Privacy Policy

This is the privacy policy (“Policy”) of Dairy Crest Limited (trading as Saputo Dairy UK and Wensleydale Creamery), and Bute Island Foods Ltd (trading as Bute Island Foods), which are referred to in this Policy as the “SDUK Group”, “we”, “us” or “our”. It sets out what type of Personal Data we may collect from individuals and how we collect and use this Personal Data , such as the Personal Data of individuals who use our internal or external websites or web applications that are either licenced by Saputo and/or under Saputo’s control and/or management, including all webpages therein, individuals who purchase or consume products that are sold by us (whether directly or indirectly), supplied by us or made by us, individuals who enter into our consumer contests, individuals with whom we may have contact from time to time, such as representatives of our customers and suppliers and individuals who may visit our premises or otherwise interact with us either online or offline (collectively, the “Services”) (these individuals and the Personal Data associated with these individuals may hereinafter be respectively referred to as “you” or “your”). This Policy also describes what choices you have regarding how we may use your Personal Data. This Policy will also tell you about your privacy rights and how the law protects you.

For information on the SDUK Group’s brands, see https://uk.saputo.com/brands/

We operate a number of websites designed to provide information to you about our products, including: uk.saputo.com, vitalitedairyfree.co.uk, cathedralcity.co.uk, frylight.co.uk, buteisland.com, buteisland.com, yorkshirecreamery.co.uk, www.wensleydale.co.uk and www.davidstowcheddar.co.uk (our “Websites”) and a number of social media pages.

For the purpose of this Policy, the term “Personal Data” includes any information that relates to you as an identifiable individual, such as your name, personal address, telephone number and e-mail address (although the precise scope of this term may differ between the data protection laws of different jurisdictions/regions). The term “process” means any activity relating to Personal Data, including, by way of example, collection, storage, use, consultation and transmission. “Sensitive Personal Data” is Personal Data that is defined as “sensitive personal information” or “special category data” under applicable data privacy laws which, depending on the jurisdiction, may include Personal Data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying someone, data concerning health and data concerning someone’s sex life or sexual orientation, or social security number. 

If you do not want your Personal Data processed as detailed in this Policy, please do not use the Websites or the Services. Please note that your use of the Websites is also subject to the Terms of Use that is posted on the Website for your review.

If you have any questions about this Policy, including any requests to exercise your legal rights, or if you require more detail about the legal bases for processing your Personal Data, please contact us using the details set out at the end of this Policy.

For job candidates, please see our supplemental Candidate Privacy Notice available here.

1. Information gathered by the SDUK Group

We may where relevant collect, use, store, disclose and transfer different kinds of Personal Data about you which we have grouped together as follows:

Personal Data type	Types of information included in group
“Business Contact Data”	Includes business contact details such as name, job title, telephone number, e-mail address, business address, organisation, correspondence history, order history, sales history, trade passes and licences, permit to work, proof of ID/background information and documents, lifestyle, social circumstances and personal preferences (including in relation to the use of Personal Data, diet and marketing communications), reasonable adjustments or accommodations, expenses, payment records and details, meeting records, social media records (e.g. LinkedIn profile).
“CCTV Data”	Includes moving and still images and audio recordings captured by CCTV devices.
“Contact Data”	Includes address, e-mail address, telephone numbers and social media contact details.
“Contest Data”	Includes information provided when entering into a contest with us, such as your name, address and e-mail address, and for contest winners, may include supplemental information, such as other Personal Data in identification documents.
“Correspondence Data”	Includes records of your correspondence with us (including e-mails, mail correspondence, web contact forms/details and social media correspondence), incident number and call recordings.
“Health Data”	Includes details of your health and wellbeing, illness, injury allergies and / or disability.
“Identity Data”	Includes first name, last name, marital status, title, date of birth, gender, location, job title and the number or alphanumeric number issued to you by any governmental authority.
“Profile Data”	Includes your interests, preferences, behaviours, hobbies, activities, household or lifestyle information, feedback, opinions, survey responses and qualifications.
“Sales Data”	Includes information provided when you purchase a product or service directly or indirectly from the SDUK Group (either from an SDUK Group company or an entity selling SDUK Group company products), such as name, title, address, e-mail address, telephone number, billing and payment details (including credit/debit card information), details of your order, delivery details and products you have purchased.
“Shareholder Data”	Number of shares held, shareholding history, related correspondence history, payment history.
“Technical Data”	Includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Website and/or otherwise use our Services.
“Usage Data”	Includes information about how you use our Website and social media pages and/or use our Services.
“Visitor Data”	Includes information collected about visitors to our premises and sites, such as name, organisation representing, entry/exit time, access card records, relevant and necessary health details (e.g. for reasonable adjustments or accommodations), signature, purpose of visit, the person you are attending our premises/site to visit, other people you are visiting with and vehicle details.

