Staff Privacy Policy

We respect your privacy and are committed to protecting your personal data. This privacy policy sets out how Oaxaca Ltd, a trading division of Oaxaca Limited (referred to in this notice as “Wahaca”, “DF Tacos”, “Oaxaca Ltd”, “we” or “us”), collects and uses the personal data of its candidates and employees (referred to in this notice as “you”). It also explains how personal data is shared and protected, what choices you have relating to your personal data and how you can contact us.

Who is Oaxaca Ltd?

Oaxaca Ltd (also operating as Wahaca and DF Tacos) is the data controller of your personal data, which means that we are responsible for deciding how we hold and use personal information about you.

Our registered company name and office are Oaxaca Limited (5 Little Portland Street, London, England, W1W 7JD), a company registered in England and Wales with company number 05836870.

Who is our data protection manager?

Our data protection manager is Edward Latham contactable at [email protected]


When you apply to join Oaxaca Ltd, we (and other people on our behalf) will process personal information about you. This Privacy Notice tells you what to expect in relation to your personal data which is collected, handled and processed by or on behalf of Oaxaca Ltd in relation to the recruitment process.  

Any personal data of yours that we handle will be processed in accordance with data protection laws. These laws say that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way;
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • Relevant to the purposes we have told you about and limited only to those purposes;
  • Accurate and kept up to date; 
  • Kept only as long as necessary for the purposes we have told you about;
  • Kept securely;

What information do we collect?

In connection with your application for work with us, we may collect, hold and process the following categories of personal information about you: 

  • Name 
  • Address 
  • Date of birth 
  • Email address 
  • Telephone number 
  • CV/ work history  
  • Qualifications  
  • Current salary 
  • Current notice period 
  • Job preferences including role, geographical areas and salary 
  • Any information you provide to us during an interview, trial shift or during a psychometric test 
  • Any information you provide to us through a job board, recruitment agency or employee referral  
  • Job references 

We may also collect, hold and process the following "special categories" of more sensitive personal information: 

  • Whether you need permission to work in the UK;
  • Whether you consider yourself disabled or have a long-term health condition;
  • Whether you have suffered from particular illnesses, allergies or medical conditions;
  • Your gender, ethnic origin, nationality, religion or belief, sexual orientation;
  • Information about any relevant criminal convictions you may have shared with us;

How is your personal information collected? 

We may collect personal information about you from the following sources: 

  • You, the candidate, for example if you apply for a job on Wahaca or DF Tacos’s website; if you fill in one of our application forms or if you hand us your CV in person; 
  • Recruitment agencies;
  • Job boards and publicly accessible sources such as LinkedIn; 
  • Your named referees, from whom we may collect the following categories of data: details of your previous employer and your previous job title, the dates of your previous employment, details of your performance, details of any development areas, opinions about reemployment and attendance records;
  • Employee referrals, for example if one of our current employees recommends you for employment with us;

How do we use the information?

The above information is used to: 

  • Find out more about your skills and experience; 
  • Match your skills with job vacancies to assist in finding you the positions that most suit you; 
  • Carry out background and reference checks, where applicable;
  • Communicate with you about the recruitment process;
  • Comply with legal or regulatory requirements;
  • Keep you informed of available opportunities as they arise;
  • Keep records related to our hiring processes; 

It is in our legitimate interests to decide whether to offer you a job with Oaxaca Ltd, as it is beneficial to our business to recruit new employees to grow our business and to fill vacancies. 

We also need to process your personal information to decide whether to enter into a contract with you. 

If you choose not to provide personal information 

If you do not provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require references for this role and you fail to provide us with relevant details, we will not be able to take your application further. 

How do we use sensitive personal information?

The information relating to whether you consider yourself as disabled is used for the purposes of considering whether there are any adjustments that need to be made to the recruitment process. 

The information about gender, ethnic origin, religion or belief, or sexual orientation is only used for the purposes of equal opportunities monitoring.

The information relating to whether you need permission to work in the UK is used to decide whether we are able to lawfully employ you to work in the UK. 

The information relating to whether you have had any illnesses, allergies or medical conditions is used to decide whether we are able to offer you a job in one of our restaurants or working with food.   

Automated decision making 

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means.  

Disclosure of your information 

Your information will not be disclosed to any third parties outside of Oaxaca Ltd except for any third-party service providers (such as recruiters and job boards) involved with our recruitment activities, or other companies in our group.  However, it may be necessary to share your data with Government agencies such as HM Revenue and Customs, or the Home Office or legal advisors.  

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.  

Data Security 

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place measures to deal with any suspected data security breach and will notify you and any applicable regulator of any suspected breach where we are legally required to do so.  

Your duty to inform us of changes 

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during our recruitment process. 

