Returning User Login

Whitbread Data Protection Policy

Every day, our teams do a fantastic job serving millions of customers across all our different brands. Their incredible passion, and our business philosophy, is captured in our Customer Heartbeat model. Together with our values, it forms the bedrock of our business.


In a world where data and digitalisation are key components for a successful business, how we protect and securely store personal data is of huge importance to us. We aim to continually build on our trusted reputation in our industry by treating customer, colleague, business partner and stakeholder data to high data protection standards. Trust is hard to win, but easy to lose. Creating a culture where people treat data in the way it needs to be treated requires everyone to work and behave according to these high standards.


This policy sets a globally applicable data protection and security standard for our company and regulates the sharing of information both internally and externally. It's important that everyone understands what's expected of them, so if there's anything you're not sure about, please speak to your line manager or a member of the Data Protection team.


We're all responsible for representing Whitbread and protecting our reputation. By following this Policy and associated guidance documents, we can maintain the trust of our customers and build an even better business.


Kind regards,


Dominic Paul, Chief Executive



1.1 The purpose of this Data Protection Policy (“Policy”) is to ensure that, in complying with this Policy, Whitbread has the adequate level of data protection as prescribed by the General Data Protection Regulation[1] ("GDPR") and the national laws for cross-border data transfer, including in countries that do not yet have adequate data protection laws.

1.2 There are many different categories of data which are processed by Whitbread:  data in relation to our employees, our customers, our suppliers and other third parties.  We have a legal obligation only to hold the data which we strictly need to operate our business, and to look after this data very carefully.  Those who give us their data have rights to see what data we hold, how long for and to have it deleted if necessary.  This Policy sets out all of these obligations. 

1.3 This Policy applies worldwide to Whitbread Group PLC and all of its group companies, affiliated companies and their employees ("Whitbread"), and sets out the principles that shape Whitbread’s data protection compliance. Under this Policy, there are data protection guidance documents which apply the principles to specific functions and/or topics. These are available with this Policy on the Data Protection policy section of the intranet.

1.4 Whitbread is committed to complying with its data protection obligations and recognises that the correct and lawful treatment of personal data is critical to our success.

1.5 This Policy is for internal use only and cannot be shared with third parties, clients or regulators without prior authorisation from the Whitbread Chief Privacy Officer ("CPO").

1.6 The details of the CPO and the Data Privacy Team are set out under the Data

Protection site of Whitbread’s intranet. Any guidance referred to herein is also available under that site.



2.1 This Policy extends to all processing of personal data by Whitbread. In countries where the data of legal entities is protected to the same extent as personal data, this Policy applies equally to data of legal entities. Fully anonymised data, e.g. for statistical evaluations or studies, is not subject to this Policy.

2.2 This Policy comprises the internationally accepted data privacy principles without replacing the existing local laws. It supplements local data privacy laws. The relevant local law will take precedence in the event that it conflicts with this Policy, or it has stricter requirements than this Policy. The content of this Policy must also be observed in the absence of corresponding local law. The reporting requirements for data processing under local laws must be observed.

2.3 Each Whitbread company is responsible for compliance with this Policy and the legal obligations. If there is reason to believe that legal obligations contradict the duties under this Policy, the relevant Whitbread company must inform Whitbread Legal. In the event of conflicts between local law and this Policy, Whitbread Legal will work with the relevant Whitbread company to find a practical solution that meets the purpose of this Policy.



3.1 Whitbread will comply with the following principles relating to the processing of personal data. Personal data must be:

3.1.1 processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);

3.1.2 processed only for the purpose that has been defined (Purpose Limitation); 

3.1.3 adequate, relevant and limited to what is necessary (Data Minimisation);

3.1.4 deleted when it is no longer necessary (Storage Limitation);

3.1.5 accurate, complete and, if necessary, kept up to date (Accuracy); and 

3.1.6 treated as confidential and secured with suitable organisational and technical measures (Security, Integrity and Confidentiality). 

3.2 Whitbread must be responsible for and be able to demonstrate compliance with the data protection principles listed above.

3.3 Where there are references in this Policy to agreement or consent, such agreement or declaration of consent must be obtained and recorded in writing or electronically for the purposes of documentation (unless expressly stated otherwise). 



