GDPR Information

1. Controller

For the purposes of UK GDPR and applicable data protection law, Grand Bazaar London is the controller for personal data collected through this website, restaurant reservation process, customer communications and marketing consent records.

2. Data Protection Principles

We aim to process personal data lawfully, fairly and transparently; collect it for specified and legitimate purposes; keep it adequate, relevant and limited; keep it accurate and up to date; retain it only as long as necessary; and protect it with appropriate security.

3. Categories Of Processing

Our processing includes website operation, reservation management, table planning, customer communication, allergy and dietary handling, staff administration, security monitoring, marketing consent, offer delivery, unsubscribe management, legal compliance and business record keeping.

4. Lawful Basis Matrix

Reservation management is generally processed under contract and legitimate interests. Allergy and safety notes may rely on explicit information supplied by you and vital interests where needed. Marketing emails rely on consent or applicable soft opt-in rules where lawful. Security logs rely on legitimate interests. Tax and legal records rely on legal obligation.

5. Data Subject Rights

You may request access to your data, rectification, erasure, restriction, portability, objection to processing, objection to direct marketing and withdrawal of consent. We may need to verify your identity before responding. Some rights are not absolute, for example where records must be kept for legal claims, safety, fraud prevention or accounting.

6. How To Make A Request

Email info@grandbazaarlondon.uk with your name, contact details, the right you want to exercise and enough information for us to locate your record. We normally respond within one month, unless the request is complex or numerous.

7. Processor Controls

Where we use processors such as hosting, email, analytics or operational providers, we expect written terms requiring confidentiality, security, restricted use, assistance with rights requests, breach notification and deletion or return of data when services end.

8. Data Breaches

If we become aware of a personal data breach, we will assess the risk, take containment steps, document the incident and notify the ICO or affected individuals where required by law.

9. International Safeguards

If data is transferred outside the UK or EEA, we use appropriate safeguards where required, including adequacy decisions, contractual protections or equivalent lawful transfer mechanisms.

10. Accountability

We keep privacy notices, consent records, system access controls, operational logs and supplier information under review. Staff access to booking and customer data should be limited to those who need it for restaurant operations.

11. Complaints

Please contact us first so we can try to resolve your concern. You also have the right to complain to the Information Commissioner's Office at ico.org.uk.