Your rights 

Under certain circumstances, by law you have the right to: 

  • Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. 
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. 
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). 
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. 
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. 
  • Request the transfer of your personal information to another party.  

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please send an email to [email protected] or [email protected].

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. 

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. 

Right to withdraw consent 

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for the purposes of recruitment, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact [email protected] or [email protected].

Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely.  

Retention of your data 

If you have applied for a job with Oaxaca Ltd or you have sent us your CV but we did not have a suitable job available for you, then we will keep your personal data (including a copy of your CV/application form) on file for 12 months in case a suitable alternative vacancy arises and if so, we may contact you to find out if you are interested in the vacancy. If no suitable vacancies arise within 12 months then we will securely destroy your data in accordance with applicable laws and regulations. If we destroy your data, this does not prevent you from applying for a job with us in the future. If you do not wish us to retain your data in case a suitable alternative vacancy arises, please contact us at [email protected] or [email protected].

We also keep hold of your personal data for this period of time so that we can show, in the event of a legal claim, that we have not discriminated against candidates and that we have conducted our recruitment processes in a fair and transparent way.  

It is in our legitimate interests to contact you about potentially suitable alternative roles where you have applied for a job with us in the past, as it is beneficial to our business to recruit new employees to grow our business and to fill vacancies. 

Who to contact 

If you have any questions or concerns regarding the processing of your personal information by Oaxaca Ltd, you can contact us on the following email address [email protected] or [email protected]

The Information Commissioner's Office (ICO) is the supervisory authority in the UK for data protection issues. Further information on data protection (including your right to complain about the use of your personal data) can be found on the ICO’s website  


Throughout your employment it is necessary for us to obtain, process and retain legitimate personal data about you. Personal data is information that relates to an identified, or identifiable, living individual. Normally, it is data intended to form part of a ‘filing system’. This may mean it is in paper form e.g. retained and secured in a filing cabinet. Increasingly, it may be obtained, processed and retained securely electronically. UK GDPR legislation does not cover personal information which is not, or not intended to be, part of such a ‘filing system’. 

As a data controller, we are normally accountable for the personal data we process and always do so in a fair, lawful and transparent manner. We process information both manually and electronically but always for a specific, legitimate purpose. We keep it only for as long as necessary to fulfil that purpose. We retain it securely and confidentially throughout. When its purpose is fulfilled, we securely destroy or erase it.   

What personal information do we collect?

Typically, we collect and process personal data such as: -    

  • Your recruitment information and employment history;
  • Personal details such as your name, home address, personal email, telephone number(s), date of birth, etc.;
  • Gender, next of kin and emergency contact details, etc.; 
  • Personal terms of employment/engagement such as remuneration, allowances and benefits;
  • Banking, tax, national insurance and statutory benefit data;
  • Any holiday provisions, family and discretionary leave, sickness absence, training opportunities, etc.;
  • Appraisals, performance reviews and any personal improvement plans, etc.;
  • Information about your health, medical circumstances, disabilities etc.;
  • Details of formal communications and requests, disciplinary or grievance proceedings etc.; 

The above examples are indicative and not intended to be exhaustive. The nature of the personal data we obtain and process inevitably varies as employment/engagement progresses.  

Why do we need your personal data?

We utilise personal data to manage your employment relationship with us. We need it to fulfil contractual provisions such as paying you or recording your sickness absence. We frequently use it to fulfil legal obligations such as paying tax or ensuring you receive statutory benefits. Without such personal data we would not be able to employ you or engage your services. 

There are several legal bases for processing personal data. Some we may never, or very seldom, utilise. We normally rely on the following as the most appropriate lawful bases for processing personal data in an employment context: - 

  • We have a contractual obligation 
  • We have a legal obligation 
  • We have a legitimate interest 

Where we have what is termed a ‘legitimate interest’ in collecting and processing your personal data, the following examples of usage are indicative. They are not intended to be exhaustive. We may collect data that helps us to: - 

  •  Ensure our HR and business administration procedures are effective;
  •  Monitor absence levels and the effectiveness of our management procedures;
  •  Plan for career progression, development and succession planning;
  •  Measure performance for workforce management purposes;
  •  Conduct staff surveys, provide information and undertake communications;
  •  Measure and promote equality and diversity;
  •  Monitor the security, effectiveness and appropriate usage of our business, communication and information technology systems;

Where possible, we anonymise or pseudonymise such data. Where you are personally identified or identifiable, we ascertain that processing it would not compromise or override your individual rights and freedoms. Please advise us immediately if you believe we may process data that may override your individual rights or freedoms. 