4.1 The collection, processing and use of employee personal data (names, addresses, phone numbers, personal performance data, salary information, gender, ethnic background, medical history, bank details etc.)  is only permitted under the following legal bases:

4.1.1 Data processing is necessary for the employment contract - personal data can be processed in employment relationships if it is needed to initiate, carry out and/or terminate the employment contract. 

During the recruitment process, the applicants' personal data can be processed. If the candidate is rejected for the role, their personal data must be deleted in accordance with the retention policy, unless otherwise agreed with the candidate. If you wish to use the data for future roles or wish to share with other Whitbread companies, a legal basis is required e.g. consent, legitimate interest etc. 

If you need to collect information on an applicant from a third party (references etc.), national laws must be observed. If there is any doubt, consent should be obtained from the data subject. 

Any processing of employee data which is not deemed to be contractual requires another lawful basis, such as consent of the employee or the legitimate interest of Whitbread.

4.1.2 Data processing where consent has been given by the data subject – employee data can be processed on receipt of consent of the person concerned, such as when a photograph is intended to be used on a Whitbread website or newsletter. Such declarations of consent must however be submitted voluntarily, as involuntary consent is invalid. 

4.1.3 Data processing necessary to meet a legal obligation – the processing of employee data is also permitted where local law requests, requires or authorises it. The extent of data processing must be relevant and comply with the statutory provisions. If flexibility is permitted by statutory provisions, the interests of the employee must be taken into consideration.

4.1.4 Data processing authorised through a collective agreement – if a data processing activity exceeds the purposes of fulfilling a contract, it may be permissible if authorised through a collective agreement which specifies the purpose of the intended data processing activity.

4.1.5 Data processing is necessary for the purposes of pursuing a legitimate interest – personal data can also be processed if it is necessary to enforce a legitimate interest of Whitbread. Employee personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the employee override our legitimate interest. It is necessary to determine this prior to processing the personal data by completing a legitimate interest assessment (commonly referred to as an LIA).

4.1.6 Processing of special categories of personal data – special categories of personal data can only be processed under certain conditions. These special categories are: racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, data concerning health, sex life and orientation, and trade union membership. Under certain local laws, further data categories may also be considered highly sensitive/special categories, such as financial data, and criminal records can often only be processed under special requirements. 

Processing of such personal data must be expressly permitted or prescribed by law. Processing can also be permitted if necessary for Whitbread to fulfil its rights and duties under employment law. The employee can also provide explicit consent to such processing.

If there is a need to process special categories of personal data, the CPO must be informed in advance.

4.1.7 Processing of personal data produced by automatic means – we must be cautious when processing and evaluating personal data automatically (using technology) as part of the employment relationship, especially in the event automatic processing could negatively impact the data subject. In the event such processing is likely to have a negative effect, the final evaluation must be made by a natural person. In addition, the data subject must always be informed of any decisions made by automated means and they have the right to request human intervention.

4.1.8 Processing of personal data using telecommunications and the internet Whilst employed by Whitbread, employees may be provided with telephone equipment, email addresses, intranet and internet social networks for work related assignments. These tools must be used in compliance with applicable legal regulations and internal company policies. 

4.2 Please note that one of the above legal bases is also required if the purpose of collecting, processing and using the personal data has changed from the original purpose.



5.1 The collection, processing and use of customer and partner personal data (names, addresses, e-mail addresses, bank account details, health data, information about stays in hotels etc.) is only permitted under the following legal bases: 

5.1.1 Data processing for marketing purposes - if a data subject requests information about our products or services (e.g. requests a quote), data processing is permitted to fulfil this request and data captured can also be used for marketing or market research activities. The data subject must however have been informed about this in advance.  

Where data subjects are requested to provide personal data only for marketing purposes, disclosure is voluntary and the data subject must be informed of this. In this scenario, consent for marketing must be obtained and the data subject should be given a choice of contact (e.g. email, mail, SMS). 

If the data subject objects to receiving marketing, the data subject has opted out and systems must be updated to reflect this to ensure that data subject receives no marketing. Any further restrictions from specific countries in relation to using personal data for marketing need to be adhered to. 

