Data Protection Policy
1. INTRODUCTION
1.1 This policy sets out how we comply with our obligations under data protection laws, including the Data Protection Act 2018 (UK).
1.2 This policy applies to all personal data processed by the Jamie Oliver Group and its staff in the course of business.
1.3 It is the responsibility of staff to ensure they are familiar with and comply with this policy. In particular, all staff should note their obligations in paragraph 9.
1.4 The purpose of this policy is to ensure that all our staff understand and comply with the general rules governing the collection, use, sharing with third parties, and deletion of personal data to which they may have access in the course of their work. The Jamie Oliver Group processes personal data about a wide range of individuals including job applicants, our current and former employees, contractors, clients, suppliers, subscribers to our marketing, customers, and individuals who participate in our promotions. We are committed to complying with our data protection obligations, to being concise, clear and transparent about how we obtain and use personal data, and to deleting that information securely once it is no longer required.
1.5 This policy should be read in conjunction with our other Policies (as defined below). You may obtain these Policies on our Intranet, or on request from the P&D or Legal teams.
1.6 This policy is for internal use and should not be shared externally.
1.7 In this policy ‘Jamie Oliver Group’, ‘the Group’, ‘we’, ‘our’ and ‘us’ means Jamie Oliver Limited, Jamie Oliver Productions Limited, Jamie’s Italian International Limited, Trevilo Trading Limited, Recipease Limited and Jamie Oliver Licensing Limited.
2. DEFINITIONS
Data subject
The individual to whom the personal data relates
Personal data
Information relating to an individual who can be identified (directly or indirectly) from that information, and includes special categories of personal data
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
Policies
Means policies adopted by the Group including:
- this Data Protection Policy
- Data Breach Policy (outlining how we handle breaches relating to personal data)
- Records Management and Retention Policy (explaining how we store and erase personal data)
- IT and Computer Use Policy (informing staff how they must manage their equipment)
- Data Subject Request Guidelines (explaining how we handle requests from data subjects relating to their personal data we process)
- Privacy Policy - Recruitment (for line managers and staff involved in recruiting activities)
- Privacy Policy - Staff (for all staff)
- Criminal Records Information Policy (for employees who handle such information)
- Information Security Policy (which outlines the measures we use to secure tangible and electronic data)
Process/processing
Means obtaining, recording, organising, destroying/deleting, storing, amending, accessing, disclosing, disseminating, using or doing anything else with personal data
Special categories of personal data
Means personal data about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation
3. TRAINING
We will ensure that staff are adequately trained regarding their data protection responsibilities on a regular basis (and at least within every 2 years). Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or the abovementioned related policies, will receive additional training to help them understand their duties and how to comply with them.
4. CONSEQUENCES OF NON-COMPLIANCE
4.1 We take compliance with this policy very seriously. Failure to comply with the policy:
- puts at risk the individuals whose personal data is being processed;
- may lead to investigations by the supervisory authority;
- may lead to court action by data subjects claiming against us for any damage or distress they have suffered as a result of our breach of data protection laws;
- carries the risk of significant civil and criminal sanctions, including fines, for the individual and the Group; and
- may, in some circumstances, amount to a criminal offence by the individual.
4.2 Because of the importance of this policy, an employee’s failure to comply with any requirement of it may lead to disciplinary action under our procedures and this action may result in dismissal for gross misconduct. If a non-employee breaches this policy, they may have their contract terminated with immediate effect.
5. REVIEW AND MONITORING OF THIS POLICY
5.1 This policy will be reviewed and updated in accordance with our data protection obligations and changing business operations. It does not form part of any employee’s contract of employment and we may amend, update or supplement it from time to time. We will circulate any new or modified policy to staff when it is adopted.
5.2 The Legal Team will assess our data protection systems and measures in place periodically. The Data Protection Team will arrange an external data protection and information governance audit, externally-provided self assessment or other compliance checking procedure periodically.
5.3 The Legal Team will regularly update the Board of Directors and Senior Management Team for the Group about our data protection compliance measures, reviews and any issues.
5.4 The Legal Team is responsible for monitoring and reviewing this policy. If you have any questions or comments regarding this policy, please contact a member of the Legal Team either in person or by e-mailing [email protected].
PART A: DATA PROTECTION PRINCIPLES AND OUR OBLIGATIONS
This part sets out the data protection principles applicable, which the Group and all staff must follow whenever processing personal data.
