responding honestly, clearly and promptly to enquiries we receive from you or from the Information Commissioner’s Office

Lawful Bases

The lawful bases we rely on for our processing are:


Lawful basis

When you use our websites

It is in our legitimate interests to provide a fully-functioning, accessible and useful website to our customers.

When we need to verify your age

We process this data to satisfy our legal obligation to not sell alcohol to anyone under the age of 18.

It is in our legitimate interests to ensure that we do not market alcohol to anyone under the age of 18.

We need to verify or record information about your identity

This is sometimes due to a legal obligation imposed under the Licensing Act, or in the case of assisting NHS Test and Trace and NHS Scotland Test and Protect, their legitimate interest of being able to act quickly during the pandemic.

When you make a booking, payment, request a refund, use a loyalty card, use a gift card, use our Wi-Fi or when we send you service-related communications

We process data to set up the contract, provide the services to you and notify you of any important changes to them.

When you subscribe to newsletters or direct marketing

We send marketing information to people who consent to receive it.

We may also send marketing to customers who, when informed that we want to do so, choose not to opt out (soft opt-in).

It's a legitimate interest to send direct mail marketing to let our customers know about our products, brands, services and any special offers we are running.

Customers who no longer want to receive marketing can opt out at any time (please follow the instructions in the marketing messages we send you).

When we carry out profiling

This helps our business to develop by targeting our advertising and marketing and understand more about our customers like and dislikes, which are legitimate interests for us.

When you use a gift card or participate in a loyalty scheme 

 To provide the benefits you are due under the contract.

When you enter a competition. 

 Please see the privacy notice for the competition.

When you play pub poker

 Please see the privacy notice for the tournament.

When you submit queries, compliments or complaints

Sometimes our processing will be necessary for us to meet the terms of the contract we have with you. Otherwise, it we will have a legitimate interest in dealing fully with the matter you have raised.

When you take part in a survey

It is a legitimate interest to ask you what you think of our service, what we do well and what you think we can improve on, and act on that.

We record promotional videos or interviews or take photos

It is in our legitimate interests to take photos and video and recordings to promote our businesses positively via our marketing and press releases.

When we record CCTV images or emergency phone calls

We may be required to do so by a licencing authority (legal obligation) or choose to do so for the purposes stated on the signage (legitimate interest).

When we record phone calls to our offices

It's in our legitimate interest to be able to use suitable recordings to train call handlers and to be able to refer to recordings when that can help resolve a dispute.

When an accident occurs

 We record accidents primarily for compliance with our legal obligations and to support and defend claims (legitimate interest).

When we impose a ban

We may impose a ban on visiting our premises, to protect our customers and staff (legitimate interest).

The ICO have published a helpful guide to lawful bases for the general public which you can find here.


We protect the personal data we hold from theft, accidental loss, corruption and other threats that would have a negative impact on our customers. Our protective measures include:

  • Not collecting personal data that we don’t really need
  • Securely destroying or anonymising personal data when we don’t need it any more
  • Only allowing our employees and our suppliers to process the personal data they need to carry out their duties
  • Encrypting personal data to render it useless to anyone who is not authorised to access it
  • Making sure that staff are trained on how to handle personal data safely and securely and are fully aware of their personal responsibilities
  • Binding our suppliers and partners to the same standards and duty of care that we hold ourselves to
  • Protecting our websites, networks and IT systems from unauthorised access and from threats such as denial of service attacks, viruses and malware
  • Making periodic checks that these safeguards are working well and making improvements to them when we think we can do better

Your Rights

Data protection law provides you with certain rights and as a responsible data controller, we are committed to uphold these.

Name of right



You have the right to be informed what we will use your personal information for, where we obtain it, who we share it with and how long we keep it for. This is the primary reason for publishing this notice.


You have the right to access a copy of your personal data and an explanation of what we are using it for. This is also known as a ‘subject access request’, ‘SAR’ or ‘DSAR’.


You have the right to ask us to correct or stop processing inaccurate personal data.

Erasure ('right to be forgotten')

You have a right in certain situations to ask us to delete your personal data.

Restriction of processing

You have a right in certain situations to ask us not to process your personal data.

Object to processing

You have the right in certain situations to object to the fact that we are processing some of your personal data.


You have the right in certain situations to ask us to pass some of your personal data to another data controller on your behalf.


You have a right to submit a complaint to the UK Information Commissioner’s Office (ICO).

withdraw Consent

Most of the personal data processing we do is not dependent on your consent but any consent that we are relying on can be withdrawn if you wish to do so.

Detailed information about all of these rights can be found on the ICO website.

Responding to your request

If you notify us that you want to exercise your rights, we will acknowledge your request promptly. if we don't already know who you are, we may need to ask you to provide us with additional information to enable us to verify your identity. The information we would need depends on the nature of your request.

Once we have confirmed your identity, we will validate your request and gather the information we need to be able to respond to it. We will carry out this work as quickly as possible but it may take up to 30 days to respond in full. If your request is particularly complex, we may ask you for further information to help us respond more quickly, or ask you if there is some information that you want particularly urgently. We may also respond to your request in phases, as relevant information becomes available.

If we cannot satisfy your request within 30 days, we will write to you to tell you why, and when we expect to be able to provide you with a full response.

Some of these rights are subject to conditions. If for any reason we decide that we cannot satisfy your request, we will provide you with our decision and our reasons for reaching it within 30 days.

Contact Us

If you want to discuss how we use your personal data, opt out of profiling, exercise your data protection rights or contact our data protection officer, you may write to: Greene King, Westgate Brewery, Bury St Edmunds, Suffolk, IP33 1QT; or send an email to:

Changes to this privacy notice

This notice is effective from 6th July 2020 11:00. You can see the previous version of this privacy notice here. You can check if the privacy policy has changed by revisiting this webpage at any time. If we make any significant changes to this policy, if we have your email address, we will email you to let you know.

< Back to Privacy