Gordon’s Wine Bar is committed to protecting the privacy of our customers and this privacy notice sets out details of how we use and process your data.


The name and contact details of our organisation:

Court Pie Catering Ltd t/a Gordon’s Wine Bar is a company limited by shares registered in England under company number 00981038 whose registered office is at Walter Wright, 89 High Street, Hadleigh, Ipswich, Suffolk IP7 5EA.

If you would like to get in touch with us for any further information the best way to do so is by emailing:



In line with UK Government direction to licensed premises Gordon’s Wine Bar seeks to minimise the risk of COVID-19 transmission and protect the health of staff and customers on our premises.

We will assist the NHS Test and Trace service by keeping a temporary record of our customers and visitors for 21 days and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.

We will do this by making a condition of entry to our premises that customers log onto Gordon’s Wine Bar WIFI at point of entry and consent to supply their name, email address, mobile number for this and no other purpose.

Although Gordon’s Wine Bar seeks consent from customers and staff to process these details our lawful basis for doing so is that it is in the Legitimate Interest of Gordon’s Wine Bar to do so as there is a compelling justification to process this personal data in order to protect the health of staff and customers on our premises.

We have balanced our legitimate interest with the rights and freedoms of others who may choose not to enter our premises and have their data processed in this way.

The personal data captured is strictly retained for no more than 21 days from date of last entry.

Consent to capturing these details will be sought for marketing purposes. This is strictly optional and not a condition of entry.

Gordon’s Wine Bar processes the data using the Encapto Sytem.

If we receive a request from the Govt track and Trace team we can provide details of who was in the bar at a particular time direct from this system.

Gordon’s Wine Bar has a data processing agreement with Encapto and will store the data securely. They are fully GDPR compliant.


The personal data processing we undertake

Any information provided by you through our website uses a secure https connection and is stored securely.  We do not share your information with any third parties.

Any contact with you will be in direct response to a query, booking or order from you based on your consent to being contacted.

Any purchases made will be handled through PayPal, Stripe or Shopify so that we will never hold your card/payment details and will never ask you to provide us with such details directly.

We give our customers the option to sign-up to our newsletters to receive occasional news on upcoming events, products and general information. We provide the option to sign-up via our website or it can occasionally be processed manually if requested.

Email marketing campaigns may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database to improve how we communicate with the customer and ensure content is relevant. Such tracked activity may include, for example: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity.


External Links

While we do our best to include quality, safe and relevant external links we cannot take any responsibility for the privacy policy of any external websites. It is at the customer’s own risk to click on the hyperlink. It is always advisable to read the website’s own privacy policy statement if in doubt.


Social Media Platforms

Gordon’s Wine Bar does make use of social media where we share images, videos and information to better communicate and interact with our customers. All the social media use is based on the terms and conditions as well as the privacy policies held with each social media platform respectively.

Any image or video shared is carefully selected and if any individual is present they will not be identified without consent. Consent will always be asked to share any image or video which was not taken ourselves.

We will share links through social media which often will get shortened. An example being: While we do our best to make sure all links are safe and genuine many social media platforms are prone to spam and hacking and therefore we cannot be held responsible for any damages or implications caused by clicking on a shortened link.


CCTV and Facial Recognition

We use CCTV surveillance for both our inside and outside areas to maximise security and safety for both customers and staff. Access to the recordings are limited and controlled. Recordings will only be used if an incident is reported or if required by law, furthermore, it will only be handled by persons with approved access. Such as: police, insurers or courts of law.

CCTV recordings are kept for a maximum of 28 days at which point they are automatically deleted.

We also use facial recognition for the prevention of unlawful acts and we are able to fulfil the requirement for this to be in the “substantial public interest” (a requirement of the Data Protection Act 2018) by using the Facewatch real time alerting service. Facewatch act as joint Data Controller as explained in their privacy policy:

We supply facial images, descriptions, personal details and incidents details to Facewatch Ltd (Facewatch) of individuals reasonably suspected of having committed unlawful acts (Subjects of Interest). We also supply CCTV images to Facewatch who, in real time, compare the faces of people in those images to their watchlist of Subjects of Interest and alert us if there are matches. Faces not matched to a watchlist are deleted by Facewatch immediately to protect individual privacy.

We receive Facial Recognition Alerts instantly when a Subject of Interest enters our properties which are always checked for accuracy by a human before acted upon.

The recipients or categories of recipients of the personal data include our staff and may include third parties who assist us with the prevention and detection of unlawful acts, including Facewatch and police.