6. DATA PROTECTION PRINCIPLES
As a Group, we (and therefore all staff) will comply with the following data protection principles when processing personal data:
- process personal data lawfully, fairly and in a transparent manner;
- collect personal data for specified, explicit and legitimate purposes only, and not process it in a way that is incompatible with those legitimate purposes;
- only process the personal data that is adequate, relevant and necessary for the relevant purposes;
- keep accurate and up to date personal data, and take reasonable steps to ensure that inaccurate personal data is deleted or corrected without delay;
- keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the information is processed; and
- take appropriate technical and organisational measures to ensure that personal data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction, alteration or damage.
7. BASIS FOR PROCESSING PERSONAL DATA
7.1 In relation to any processing activity, we will, before the processing commences and then regularly while it continues:
- review the purposes of the particular processing activity, and select the most appropriate lawful basis (or bases) for that processing i.e.:
(a) that the data subject has consented to the processing;
(b) that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) that the processing is necessary for compliance with a legal obligation to which the Group is subject;
(d) that the processing is necessary for the protection of the vital interests of the data subject or another natural person;
(e) that the processing is necessary for the performance of a task carried out in the public interest or exercise of official authority; or
(f) that the processing is necessary for the purposes of the legitimate interests of the Group or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject (see paragraph 7.2 below);
- except where the processing is based on consent, satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (i.e. there is no other reasonable way to achieve that purpose);
- document the purpose of processing and our decision as to which lawful basis applies in our data map (refer to paragraph 12 below) and other written records where appropriate to demonstrate our compliance with the data protection principles;
- inform the data subjects about the nature of, purposes of and lawful basis for processing by way of a privacy notice (refer to paragraph 14 below) or otherwise;
- where sensitive personal data (special categories of personal data, as defined above) is processed, also identify a lawful special condition for processing that information (see paragraph 8 below), and document it; and
- where criminal offence information is processed, also identify a lawful condition for processing that information, and document it.
7.2 When determining whether the Group’s legitimate interests are the most appropriate basis for lawful processing, we will:
- conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that we can justify our decision;
- if the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment (DPIA – see paragraph 10); and
- keep the LIA under review and repeat it if circumstances change.
8. SENSITIVE PERSONAL DATA
8.1 The Group may from time to time need to process sensitive personal data. We will only process sensitive personal data if the conditions in paragraph 7.1 are met and one of the special conditions for processing sensitive personal data applies, e.g.:
(a) the data subject has given explicit consent
(b) the processing is necessary for the purposes of exercising the employment law rights or obligations of the Group or the data subject
(c) the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent
(d) processing relates to personal data which are manifestly made public by the data subject
(e) the processing is necessary for the establishment, exercise or defence of legal claims, or
(f) the processing is necessary for reasons of substantial public interest.
8.2 Before processing any sensitive personal data, staff must notify the Legal Team of the proposed processing, in order for them to assess whether the processing complies with the criteria noted above.
8.3 We will not carry out automated decision-making (including profiling) based on any individual’s sensitive personal data.
9. INDIVIDUAL OBLIGATIONS OF GROUP STAFF
9.1 All staff are responsible for helping the Group to comply with our data protection obligations. You will have access to the personal data of a wide range of the individuals identified in paragraph 1.4 in the course of your employment or engagement. Therefore, the Group expects you to help meet its data protection obligations to those individuals.
9.2 If you use personal data, you must personally ensure that at all times you follow the principles in paragraph 6, for example, you should:
- only access personal data, and allow others to access it, on a need-to-know basis; obtain authorisation from your line manager or the Legal Team where access is being given to a person outside the Group; limit the type of access as much as possible (e.g. to read-only); and only allow access for authorised purposes;
- only collect personal data that is necessary for a purpose with a lawful basis, as discussed in paragraph 7;
- keep personal data, and the asset in which it is stored, secure at all times (including when you remove or transfer personal data and/or the asset) by complying with our Information Security Policy and our IT and Computer Use Policy;
- let the P&D team know if your personal data changes, for example if you move house or change details of the account to which you are paid. Alternatively, you can update your personal data securely via our human resources software (currently Cezanne);
- inform the legal team before you intend to use personal data in a different way, especially if you wish to use sensitive personal data, and ensure you obtain fresh consent to the different use if consent was the lawful basis relied upon;
- generally, erase or anonymise personal data as soon as it is no longer necessary for its lawful purpose, and follow the specific principles and guidelines in our Records Management and Retention Policy;
- inform us before you make an arrangement with a third party to use personal data for us or on our behalf;
- notify the Data Protection team if you receive a request from a data subject to exercise their rights, as discussed in paragraph 13 below and in our Data Subject Requests Guidelines; and
- leave your desk clear and lock up all personal belongings at the end of each day.
