This GDPR Compliance statement explains how The Bull ("we", "us", "our") complies with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. These regulations set guidelines for the collection and processing of personal information of individuals within the European Union and the United Kingdom.
GDPR Principles
We process your data in accordance with the following GDPR principles:
- Lawfulness, fairness and transparency: We process your data lawfully, fairly and in a transparent manner.
- Purpose limitation: We collect your data for specified, explicit and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data minimization: We only collect and process data that is adequate, relevant and limited to what is necessary.
- Accuracy: We take reasonable steps to ensure your personal data is accurate and kept up to date.
- Storage limitation: We retain your data only for as long as necessary for the purposes for which it was collected.
- Integrity and confidentiality: We process your data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
- Right to be informed: You have the right to know how your personal data is being used. This information is provided in our Privacy Policy.
- Right of access: You have the right to request copies of your personal data that we hold.
- Right to rectification: You have the right to request that we correct any information you believe is inaccurate or incomplete.
- Right to erasure: You have the right to request that we erase your personal data, under certain conditions.
- Right to restrict processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
- Right to data portability: You have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.
- Right to object: You have the right to object to our processing of your personal data, under certain conditions.
- Rights in relation to automated decision making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you.
Legal Basis for Processing
We process your personal data under one or more of the following legal bases:
- Consent: You have given clear consent for us to process your personal data for a specific purpose.
- Contractual necessity: Processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
- Legal obligation: Processing is necessary for us to comply with the law.
- Legitimate interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.
Data Protection Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data where appropriate;
- Regular testing, assessing and evaluating the effectiveness of our security measures;
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Regular staff training on data protection and security;
- Implementation of access controls to limit access to personal data to authorized personnel only.
Data Breach Notification
In case of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (the Information Commissioner's Office in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of our specific retention periods are available upon request.
International Data Transfers
We generally process and store your personal data within the UK and European Economic Area (EEA). If any data transfers outside the UK/EEA are necessary, we ensure appropriate safeguards are in place to protect your personal data to the same standard as required within the UK/EEA.
Making a Data Subject Access Request
If you wish to exercise any of your rights under GDPR, please contact us using the details below. We will respond to your request within one month. There is no fee for making a request, but we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.
Data Protection Officer
While we are not required to appoint a Data Protection Officer under GDPR, we have designated a person responsible for overseeing our data protection strategy and implementation. If you have any questions about this GDPR compliance statement or how we handle your personal information, please contact:
The Bull - Data Protection
26 Main Street
Gristhorpe
YO14 9PP
United Kingdom
Email: dpo@bull-inn.com
Complaints
If you have a complaint about our handling of your personal data, please contact us in the first instance. You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
https://ico.org.uk/make-a-complaint/
Changes to This GDPR Compliance Statement
We keep our GDPR compliance statement under regular review. This statement was last updated in March 2025.
Last updated: March 2025