We may anonymise your Personal Data (the “Anonymised Data”), which means it can no longer be associated with you nor make you identifiable directly or indirectly. We may therefore use the Anonymised Data indefinitely and for any legitimate purpose (and share it with third parties) without further notice to you nor the need to obtain your consent. Such uses and sharing include:

• for research or statistical purposes
• to tailor the experience of our Websites and/or Services, help SDUK analyse interest in areas of the Websites and the browsing patterns of its users in order to improve the content, operation and design of the Website and get data for statistical purposes to improve the Website and/or Services.

Sensitive Personal Data

Sensitive Personal Data is a type of particularly sensitive Personal Data that requires higher levels of protection. We need to have further justification for collecting, transferring, storing and/or otherwise using this type of Personal Data. We have safeguards in place which we are required by law to maintain when processing such data.

Apart from the types of Sensitive Personal Data that may be collected from you in accordance with this Policy, we do not knowingly collect any other such Sensitive Personal Data about you.

2. How is your Personal Data collected?

We collect Personal Data about you from the following sources (please see the ‘section 1 -Information gathered by the SDUK Group’ section above for an explanation of the different types of information included in the data categories mentioned below):

• From you. You may give us your Identity Data, Contact Data, Profile Data, Correspondence Data, Contest Data, Sales Data, Business Contact Data, Visitor Data, Health Data and Shareholder Data by corresponding with us, including by mail, telephone and e-mail or via a contact form or otherwise on our Websites or a message on social media, by interacting with us as part of your job or through an interview process, by visiting our Websites and/or by using Services or by entering into a contest we are holding.

• Third parties or publicly available sources. We may receive Personal Data about you from various third parties and public sources including:

• Identity Data, Contact Data, Profile Data and Health Data from third parties, such as a store from which you bought one of our products, if you ask for details of your complaint, query or feedback to be passed to us for investigation or resolution.
• Business Contact Data from your employer or another member of your organisation.
• Technical Data from analytics providers such as Google.
• Identity Data, Contact Data, Profile Data and Sales Data and from third parties, such as fraud prevention agencies who may gather information from publicly available sources including voting registers or from social media.
• Sales Data from third party payment providers (such as banks and payment platforms).

• Automated technologies or interactions. Subject to your agreement if you interact with our Websites or social media pages, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies. Please see the ‘section 7 - Cookies, web beacons and analyticalservices’ section below for further details.

You may also be asked to provide Personal Data on our Website or when you otherwise use our Services or interact with us. Personal Data can be gathered when you fill out and send feedback forms or send e-mails to us , or when you register for our press releases, newsletters, contests and/or publication list and/or when you communicate with us by means of the "Contact Us" tool.

If you fail to provide Personal Data

If you contact us with a complaint or request but refrain from providing certain Personal Data when requested, we may not be able to help you, investigate the issue raised or respond to or resolve your complaint or request. We will use reasonable efforts to notify you if this is the case.

3. How is your Personal Data used?

We have set out below a description of all the ways we process your Personal Data. and which of the “legal bases” we rely on to do so:

Purpose/Activity	Legal basis for processing, including basis of legitimate interest
To enable us to investigate and deal with your complaint, question, feedback or compliment.	(a) Necessary to comply with a legal obligation (b) Necessary for our legitimate interests (e.g. for quality monitoring and improvements, to carry out an investigation, to take appropriate action and to provide a meaningful response) (c) Necessary for the performance of a contract (d) Necessary for the establishment, exercise or defence of legal claims (e) Necessary for reasons of substantial public interest
To provide feedback to our business on the performance of our products and staff, and as needed to investigate any product issues.	(a) Necessary for our legitimate interests (e.g. for quality monitoring and product improvements, new product development and investigations and for customer service monitoring) (b) Necessary for the establishment, exercise or defence of legal claims (c) Necessary for reasons of substantial public interest
To check for fraud or malicious or unfounded claims.	(a) Necessary for our legitimate interests (prevention of fraudulent claims) (b) Necessary for the establishment, exercise or defence of legal claims.
To manage our relationship with you which may include: (a) Providing you with updates and a response to your question or complaint. (b) Notifying you about changes to our Policy if we choose to contact you directly in order to do so. (c) Asking you to leave a review or take a survey.	(a) Necessary to comply with a legal obligation (b) Necessary for our legitimate interests (keeping you informed as to the progress of your question or complaint, to keep our records updated and to study how consumers use our products)
To administer and protect our business and the Website and the Services as applicable (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).	(a) Necessary for our legitimate interests (e.g. for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To use data analytics to improve our Website and Services (as applicable).	Necessary for our legitimate interests (e.g. to keep our Website and means of delivering Services updated and relevant)
To comply with our legal requirements.	Necessary to comply with a legal obligation
To deliver to you by e-mail or by post press releases and publications and to notify you of products or special offers that may be of interest to you.	(a) Consent (b) Necessary for our legitimate interests (e.g. to promote our business)
To publish external facing materials for marketing and public relations purposes, such as where we mention individuals in our marketing materials, social media posts and press releases.	(a) Necessary for our legitimate interests (e.g. to promote our business) (b) Consent
To enforce our Website and Services terms of use and / or terms and conditions and to prevent potentially prohibited or illegal activities for security purposes.	(a) Necessary for our legitimate interests (e.g. prevention of misuse and to maintain security) (b) Necessary for the establishment, exercise or defence of legal claims.
To run contests.	(a) Necessary for performance of a contract (b)Necessary for our legitimate interests (e.g. to increase consumer engagement)
To enable people to visit our sites and premises.	(a) Necessary for our legitimate interests (e.g. to enable business to be conducted on our premises, to enable social/educational visits) (b) Necessary to comply with a legal obligation
To maintain the security of our sites, premises and Services.	Necessary for our legitimate interests (e.g. keeping our sites and premises secure, keeping our staff and visitors safe and deterring and reporting criminal activity)
To conduct business with our customers/suppliers including processing payments and shipping orders.	(a) Necessary for our legitimate interests (e.g. to enable us to purchase products and services required for the running of our business and to ensure that function is efficient; or to enable to sell products) (b) Necessary to comply with a legal obligation (c) Necessary for the performance of a contract
To make reasonable adjustments and accommodating for health/diet/religious requirements	Consent