  • The purposes of the processing is the prevention and detection of unlawful acts against our customers, staff and business assets.
  • The lawful basis for the processing of personal data is – Legitimate Interests:

The legitimate interests for the processing are – There is a compelling justification for us to protect our customers, staff and business assets from unlawful acts. Our Legitimate Interest Assessment is as follows:

It is our legitimate interest to be able to minimise the impact of unlawful acts by processing personal data to identify persons in our business properties who are reasonably suspected of having committed crime and taking reasonable and proportionate action. It is our legitimate interest to prevent crimes against us rather than just capture on CCTV crime that has taken place and report to police.

The processing of personal data, special category data and criminal offence data is necessary to achieve our legitimate purpose as it allows us to quickly and accurately identify individuals who are reasonably suspected of having committed crime, and to take reasonable and proportionate action in the circumstances. Without processing information in this way we would be unlikely to effectively identify such persons as they enter our properties, be less likely to prevent unlawful acts, and therefore more likely to experience crime, even with existing tactics including security staff and/or CCTV monitoring. Reporting crime to police is similarly less effective than the use of Facewatch as this is post event rather than preventative.

We balance our legitimate interest against the individual’s interests, rights and freedoms. We distinguish those individuals reasonably suspected of having committed unlawful acts from all other persons entering our properties by the use of Watchlists and Facial Recognition Alerts. There is always human involved to verify any possible match between an individual entering our properties and an image on a Watchlist or Facial Recognition Alert. In the event of a confirmed match we may take reasonable and proportionate action in the circumstances.

We take particular care when the data subject is, or appears to be, under 18 years of age and do not share this data with Facewatch.

  • The lawful basis for the processing of criminal offence data is that it is necessary for the prevention and
  • Facial Recognition/Special Category data:

Facial recognition algorithms are defined as Special Category data. Any such processing is conducted by Facewatch as data controller who are able to comply with the additional legal requirements for this processing as explained on their website

  • Retention Period

We retain facial images, descriptions, personal details and incidents details including CCTV footage of individuals reasonably suspected of having committed unlawful acts (Subjects of Interest) for a period of 1 year from the date of incident.

  • Your rights as a data subject
    The right to be informed
    The right of access
    The right to rectification
    The right to restrict processing
    The right to data portability
    The right to object
    Rights in relation to automated decision making and profiling
    The right to complain to the Information Commissioner’s Office (ICO)

For a fuller explanation of these rights please see the website of the Information Commissioner’s Office


Website and Cookies

We use Google Analytics cookies to monitor and analyse web traffic and this can be used to keep track of user behaviour.

Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilises the Data collected to track and examine the use of this website, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualise and personalise the ads of its own advertising network. The place of processing is in the US protected under Privacy Shield. For more information please see: Google Privacy Policy. If you wish to opt out please click here

If you would like to restrict the use of cookies you can also control this through your Internet browser and instructions on this are easily found using google.


The purposes of the processing

We process personal data for the following purposes:

  • Recruitment and employment of staff
  • Sales and Marketing
  • Customer Communications
  • Security of our patrons, staff, premises, data and other assets


The lawful basis for the processing:

As a legal basis for processing personal data we rely on legal obligation, fulfilment of contract, consent, public interest and legitimate interest.

The right to withdraw consent:

Where we rely on consent to process your personal data you may withdraw that consent at any time and we will cease processing.

The legitimate interests for the processing:

We only rely on legitimate interest for processing the personal data of customers with whom we have an existing relationship and who reasonably expect to receive communication from us.

The categories of personal data obtained:

We only process the minimum amount of personal data to fulfil the purpose of the processing and the requirements of the legal basis for processing.

The recipients or categories of recipients of the personal data:

We only pass on personal data to other recipients to fulfil the purpose of the processing and the requirements of the legal basis for processing e.g HMRC, marketing service providers, accountants, suppliers.

The details of transfers of the personal data to any third countries or international organisations:

All our data stays in the UK except that stored using a cloud data storage provider in the USA who conform with the US Privacy Shield.

The retention periods for the personal data:

Once collected Data is retained for no longer than 28 days to 12 months unless required for longer due to legal requirements.

The source of the personal data:

We only collect personal data provided by the data subject themselves other than as detailed in this notice.

The details of whether individuals are under a statutory or contractual obligation to provide the personal data:

It will be clear when signing a contract with us which personal data is required by law or contract to provide.

 The rights available to individuals in respect of the processing:

 The Data Protection Act 2018 provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

To exercise your rights as a data subject under the Data Protection Act 2018 please email us at


The right to lodge a complaint with a supervisory authority:

You have the right to lodge a complaint with the UK Information Commissioner’s Office.

May 2020

Manage Cookies


Please confirm your date of birth

You must be of legal age in your country or state of residence to enter this website