Let's start with the introductions ...

We are EG Group 

We are the organisation that is responsible for the personal information processing that this notice describes, and as described in data protection legislation, we’re the ‘data controller’.

Throughout this notice, when we use terms like ‘we’, ‘us’, ‘our’, or even ‘EG’, we’re referring to EG Group Limited. There are number of companies within EG Group, and whilst we have separate websites and privacy notices for other companies within EG Group, the general processing safeguards in this privacy notice apply to all EG Group companies.

Our company registration

EG Group Limited is a company incorporated in England and Wales.  Our registration number is 09826582 and our registered office is Waterside Head Office, Haslingden Road, Guide, Blackburn, Lancashire, United Kingdom, BB1 2FA.

Our data protection registration

As an organisation with operations across 10 markets, we comply with varying versions of privacy and data protection legislation. Here in the UK where we have our Headquarters, our data protection supervisory authority is the Information Commissioners Office, or ‘ICO’.

We’re registered with the ICO, these are the details of our registration:

Data Controller Name: EG Group Limited

Registration number: ZB089476

We have separate registrations with the ICO for a number of our group companies, including Euro Garages Limited (Registration Number Z3248731).

Our Privacy & Data Protection team

If you ever have a query about how we’re handling your personal information, or you want to exercise a right in relation to your information, there’s a number of ways you can contact our team.

You can write to us at: DPO, EG Group, Waterside Head Office, Haslingden Road, Guide, Blackburn, Lancashire, United Kingdom, BB1 2FA.

If you prefer to email, use dpo@eg.group

Your data protection rights

We’ll talk more later on about what we call ‘subject access requests’, but if you’d like to exercise one of these rights, you can submit a request using our individual rights form above, it’s quick, easy and goes straight to our Privacy & Data Protection team.

Personal data belonging to children

Our websites and our services are not specifically intended for children and we do not knowingly collect data relating to children. If you are under the age of 16, please obtain consent from your parent or guardian before you submit any personal data to us. If you are a parent or guardian of a minor and you have reason to believe your child or ward has provided us with their personal data without your prior consent, please contact us to request the erasure of their personal data or for the minor to be unsubscribed from our mailing lists.

We’re protecting your information

We are committed to your upholding your privacy and protecting the information that we have. So we describe how we collect, use, and share your personal information.

Privacy and data protection are ever changing and enhancing the rights of individuals. As such, we review how we use personal information, and we may update this privacy notice from time to time to reflect changes in applicable laws or the way we use your personal information. The privacy notice displayed on this page is always the most up to date version.

We would encourage you to re-visit our privacy notice from time to time so that you are aware of any relevant updates we have made.

 

What do we mean by personal information?

In recent years, the most widely talked about data protection law was the EU’s General Data Protection Regulation, also known as the GDPR. The UK adopted the GDPR into UK law and it’s commonly known as the UK GDPR. As you’ll see below, the definition of personal information is quite broad, and we recognise and respect personal information, defined as: -

“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

 

How do we categorise information?

To help explain the different types of information we use, we use categories. Now, it’s worth pointing out that we only collect personal information that is appropriate and lawful, and we comply with data protection legislation around the world, and there may be locations where we are not permitted to collect the types of information we’ve listed below. But in general terms, this describes the categories we use.

Identity information

Information specifically related to your identity which includes, your full name, marital status, title, date of birth, national insurance details and other recognised official identity documents.

Contact information

The contact information of you and others, including, email addresses and telephone numbers, postal address details and social media handles.

Technical data

In this technical age there is quite a bit of technical data around, including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. With your permission, we’ll collect information about how you use our website.

Marketing and communications data

We’d like to develop lasting relationships and to help with this we collect information about your marketing preferences. But don’t worry, we’re not interested in bombarding you with marketing content, just timely and relevant information about services and products we care about and that we think are relevant to you. We put you in control, so you always have the option to decline this or opt out at any point.

Location data

We may access and collect your geolocation information in order to facilitate our services, such as enabling the functionality of our websites to provide you with information about stores near you. We may also use information about the location of the device you are using to help us understand how our website and other services and functionality are being used and to deliver more relevant advertising.

Transactional & financial information

We may collect information about the products you buy, billing address, method of payment, and payment details.

Further information about engagement with us

We collect information from you when you submit a review, comment or other content to our websites or on our social networking pages, and when you contact us. In addition, we track when you like us or share our content through Facebook, Twitter, Instagram or other social networking platforms. Please see our Cookie Policy for more information.

