Privacy Notice

Last Updated: 30/05/2024

This is Compass Group PLC’s privacy notice. Compass Group PLC is a company incorporated in England & Wales under number 04083914 whose registered office is at Compass House, Guildford Street, Chertsey, KT16, 9BQ (“Compass”).

Compass respects your privacy and is committed to protecting your personal data. For more information about Compass Group, please see the ‘What we Do’ section of our website.

When we use ‘Compass’, ‘we’, ‘us’ or ‘our’ in this privacy notice, we are referring to Compass Group PLC. We are the data controller for your personal data under the applicable legislation and are primarily responsible for processing and ensuring proper protection of your data.  

It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.

Purpose of this Privacy Notice

This privacy notice informs you of who we are, how we collect, share, use and protect your personal information, however you provide it to us, and tell you about your privacy rights and legal protections.

This privacy notice tells you how Compass collects and processes your personal information that we collect through this website, any enquiries you may make to us, for example to our Investor Relations or Treasury team, via the ‘Contact Us’ section of this website, responding to any shareholder notifications, signing up to receive a Regulatory News Services or RNS alert, if you are engaged in a recruitment process with us, or if you contact us via Compass’ confidential reporting programme, Speak Up, We’re Listening.

It is important that you read this privacy notice together with any other information we may provide on specific occasions when we are collecting or processing personal information about you so that you are fully aware of how and why we are using your data. This privacy notice is complementary to the other information which we might provide in specific circumstances and will not override it.   

Website Use and Enquiries

Personal data, or personal information, means any information relating to natural persons who:

  • Can be identified or who are identifiable, directly from the information in question; or
  • Can be indirectly identified from that information in combination with other information.

It does not include data where the identity has been removed (anonymous data). There are special categories of more sensitive personal data which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The content of any enquiry you may submit via the Contact Us section of our website, or via our Investor Relations or Group Treasury team will vary but, ordinarily, in these scenarios we are likely to be collecting your personal information to respond to your request and to enable us to comply with our legal obligations. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship. 

We may collect, store, and use the following categories of personal information about you when you interact with our website:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, email addresses and profile information. 
  • IP address, cookies and tracking technologies. The use of these technologies is covered in a separate Cookie Policy.

How is your personal information collected?

We collect personal information when you interact with our website or send us a message.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation
  • Where we want to try to provide a tailored experience of our digital presence
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we have your express consent 

Situations in which we will use your personal information

The situations in which we will process your personal information are listed below:

  • Responding to your engagement with us
  • Understanding your use of our website
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
  • To comply with our legal obligations

We may from time to time carry out other types of processing. For example, to carry out activities necessary to the running of our business, including network monitoring, system testing, staff training, quality control and any legal proceedings. We have a legitimate interest or legal obligation to do so. We may carry out activities that process personal data in order to monitor the performance of our network, systems or the activities of our teams, so that we can ensure the integrity and availability of those systems.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

Special categories of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We do not ordinarily process special categories of personal information via our website. In limited circumstances we may process special categories of personal information if you voluntarily provide it when submitting an enquiry to us.

Data sharing

We may have to share your personal information with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your personal information and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the relationship we have with you, or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

Third parties include third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help respond to your request, maintain our website and make it easier for you to subscribe to different functions such as an RNS alert.

These include:

  • Microsoft - We use Office 365, which offers a suite of applications we use in our daily operations. These include for example Outlook, Word and Excel, but also other applications are included in our subscription. The data within our Office 365 tenant are processed in the US. Our contract with Microsoft is supported by a Data Processing Agreement which details the controls we have in place to protect and respect personal data, and which complies with UK law on international transfers of data.
  • Euroland – If you would like to subscribe to an RNS alert, we have partnered with Euroland to provide this service. You can see how Euroland use your personal data by clicking on the link to their Privacy Notice which is displayed prior to subscribing to an RNS alert.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies and our Group Data Sharing Agreement. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making disclosures to stock exchange regulators.

Shareholder Management

As an individual shareholder of Compass, we will hold certain information about you, including any information that you or an agent of yours may provide to us. This may be via one of our service providers such as Link Group, or via email, telephone or in another written format.

