We respect your privacy and are committed to protecting your personal data. These privacy policies sets out how Oaxaca Ltd, a trading division of Oaxaca Limited (referred to in this notice as “Wahaca”, “DF Tacos”, “Oaxaca Ltd”, “we” or “us”), collects and uses the personal data of its candidates and employees (referred to in this notice as “you“). It also explains how personal data is shared and protected, what choices you have relating to your personal data and how you can contact us.
Oaxaca Ltd (also operating as Wahaca and DF Tacos) is the data controller of your personal data which means that we are responsible for deciding how we hold and use personal information about you
Our registered company name and office are Oaxaca Limited (5 Little Portland Street, London, England, W1W 7JD) a company registered in England and Wales with company number 05836870.
Our data protection manager is Edward Latham contactable at [email protected]
When you apply to join Oaxaca Ltd, we (and other people on our behalf) will process personal information about you. This Privacy Notice tells you what to expect in relation to your personal data which is collected, handled and processed by or on behalf of Oaxaca Ltd in relation to the recruitment process.
Any personal data of yours that we handle will be processed in accordance with data protection laws. This says that the personal information we hold about you must be:
In connection with your application for work with us, we may collect, hold and process the following categories of personal information about you:
We may also collect, hold and process the following "special categories" of more sensitive personal information:
We may collect personal information about you from the following sources:
The above information is used to:
It is in our legitimate interests to decide whether to offer you a job with Oaxaca Ltd, as it is beneficial to our business to recruit new employees to grow our business and to fill vacancies.
We also need to process your personal information to decide whether to enter into a contract with you.
If you do not provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
The information relating to whether you consider yourself as disabled is used for the purposes of considering whether there are any adjustments that need to be made to the recruitment process.
The information about gender, ethnic origin, religion of belief, gender or sexual orientation is only used for the purposes of equal opportunities monitoring.
The information relating to whether you need permission to work in the UK is used to decide whether we are able to lawfully employ you to work in the UK.
The information relating to whether you have had any illnesses, allergies or medical conditions is used to decide whether we are able to offer you a job in one of our restaurants or working with food.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means.
Your information will not be disclosed to any third parties outside of Oaxaca Ltd except for any third-party service providers (such as recruiters and job boards) involved with our recruitment activities, or other companies in our group. However, it may be necessary to share your data with Government agencies such as HM Revenue and Customs, or the Home Office or legal advisors.
All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We have put in place appropriate security measures to prevent your personal information from being accidently lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place measures to deal with any suspected data security breach and will notify you and any applicable regulator of any suspected breach where we are legally required to do so.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during our recruitment process.
Under certain circumstances, by law you have the right to:
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please send an email to [email protected] or [email protected].
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for the purposes of recruitment, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact [email protected] or [email protected].
Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely.
If you have applied for a job with Oaxaca Ltd or you have sent us your CV but we did not have a suitable job available for you, then we will keep your personal data (including a copy of your CV/application form) on file for 12 months in case a suitable alternative vacancy arises and if so, we may contact you to find out if you are interested in the vacancy. If no suitable vacancies arise within 12 months then we will securely destroy your data in accordance with applicable laws and regulations. If we destroy your data, this does not prevent you from applying for a job with us in the future. If you do not wish us to retain your data in case a suitable alternative vacancy arises, please contact us at [email protected] or [email protected].
We also keep hold of your personal data for this period of time so that we can show, in the event of a legal claim, that we have not discriminated against candidates and that we have conducted our recruitment processes in a fair and transparent way.
It is in our legitimate interests to contact you about potentially suitable alternative roles where you have applied for a job with us in the past, as it is beneficial to our business to recruit new employees to grow our business and to fill vacancies.
The Information Commissioner's Office (ICO) is the supervisory authority in the UK for data protection issues. Further information on data protection (including your right to complain about the use of your personal data) can be found on the ICO’s website www.ico.org.uk
Throughout your employment it is necessary for us to obtain, process and retain legitimate personal data about you. Personal data is information that relates to an identified, or identifiable, living individual. Normally, it is data intended to form part of a ‘filing system’. This may mean it is in paper form e.g. retained and secured in a filing cabinet. Increasingly, it may be obtained, processed and retained securely electronically. UK GDPR legislation does not cover personal information which is not, or not intended to be, part of such a ‘filing system’.
As a data controller, we are normally accountable for the personal data we process and always do so in a fair, lawful and transparent manner. We process information both manually and electronically but always for a specific, legitimate purpose. We keep it only for as long as necessary to fulfil that purpose. We retain it securely and confidentially throughout. When its purpose is fulfilled, we securely destroy or erase it.