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your Personal Data.

4. How is your Personal Data disclosed?

We generally do not share Personal Data with any third parties, other than as necessary for third parties to perform services on behalf of the SDUK Group. However, we may share Personal Data with third parties with your consent or where required or permitted by applicable law.

The categories of third parties with whom we share Personal Data include the following:

• we hire third parties to provide limited services on our behalf website hosting, marketing, administering surveys, processing, mailing and delivering orders, and sending information about our products and services;
• professional advisers including lawyers, auditors and insurers who provide ad hoc legal, auditing and insurance services;
• advisors and fraud prevention agencies to provide fraud detection services;
• courts, court-appointed persons/entities, receivers and liquidators;
• business partners and joint ventures;
• trade associations and professional bodies;
• governmental/state departments and agencies, anti-fraud organisations, statutory and regulatory bodies, including law enforcement bodies;
• if you opt in, to analytics and marketing service providers, as further detailed in ‘section 7 - Cookies, web beacons and analytical services’ below;
• banks and other financial services bodies..

However, such third parties are obligated to maintain the confidentiality of Personal Data (unless, for example, they have a legal obligation to share it) and are required to maintain appropriate security measures to protect Personal Data.

We may also share your Personal Data with other entities in our group of companies as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for our general business purposes, for authorisations/approvals with relevant decision makers, to enable other entities to provide support for our business tasks such as responding to queries, for system maintenance support and hosting of data and to provide legal and audit services.

We also reserve the right to share, assign, or transfer your Personal Data to any of our subsidiaries or other affiliates or to any successor in interest to our business by merger, sale of assets, reorganisation, operation of law or otherwise.

Additionally, if you provide SDUK with content for publishing or feedback, we may publish your photo, username, name and/or location.

5. Transferring Personal Data to other jurisdictions

We and some of our third-party suppliers may transfer or process your Personal Data outside of the UK and the European Economic Area. To help ensure that your Personal Data receives an adequate level of protection, we have put in place the following measures (or required our suppliers to put them in place) to ensure that your Personal Data is treated by those third parties in a way that is consistent with and which respects UK laws on data protection:

• confirming that an adequacy decision is in place; or

• making the transfer in accordance with the UK extension to the Data Privacy Framework; or

• where required, putting standard contractual clauses or an international data transfer agreement in place.

If you require further information about these protective measures, please contact us using the contact details at the end of this Policy.

6. How long will you retain my Personal Data?

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal or reporting requirements.

To determine the appropriate retention period for Personal Data we consider several factors, including the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of the Personal Data the purposes for which we process the Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

7. Cookies, web beacons and analytical services

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Websites may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

8. Do Not Track

On our Websites, we have implemented a cookie “door” to ensure your cookie preferences and any preferences entered through our applications are honoured, and thus we do not sell or share or sell your Personal Data derived from cookies or applications for cross context behavioural advertising without your consent. We also have tools in place to detect and honour requests made using the Global Privacy Control (“GPC”) signal as requests to opt-out of the sharing of Personal Data to the extent required by applicable law. If you wish to manage your cookie preferences, please go to our Cookie Settings Tab or make a request using one of the methods outlined below under the Data Subject Rights heading.