5.1.2 Data processing where consent has been given by the data subject - where consent is relied upon, it must be documented in writing or electronically. In certain circumstances verbal consent can be given, but this must be documented (e.g. in system record notes). Prior to giving the consent, the data subject must be informed of how his/her personal data will be handled. 

5.1.3 Data processing necessary to meet a legal obligation - personal data may be processed if local law requires or allows it. The type and extent of data processing must be relevant and comply with the applicable statutory provisions. 

5.1.4 Data processing is necessary for a contractual relationship – the personal data of relevant prospects, customers and partners can be processed for contractual purposes, this includes negotiations. 

Prospective customers may provide their personal data before entering into a contract with us, and we can contact them during the contract preparation process, however any restriction requests (such as only communicate by email) must be complied with. 

5.1.5 Data processing is necessary for the purposes of pursuing a legitimate interest – personal data can be processed if it is necessary for a legitimate interest of Whitbread. Personal data may not be processed however, if there is evidence that the interests of the data subject override the business’ interest. It is necessary to determine this prior to processing the personal data by completing a legitimate interest assessment (commonly referred to as an LIA). Legitimate interests include for example legal interests (e.g. collection of outstanding debt) or commercial interests (e.g. to avoid a breach of contract).

5.1.6 Processing of special categories of personal data – special categories of personal data can be processed if the law requires it (such as processing medical information to accommodate an individual with a disability) or the data subject has given express consent. 

5.1.7 Processing of personal data produced by automatic means - where automated decisions are taken, the data subject must be informed of the facts and results of that automated decision and given the opportunity to respond. To ensure the decisions are correct, a test and plausibility check must be carried out. 

5.1.8 Processing of personal data using the internet - where customer personal data is processed on apps and websites, the data subjects must be informed of this in a privacy notice and provided with information about any cookies used. If user profiles are tracked then data subjects must always be informed. Tracking may only be used if permitted under local law and the data subject has consented. 

If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during such access 

5.2 Please note that one of the above legal bases is also required if the purpose of collecting, processing and using the personal data is to be changed from the original purpose.



6.1 In the event that personal data is transferred to a recipient outside the European Union (“EU”), including to a company within Whitbread, we must ensure that this transfer is allowed and complies with other elements of this Policy regarding all such international transfers. This does not apply if transfer is based on a legal obligation. A legal obligation of this kind can be based on the laws of the country of the relevant Whitbread company transferring the personal data or an acknowledgement of the legal obligation of a third country.

6.2 If personal data is transferred by a third party to a Whitbread company, it must be ensured that the personal data can be used for the intended purpose and the data subject is informed, with consent obtained if required.

6.3 If personal data is transferred from a Whitbread company with its registered office in the EU/European Economic Area to a Whitbread company with its registered office outside of the European Economic Area (third country), the Whitbread company importing the personal data is obligated to cooperate with any inquiries made by the relevant supervisory authority in the country in which the party exporting the data has its registered office, and to comply with any observations made by the supervisory authority with regard to the processing of the transferred personal data. The same applies to personal data transfer by Whitbread companies from other countries. Guidance should be obtained from the CPO for any transfer of personal data outside of the EU/European Economic Area.



7.1 Whitbread will not share personal data with third parties, such as external service providers, unless:

7.1.1 the third party has agreed to comply with the Whitbread data security standards, policies and procedures (if required) and to maintain adequate technical and organisational measures and to only act on the instructions of the relevant Whitbread company;

7.1.2 consent has been given by the individual(s) or the sharing is necessary for one of the following reasons: to fulfil a contractual or legal obligation, for the business to pursue its legitimate interest or to protect the life of an individual. ;

7.1.3 the data sharing arrangement is reflected in the privacy notice provided to the data subject, and if required, the data subject's consent has been obtained;

7.1.4 if appropriate, the third party has satisfied the Whitbread due diligence process;

7.1.5 in the event that it involves a cross-border transfer of personal data, an adequate data transfer mechanism is in place as required by data protection laws; and

7.1.6 a fully executed written contract that contains the provisions required by the applicable data protection laws has been entered into between the relevant Whitbread company and the third party.