Typically, we collect and process personal data such as: -
The above examples are indicative and not intended to be exhaustive. The nature of the personal data we obtain and process inevitably varies as employment/engagement progresses.
We utilise personal data to manage your employment relationship with us. We need it to fulfil contractual provisions such as paying you or recording your sickness absence. We frequently use it to fulfil legal obligations such as paying tax or ensuring you receive statutory benefits. Without such personal data we would not be able to employ you or engage your services.
There are several legal bases for processing personal data. Some we may never, or very seldom, utilise. We normally rely on the following as the most appropriate lawful bases for processing personal data in an employment context: -
Where we have what is termed a ‘legitimate interest’ in collecting and processing your personal data, the following examples of usage are indicative. They are not intended to be exhaustive. We may collect data that helps us to: -
Where possible, we anonymise or pseudonymise such data. Where you are personally identified or identifiable, we ascertain that processing it would not compromise or override your individual rights and freedoms. Please advise us immediately if you believe we may process data that may override your individual rights or freedoms.
Occasionally, personal data can include what are called ‘special categories’ of information. This is sensitive personal data such as your ethnic origin, sexual orientation, religious beliefs, biometric data, health, etc.. Although it is not a special category, we also handle information regarding criminal convictions as though it was. Wherever we can, we anonymise such data.
Where we cannot anonymise data, there are ten legal conditions which allow us to process special category data. Although still very occasional, we most frequently rely on the following three: -
Often you will provide us with such information yourself. We may also receive data from, or provide it to, relevant third parties such as HMRC, pension or benefit providers. Appropriate personal data may also occasionally be received from or sent to referees, financial institutions, professional and trade union bodies etc.
Where we engage third parties to process personal data, they do so under written instruction from us. This includes a duty of confidentiality. We require them to have appropriate technical and organisational measures in place to ensure the security of the data.
We may process personal data outside the UK for various reasons. For instance, you may ask us to provide a personal reference to an organisation based outside the UK. Where we process personal data outside the UK, we observe the necessary safeguards to protect it, as required by law.
We do not make any decision that affects you personally relying solely on automated processing of your personal data. Decisions that affect you personally are only made following appropriate managerial input.
We take the security of your personal data very seriously. Your privacy is uppermost in the design and operation of our data systems. We have internal policies and controls in place to try to ensure that your personal data is not lost, accidentally destroyed, misused or inappropriately disclosed. Your personal data is only accessed by those we specifically authorise to do so in performance of their duties on our behalf.
Whenever possible we deal with sensitive employment matters, such as disciplinary, capability and grievances procedures, confidentially and in private. We follow fair, non-discriminatory procedures and strive for consistency of approach. However, we cannot guarantee to prevent identities or personal details being revealed in every situation.
We cannot be definitive about how long we retain personal data. It will depend entirely on the purpose for which it has been secured. In many cases, retention will be short term e.g. details of your current holidays, a job application etc. However, some may be retained throughout and beyond your employment e.g. details of your pension provisions. You can ask our data manager to provide you with further details of typical retention periods we adopt.
It’s important that the information we hold about you is appropriate, accurate and up to date. If you think something’s out-of-date, incorrect or inappropriate please tell us. This includes bank account, home address, telephone number etc. We also need to know who to contact on your behalf in an emergency. And you need to tell them you’ve given us their contact details. We are happy to review any personal data that you tell us is incomplete or incorrect.
If we intend to process existing personal data for a new purpose you are unaware of, we will advise you. We stress that this is unlikely and only liable to happen extremely infrequently.
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information: -
Most personal data you provide will not meet these data portability tests. Possible examples could be e.g. your bank account details, current home address or family status.
To exercise any data protection rights please send a letter or email with details of your specific request to our data controller manager at [email protected].
There is normally no charge. We will respond within a month where practicable and, otherwise, as quickly as possible.
Unfortunately, not all information systems are under our control (HMRC and benefit providers for instance). And we recognise criminality is increasingly sophisticated. We will advise you promptly if we become aware of any significant breach of security involving your personal data.
Please also read ‘Personal Information and Data Protection’ which you’ll find in Section 2 of our employee handbook. This sets out some more information about how we deal with personal data.
If you’re ever concerned about how we’ve handled your personal data, please raise this confidentially in writing with [email protected] or [email protected]. We will investigate and respond as quickly as possible. If you are unhappy with our response, you may be able to raise your concern with the ICO (https://www.ico.org.uk).