Privacy Policy

Join HEINEKEN, Eazle by HEINEKEN and Eazle by Star Pubs & Bars

INTRODUCTION and IDENTIFYING the CONTROLLER of your personal data

Heineken UK Limited and Star Pubs & Bars Limited are part of the Heineken Group.

If you are viewing this policy in connection with your visit to the Join Heineken or Heineken by Eazle websites, Heineken UK Limited is the company responsible for processing your data and references to "we", "us" or "our" in this policy means Heineken UK Limited.

If you are viewing this policy in connection with your visit to the Eazle by Star Pubs & Bars website, Star Pubs & Bars Limited is the company responsible for processing your data and references to "we", "us" or "our" in this policy means Star Pubs & Bars Limited.

If you have any questions about this privacy notice or our processing activities, we can be contacted as follows:

Mail: 3-4 Broadway Park, South Gyle Broadway, Edinburgh, EH12 9JZ, marked for the attention of the Privacy Officer; or
Email: protectingyourdata@heineken.co.uk.

It is important that you read this privacy notice together with our Cookie Policy and any terms of use that apply to the services or website which are presented to you. This privacy notice supplements the other notices and is not intended to override them.

2. HOW and WHAT personal data do we collect about you?

Personal data is any information about an individual from which that person can be identified. We may receive your personal data directly from you or otherwise have access to it if the information is publicly available.

This privacy policy describes how we look after your personal data collected when you engage with us including when (i) you visit our Join Heineken, Heineken Direct or Star Pubs & Bars Online websites; (ii) you purchase products or services from us; and (iii) we communicate with each other as part of our ongoing business relationship including where you contact us via our websites, email or telephone with an enquiry or complaint and where we send email or other communications to you ("Engagement").

We collect different categories of information which we have grouped together as follows:

Identity Data – name, username, title, place and date of birth and personal characteristics including age and gender;
Contact Data – billing address, delivery address, email address and telephone number;
Financial and Transactional Data - bank account and card payment details, and details about payments as well as products and services purchased from us;
Profile Data – preferences, feedback and survey responses;
Technical and Usage Data – information about how you use our websites (including your IP address and details about the devices you use to access our website). Please review the cookie policy on the relevant website for further information on this;
Marketing and Communications Data – preferences in receiving marketing and communications from us and information in terms of engagement with email communications (see Annex 1 for more details); and
Location Data – GPS-based location information from your use of our websites via your smartphone(s), tablet(s) or other devices.

We also collect, use and share Anonymised Data such as statistical or demographic data which is not reasonably likely to reveal your identity (directly or indirectly). For example, we may receive aggregated usage data detailing the percentage of users accessing a specific website. If we combine or connect Anonymised Data with other data so that it can directly or indirectly identify you, the combined data is 'personal data' which will be used in accordance with this privacy policy.

We do not knowingly:

Process any Special Categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health or genetics and biometric data). Nor do we process any information about criminal convictions and offences; or
Collect personal data relating to children. Further, we do not market our products or brands to anyone under the age of 18.

3. WHY do we collect your personal data?

We collect the above categories of personal data about you for the following purposes (more specifically described in Annex 1):

To enable you to register your interest in and/or create an account on our websites;
To complete our customer application process via the Join Heineken website;
To communicate with you and improve our products and services;
To administer our business and perform contracts with you;
To maintain and optimise our websites;
To market to you;
To conduct surveys/market research;
For analytical purposes including tracking how you respond to the emails we send you so that we can understand and improve our approach to marketing;
To enable you to partake in a promotion and for prize fulfilment purposes;
To protect our business, comply with our contractual or regulatory obligations and prevent or detect crime;
To satisfy our legal and regulatory obligations and co-operate with regulators and government bodies; and
To defend and exercise our legal rights, including in relation to managing actual and potential claims.