8.1 Whitbread must ensure that it correctly recognises and responds to requests made by data subjects to exercise their rights under data protection laws, which include the right to: 

8.1.1 request information on personal data held relating to him/her such as how the data was collected, and for what purpose.;

8.1.2 request the transfer of their personal data to another party, in a structured, commonly used and machine readable format;

8.1.3 if personal data is incorrect or incomplete, to demand that it be corrected;

8.1.4 object to the processing of his or her data for purposes of marketing or market/opinion research (including any related profiling) at any time:

8.1.5 request his/her personal data to be deleted if the processing of such personal data has no legal basis, or if the legal basis has ceased to apply. Whitbread’s Master Data Retention Schedule (available on the Data Protection section of the intranet in Policies and Guidance) must be observed;

8.1.6 request that Whitbread restricts the processing of their personal data, for example if the data subject contests its accuracy; and

8.1.7 object to the processing of their personal data where Whitbread is relying on a legitimate interest to process, and there is something about the particular situation which makes the data subject want to object to the processing. Where Whitbread receives such an objection, it will need to stop processing the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or where it is necessary for the establishment, exercise or defence of legal claims.



9.1 Personal data must be protected from unauthorised access and unlawful processing or disclosure, as well as accidental loss, modification or destruction by appropriate technical and organisational measures. This applies regardless of whether data is processed electronically or in paper form. 

9.2 These measures should include, where appropriate:

9.2.1 the pseudonymisation and encryption of personal data;

9.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

9.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

9.2.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

9.3 All of Whitbread are responsible for protecting the personal data which they process, and must take appropriate security measures to protect personal data against unlawful or unauthorised processing and against the accidental loss of, or damage to, personal data.

9.4 Any unauthorised collection, processing, or use of such data by Whitbread is prohibited. Any data processing undertaken by an employee that he/she has not been authorised to carry out as part of his/her legitimate duties is unauthorised. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. 

9.5 Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorised persons, or to make it available in any other way. Line managers must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation to protect data secrecy shall remain in force even after employment has ended.

9.6 For further information on Whitbread’s Information Security standards please see the Information Security Policies and associated contact details on the Whitbread intranet.



10.1 All employees must immediately inform their line manager or the CPO (through immediately about cases of violations against this Policy or other regulations on the protection of personal data (data breaches). The line manager responsible for the relevant team is required to inform the CPO immediately about any data breaches.

10.2 In cases of:

10.2.1 improper transmission of personal data to third parties,

10.2.2 improper access by third parties to personal data, or 10.2.3 loss of personal data,

a report of the breach must be immediately provided to the CPO at by the relevant team so that any reporting duties under national law can be complied with. Further details of Whitbread’s approach to data breaches can be found in the Information Security section of the intranet.



11.1 Compliance with this Policy is overseen by the CPO (available at The following senior roles are responsible for ensuring that Whitbread complies with this Policy and for implementing it and all related policies and relevant practices, processes, controls and training to ensure such compliance:

11.1.1 Chief Executive (CEO) – has overall responsibility for ensuring that Whitbread can demonstrate its accountability and compliance with data protection laws and this Policy;

11.1.2 Chief Privacy Officer (CPO) – reports directly to the Whitbread Executive Committee and is responsible for providing independent oversight and guidance for compliance with data protection laws;

11.1.3 Chief Information Security Officer – has responsibility for information system data security risk within Whitbread; and

11.1.4 Managing Directors/Directors of the Whitbread Business Units and Functions – are responsible for compliance with this Policy and the risks arising from the holding and use of information, each within their business areas.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council



We're shaking up the steak world and offering you a fresh + exciting approach to dining out.

Find out more

Our first brand and still one of the UK's best loved restaurants.

Find out more

Our aim is - 'To serve the nation's favourite pub food, at great value prices, in a family friendly environment.'

Find out more

Cookhouse & Pub, a great place to get together.

Find out more

hub by Premier Inn is a smart new concept in urban hotels.

Find out more

Is it our beds, our food, our great value or our people that people love so much?

Find out more

Table Table is the perfect place to get together with family and friends.

Find out more

We serve up delicious dishes full of seasonal flavour and a variety of drinks including local cask ales.

Find out more

We get to serve an amazing 25 million customers each month in the UK.

About Us
A new kind of hotel for Premier Inn

A new kind of hotel for Premier Inn

The first ZIP will be opening in Cardiff March 2019, with more coming soon. Keep your eyes peeled for a ZIP near you.