9. Other websites

Please be aware that the Websites may contain links to other websites on the internet that are owned and operated by third parties. The privacy practices of those websites linked to the Websites and /or Services are not covered by this Policy, and the SDUK Group is not responsible for the privacy policies of those websites. If you provide any information to such third parties, different rules regarding the collection and use of your Personal Data may apply. We strongly suggest you review such third party's privacy policies before providing any data to them. These other websites may use their own cookies or clear GIFs to use, collect data or solicit your Personal Data. Additionally, other companies which place advertising on the Website may collect information about you when you view or click on their advertising through the use of cookies or clear GIFs. We cannot control this collection of information. You should contact these entities directly if you have any questions about their collection and use.

10. Security and Data Governance

The SDUK Group takes appropriate measures to protect information from unauthorised access, collection, use, disclosure, copying, modification or disposal. While the SDUK Group puts in place reasonable measures to protect information, we cannot guarantee at all times the security of such information. No method of transmitting or storing data is completely secure, particularly with regard to Internet applications. We recommend that you do not use unsecure channels to communicate Personal Data or confidential information to us.

The SDUK Group also maintains policies and practices which ensure the protection of Personal Data. Depending on the volume and sensitivity of the information, the purposes for which it is used, and the format in which it is stored, we implement a combination of measures to protect Personal Data, including:

• Internal policies and procedures that define the roles and responsibilities of our employees throughout the information life cycle and limit their access to such information on a “need-to-know” basis;
• A designated privacy officer to monitor the Saputo group’s compliance with applicable data protection laws;
• Employee privacy and data security training;
• Procedures for receiving, investigating and responding to complaints or inquiries regarding information handling practices, including any security incidents involving Personal Data, and notifying the applicable regulator where required to do so;
• A framework governing the retention and destruction of Personal Data, as more fully described in section 6 - How long will you retain my Personal Data? of this Policy;
• Contractual protections and other measures to ensure that service providers with whom we share Personal Data maintain adequate privacy protections and standards.

The SDUK Group also performs data protection impact assessments in certain circumstances if required by applicable privacy laws to ensure adequate mitigation measures are in place. 

11. Accuracy

The SDUK Group uses reasonable efforts to ensure that Personal Data in our possession is kept as accurate, complete and up to date as possible. We do not routinely update Personal Data, unless such an update is necessary. In order to help us maintain and ensure that your Personal Data is accurate and up to date, we ask you to inform us, without delay, of any change in the information you provide to us.

12. Children

Unless expressly stated otherwise on any of our Websites, the SDUK Group does not knowingly collect Personal Data from children under the age of 13 years old or prescribed under applicable local laws. Children are not permitted to use the Website and / or our Services, and the SDUK Group requests that children do not submit any Personal Data to the SDUK Group or the Website. If we learn we have collected or received Personal Data from a child, we will delete that information.

13. Data Subject Rights

Under certain circumstances, by law you have the right to:

• Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you (as well as some related details) and to check that we are lawfully processing it.
• Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure or deletion of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to hold or otherwise process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
• Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
• Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your Personal Data to another party.
• Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to help you, investigate the issue raised or respond to or resolve your complaint or query.

In some circumstances there may be specific legal reasons why we are not able to comply with your request to exercise your rights. Where this is the case, we will inform you of this.

If you wish to exercise any of the rights set out above, please contact the relevant Data Protection Manager in writing, as outlined further in this Policy.

You will not usually have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive subject to the applicable data privacy laws. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Data Privacy Manager

Full name of legal entity:	Contact:	Email address:	Postal address:
Dairy Crest Limited	Data Privacy Manager	datacontroller@saputo.com	Data Privacy Manager, Dairy Crest Limited 5 The Heights, Brooklands, Weybridge, Surrey, KT13 0NY
Bute Island Foods Ltd.	Data Privacy Manager, Bute Island Foods Ltd., 5 The Heights, Brooklands, Weybridge, Surrey, KT13 0NY

14. Modifications to this Policy

SDUK reserves the rights to modify this Policy at any time without prior notice (although we may contact you to let you know of any changes). If we make material changes to the way in which we use Personal Data we collect, we will use reasonable efforts to notify you (such as by emailing you at the last email address you provided us, by posting notice of such changes on the Website and/or Services, or by other means consistent with applicable law) and will take additional steps as required by applicable law. If you do not agree to any updates to this Policy please do not access or continue to use the Website and/or Services. We encourage you to review this Policy whenever you use the Website and/or Services, especially when you provide any Personal Data.

Contact us

If you have any questions about this Policy or our practices or about the SDUK Group’s handling of your information, you can contact us by e-mail at datacontroller@saputo.com. Please provide a sufficiently detailed question or description of your concern.

Last revised: 4 April 2024