We may collect, store, and use the following categories of personal information about you as a shareholder: personal contact details such as name, title, addresses, post code, telephone numbers, email addresses and any other profile information you may share with us. 

How is your personal information collected?

We collect personal information when you transact in shares in Compass.

How we will use information about you

We will only use your personal information when the law allows us to. We will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation to maintain our records of shareholders and to allow you to exercise your rights such as the payment of dividends
  • Where it is necessary for our legitimate interests, including business interests and best practice (or those of a third party) and your interests and fundamental rights do not override those interests such as to communicate with you any shareholder updates. 

Situations in which we will use your personal information

The situations in which we will process your personal information are listed below:

  • To comply with our legal obligations
  • To notify you of shareholder updates
  • To process share transactions including the payment of dividends

How we use particularly sensitive personal information

Special categories of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We do not ordinarily process special categories of personal information via your shareholding in Compass.

Data sharing

We may have to share your personal information with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your personal information and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the relationship we have with you, or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

Third parties include third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help maintain our shareholder list and process share transactions.

These include:

  • Link Group – Link Group provide us with registrar services and provide our shareholders with the Signal Share Portal and access to and use of CREST. Our contract with Link Group is supported by a Data Processing Agreement which details the controls we have in place to protect and respect personal data.
  • CREST is a service owned and operated by Euroclear. You can see how Euroclear use your personal data by clicking on the link to their Privacy Notice which is displayed on their website.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies and our Group Data Sharing Agreement. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making disclosures to stock exchange regulators.

Speak Up, We're Listening

Speak Up, We’re Listening is Compass’ confidential reporting programme which provides a channel to seek guidance on ethical concerns and issues, express your views freely and to report, in confidence, any concerns regarding potential breaches of our Code of Business Conduct involving any unethical, illegal or other improper circumstances or behaviours.

Our Compass Speak Up platform and helpline is operated by an independent third-party provider, OneTrust LLC and is available 365 days a year, 7 days a week, 24 hours a day, in all of the countries in which we operate. Reports received are referred to Group Ethics & Integrity for confidential review and assignment for follow up and/or investigation, as appropriate.

When we receive a report from you, via our Helpline or Platform (web-intake) a case is created which contains the details of your complaint. When you make this report, the amount of personal information collected is your decision, you can choose to submit as much or as little as you wish. This may include your identity, contact details and any other information you provide which may contain special categories of personal information such as health, ethnic information and imagery. Should you make a report anonymously, the case will only reflect the information you provide about the situation. In each instance, this information will be kept confidential and restricted to a limited number of employees.

How is your personal information collected?

We will collect personal information when you submit a report via Speak Up, We’re Listening.

How we will use information about you

We will use your personal information to comply with our legal obligations and to help follow up or investigate the concern you have raised (where applicable).  We may also use your personal data to contact you about your report if you have consented for us to do so. The personal information you submit will be kept confidential and we won't disclose it without lawful authority. Your identity will not be disclosed without your consent to anyone beyond those dealing with and investigating the concerns or those included on a strict need-to-know basis to receive and act upon the findings or remedial actions, unless this is necessary and proportionate in the context of looking into the matter, undertaking an investigation and/or seeking legal advice.

How we use particularly sensitive personal information

Special categories of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We do not ordinarily process special categories of personal information via Speak Up, We’re Listening programme. In limited circumstances we may process special categories of personal information if you voluntarily provide it when making your report or a report is made where you are mentioned, or in any subsequent interactions with our Group Ethics and Integrity team.

Data sharing

We may have to share your personal information with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your personal information and to treat it in accordance with the law.

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to administer and manage the Speak Up Helpline or Platform or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

Our Speak Up, We’re Listening Helpline and Platform is provided by OneTrust LLC, an industry leading technology platform. Our contract with OneTrust is supported by a Data Processing Agreement which details the controls we have in place to protect and respect personal data, and which complies with UK law on international transfers of data. Various parts of our Speak Up, We’re Listening platform are provided or hosted in the US and the EEA and your data will be processed in the US and the EEA.