Special categories of personal information

Specifically, through our Global Careers portal, for the purpose of employment and assessing the working capabilities of our employees, we may process special category personal information. There may be instances where other special categories of personal information are disclosed to us, but this is incidental and not part of an organised processing activity.

Data requiring special protection

There may be instances where we process criminal record checks, but this is only done where necessary, aligned to local laws and is strictly limited to specific people in our teams.

You can, of course, always browse our websites without registering or submitting your personal information to us.

 

How we may collect personal information

Personal information you voluntarily provide to us

It’s important to state that we only collect personal information that is relevant to our relationship with you, for example:-

• when you visit our websites, or use our mobile applications, we use cookies and similar technologies, and we cover this in more detail in our Cookie Policy and our Cookie Settings
• when you subscribe to our mailing lists;
• when you register on our Investor Portal;
• when you attend events or meetings organised by us, or conducted at our offices or sites, for example, sales events, promotional and marketing events, training sessions and social events;
• when your images are captured by us via CCTV cameras while you are within the properties we operate and use, or when photographs or videos of you are taken when you attend events, meetings or training sessions organised by us;
• when you use our services or enter into transactions with us, or express an interest in doing so, including services, products and transactions in person at one of our many locations or electronically;
• when you communicate with us by telephone, email, via our website or through other communication channels, for example, through social media platforms;
• when you submit an employment application to us or when you provide documents or information including your CV in connection with such applications;
• when you make a purchase through our websites; and/or
• when you submit your personal information to us for any other reason.

Personal information that has been provided by others

Depending on your relationship with us, we may also collect your personal information from third party sources, for example:-

• from your referees, educational organisations or previous employers (if you have applied to us for a job);
• from your family members, friends or colleagues who provide your personal information to us on your behalf; and/or
• from public agencies or other public sources.

 

Being transparent about our personal information processing

Lawful basis

There are specific reasons set out in data protection law that ensure personal data processing is lawful, this is known as a ‘lawful basis.

We always have a lawful basis for processing personal information, and we have methodically assessed the purpose or our processing and the lawful basis.

It’s safe to say that we have a comprehensive list of all of ways we use personal information, which are called ‘processing activities’. If you would like more information about a particular processing activity, we’re more than happy to provide that. You can ask us for information using any of the methods we outlined earlier.

Here are some of the more common ways we process your information, our lawful basis and how we try to ensure your information and rights are respected:-