Special category data 

Occasionally, personal data can include what are called ‘special categories’ of information. This is sensitive personal data such as your ethnic origin, sexual orientation, religious beliefs, biometric data, health, etc. Although it is not a special category, we also handle information regarding criminal convictions as though it were. Wherever we can, we anonymise such data.

Where we cannot anonymise data, there are ten legal conditions which allow us to process special category data. Although still very occasional, we most frequently rely on the following three: -  

  • Employment, social security and social protection law - for instance to fulfil contractual or legal obligations such as assessing the right to work in the UK or provide sick, maternity or parental bereavement pay;
  • Legal claims and judicial acts – for instance we may need to exercise or defend a legal claim, implement a court’s attachment of earnings decision etc.;
  • Health or social care – for instance we may utilise this for preventive or occupational medicine or assessment of your working capacity. It may be associated with medical diagnosis to consider reasonable adjustments to accommodate a disability;

Data we receive and/or share 

Often you will provide us with such information yourself. We may also receive data from, or provide it to, relevant third parties such as HMRC, pension or benefit providers. Appropriate personal data may also occasionally be received from or sent to referees, financial institutions, professional and trade union bodies etc. 

Where we engage third parties to process personal data, they do so under written instruction from us. This includes a duty of confidentiality. We require them to have appropriate technical and organisational measures in place to ensure the security of the data.  

We may process personal data outside the UK for various reasons. For instance, you may ask us to provide a personal reference to an organisation based outside the UK.  Where we process personal data outside the UK, we observe the necessary safeguards to protect it, as required by law.

Automated processing and profiling 

We do not make any decision that affects you personally relying solely on automated processing of your personal data. Decisions that affect you personally are only made following appropriate managerial input.  

How do we protect your personal data?

We take the security of your personal data very seriously. Your privacy is uppermost in the design and operation of our data systems. We have internal policies and controls in place to try to ensure that your personal data is not lost, accidentally destroyed, misused or inappropriately disclosed. Your personal data is only accessed by those we specifically authorise to do so in performance of their duties on our behalf.  

Whenever possible we deal with sensitive employment matters, such as disciplinary, capability and grievance procedures, confidentially and in private. We follow fair, non-discriminatory procedures and strive for consistency of approach. However, we cannot guarantee to prevent identities or personal details being revealed in every situation.

We cannot be definitive about how long we retain personal data. It will depend entirely on the purpose for which it has been secured. In many cases, retention will be short term e.g. details of your current holidays, a job application etc. However, some may be retained throughout and beyond your employment e.g. details of your pension provisions. You can ask our data manager to provide you with further details of typical retention periods we adopt.  

It’s important that the information we hold about you is appropriate, accurate and up to date. If you think something’s out-of-date, incorrect or inappropriate please tell us. This includes bank account, home address, telephone number etc. We also need to know who to contact on your behalf in an emergency. And you need to tell them you’ve given us their contact details. We are happy to review any personal data that you tell us is incomplete or incorrect.  

If we intend to process existing personal data for a new purpose you are unaware of, we will advise you. We stress that this is unlikely and only liable to happen extremely infrequently. 

Your data protection rights 

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information: - 

  • Your right of access - you have the right to ask us for copies of your personal information. There are some exemptions, which means you may not always receive all the information we process;
  • Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete;
  • Your right to erasure - you have the right to ask us to erase your personal information but only in certain circumstances; 
  • Your right to restriction of processing - you have the right to ask us to restrict the processing of your personal data but only in certain circumstances;
  • Your right to object to processing - you can ask us not to process your personal data where: -
      • we are performing a task in the public interest;
      • exercising official authority vested in us, or
      • doing so in furtherance of our legitimate interests;
  • Your right to data portability - this only applies to information you provided personally. You can ask us to transfer the information you gave us to another organisation. Alternatively, we can provide it to you. The right only applies if we are processing the data: -
      • with your consent, or
      • under your contract of employment,
      • and the processing is automated.

Most personal data you provide will not meet these data portability tests. Possible examples could be your bank account details, current home address or family status.

To exercise any data protection rights please send a letter or email with details of your specific request to our data controller manager at [email protected]

There is normally no charge. We will respond within a month where practicable and, otherwise, as quickly as possible. 

Unfortunately, not all information systems are under our control (HMRC and benefit providers for instance). And we recognise criminality is increasingly sophisticated. We will advise you promptly if we become aware of any significant breach of security involving your personal data. 

Please also read ‘Personal Information and Data Protection’ which you’ll find in Section 2 of our employee handbook. This sets out some more information about how we deal with personal data. 

If you’re ever concerned about how we’ve handled your personal data, please raise this confidentially in writing with [email protected] or [email protected]. We will investigate and respond as quickly as possible. If you are unhappy with our response, you may be able to raise your concern with the ICO (
