This site uses cookies to bring you the best experience. Find out more
Skip to main content

Stock Spirits Group Privacy Policy

Stock Spirits Group (hereinafter “Stock” or “We”) is committed to protecting and respecting privacy.

This policy (together with our Code of Conduct Policy, our Website Privacy and Cookie Policy and any other documents referred to in it) sets out the basis on which any personal data we collect will be processed by Stock. Please read the following carefully to understand our views and practices regarding personal data and how we will treat it.

We are the data controller for the purposes of the Data Protection Act 1998 (the “Act”).


a) Personal Data

Means data which relates to a living individual who can be identified:

  • from those data
  • or from those data and other information in the possession (or likely to come into the possession) of the data controller

This would include information about employees, agents, customers and suppliers.

b) Sensitive Personal Data

The Act draws a distinction between Personal Data and Sensitive Personal Data.

Sensitive Personal Data includes information about a person’s:

  • racial or ethnic origins,
  • political opinions,
  • religious beliefs or other beliefs of a similar nature,
  • membership of a trade union,
  • physical or mental health or condition,
  • sexual life,
  • commission or alleged commission of any offence, or
  • proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

c) Data Controller

“A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”

This is the person responsible for making decisions as to how personal data is used, processed or stored, in this case SSG.

d) Data Subject

An individual who is the subject of personal data. In SSG’s case, this would include employees, agents, customers and suppliers.

e) Processing

Processing is any operation carried out on the data including obtaining, recording, retrieving, altering, disclosing and erasing data and passing on data to third party data processors.

f) Explicit Consent

For sensitive personal data explicit consent must be given by the data subject. This requires active communication with the data subject and must specify the data, and the purposes for which the data is held. This would include specifying what data is passed on to any third party data processor.

Stock’s data handling practices


The processing of personal data is only permitted if either the data subject has consented to that processing or if it is permissible under applicable law at the place of processing.

Consent should be declared in writing where possible, or by other legally permissible means, and the data subject must be informed in advance about the purpose of the processing of personal data and the possible transfer of personal data to third parties.


The processing of personal data must be fair and will only be fair if the data subject has been provided with clear information (for example, about the purposes for which the data will be processed, who will have access to the data and, (if applicable), that the data may be transferred outside the European Economic Area (“EEA”).  This information should be provided in a location that is readily available, such as in an employment contract or a privacy policy.


Personal data must be accurate and, where necessary, kept up to date.

Personal data should, wherever possible, be anonymised.

Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.

Stock will only collect personal data to the extent that they are necessary for the relevant purpose for which they are collected.


Stock has implemented measures to prevent the unauthorised processing of personal data including, among other things, controls of:

  • physical access to data processing systems;
  • logical access to data processing systems;
  • logical access to data processing applications;
  • input of data into data processing systems; and
  • transfer of data by means of data transmission.

Access to personal data should only be granted to those employees who have a business-related reason to access that data. 

Unauthorised review, file alteration or removal, password dissemination, damage to systems, removal of programs or improper use of information contained in any computer or phone system is not to be permitted.

Stock has a responsibility to ensure that it has technical and organisational security measures in place that are appropriate to the risks (such as accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access) presented by its processing of personal data. More details of Stock’s security policies are included in our Group IT Policy.


Whenever services which involve processing personal data are outsourced to a third party supplier, Stock chooses the supplier carefully, paying special attention to the suitability of the technical and organisational measures applied by the supplier.  

A written agreement must be in place with the supplier which contains provisions (in conformity with this Policy) dealing with the following:

  • The supplier must only process the personal data in accordance with Stock's instructions.
  • The extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects.
  • The technical and organisational measures to be taken to protect the personal data.
  • How the rights of data subjects (for example, rectification, erasure and blocking of data) will be complied with.
  • Any right to grant subcontracts.
  • Stock's rights to monitor and the supplier’s corresponding obligations to cooperate.
  • Violations by the supplier or its employees of provisions to protect personal data or of the terms specified by the supplier which are subject to the obligation to notify.
  • The return of data storage media and the erasure of data recorded by the supplier after the work has been carried out.


Stock ensures that appropriate measures are in place in relation to any transfers to organisations located outside the EEA and that any such transfer is subject to the conditions set out in applicable law.


Stock may collect and process personal data regardless of physical format, including the following data about data subjects:

  • Information that data subjects provide by filling in forms. This includes information provided during recruitment, the hiring process, at the time of hiring, information relating to employees, and information about individuals registering to use our website, subscribing to our policies or requesting further information.
  • Information requested when a data subject reports a problem with our Legal or HR departments or our website.
  • If a data subject contacts us, we may keep a record of that correspondence.
  • We may also ask data subjects to complete surveys that we use for research purposes.
  • Details of transactions that customers carry out with us, or through our site and of the fulfilment of orders.
  • Details of data subjects’ visits to our company premises or to our website including, but not limited to, traffic data, location data, weblogs and other communication data, and any resources accessed through our website.