Processing type	Data category	Our lawful basis	Specific purpose, and the respect of your information rights
Communication via email, post or telephone	Contact data	Contractual Obligation	When you’ve asked us to, we’ll use your information to contact you with details of our products, events and services and to facilitate our relationship with you, your business or colleagues. You can of course ask us not to contact you, but it's likely to affect our ability to fulfil our obligations to you.
Customer relationship management	Identity & Contact data	Legitimate Interest	We organise our customer records within customer relationship systems, basically an electronic rolodex. We securely store, access, and analyse the information that we have in our CRM systems. The use of our CRM systems helps us ensure the smooth operation of our businesses, plan effectively and it helps us analyse how our business is doing. You can ask for access that that information, ask us to update it, or for us to remove it.
Customer service tickets	Identity, Contact, Technical data	Legitimate Interest	When you have enquiry or complaint, we use customer service tickets to help us manage the process properly. You can ask for access that that information, ask us to update it, or for us to remove it
Training and other corporate events	Identity, Contact, Special category health data	Contractual Obligation/ Consent	The information you provide will be used to communicate with you about your attendance at the event and to follow-up on your experience post-event. The personal information we may process could include your name, job title and employer, address and phone number, email address, dietary requirements, access requirements. We will ask for your consent to process health related data
Email marketing to consumers	Identity & Contact data	Legitimate Interest	We like to let our customers know about our services, products or projects, and when you’re already a customer, we think you’ll be happy for us to send you relevant information. But you can object or opt out of that at any point
Promotional Images and film footage	Identity Data	Consent	We may take photographs and / or video footage at our offices or an event we host, which could capture personal information of staff, customers, visitors and other third parties. We will always notify participants when a photographer or filmmaker is present at our offices or events. Written consent will always be obtained, and we will respect the wishes of anyone who signals their desire not to have their image taken and will always ask for consent where photos are to be published alongside a name or other personal identifier. You have the right to withdraw consent at any time or to opt out of the activity
Collection/analysis of statistical information about website usage	Technical & Usage data	Consent	To manage and improve how people engage with our public-facing channels. The information we collect tells us about how you use our website, what links you follow and tells us what you’re most interested in
Sharing information with Companies House, Accountants, legal advisors, HMRC and Statutory authorities	Identity, Contact, Financial & Special category data	Legal Obligation	We are subject to audits and assessments from industry standard bodies and in the protection of our interests and to comply with UK law, we may be obligated to share information with the statutory authorities
Administrative purposes	Identity, Contact & Financial data	Legitimate Interest	We may disclose your personal information to other companies within EG Group, our investors and third parties who provide services to us, including our service providers and data processors (providing services such as hosting and maintenance services, analysis services, e-mail messaging services, delivery services, handling of payment transactions, marketing, human resources, professional services, tracing services and when we investigate suspected theft) and our consultants and professional advisors (such as accountants, compliance, lawyers, auditors).
Fulfil job roles and recruitment	Identity, Contact, Special category health data	Contractual Obligation/ Legitimate Interest	If you apply for a job with us, in addition to the specific position which you have applied for, we pass your personal information to other departments within the EG Group, for the purpose of offering alternative or additional employment opportunities. We’d really like to find work for you, but of course, you can ask us not to do this.
Security and Safety	Identity, Contact, Technical & Usage data	Legal Obligation /Legitimate Interest	We may process personal data for the specific purposes of security and safety. This is in connection with the buildings that we own and/or rent, or events organised by us or conducted at the buildings we own and/or use; and through the systems that we operate throughout the organisation. We use CCTV in and around our sites, we also use cameras that will automatically recognise your vehicle registration, known as ANPR. We use this technology to prevent, report and investigate crime.
Marketing engagement metrics	Identity, Contact, Technical & Usage data	Consent	If you would like to receive tailored information about products and services, you will have the opportunity to consent to this. We use cookies to help with the process of delivering digital marketing and tracking your preferences
Investor relations	Identity, Contact, Technical & Usage data	Legitimate interest	We like to build lasting relationships with our Investors, and as well as providing an Investor Portal, which captures limited information so that you can access confidential information, we’ll also use your information to invite you to Press Releases, Presentations and other Investor Relations events
Personalise content	Contact information, Technical data, Location data	Consent	To make recommendations to you about our services; to tailor the information that we send or display to you; to offer customisation, based on your location; and to otherwise personalise your experiences based on your purchase history and your interactions with our websites, and social networking pages.
Testimonials	Identity information	Consent	To publish your user experience on our websites or social networking pages.
Process your orders or purchase	Identity data, Contact information	Performance of a Contract	When you make a purchase through our Cinnabon UK site, we use your information to processand delivery your purchases. In order to send your order, we will share your information with our third-party courier, Evri. For more information about how they process personal data, please visit their privacy notice.

When you provide consent to processing

Where you have given your consent for us or a 3^rd party of ours to process your data, you can withdraw your consent at any time. Where consent has been used as the lawful basis for processing your information, the information we provide about our processing activities will be fair, transparent, unambiguous and you will have the power to decide whether you give consent.

Where legitimate interest is the most appropriate lawful basis

When processing your personal information is a legitimate interest for us, or a third-party, we undertake legitimate interest assessments to ensure that our processing does not impact on the rights and freedoms that you have been afforded by data protection legislation.

Use permitted under applicable laws

We may also collect, use, disclose and process your personal information, without your knowledge or consent, where this is required or permitted by law.

 

When we share your personal information

While providing the services or products that you request from us, we share your information with our processing partners, known as recipients and data processors.

When disclosing personal information to third parties, we have contracts with these third parties to protect your personal information, which ensures we are compliant with the law and so that they only process your personal information in accordance with our instructions.

We conduct thorough due diligence with both recipients and data processors around the areas of their data security protocols and data protection policies.

Recipients of your personal information

We share your personal information for the following reasons or when required law, for example:-

• personal information is shared internally, across EG Group companies, which can include international colleagues.
• our third-party vendors and service providers, who are engaged to provide business, support, operational and/ or administrative functions such as IT support, auditing, legal, marketing, website maintenance, payment, fulfilment and delivery of orders.
• regulatory authorities, statutory bodies or public agencies, including to support their investigations.
• if the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.
• credit reference agencies, debt collection and tracing agencies, financial organisations.
• investigations by government or law enforcement authorities.
• we use Shopify to power our online Cinnabon UK store and you can read more about how Shopify uses your personal data here: https://www.shopify.com/legal/privacy.