9.3 You should contact the Legal Team if you are concerned or suspect that one of the following has taken place (or is taking place or is likely to take place):
- processing of personal data without a lawful basis for its processing or, in the case of sensitive personal data, without one of the conditions in paragraph 8.1 being met;
- a personal data breach (see paragraph 17 below);
- access to personal data without the proper authorisation;
- personal data not kept secure or deleted securely;
- removal of personal data, or devices containing personal data (or which can be used to access it), from the Group’s premises/network or devices without appropriate security measures being in place;
- any other breach of this policy or of any of the data protection principles set out in paragraph 6 above.
PART B: DOCUMENTATION AND RECORDS
This part sets out our obligations and commitments as to how we document and maintain records of personal data we process
10. DATA PROTECTION IMPACT ASSESSMENTS (DPIAS)
10.1 Where processing is likely to result in a high risk to an individual’s data protection rights (e.g. where a high risk is likely to result from the Group using a new technology or conducting a new project using personal data), the Legal Team will, before commencing the processing, and during the planning and development process, and with assistance from relevant staff and consultation with stakeholders as appropriate, carry out a DPIA to assess:
- the nature, scope, context and purposes of the processing;
- whether the processing is necessary and proportionate in relation to its purpose;
- the risks to individuals; and
- what measures can be put in place to address those risks and protect personal data
10.2 All staff must consult their line manager and contact the Legal Team where they know or suspect that processing could result in such a high risk, so that we can carry out a DPIA.
10.3 We will incorporate the outcomes of the DPIA into our work plans, not start high-risk processing until mitigating measures are in place, and communicate the outcomes of the DPIA to appropriate stakeholders.
10.4 We will review each DPIA regularly, and whenever the nature, scope, context or purposes of the processing change.
11. DATA PROCESSING AGREEMENTS (DPAS)
11.1 We are required to have a particular kind of agreement called a Data Processing Agreement/Addendum (DPA) with third parties that process data on our behalf, or as joint controllers with us, or share personal data with us as independent controllers.
11.2 It is especially important to have particular safeguards in a DPA where the processing will occur outside the UK because it is our priority to ensure that personal data is safe during the processing and transfers, and the processing standards are at least as high as those we uphold in the UK.
11.3 All staff must inform the Legal Team AND the IT team prior to entering into a contract with any third party who may be processing personal data for or with us, so we can get a DPA in place and IT can do due diligence checks on the third party’s security.
12. DATA MAP
12.1 We keep written records of processing activities (also known as our ‘data map’), including:
- the purposes of the processing and why processing is necessary for that purpose;
- the lawful basis for processing (as described in paragraph 7.1 above);
- a description of the categories of data subjects and categories of personal data (including any sensitive personal data);
- categories of our internal and any third party recipients of personal data;
- where relevant, details of transfers to third countries (non-EEA countries), including documentation of the transfer mechanism safeguards in place;
- retention and deletion procedures; and
- a description of technical and organisational security measures in place to safeguard the personal data.
12.2 As part of our record of processing activities we document:
- information required for privacy notices;
- records of consent (which includes our audit trail of consent to direct marketing);
- DPAs (see paragraph 11 above), i.e. contracts with third parties that process data on our behalf, or as joint controllers with us, or share personal data with us as independent controllers;
- where and how personal data is stored;
- DPIAs (see paragraph 10 above); and
- records of data breaches.
12.3 We conduct regular reviews of the personal data we process and update our data map accordingly. This may include:
- carrying out information audits to find out what personal data the Group holds;
- distributing questionnaires and talking to staff across the Group to get a more complete picture of our processing activities; and
- reviewing our policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.
12.4 We reiterate that all staff should inform the Legal Team if you intend to use personal data in a different way, as it is essential to keep the data map up to date.
12.5 We keep our data map in electronic form to enable it to be updated easily.
PART C: DATA SUBJECT RIGHTS AND OUR RELATED OBLIGATIONS
This part sets out the rights all individuals have under the Data Protection Act 2018 when it comes to their personal data and what we do to comply with these.
13. RIGHTS OF DATA SUBJECTS
13.1 Data subjects (including staff) have the following rights in relation to their personal data and can make requests to exercise those rights (a “data subject request”):
- to be informed about how, why and on what basis that data is processed (this is contained in our Privacy Notices, see paragraph 14 below);
- to obtain confirmation that their information is being processed and to obtain access to it and certain other information;
- to have data corrected if it is inaccurate or incomplete;
- to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as ‘the right to be forgotten’);
- to restrict the processing of personal data where the accuracy of the information is contested, or the processing is unlawful (but the data subject does not want the data to be erased), or where the data controller no longer needs the personal data but the data subject requires the data to establish, exercise or defend a legal claim; and
- to restrict the processing of personal data temporarily where the data subject does not think it is accurate (and the data controller is verifying whether it is accurate), or where the data subject has objected to the processing (and the data controller is considering whether the organisation’s legitimate grounds override the data subject’s interests).