We may also need to share your personal information with professional advisors such as legal advisors, our auditors and if required, law enforcement or other regulators.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies and our Group Data Sharing Agreement. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information for specified purposes and in accordance with our instructions.

Candidates

This section of our privacy notice applies to if you are involved in a recruitment process with Compass Group PLC or Compass Group Holdings Plc.

The kind of information we hold about you

Personal data, or personal information, means any information relating to natural persons who:

  • Can be identified or who are identifiable, directly from the information in question; or
  • Can be indirectly identified from that information in combination with other information.

It does not include data where the identity has been removed (anonymous data).

There are special categories of more sensitive personal information which require a higher level of protection, such as information about a person's health, religious beliefs or sexual orientation.

The online or hard-copy forms and processes we might ask you to complete from time-to-time will vary but, ordinarily, in the scenarios where we are likely to be collecting your personal information to potentially pursue the employer – employee relationship. We are likely to collect, store, and use the following categories of personal information about you in order to fulfil that relationship, some of which will depend on the role for which you are applying for.  

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, post code, telephone numbers, and personal email addresses
  • Date of birth
  • Gender
  • Marital status and dependants
  • Leaving date and your reason for leaving previous employment
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of a job application process)
  • Any information you provide to us during an interview (whether face-to-face, by phone or Microsoft Teams or in any other way)
  • Employment records (including job titles, work history, working hours, holidays, training records and professional memberships)
  • Competency certification or other regulatory or industry-related certification necessary for your role
  • Professional or trade qualifications that are relevant to the industry and/or role for which you are applying
  • Credit history
  • CCTV footage and other information obtained through electronic means 
  • Photographs
  • Results of government revenue & customs or local tax office employment status check, details of your interest in and connection with the intermediary through which your services are supplied (should you provide services in a way that might legally qualify you as an employee in the eyes of the law or in accordance with government revenue & customs or local tax office guidance and regulation on the status of individuals and their tax affairs)

Some roles have regulatory requirements or are client focussed roles for industries where they are obliged to undertake stringent vetting on their own employees and those of contractors. In such circumstances, we will have to undertake a level of investigation about you that might seem unnecessarily intrusive.  We will only do this where we are required to do so or where our client demands this of us.  If we do not do this, we may not be able to fulfil our regulatory obligations or our client might not grant you access to their premises and you might be unable to perform your intended role.

We may also collect, store and use the following special categories of more sensitive personal information:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
  • Trade union membership
  • Credit reference agency checks
  • Information about criminal convictions and offences, where these are relevant to the role for which you have applied and where regulation to which we are subject to obliges us to obtain such data (for example; Stock Exchange Requirements)

How is your personal information collected?

We collect personal information about potential employees, workers and contactors (whether on a permanent, part-time or casual basis) through the application and recruitment process, either directly from candidates or sometimes from a recruitment agency, intermediary or background check provider.

We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.

We may also use the following other sources of personal information:

  • Sanctions and Watch Lists issued by governments, financial market regulators and law enforcement bodies form across the world 
  • Outstanding County Court Judgments (CCJs), IVAs, Bankruptcies, alias names and address history using the electoral register 
  • The Disclosure and Barring Service and Disclosure Scotland in respect of criminal convictions 
  • The Home Office Employers Checking Service in respect of Right To Work in the UK 
  • Your named referees  

We may also collect personal information from the trustees or managers of pension arrangements operated by a group company, if relevant.