Third-party links

Our websites contains links to third-party websites. Any access to and use of such linked websites is not governed by this Policy, but instead is governed by the privacy policies of those third-party websites. We are not responsible for the information practices of such third-party websites. Please read their respective privacy policies for information about how these third parties handle the processing of personal information and other information.

Sharing your information internationally

In the provision of our websites and services to you, we use data processors that are outside of the UK. The UK General Data Protection Regulation has strict rules about data transfers to international organisations and we use approved data transfer mechanisms, and use contracts with model clauses to safeguard the information that we may transfer. We take extra steps to ensure comprehensive due diligence of the data processing activities of our data processors. If you would like any more information, please get in touch by contacting our Data Protection Officer, details can be found at the end of this Privacy Notice.

 

The security of your personal information

Unauthorised access

We have put in place security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Specific access

We limit access to your personal information to those employees, agents, contractors and other third parties who have been authorised to access your personal information.

Vulnerabilities

We have put in place procedures to deal with any suspected personal information breach and will notify you and the appropriate supervisory authority of a breach where we are legally required to do so.

However, we cannot guarantee that our systems or applications are invulnerable to security breaches, and we can’t provide warranty, guarantee, or representation that your use of our systems or applications is safe and protected from viruses, and other vulnerabilities.

We also cannot guarantee the security of information that you choose to send us electronically. Sending such data is entirely at your own risk.

 

How long we keep personal information

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for different aspects of your personal information are available and you can request more details of that by contacting our Privacy & Data Protection team.

 

You have rights when it comes to your personal information

At any point while we have your personal information you can exercise what we can subject access requests, or individual rights. Privacy and data protection rights can differ depending on your location, but these are the rights that you have if you live in the UK and Europe.

Right of access

You have the right to request a copy of the information that we hold about you. Access to a copy of your personal information is often known as a Subject Access Request, is usually free of charge and we have a one-month time period with which to respond.

If requests to information are excessive or unfounded, the law permits an extension to the one-month timeline of up to two further months if the request is particularly complex. It is also permitted to apply a fair administration fee for access requests that are deemed manifestly unfounded or excessive or if further copies of data are requested.

Right of rectification

You have a right to review and correct data that we hold about you that is inaccurate or incomplete.

Right to be forgotten

In certain circumstances you can ask for the data we hold about you to be erased from our records. As detailed within data protection law, a request to be forgotten is not an absolute right and will be assessed on its merits.

Right to restriction of processing

Where certain conditions apply to have a right to restrict the processing. In particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing.

Right of portability

You have the right to have the data that you have provided to us, for the fulfilment of a contract or where you have provided your consent, transferred in a structured and machine-readable format to another organisation.

Right to object

You have the right to object to certain types of processing, in particular where we process your personal information for marketing purposes, this is an absolute right. You will be able to object to or opt out of any marketing message we send you.

Right to object to automated processing, including profiling

You also have the right to be subject to the legal effects of automated processing or profiling.

Right to judicial review

In the event that we refuse your request under rights of access, we will provide you with a reason why. You have the right to complain about that, and we have provided a specific section on this below.

All of the above requests will be forwarded on should there be a third party involved in the processing of your personal information.

Regardless of where in the world you live or work, you could fill out our individual rights form.

 

What to do when things don’t go as planned

If you ever wish to make a complaint about how your personal information is being handled by us or third parties, or how your complaint has been handled, you have the right to lodge a complaint directly with the relevant supervisory authority where you live, and with our Privacy & Data Protection Office.

We'd like to try and resolve a complaint

You can write to us at: DPO, EG Group, Waterside Head Office, Haslingden Road, Guide, Blackburn, Lancashire, United Kingdom, BB1 2FA.

If you prefer to email, use dpo@eg.group

If you wish to lodge a complaint with a supervisory authority

The UK’s supervisory authority is the Information Commissioners Office.

Postal Address:

Information Commissioner, Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Web: https://ico.org.uk/make-a-complaint/

Telephone: 0303 123 1113

 

If you'd like more information about this privacy notice 

If you have any queries about this privacy notice, please feel free to get in touch with our Privacy & Data Protection team and we will do our best to answer your questions.

This Privacy Policy is effective from November 2022.