4. What is our LAWFUL BASIS for collecting your personal data?

Under data protection laws, we must have a lawful basis under which we process your personal data. We will only use your personal data for the purposes set out in section 3, unless we reasonably consider that we have another appropriate reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so.

If you provide us with your consent to processing in connection with your use of our websites, you can withdraw it at any time and we will stop the processing activities that were based on consent as a lawful basis. Please note we may still process the data if we have another lawful basis for processing (in most instances, this will be for a more limited purpose e.g. back-up storage or to record a withdrawal).

Where we need to collect personal data due to a legal or regulatory obligation, or for performance of a contract, and you do not provide that data when requested, we may not be able to continue our Engagement with you or perform the contract we have or are trying to enter into with you (for example, to provide you with products or allow you to participate in competitions). We will notify you of this at the time.

Further information on the relevant purposes and linked lawful basis are set out in Annex 1.

5. WHO do we SHARE your personal data with?

We may share your personal data with the parties set out below:

Internal third parties - other companies in the Heineken group based within the EEA and the UK (but not for any marketing purposes without your consent).
External third parties – which include:

IT and system administration service providers (including data storage providers and data management platform providers);
communications platform providers (i.e. vendors we use to send and manage email and SMS communications);
service providers such as solicitors, accountants, insurance companies and insurance claims managers, debt recovery agencies, payment processing companies, logistics companies and our technical dispense equipment services provider;
marketing and advertising companies and media agencies for marketing and research purposes, and to provide promotion services, data on-boarding services, research and marketing strategy services;
prize fulfilment agencies;
regulators, local authorities and government bodies, including the Police and HMRC, to comply with any legal or regulatory requirements or formal/informal investigations;
courts, parties to litigation and professional advisers where we reasonably deem it necessary in connection with the establishment, exercise or defence of legal claims; and
a purchaser or parties interested in purchasing any part of our business (and professional advisors supporting on the transaction).

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Where third parties act as processors on our behalf, we only permit them to process your personal data for specified purposes and in line with our instructions.

6. International transfers

Our external third parties may be based outside the UK or the EEA. Whenever we transfer your personal data out of the UK or the EEA, we ensure that the same level of protection is afforded to it by ensuring at least one of the following safeguards are put in place:

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and/or the UK Information Commissioner's Office and where we use certain service providers, we may use specific contracts approved by the European Commission and/or the UK Information Commissioner's Office which give personal data the same protection it has in Europe (or the United Kingdom).

7. How SECURE is my data?

We have put in place reasonable security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know - they are subject to a duty of confidentiality. Unfortunately, no transmission of information over the internet can be completely secure, and the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect account information and passwords. Please, take care to protect this information.

Our website and the Wi-Fi services include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites, plug-ins or applications and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit and third party service/application that you use.

8. How LONG will my personal data be used for?

We will only retain your personal data to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, tax, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider any legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means. Criteria used to determine retention periods for specific data collected are detailed further in Annex 1.

9. What are my RIGHTS?

Under data protection laws, you have various rights which are set out below. The rights available to you depend on our reason for processing your personal data. You are not required to pay any charge for exercising your rights, although we may charge a reasonable fee if your request is unfounded, repetitive or excessive. We have one month to respond to you (unless you have made a number of requests or your request is complex, in which case we may take up to an extra two months to respond). Please note that, where we ask you for proof of identification, the one-month time limit does not begin until we have received this. If we require any clarification and/or further information on the scope of the request, the one-month deadline is paused until we receive that information.

a. Right of access. You have the right to ask us for copies of your personal data. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

b. Right to rectification. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

c. Right to erasure. You have the right to ask us to erase your personal data in certain circumstances. You can read more about this right here.

d. Right to restriction of processing. You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

e. Right to object to processing. You have the right to object to processing of your personal data where we are relying on a legitimate interest or conducting direct marketing. You can read more about this right here.

f. Right to withdraw consent. Where we are relying on consent to process your personal data, you may withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

g. Right to data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent. You can read more about this right here.