We will collect additional personal information in the course of job-related activities throughout the period for which you work for us and this is covered in our Employee Privacy Notice.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to comply with a statutory obligation 
  • Where it is necessary for our legitimate interests, including business interests and employer best practice (or those of a third party) and your interests and fundamental rights do not override those interests 
  • Where we have your express consent  

Situations in which we will use your personal information

Depending on the nature of the role for which you are applying, from time-to-time, we are likely to need most of the categories of information in the list above to allow us properly to perform the relationship we have with you.  Some we will need to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your personal information are listed below:

  • Assess your skills, qualifications, and suitability for the work generally or the role specifically 
  • Carry out background and reference checks, where applicable 
  • Communicate with you about the recruitment process 
  • Keep records related to our hiring processes 
  • Determining the terms on which you work for us 
  • Checking you are legally entitled to work in the UK  
  • Assessing qualifications for a particular job or task 
  • Ascertaining your fitness to work 
  • Complying with health and safety obligations 
  • To detect or prevent fraud 
  • Equal opportunities monitoring 

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

How we use particularly sensitive personal information

Special categories of personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit consent 
  • Where we need to carry out our statutory or contractual obligations or exercise rights in relation to the contract or agreement, we have with you (most importantly so that we perform it properly and safely) 
  • Where we need to provide a third party with health certification or evidence to allow you to undertake your role 

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision arrived at through the automated process and given you 21 days to request some human intervention into that decision 
  • Where it is necessary to perform the employment contract with you and appropriate measures are in place to safeguard your rights 
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights 

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you. The most likely use of automated decision making is in response to questions we ask about your entitlement to work in the UK. These decisions will be based on the information you provide to us.

Data sharing

We may have to share your personal information with third parties, including third-party service providers and other legal entities within the same group of companies as Compass. 

We require our third-party processors to respect the security of your personal information and to treat it in accordance with the law. 

Why might you share my personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to pursue the relationship, we have with you or where we have another lawful basis for doing so.

Which third-party service providers process my personal information?

Third parties include third-party service providers (including contractors and designated agents) and other entities within our group who we might use to help administer the recruitment process, employment contract or agreement we have with you. 

The following are the activities which are most likely to be carried out by third-party service providers for us, in relation to supporting the recruitment process such as background checking agencies, recruitment agencies, credit reference agencies and security vetting organisations.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information for specified purposes and in accordance with our instructions.

What about other third parties?

We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making disclosures to stock exchange regulators and disclosures to shareholders such as directors' remuneration reporting requirements.

Social Media

Compass Group PLC has two social media channels: a LinkedIn page and a YouTube channel. These channels are provided by third party providers LinkedIn Inc and YouTube Inc on their respective platforms. Each of these companies acts as a separate data controller of any personal information you post on these platforms when interacting with our channels and how they use your personal information is contained within their respective privacy notices.   

Any personal information that you have made public and accessible via your profiles on the social media channels in question will be available to us.

How long will Compass keep my personal information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

What other rights do I have in respect of my personal information?

You have rights under data protection laws in relation to your personal information. Under certain circumstances your rights are as follows:  

Request access to your personal information (commonly known as a "data subject access request" or “DSAR”). This enables you to receive a copy of the personal information we hold about you in order to check that we are processing it lawfully. 

  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where you believe we have no legitimate reason for continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be obliged to comply fully with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request 
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we might demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. 
  • Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. Again, it is subject to any overriding legal, accounting and reporting rights we might have to retain copies of your data.
  • Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. 

If you wish to exercise any of the rights set out above, please contact us at [email protected].   

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.  

What we may need from you  

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.  

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

Changes to this Notice

Should Compass decide to substantially modify the manner in which Compass collects or uses your personal information, the type of personal information that Compass collects or any other aspect of this Notice, Compass will notify you as soon as possible by reissuing a revised Notice, or taking other steps in accordance with applicable law.

Who can I contact if I have questions?

Full name of legal entity            Compass Group PLC

Who to contact                           Director of Data Privacy

Email address                              [email protected]

Postal address                             Compass House, Guildford Street, Chertsey, KT16 9BQ

As noted in the introduction, Compass has subsidiary companies through which it operates. Some group subsidiaries will contract in their own legal name and have their own privacy notices. 

Please refer to their applicable privacy notices by selecting the country you require from the drop-down list found on our Contact Us page. 

How to make a complaint

You have the right to make a complaint at any time to our supervisory authority the Information Commissioner's Office (ICO) (www.ico.org.uk).

We would, however, appreciate the chance to deal with your concerns before you approach the ICO; so please contact us in the first instance.