As stated in our Website Privacy and Cookie Policy, we may collect information about website users’ computers, including where available IP addresses, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.

For the same reason, Stock may obtain information about users’ general internet usage by using a cookie file which is stored on the hard drive of the user’s computer. Cookies contain information that is transferred to the computer's hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:

  • To estimate our audience size and usage pattern.
  • To store information about users’ preferences, and so allow us to customise our site according to users’ individual interests.
  • To speed up searches.
  • To recognise users when they return to our site.

There are some limitations:

  • Users may refuse to accept cookies by activating the setting on their browser which allows users to refuse the setting of cookies. However, if users select this setting they may be unable to access certain parts of our site. Unless users have adjusted their browser setting so that it will refuse cookies, our system will issue cookies when users log on to our site;
  • Users may delete cookies by deleting the computer browsing history;
  • Users may select “private” browsing which can restrict the data captured by the computer.



The data that we collect are stored in our HR and Legal departments.

Business data is subject to additional security as well as access controls described above. This means that data is accessible by authorised individuals from relevant business departments only.

All data storage facilities are primarily for the purpose of securely storing business data.

Whilst no barriers are in place to exclude the storage of personal data within the business data storage environments, it is expected that employees treat this facility with due consideration, and explicitly do not use this facility for the storage of any offensive or political data, or data contravening copyright laws (documents, images etc) as defined in the relevant HR Policies document. Any evidence of this practice will be treated in line with formal HR processes, as outlined in the relevant HR policy.

All data storage usage can be monitored by the local IT team (in terms of disc-space used) and remedial actions taken in collaboration with the business if storage space becomes limited.


The data that we collect via our website may be transferred to, and stored at, a destination outside the EEA and transferred to any of our suppliers or principals.  It may also be processed by staff operating outside the EEA who work for us or for our suppliers. By submitting personal data, website users agree to this transfer, storing or processing.  We will take all steps reasonably necessary to ensure that data is treated securely and in accordance with the website privacy policy.

All information users provide to us is stored on our secure servers.  Where we have given users (or where users have chosen) a password which enables users to access certain parts of the Website, users are responsible for keeping this password confidential.  We ask users not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure.  Although we will do our best to protect users’ personal data, we cannot guarantee the security of data transmitted to the Website and any transmission is at users’ own risk.  Once we have received users’ information, we will use strict procedures and security features to try to prevent unauthorised access.


We use information held about data subjects for the purposes for which they were originally collected, which may include in the following ways:

  • To be compliant to local laws.
  • To ensure that content from our website is presented in the most effective manner for users and for their computers.
  • To provide customers with information or products that they request from us or which we feel may interest customers, where they have consented to be contacted for such purposes.
  • To carry out our obligations arising from any contracts entered into between data subjects and us.
  • To allow website users to participate in interactive features of our service, when they choose to do so.
  • To notify customers or website users about changes to our service.

We may also use customers’ data, to provide them with information about goods which may be of interest to them and we may contact them about these by post.

We will only contact existing customers by electronic means (e-mail or SMS) with information about goods similar to those which were the subject of a previous sale to the customer. We will not pass customer data to third parties.

We will contact new customers by electronic means only if they have consented to this.
If customers do not want us to use their data in this way, we ask them to tick the relevant box situated on the form on which we collect their data (the registration form).

In relation to employees, we use personal data to administer their employment with us, including for performance management and HR related matters.

In relation to suppliers, we use personal data to send orders, to process payments and to make enquiries.


We may disclose personal data to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.

We may disclose personal data to third parties:

  • In the event that we sell or buy any business or assets, in which case we may disclose personal data to the prospective seller or buyer of such business or assets.
  • If Stock or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers, employees, agents and suppliers will be one of the transferred assets.
  • If we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use, Terms and Conditions for Buyers and Terms and Conditions for Sellers and other agreements; or to protect the rights, property, or safety of Stock, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
  • To permit us to use the services of third party data processors, for example in carrying out outsourced work.


Data Subjects have the right to ask us not to process their personal data for marketing purposes. We will usually inform customers (before collecting their data) if we intend to use their data for such purposes. Customers can exercise their right to prevent such processing by checking certain boxes on the forms we use to collect their data.

Data Subjects have the right to request access to any personal data held about them by Stock. Such requests must be made in writing to the address set out in the “Contact” section below and addressed to the General Counsel. If any employee receives a subject access request, it should be passed to the General Counsel for processing as soon as possible, as Stock is required to comply within 40 days.

Data Subjects also have the right to request that their personal data is amended or deleted where it is inaccurate or processed in an unauthorised manner. If any employee receives such a request, it should be passed to the General Counsel as soon as possible.


Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to relevant data subjects by e-mail.


Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to or by writing to: Solar House, Mercury Park, Wooburn Green, Buckinghamshire, HP10 0HH, United Kingdom.