13.2 Staff should be familiar with our Data Subject Requests Guidelines so that they recognise a data subject request if they receive one, report it correctly and immediately to the Legal Team, who can action that request where required.
13.3 If staff wish to exercise any of the rights above, please contact [email protected].
14. PRIVACY NOTICES
14.1 Whenever we collect information from individuals, we must provide them with access to a privacy notice, informing them about the personal data that we collect and hold relating to them, how they can expect their personal data to be used and for what purposes, in a concise, transparent, intelligible and easily accessible form, and using clear and plain language.
14.2 The Group currently has three privacy notices:
- Privacy Notice - Recruitment sets out how personal data about job applicants is collected and used by the Group.
- Privacy Notice - Staff sets out how personal data about current and former staff, including employees, temporary and agency workers, interns, volunteers and work experience participants, is collected and used by the Group.
- Privacy Notice available to the public on our website(s) sets out the types of personal data that the Group processes about its customers, contributors or subscribers, what it is used for and the lawful basis for the processing.
14.3 We will update and circulate our privacy notices from time to time as necessary.
PART D: SECURITY OF PERSONAL DATA AND DATA BREACHES
This part sets out the technical safeguards applicable to all personal data we handle, retention periods and what to do in the event of a data breach.
15. INFORMATION SECURITY
15.1 We use appropriate technical and organisational measures in accordance with our Information Security Policy to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These include:
- making sure that, where possible, personal data is pseudonymised or encrypted;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and ensuring that, in the event of a physical or technical incident, availability of and access to personal data can be restored in a timely manner; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
15.2 It is essential that all staff familiarise themselves with our Information Security Policy and implement all the security measures that apply to them. One such action to ensure the security of personal data we are responsible for is that staff must obtain approval from the legal team before entering into a contract (which could be just accepting T&Cs or signing up for a service) with third parties who will process personal data in any way on our behalf (for example, an agreement with a marketing company, research company, CRM software, human resources software, recruiter, website infrastructure, payroll or pensions provider or IT software).
16. STORAGE AND RETENTION OF PERSONAL DATA
16.1 Personal data (and sensitive personal data) must be kept securely in accordance with the Group’s Information Security Policy.
16.2 As a general rule, personal data (and sensitive personal data) should be retained for only as long as necessary to achieve the purpose for which it was collected and should thereafter be deleted permanently from electronic systems and hard copies should be destroyed securely. There are certain types of data which we have a legal obligation to hold on to for specific periods, for example in accordance with tax laws. Staff should follow the Group’s Records Management and Retention Policy which sets out the relevant retention period or the criteria that should be used to determine the retention period. Where there is any uncertainty, staff should consult the Legal Team.
17. DATA BREACHES
17.1 A personal data breach (defined above) may take many different forms, for example:
- loss or theft of data or equipment on which personal data is stored
- unauthorised access to or use of personal data either by a member of staff or third party
- loss of data resulting from an equipment or systems (including hardware and software) failure
- human error, such as accidental deletion or alteration of data
- unforeseen circumstances, such as a fire or flood
- deliberate attacks on IT systems, such as hacking, viruses or phishing scams, and
- ‘blagging’ offences, where data is obtained by deceiving the organisation which holds it.
17.2 Where a staff member suspects or knows that a personal data breach has occurred, they must immediately complete the Data Breach Form on the Group’s intranet and inform the Data Breach Team by email to [email protected]. The Legal Team will assess the breach and, where required, report it to the supervisory authority without undue delay and in any event within 72 hours of becoming aware of it, and will notify affected data subjects where the breach is likely to result in a high risk to them. Staff must report promptly, because the 72-hour period runs from the time the Group becomes aware of the breach, not from the time it is escalated to the Legal Team. More detail about these procedures is set out in our Data Breach Policy.
18. INTERNATIONAL TRANSFERS
18.1 Wherever possible, we seek to ensure all personal data we process or allow others to process on our behalf is stored in the European Economic Area (EEA).
18.2 If we transfer personal data to countries outside the EEA, we will only do so on the basis that the country, territory or organisation is designated as having an adequate level of protection, or that the organisation receiving the information has provided adequate safeguards by way of binding corporate rules, standard data protection clauses, or compliance with an approved code of conduct.