Great British Pub Card > complying with dp law


We have adopted the measures that we believe are necessary to comply with the Data Protection Act 1998 and we are preparing for the act’s replacement, which will fully embed the General Data Protection Regulation into UK law.

We have also adopted the measures that we believe are necessary to comply with the Privacy and Electronic Communications Regulations 2003. This law sets out an additional set of rules that we must follow whenever we communicate with you via any of our websites and apps, or by telephone, fax, email or text message.


We protect the personal data we hold from theft, accidental loss, corruption and other threats that would have a negative impact on our customers. These protective measures include:

  • Not collecting personal data that we don’t really need
  • Destroying or anonymising personal data securely when we don’t need it any more
  • Only allowing our staff and our suppliers to process the personal data they need to carry out their duties
  • Encrypting personal data to render it useless to anyone who is not authorised to access it
  • Making sure that staff are trained on how to handle personal data safely and securely and are fully aware of their personal responsibilities
  • Binding our suppliers and partners to the same standards and duties of care that we hold ourselves to
  • Protecting our websites, networks and IT systems from unauthorised access and from threats such as denial of service attacks, viruses and malware
  • Making periodic checks that all of these measures are working well and making improvements to them when we think we can do better


As well as the security measures mentioned above, we have a team of people whose job it is to make sure that Greene King does the right thing the right way whenever we’re processing personal data. This team includes a Data Protection Officer, who can be contacted using these  contact details.

There are a set of checks we apply to make sure we process personal data fairly and transparently. These include:

  • Providing you with clear and accurate information about why we need your personal data, what we do with it and how long we keep it for
  • Checking that our business interests don’t unfairly or unreasonably impact upon you or your rights
  • Identifying personal data processing risks and reducing them to an acceptable level
  • Responding honestly, clearly and promptly to enquiries we receive from you or from the Information Commissioner’s Office


The ICO have published a helpful guide to lawful bases for the general public which you can find  here. The lawful bases we rely on for the processing we do are shown in bold typeface in this table:


Lawful basis

When you use our websites

We process this personal data because it is in our legitimate interests to provide a fully-functioning, accessible and useful website to our customers.

When we need to verify your age

We process this data to satisfy our legal obligation to not sell alcohol to anyone under the age of 18. We also do so because it is in our legitimate interests to ensure that we do not market alcohol to anyone under the age of 18.

When you make a booking, payment, request a refund, use a loyalty card or gift card, use our Wi-Fi, enter one of our competitions or when we send you service-related communications

We process personal data for these core business activities firstly to set up the contract that commits us to providing you with the services you want, and secondly to provide the services to you, as agreed.

When you sign up for or opt out of direct marketing and when we send direct marketing to you

We are a responsible marketer, so we don’t send marketing to people who have asked us not to do so.


We send electronic direct marketing to people who consent to receive it, such as customers who sign up to one of our email clubs or to our customers who, when notified that we wanted to send them marketing information, chose not to opt out (this is a type of consent known as a soft opt-in).


Occasionally, we send marketing information by direct mail. In these cases, we do so as we believe it is in our legitimate interests to let our customers know about our products, brands, services and any special offers we are running.


Customers who no longer want to receive our marketing have the right to opt out by withdrawing their consent at any time. The easiest way to do this is to follow the instructions in the last marketing message you received but you can also notify our  guest relations team if you no longer want to receive direct marketing.

When we carry out profiling

We believe it is in everyone’s interest that we seek to learn from our customers to improve the relevance, appeal and value of the products, services and brands we offer.


This will help our business to continue to prosper, so this processing is a legitimate interest for us.

Promotional photos, video and audio are being recorded

We believe it is in our legitimate interests to take photos and video and recordings to promote our businesses positively via our marketing and press releases.

When you submit queries, compliments or complaints and when you participate in guest surveys

We receive and respond to lots of different types of enquiry. Sometimes our processing will be necessary for us to meet the terms of the contract we have with you.


Otherwise we do so because it is in our legitimate interests to allow you to tell us what you think of our service, what we do well and what you think we can improve on.

When we record CCTV images, emergency audio or telephone calls, when an accident occurs and when we impose a ban

We record accidents primarily for compliance with our legal obligations.


We use CCTV monitoring, emergency audio recording and record some of the telephone calls we receive because we think this is a proportionate approach to deterring the types of situations that present a safety risk to our guests and staff. If these deterrents are unsuccessful, we may impose a ban on visiting our premises, to protect our customers and staff. This processing is carried out because it is in our legitimate interests to do so.


Data protection laws give you certain rights and as a responsible data controller, we are committed to uphold these for you:

Name of right


How to make a request


You have the right to know what we want your personal data for, what we will do with it, who we share it with and how long we keep it for. This is the primary reason for publishing this notice.

Send any questions you have about our privacy notices to


You have the right to be sent information about the personal data we have about you and a description of what we are using it for. This is also known as a ‘subject access request’, ‘SAR’ or ‘DSAR’.

Send your request to


You have the right to ask us not to process inaccurate personal data or to ask us to correct it.

Send your request to our


Some conditions and limits apply to these rights: you can find out more about these on the  ICO website.

Erasure (‘right to be forgotten’)

You have a right in certain situations to ask us to delete your personal data.

Restrict processing

You have a right in certain situations to ask us not to process your personal data.

Object to processing

You have the right in certain circumstances to object to the fact that we are processing some of your personal data.


You have the right in certain circumstances to ask us to pass some of your personal data to another data controller on your behalf.


You have a right to lodge a complaint with the UK Information Commissioner’s Office or in some situations, another European Union data protection authority.

Send your complaint to the  ICO.


You can find a list of all European Union data protection authorities  here.

Withdraw consent

Most of the personal data processing we do does not rely on your consent to make it lawful but any consent that we are relying on can be withdrawn by you if you decide you wish to do so.

Follow the unsubscribe instructions in any of the marketing messages we have sent you or send your request to

Detailed information about all of these rights can be found on the  ICO website.


When you notify us that you want to exercise any of your rights, we will acknowledge your request as soon as possible and ask for any information we may need to verify your identify: if we don’t already know who you are, we will ask you to send us a copy of your passport or photo-card driving licence, so that we can check your name, address and signature.

Once we have confirmed your identity, we will validate your request then gather together the information we need to be able to respond fully to it.

Whilst we always try to carry out this work as quickly as possible, it may take us up to 30 days to respond to you in full. If your request is particularly difficult to respond to, we may ask you for any further information that will help us respond more quickly, or ask you if there is some information that you want particularly urgently. We may also respond to your request in phases, as relevant information becomes available.

If we cannot satisfy your request within 30 days, we will write to you to tell you why, and when we expect to be able to provide you with a full response. If for any reason we decide that we should not respond in the way you have asked us to, we will provide you with our decision and our reasons for reaching it within 30 days.