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance using the details at the start of this policy.

This version was last updated in August 2023.

Annex 1 – PURPOSES, OUR LAWFUL BASIS, RETENTION PERIODS

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest

Retention period

Where you create an account on one of our websites.

Identity

Contact

Performance of a contract with you.

For the duration of your contract with us and for 2 years after a period of inactivity.

To process and respond to your interest in becoming a Heineken customer or a SmartDispense Customer or your application to add an additional outlet where you are already a customer of ours through our Join Heineken website.

Identity

Contact

Performance of a contract with you.

Information submitted through our Join Heineken website will be deleted 6 months after your application is made.

Where we perform a contract we have in place with you, including managing payments, fees and charges, and delivering the requested product or service.

Identity

Contact

Financial and Transactional

Performance of a contract with you.

To perform our legal obligations.

After the duration of your contract with us has expired, our online sales records will be retained by us for 7 years or longer if required by tax or corporate bookkeeping. This data will be removed after a period of 2 years of inactivity on your account.

To communicate with you and improve our products and services, which includes:

managing our relationship with you;
investigating and responding to enquiries or complaints;
making suggestions to you about various products and services that may be of interest to you;
sending you emails, newsletters or alerts;
asking you to complete surveys about how we can improve the products or services we offer you; and
asking you for information on how we can improve our websites or our Engagements with you; and
notifying you about changes to our terms or privacy policy.

Identity

Contact

Profile

Technical and Usage

Marketing and communications

Performance of a contract with you.

Necessary for our legitimate interests (for running our business, in order to offer you a good service and to protect our business).

Where required by privacy laws, consent.

Customer services will retain all information for 1 year after your question or complaint has been solved, or the inquiry was closed.

If you no longer wish to receive marketing communications from us, you can unsubscribe at any time. We will remove your email address once you have opted-out, unless this is also used and retained for other purposes listed in this privacy notice.

Survey feedback will be retained until it has fulfilled its intended purpose (Note: please see section 8 above “How LONG my personal data will be used for?” to learn more about the things we consider when determining how long we will retain your personal data).

To maintain and optimise our websites which includes where we need to solve performance issues, including troubleshooting, testing, system maintenance, support, reporting and hosting of data, to improve the availability and functionality of the websites.

Identity

Contact

Profile

Technical and Usage

Necessary for our legitimate interests to maintain the relevance of our brand and reputation, run our business, operate administration and IT services, protect network security and to prevent fraud).

Necessary to comply with a legal obligation.

We retain information relating to the performance of our websites for 2 years.

To conduct data analytics to improve our marketing strategies and customer relationships, so that we can issue relevant marketing content and offers and analyse email engagement. This includes:

identifying what subjects are of most interest to you;
using tracking technologies to understand how you respond to our emails (for example, whether you open the email, click-through links and/or unsubscribe); and
assessing the success of our marketing campaigns and communications.

See Annex 2 for more information on our marketing and profiling activities.

Identity

Profile

Marketing and Communications

Technical and Usage

Location

Consent

Data will be processed until an opt-out / objection is received or consent is withdrawn as applicable.

The cookie policy on the relevant website provides more information on specific cookie retention periods.

To administer and protect our business and our websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

Identity

Contact

Technical and Usage

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise);

Necessary to comply with a legal obligation.

26 months from website visit.

To enable you to partake in promotions and for prize fulfilment purposes, including:

prize with purchase promotions (including giveaways, instant wins and online, mobile, social media and app entries);
loyalty and reward schemes;
activity challenge;
sweepstakes, scratch card and raffle style promotions (including instant wins and online, mobile, social media and app entries);
sampling and point of sales promotions; and

geo-targeted activities (including gamification and SMS).

Identity

Contact

Financial and Transactional

Performance of a contract with you.

6 months following prize fulfilment (in certain cases the retention period may be longer due to the nature of the prize e.g. flight tickets – in such cases the personal data will be deleted when it is no longer required).